The developer known in the Bitcoin community as b10c published research on May 27th that expands the tools available to users to verify the authenticity of software installed on their nodes.
As b10c documents on his personal blog, he compiled the main Bitcoin Core v31.0 program using Nix, a software build tool independent of the project's official process. The result was byte-for-byte identical to the release binaries built by the Bitcoin Core project.
Until this result, the only way to ensure that the official software had not been modified was to reproduce the compilation process using Guix, the same tool used by the Bitcoin Core team. As b10c describes it, this meant that user trust rested on a single toolchain. Silent software attacks are now technically much harder to carry out undetected, because two completely independent build systems reach exactly the same result.
Silent attacks can be carried out in a variety of ways; the case at issue here is an attack on the software supply chain. Before the software reaches the end user, it is intercepted and modified without the end user noticing. In this scenario, the attacker compromises a code repository, a third-party software dependency, or the compiler itself (the tool that transforms the code). If the compiler used for official Bitcoin Core releases is compromised, the official build process itself produces malicious binaries. Because the origin was compromised, the official team ends up digitally signing them without knowing they are infected.
These types of security breaches can lead to complete loss of funds for anyone operating a node or wallet with compromised software. b10c's work directly addresses the most important link: the Bitcoin client itself as a risk vector.
b10c is an independent developer who regularly contributes technical research to the Bitcoin ecosystem. His work is closely followed by the community for the rigor of its methodology and its focus on the security of the protocol. According to the developer himself, the project took three years to complete.
Guix and Nix: two kitchens that cook the same food
To understand this result, it’s worth explaining what these tools are. When developers create a program like Bitcoin Core, they create source code (instructions) and “compile” it into an executable file that users download and install. That conversion process is performed by the build tool. In other words, it converts instructions from human language to machine language.
Guix is the tool officially used by the Bitcoin Core team to create release binaries. Nix is another independently developed tool, with its own architecture and way of working. Both producing exactly the same result from the same code is like two chefs in separate kitchens following the same recipe with different ingredients and serving the same dish down to the last gram.
What matters is whether someone tampered with the software at any point in the process, whether in the code, the build tools, or the distribution server. Had that happened, the two results would not match. Their exact agreement is itself evidence that no one intervened.
Verification that never existed
The mechanism that makes this progress possible is called reproducible builds: if two people compile the same source code with different tools and get exactly the same result, it is virtually impossible for one of them to introduce a malicious change without the other detecting it. b10c says of this result that Nix is the first tool external to the project that can independently verify the binaries built by the Bitcoin Core team.
However, b10c notes that this accomplishment is a personal one; it is not yet part of the official standard adopted by Bitcoin Core. The project does not have an established process for incorporating multiple validation tools, so mutual validation between Guix and Nix currently relies on voluntary efforts like his.
The developer concludes that the next natural step is to build a model in which trust in Bitcoin software relies on multiple independent verifications that confirm each other, rather than on a single toolchain. This principle is already standard in other areas of computer security, he said.
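The check that both the kitchen analogy above and the reproducible-builds paragraph describe boils down to comparing the digests of two independently built sets of artifacts. The following is an added illustration, not code from b10c's post or from the Bitcoin Core project: it writes a manifest in the two-space `sha256sum` format (the same layout Bitcoin Core uses for its SHA256SUMS file), then verifies a second build against it and reports which artifacts match byte-for-byte, which differ, and which are missing. The artifact names and contents are constructed for the demo, and the second build has one artifact deliberately altered so the mismatch path is exercised.

```python
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Line format produced by `sha256sum`: 64 hex digits, two spaces, file name.
_SUMS_LINE = re.compile(r"^([0-9a-f]{64})  (\S.*)$")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large release tarballs are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sums(build_dir: Path) -> str:
    """Produce a SHA256SUMS-style manifest for every artifact in one build's output directory."""
    lines = [f"{sha256_file(p)}  {p.name}" for p in sorted(build_dir.iterdir()) if p.is_file()]
    return "\n".join(lines) + "\n"


def parse_sums(text: str) -> dict[str, str]:
    """Parse a SHA256SUMS manifest, rejecting malformed or duplicate entries."""
    sums: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        digest, name = m.groups()
        if name in sums:
            raise ValueError(f"duplicate entry for {name}")
        sums[name] = digest
    return sums


def compare_builds(manifest: str, other_build: Path) -> dict[str, list[str]]:
    """Check the artifacts of one build against the manifest of an independent build.

    Returns the names that match byte-for-byte, those whose digest differs, and those
    listed in the manifest but absent from the other build.
    """
    expected = parse_sums(manifest)
    result: dict[str, list[str]] = {"match": [], "mismatch": [], "missing": []}
    present = {p.name: p for p in other_build.iterdir() if p.is_file()}
    for name, digest in expected.items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_file(present[name]) == digest:
            result["match"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: the same release built twice (say, with Guix and with Nix),
    with one artifact silently altered in the second build."""
    # Constructed artifact names and contents; not real release files.
    artifacts = {
        "bitcoin-31.0-linux-x86_64.tar.gz": b"constructed release tarball bytes",
        "bitcoin-31.0-linux-aarch64.tar.gz": b"constructed release tarball bytes (arm64)",
    }
    with TemporaryDirectory() as tmp:
        guix_build = Path(tmp) / "guix"
        nix_build = Path(tmp) / "nix"
        for d in (guix_build, nix_build):
            d.mkdir()
            for name, data in artifacts.items():
                (d / name).write_bytes(data)
        # Simulate tampering: append a single byte to one artifact of the second build.
        tampered = nix_build / "bitcoin-31.0-linux-aarch64.tar.gz"
        tampered.write_bytes(artifacts[tampered.name] + b"\x00")
        manifest = write_sums(guix_build)
        return compare_builds(manifest, nix_build)


if __name__ == "__main__":
    print(demo())
```

The point of the mismatch list is that a one-byte difference in any artifact is enough to flag the whole release for investigation; that is what "byte-for-byte identical" means in practice. Against a real release, the manifest would be the project's published SHA256SUMS file (checked with `sha256sum --check` after verifying its signature) rather than one generated locally.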

