Risk to user Bitcoin ‘unlikely’ after Tesla spots bugs in BTCPay code

Tesla has helped identify a string of vulnerabilities in open-source Bitcoin software BTCPay Server, with users now advised to update their clients as soon as possible.

BTCPay Server recently thanked Tesla’s software security crew for helping patch the bug, which had affected every version of the software to date.

We also want to thank Qaiser Abbas, an independent web-security researcher, for an additional responsible vulnerability disclosure that was handled in this release. 💚

— BTCPay Server (@BtcpayServer) March 30, 2021

Bitcoin Core and dev project founder Nicolas Dorier told Protos that Tesla’s team found the flaws after running an audit on the software.

Dorier said Tesla found several high to low impact vulnerabilities but “funds are unlikely to be at risk, as there are many conditions to satisfy to be effectively at risk.”

BTCPay Server allows users to operate their own server for processing Bitcoin payments, offering a relatively trustless point-of-sale experience for merchants compared to proprietary processors like BitPay.

Dorier explained the high impact vulnerabilities mostly applied to those who open their servers to other BTCPay users (shared instances), rather than those running private instances.

“I think most people use private instances, though I can’t say for sure as we don’t track,” said Dorier.

Do the BTCPay Server bugs affect you?

If you:

• Ran a past version of BTCPay Server using the Docker app.
• Allowed others to register and use your instance.
• Then you should hurry up and update the software.

While all this suggests Tesla might be using — or looking to use — BTCPay to handle Bitcoin payments, the team noted it doesn’t know for sure whether the electric vehicle giant is really using the software just yet.

Reminder, we don't know if @Tesla is actually using BTCPay Server. They just audited the code, and decided to use a "transactionNumber" as 16 bytes encoded in base58 like us!

Keep pressure #BTCPayArmy https://t.co/hv6cJvdpZe

— BTCPay Server (@BtcpayServer) March 31, 2021

In any case, Tesla helping to patch open source Bitcoin platforms does speak to the company’s enthusiasm for the cryptocurrency.

Chief exec Elon Musk announced last week the company accepts Bitcoin for cars and won’t convert any to fiat.

Tesla also bought $1.5 billion worth of Bitcoin earlier this year — now worth $2.58 billion according to Bitcoin Treasuries.

[Read more: Public stocks like Tesla and Square gain $5B on their Bitcoin]

But what did Tesla spot in BTCPay’s code? Unfortunately, for security reasons those details aren’t yet disclosed.

“I can’t say more for now, we will reveal more about the issues in two or three weeks — the time [it takes for] people to update,” said Dorier.