Blockstream’s Liquid sidechain suffered a security incident where 870 BTC were briefly available to the company’s emergency recovery multisig contract.
According to his findings, the spending script for the transaction was configured so as to transfer control to a simple 2-of-3 multisig contract after 2,015 blocks, or about two weeks. While this is intended behavior, this is only meant to be triggered as a last resort if the Liquid network were to collapse, as explained by its documentation.
Prestwich found the issue just as the waiting period expired, which created a window of about thirty minutes, or three Bitcoin blocks, during which the emergency multisig could have taken control of the money.
This did not result in a loss of funds as the emergency multisig is held by Blockstream. The BTC was then moved into a new UTXO that reset the emergency multisig timer.
Security model degradation
The Liquid network is much more centralized than Bitcoin and many other blockchains, as it is validated by a relatively fixed and opaque federation of business entities, primarily exchanges.
The federation also holds custody of the Bitcoin used in the Liquid bridge, as that is the easiest way to peg BTC to other chains. Normally, funds are redeemed through a more distributed 11-of-15 multisig contract, which is signed by the federation members.
The federated security model attempts to be an improvement over holding funds within one exchange, as Cointelegraph reported earlier.
In a conversation with Cointelegraph, Prestwich outlined the importance of the incident:
“This was not normal operation. If anyone says it is, they are wrong. It directly contradicts their docs and public statements.”
The oversight effectively meant that for a brief period, a significant portion of Liquid funds had “greatly reduced security” as only one company controlled them. The issue appears to result from “the code that Blockstream wrote and the federation members run,” which is supposed to automatically renew each transaction before the two-week period comes up.
Commenting on behalf of the company, Neil Woodfine, Blockstream’s director of marketing, told Cointelegraph that “this is a known issue caused by an inconsistency between the timelocks used by Liquid’s functionary HSMs and the functionaries themselves.” He added that the amounts involved are usually small, but due to the growth of the Liquid Network, this issue hit a large UTXO.
Hardware Security Modules, or HSMs, are physical devices for which “coordinating updates is very difficult,” but he said that the team will soon deploy a software workaround.
Woodfine stressed that funds were never at risk because of the safety precautions for the 2-of-3 wallet.
When trying to understand what happened, Prestwich raised the issue that the code “is not completely open source, so we can’t check how it works.”
He noted that “[Blockstream employees] also responded by telling me I was wrong, and linking to factually incorrect docs and tweets,” referring to a since deleted tweet by Grubles, a pseudonymous employee of the company.
The incident seems to have sparked another wave of criticism toward the platform, with pseudonymous analyst Hasu refuting that Liquid should be considered a sidechain because of its trusted model.