[PSA/Article] Havana's BitSigner Audit (multisig)

As probable fire put it: "BitSigner is an open-source and offline multi-sig signing Javascript application based off of the popular Coinb.in"

More info: https://www.reddit.com/r/DarkNetMarkets/comments/322zhe/multisig_bitsign_v10_release_now_easy_still_safe/

Since I am quite fluent in JavaScript and Bitcoin, I thought I would go through BitSigner's code to look for vulnerabilities and/or backdoors of any kind. Here is what I found:

There weren't many things I found that looked fishy, so I'll list those first.

  1. On line 3 of coinbin.js it checks for an internet connection, but probable fire says it is only there to warn users if they are connected, and it looks like he is telling the truth.

  2. It reloads the page on line 194, but probable fire says it is only there to purge JavaScript variables, which makes sense.

  3. There were some references to a few clearnet things, including a Google API on line 182 of coinbin.js, but I think that is just some leftover code from the original coinbin. (I couldn't find any other references to Google in any of the code.)

Is it safe? From what I can see, yes, it is safe. That is as long as you download it over HTTPS. If you don't trust HTTPS you can also use md5sum to validate it. (probable fire has a PGP-signed message with the md5sums on the release page.) But if you use it offline there is 0 chance you can be de-anonymized even if it is a fake version. Also, there were no backdoors of any kind that I could see. This includes auto-updating. (There is none.)

When I contacted the admins (probable fire) about auditing the app, he gave me some test multisig transactions, and I have to say it makes the vendor's job a whole lot easier. I was able to verify and sign 10 transactions in only a couple of minutes.

Disclaimer: I am not a professional auditor. Someone else should probably audit this app too, because I might have missed something.

Link: https://github.com/ProbableFire/BitSigner
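The post's verification advice (download over HTTPS, then compare md5sums against a PGP-signed list from the release page) is easy to get subtly wrong: checking the hashes without checking the signature proves nothing, and checking only the listed files misses an extra script dropped into the release. The script below is an added example, not part of the original post or of the BitSigner project; it assumes a clearsigned text file whose body is in `md5sum` format (`<hash>  <filename>`), that the signer's key is already in the local keyring, and placeholder file names.

```shell
#!/bin/sh
# Added example (not from the post or the BitSigner repository): verify a release
# directory against a PGP clearsigned list of md5sums.
# Assumptions: the signed message body holds "<hash>  <filename>" lines, the
# signer's key is already imported, and all paths below are placeholders.
set -eu

# md5 of one file, using coreutils md5sum or the BSD md5 tool, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Verify the clearsigned message and write only its signed body to $2.
# gpg exits non-zero on a bad signature or an unknown key, and set -e then
# aborts the script, so the hash list is never used unless the signature holds.
extract_signed_body() {
    signed="$1"; out="$2"
    gpg --batch --yes --output "$out" --decrypt "$signed"
}

# Compare every "<hash>  <filename>" line in the list with the files in $2.
# Returns 0 only if every listed file exists and its md5 matches.
check_listed_md5s() {
    list="$1"; dir="$2"; status=0
    while read -r want name; do
        [ -n "$want" ] || continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        got=$(md5_of "$f")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)"; status=1
        fi
    done < "$list"
    return $status
}

# Report files in the release directory that the signed list never mentions.
# Returns 1 if any exist: an unlisted .js file is exactly what an audit should notice.
report_unlisted() {
    list="$1"; dir="$2"; extra=0
    for f in "$dir"/*; do
        name=${f##*/}
        if ! awk '{print $2}' "$list" | grep -qx "$name"; then
            echo "UNLISTED $name"; extra=1
        fi
    done
    return $extra
}

# Typical use (placeholder paths):
#   extract_signed_body release-md5sums.txt.asc /tmp/md5sums.txt
#   check_listed_md5s /tmp/md5sums.txt ./BitSigner
#   report_unlisted   /tmp/md5sums.txt ./BitSigner
```

The trust here comes entirely from the PGP signature and from having obtained the signer's key out of band; md5 is used only because that is what the post says the release page publishes, and it merely identifies the files once the signature has been checked.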


Comments


[5 Points] anon3824291221:

I'm going to say having users use an offline tool supplied by the market is setting the bar higher than multisig already puts it, no less in a language that is infamous for fucking over the anonymity of Tor users. Their multisig is going to have to work with already trusted tools, so Electrum, or a plugin for Electrum, like how tmp did it. The user shulginscat just made one for BB's multisig; maybe it will work for this site too?

https://www.reddit.com/r/DarkNetMarkets/comments/318fo3/announcement_blackbank_multisig_plugin_for/


[3 Points] RosyPalm:

Hmmm... Let's see how they do against the Rosy audit..

Javascript

Failed

Honestly, the only reason LE hasn't busted anyone with a JavaScript exploit recently is because everyone stopped using it two years ago.

If your OPSec relies on, "maybe LE forgot how totally and completely they defeated TOR in the past with JS exploits," you're doing it wrong.


[1 Points] basshead555:

Why would you ever use a Web-based language for an offline app? For an app like this use at least C++ to at least do the cryptography correctly. I also don't like the Google spi cough api. They're notorious at being sneaky as shit with their tech.


[1 Points] alexander_bachington:

IME, JavaScript can never be audited, because they can't guarantee that it will not change over time. The JavaScript has to be downloaded, and the server can serve a different version of this JavaScript code whenever the owner of the server decides it or whenever the server is hacked/seized by LE.


[1 Points] shannoncode:

I'm also auditing this, for the purpose of making a new wallet. A few things bother me. One is the connection needed to get UTXO from the author to coinb.in. If you notice, there is a key and a random int generated. I don't feel comfortable giving a fingerprint of my entropy to anyone, especially when this is the only thing being used to generate my wallet addresses.

Also all the weirdness around generating the seed for the main wallet address is unnecessarily complicated looking. I say looking because it's all pointless. With my entropy and the hard coded derivation scheme, I'm pretty sure someone could generate the same keys I do.


[1 Points] shannoncode:

Here, every time a user performs a balance lookup they give a snapshot of their PRNG state to the coinb.in site: https://github.com/ProbableFire/BitSigner/blob/master/js/coin.js#L194

Seems like they could generate addresses based on this entropy.