BEAM — the first full implementation of the privacy-focused Mimblewimble protocol — recently announced a critical vulnerability in both the CLI and desktop wallets. As part of a Medium post following the announcement, the developers behind BEAM say that they have already fixed the bug and laid out instructions for users to go through with.
BEAM’s announcement comes just days after the official release of its mainnet. The team claims that the vulnerability was discovered only by the core BEAM team and the details will be released in the next week to prevent anyone from taking advantage of the bug.
Source Code Wallets Are Vulnerable
On BEAM’s Github repository, users are explicitly told to avoid using wallets which have been built from the mainnet source code. The vulnerability was not uploaded to the public branch of the source code mainnet to avoid disclosing the bug to any potential hackers.
Users of the BEAM wallet are directed not to delete the database or any wallet data, as the vulnerability does not affect private keys or pneumonic seeds. Users need to uninstall or delete the BEAM wallet application and download the updated version from their website.
BEAM also has asked that any other bugs discovered by outside developers be disclosed to the team privately.
Private Bug Disclosures and BEAM’s Vulnerability
Private disclosure of bugs to dev teams is vital to maintaining the security of open-source projects. Bitcoin experienced a vulnerability towards the end of 2018 that was significant enough for developers to keep its full details a secret and was disclosed through the Common Vulnerabilities and Disclosure report. An anonymous person initially uncovered and revealed the vulnerability to Bitcoin ABC devs, where Bitcoin Core developer Matt Corrallo subsequently understood its consequences on Bitcoin as well.
Although the BEAM team discovered the vulnerability, private disclosures of bugs to the team are a major benefit of having open-source protocols. Open-source protocols are continually evolving as they are public-facing and always subject to attack. Bitcoin’s robustness and antifragility are largely due to its extended existence in spite of attempts to attack it or pronounce it dead.
BEAM’s vulnerability — although not fully articulated yet — also offers potential insight into whether the bug originated from a flaw in Mimblewimble or some other component not directly derived from the innovative privacy-preserving and efficient blockchain protocol.
Similar to BEAM, Grin — another open-source Mimblewimble implementation — is set to launch its mainnet on January 15th.