Two Bitcoin Security Experts to Audit Counterparty Code

February 28, 2014

An anonymous white hat hacker recently discovered a vulnerability in the counterpartyd code, which he exploited to steal 35,000 XCP from Poloniex, a centralized exchange on which XCP is traded. The bug was quickly fixed and the fraudulent transaction invalidated, but not before the attacker sold the stolen funds for approximately 115 BTC, which he immediately withdrew. The hacker has since returned all of the missing funds to Poloniex, for which we are grateful.

This incident has motivated us to accelerate our efforts to harden Counterparty’s security. To that end, Sergio Lerner and Peter Todd, two digital currency security experts, have accepted an invitation from us to perform comprehensive audits on the Counterparty code. Sergio has discovered and fixed a number of vulnerabilities in the Bitcoin protocol, a list of which may be found on Bitcoin.it. Peter, a Bitcoin core developer, is best known for his work on off-blockchain transactions, dark wallets, and trustless mixing. For a more comprehensive account of Peter’s work, see his GitHub page.

Sergio will begin his audit on March 5th and complete it by March 19th. While Sergio is auditing the code, we will work with Peter on the Counterparty protocol to improve its feature set. After Sergio has completed his audit, new features have been added, and the code has been tested to our satisfaction, we will ask Peter to audit the codebase once again from scratch.

We have also started an official bug bounty program, which is modeled on similar programs by commercial open-source projects. The bug bounty program offers tiered rewards that encourage people to study the Counterparty source code and report vulnerabilities to the developers in a responsible fashion.