tBTC post-mortem describes how a missed smart contract bug forced the developers to press the emergency pause button 

Quick Take

  • The team behind tBTC has initiated a 10-day emergency pause for new deposits after identifying a smart contract bug that disrupted the protocol’s redemption feature
  • The team can only initiate the emergency pause once, meaning that they will not be able to push pause again if another security issue arises in the future.

The team behind tBTC – a newly launched Ethereum-based token backed 1:1 by bitcoin – has published a post-mortem report detailing a smart contract bug that led the developer team to initiate a system-wide emergency pause on Monday.

The ERC-20 token has its supply pegged to bitcoin’s supply. Users wishing to spend their bitcoin on Ethereum can use the tBTC DApp to deposit their bitcoin into the system and get a minted tBTC token in their Ethereum wallet. They can also use the DApp to redeem their bitcoin.

The team takes pride in the protocol’s permissionless redemption mechanism, which is not a feature in similar projects like WBTC. But now due to a previously undetected bug in the redemption codes, the developers have been forced to stop all new deposits for 10 days, a period which began on Monday at 5:45 UTC.

The bug concerns “signer bonds.” Essentially, when a user asks the system to mint a tBTC token, three randomly selected signers will take collective control of a bitcoin wallet holding the user’s bitcoin deposits. Later, if the user wants to exit to the bitcoin chain, the signers will have to authorize the transaction to redeem the bitcoin, sending it back to the user’s own address. 

To participate in a tBTC minting process, a signer needs to put down an ETH bond worth 1.5 times the value of the bitcoin deposit in question. The protocol’s smart contract will hold that bond until the bitcoin deposit is successfully redeemed by the user. This mechanism is meant to ensure that the signer does not try to run off with the bitcoin deposit. In fact, if a redemption fails, the system can seize the signer’s bond after six hours. 

On May 18, an operator controlling three signers flagged to the tBTC team that they were unable to complete the redemption process. After investigating the issue, the team determined that something was wrong with the particular bitcoin address used for the redemption, and that the system was unable to prove that the bitcoin deposit had been sent to the correct address. As a result, the signer’s bond was at risk of being automatically seized.

“After confirming the issue and confirming that it was not fixable outside the contracts, the decision was made to trigger the single-use 10-day emergency pause available in the tBTC system contract,” said the post-mortem report.

The emergency pause mechanism prevents new deposits from entering into the system. At the same time, the team took down the DApp to ensure that existing deposits would not accidentally trigger the redemption bug. Now they have collected 99.83% of all tBTC supply in a single wallet they control, and plan to use the tokens to redeem open deposits and return signer bonds. No user funds have been lost, they say. 

In the spirit of decentralization, tBTC’s security model only allows the team to use their privilege key to initiate a deposit pause once. The system is scheduled to go live again on May 28th. But after that, if another security issue arises, the developers will not be able to push pause again.

“We can't stop people from using the thing after, that's why communicating our findings is particularly important,” project lead Matt Luongo said on Twitter.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.