BlockBit is currently in active development. We provide security updates for:

| Version | Supported |
|---|---|
| main branch | ✅ Yes |
| v1.0.x | ✅ Yes (current) |
| < 1.0 | ❌ No (beta/pre-release) |

We recommend always running the latest version from the main branch or the most recent release.
BlockBit adds mining pool functionality to Bitcoin Core. Security-critical components include:

- Stratum Server (Network-Facing)
  - V1 protocol handler (`src/stratum/stratumserver.cpp`)
  - V2 protocol handler (`src/stratum/sv2_server.cpp`)
  - Connection management and authentication
  - Buffer overflow protections
- Share Validation
  - Share difficulty validation
  - Block submission logic
  - Duplicate detection
  - DoS attack prevention
- Cryptographic Components
  - Stratum V2 Noise protocol handshake
  - V2 pool key management
  - TLS transport encryption
  - ChaCha20Poly1305 AEAD
- Coinbase Construction
  - Payment address validation
  - Pool fee calculations
  - Coinbase transaction building
  - Reward distribution correctness
- RPC Interface
  - Pool control commands
  - Worker management
  - Configuration updates
  - Authentication and authorization
- Bitcoin Core Base
  - All standard Bitcoin Core security considerations
  - Consensus rules
  - P2P network
  - Wallet security
The following are generally not considered security issues:
- Configuration errors by pool operators
- Miner software bugs (unless exploitable by BlockBit)
- DoS attacks solvable by rate limiting / firewall rules
- GUI cosmetic issues (unless they lead to security-relevant confusion)
- Documentation errors (unless they cause insecure configurations)
Please DO NOT file public issues for security vulnerabilities.
To report a security issue, email: blockbitofficial@blockbit.stream
Include:
- Description - What is the vulnerability?
- Impact - What can an attacker do?
- Reproduction - Step-by-step how to trigger it
- Affected Versions - Which versions are vulnerable?
- Suggested Fix (optional) - How to fix it
Response timeline:

- Initial Response: Within 48 hours
- Triage: Within 1 week
- Fix Timeline: Varies by severity (see below)

| Severity | Impact | Fix Timeline |
|---|---|---|
| Critical | Network-facing RCE, consensus failure, fund theft | 1-7 days |
| High | DoS, authentication bypass, info leak (keys/addresses) | 1-2 weeks |
| Medium | Local privilege escalation, worker DoS | 2-4 weeks |
| Low | Minor info leak, low-impact bugs | Next release |
Disclosure process:

- Report received - We acknowledge your report
- Triage - We verify and assess severity
- Fix development - We develop and test a patch
- Coordinated disclosure - We coordinate release timing with you
- Public disclosure - Patch released, advisory published
- Credit - You're credited in release notes (if desired)
For encrypted communication, you may use PGP. Contact us first to exchange keys.
As a pool operator, you are responsible for:

- Securing the Server
  - Keep OS and dependencies updated
  - Use firewall rules to restrict access
  - Enable fail2ban or similar for IP banning
  - Use strong passwords for RPC authentication
- Network Configuration
  - Don't expose the RPC interface publicly
  - Use TLS or Stratum V2 for encrypted mining
  - Consider a Tor hidden service for privacy
  - Isolate the mining network from the wallet/node
- Key Management
  - Back up V2 pool keys securely
  - Rotate keys periodically
  - Use hardware security modules (HSM) for hot wallets if applicable
- Monitoring
  - Watch for unusual worker behavior
  - Monitor system resources (CPU, RAM, bandwidth)
  - Set up alerts for blocks found and errors
  - Review share logs for anomalies
- Updates
  - Subscribe to BlockBit security advisories (GitHub watch releases)
  - Test updates on testnet/regtest first
  - Plan maintenance windows for upgrades
If you're connecting to a BlockBit pool:

- Verify Pool Identity
  - For V2: Check the pool key fingerprint
  - For V1: Use HTTPS/TLS when available
  - Verify the payout address is yours
- Secure Credentials
  - Use unique worker names
  - Don't reuse Bitcoin addresses across pools
  - Monitor your payouts
- Report Suspicious Activity
  - Unexpected difficulty changes
  - Share rejections without cause
  - Missing payouts
Minimum Security:

```sh
blockbitd -stratum \
  -stratumbind=0.0.0.0:3333 \
  -stratummaxconnectionsperip=10 \
  -stratumauthtimeout=60
```

High Security (Production):

```sh
blockbitd -stratum \
  -stratumv2 \
  -stratumv2bind=0.0.0.0:3336 \
  -stratumtls \
  -stratumtlsbind=0.0.0.0:3334 \
  -stratumredactlogs \
  -stratummaxconnectionsperip=5 \
  -stratumauthtimeout=30 \
  -stratummaxworkers=500 \
  -rpcallowip=127.0.0.1 \
  -rpcbind=127.0.0.1
```

```sh
# Firewall
sudo ufw default deny incoming
sudo ufw allow 3333/tcp   # Stratum V1
sudo ufw allow 3336/tcp   # Stratum V2
# sudo ufw allow 3334/tcp # Stratum V1 over TLS, only if -stratumtls/-stratumtlsbind is enabled
sudo ufw allow 8333/tcp   # Bitcoin P2P
sudo ufw enable
```

Fail2ban (example) - add a BlockBit jail to `/etc/fail2ban/jail.local`:

```ini
[blockbit]
enabled = true
port = 3333,3336
filter = blockbit
logpath = /home/blockbit/.blockbit/debug.log
maxretry = 5
bantime = 3600
```

Process isolation - run as a dedicated user (not root):

```sh
sudo useradd -r -m -d /home/blockbit blockbit
sudo -u blockbit blockbitd
```

Ongoing checks:

- Review logs for suspicious activity
- Check the worker list for unknown connections
- Monitor hashrate for sudden drops (network issues?)
- Verify block rewards are correct
- Audit coinbase transactions on a blockchain explorer
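The two configurations above differ only in a handful of flags, so it is easy to bring a pool up with the minimum one and forget to tighten it before exposing it. The following POSIX shell script is an added example, not BlockBit project code: it lints a blockbitd argument string for the hardening settings shown above (loopback-only RPC binding and allow-list, an encrypted Stratum transport, log redaction, per-IP connection and auth-timeout caps, a worker cap) and prints one warning per weak or missing setting. The flag names are the ones on this page; the thresholds of 5 connections per IP and a 30-second auth timeout are taken from the production example and are this script's assumptions, not documented project defaults, and the script makes no claim about what blockbitd does when a flag is omitted.

```sh
#!/bin/sh
# Added example, not BlockBit project code: lint a blockbitd command line for the
# hardening flags shown in the configurations above. Flag names are the ones on
# this page; the thresholds (5 connections per IP, 30 s auth timeout) come from the
# "High Security" example and are assumptions, not documented project defaults.

# Print the value of a -name=value flag from an argument string (empty if absent).
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-$2=//p" | head -n 1
}

# Succeed if a bare switch such as -stratumtls is present.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "-$2"
}

# Succeed only for exact loopback forms (CIDR ranges are deliberately not accepted).
is_loopback() {
    case "$1" in
        127.0.0.1|127.0.0.1:*|::1|\[::1\]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one argument string; prints one "WARN: ..." line per weak or missing setting.
audit_cmdline() {
    args="$1"

    v=$(flag_value "$args" rpcbind)
    is_loopback "$v" || echo "WARN: -rpcbind is '${v:-unset}'; pin the RPC listener to 127.0.0.1"

    v=$(flag_value "$args" rpcallowip)
    is_loopback "$v" || echo "WARN: -rpcallowip is '${v:-unset}'; allow RPC only from 127.0.0.1"

    has_flag "$args" stratumv2 || has_flag "$args" stratumtls \
        || echo "WARN: neither -stratumv2 nor -stratumtls; miner traffic is unencrypted"

    has_flag "$args" stratumredactlogs \
        || echo "WARN: -stratumredactlogs missing; worker details may be written to debug.log"

    n=$(flag_value "$args" stratummaxconnectionsperip)
    [ -n "$n" ] && [ "$n" -le 5 ] \
        || echo "WARN: -stratummaxconnectionsperip is '${n:-unset}'; cap it at 5"

    n=$(flag_value "$args" stratumauthtimeout)
    [ -n "$n" ] && [ "$n" -le 30 ] \
        || echo "WARN: -stratumauthtimeout is '${n:-unset}'; drop unauthenticated peers within 30 s"

    n=$(flag_value "$args" stratummaxworkers)
    [ -n "$n" ] || echo "WARN: -stratummaxworkers unset; no upper bound on concurrent workers"
}

# Number of warnings for an argument string (0 when the command line passes).
audit_count() {
    audit_cmdline "$1" | grep -c 'WARN' || true
}

# Constructed inputs: the two command lines from the configurations above, one string each.
MIN_ARGS="-stratum -stratumbind=0.0.0.0:3333 -stratummaxconnectionsperip=10 -stratumauthtimeout=60"
PROD_ARGS="-stratum -stratumv2 -stratumv2bind=0.0.0.0:3336 -stratumtls -stratumtlsbind=0.0.0.0:3334 \
-stratumredactlogs -stratummaxconnectionsperip=5 -stratumauthtimeout=30 -stratummaxworkers=500 \
-rpcallowip=127.0.0.1 -rpcbind=127.0.0.1"

echo "== minimum configuration: $(audit_count "$MIN_ARGS") warning(s) =="
audit_cmdline "$MIN_ARGS"
echo "== production configuration: $(audit_count "$PROD_ARGS") warning(s) =="
audit_cmdline "$PROD_ARGS"
```

Run it with the same argument string you intend to pass to blockbitd before starting the daemon: the production configuration passes cleanly, while the minimum one produces seven warnings (no loopback RPC binding or allow-list, no encrypted transport, no log redaction, a per-IP cap and auth timeout above the production values, and no worker cap). `is_loopback` intentionally rejects CIDR forms such as `127.0.0.0/8`, so an operator who wants a wider allow-list has to make that decision explicitly rather than have the lint wave it through.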
To help identify security issues, here are example vulnerabilities:
Critical:
- Remote code execution via malformed Stratum message
- Consensus failure due to invalid block construction
- Private key leak from V2 handshake
High:
- Authentication bypass allowing unauthorized RPC access
- Buffer overflow in share validation DoSing the pool
- SQL injection in share logging (if database backend added)
Medium:
- XML external entity attack in config file parsing
- Race condition causing double-payment of rewards
- Integer overflow in hashrate calculation
Low:
- Information disclosure of worker IP addresses despite redaction
- Timing attack revealing valid vs invalid addresses
- Memory leak under high worker churn
Security advisories will be published:
- GitHub Security Advisories: https://github.com/BlockBitOfficial/BlockBit/security/advisories
- Release Notes: Notable fixes mentioned in each release
Subscribe to releases on GitHub to receive notifications.
BlockBit inherits security considerations from:
- Bitcoin Core - See Bitcoin Core Security
- Qt Framework - Keep Qt libraries updated
- Boost - Update Boost to latest stable
- OpenSSL / libevent - System libraries for crypto/networking
Keep all dependencies updated to receive security patches.
We do not currently offer a formal bug bounty program, but we deeply appreciate security researchers' efforts. Significant vulnerabilities may be rewarded at maintainers' discretion.
Known vulnerabilities:

(None yet - project is new)

As issues are discovered and fixed, they will be listed here with:
- CVE identifier (if applicable)
- Affected versions
- Severity
- Fix commit/release
Security resources:

- Bitcoin Core Security: https://bitcoincore.org/en/security-advisories/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE (Common Weakness Enumeration): https://cwe.mitre.org/
We thank the security researchers and community members who help keep BlockBit secure. Contributors will be credited in release notes (with permission).
Thank you for helping keep BlockBit and its users safe! 🔒