A previously undisclosed vulnerability in the Bitcoin Core software could have allowed attackers to steal funds, delay settlements or split the largest blockchain network into conflicting versions had it not been quietly patched two years ago.
That's according to a paper published Wednesday by Braydon Fuller, a protocol engineer at crypto shopping site Purse, who caught the denial-of-service vulnerability in June 2018, and Javed Khan, a core developer of the Handshake protocol.
The vulnerability was given a severity level of 7.8 on a scale of 1 to 10, which is deemed high (9 or above is considered critical). It was caused by remote nodes failing to clear invalid transactions from their memory, Khan told CoinDesk.
The inability to clear those transactions could lead to an aggressor flooding a victim node with stale data in what is referred to as uncontrolled resource consumption, eventually causing the node to shut down, the paper states.
Layer 2 (L2) solutions such as the Lightning Network, the experimental payment system built on top of the Bitcoin blockchain, were at risk due to the vulnerability. Bitcoin full nodes were not at risk of losing funds.
"There was no mechanism to make sure that the pending details of a transaction are valid or not. In certain cases you could fill up the remote memory with invalid transactions," Khan said.
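A simplified model of the failure class described above, added here as an illustration and not taken from Bitcoin Core or the paper: a node keeps per-peer state for announced transactions it has not yet validated, and bounds that state with a cap, an expiry and cleanup on resolve or disconnect. The class name, the limits and the flood scenario are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <deque>
#include <string>
#include <unordered_map>

// Simplified model (hypothetical names/limits), not Bitcoin Core code.
class PendingTracker {
    struct Entry { std::string txid; std::uint64_t expires; };
    std::unordered_map<int, std::deque<Entry>> pending_;  // peer id -> queue
    std::size_t cap_;
    std::uint64_t ttl_;
public:
    PendingTracker(std::size_t per_peer_cap, std::uint64_t ttl_secs)
        : cap_(per_peer_cap), ttl_(ttl_secs) {}
    // Record an unvalidated announcement; false means the peer hit its cap.
    bool Announce(int peer, const std::string& txid, std::uint64_t now) {
        auto& q = pending_[peer];
        // Entries queue in arrival order, so stale ones are at the front.
        while (!q.empty() && q.front().expires <= now) q.pop_front();
        if (q.size() >= cap_) return false;  // refuse rather than grow
        q.push_back(Entry{txid, now + ttl_});
        return true;
    }
    // Clear the entry once the transaction is accepted or found invalid.
    void Resolve(int peer, const std::string& txid) {
        auto it = pending_.find(peer);
        if (it == pending_.end()) return;
        auto& q = it->second;
        q.erase(std::remove_if(q.begin(), q.end(),
            [&](const Entry& e) { return e.txid == txid; }), q.end());
    }
    // Release all state for a peer that disconnects.
    void Disconnect(int peer) { pending_.erase(peer); }
    std::size_t Total() const {
        std::size_t n = 0;
        for (const auto& kv : pending_) n += kv.second.size();
        return n;
    }
};

// Constructed scenario: one peer floods `count` ids at t=0; returns entries held.
std::size_t FloodAndCount(std::size_t count, std::size_t cap) {
    PendingTracker t(cap, 120);
    for (std::size_t i = 0; i < count; ++i) t.Announce(7, "tx" + std::to_string(i), 0);
    return t.Total();
}

int main() { return FloodAndCount(100000, 100) == 100 ? 0 : 1; }
```

Without the cap and expiry, the same flood would leave one entry per announcement in memory for as long as the peer stays connected.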
No attempt to take advantage of the hole was found in the wild, Khan and Fuller wrote. The vulnerability could not be disclosed publicly for over two years as node operators took longer than expected to update, Fuller said.
While the vulnerability was fixed, its disclosure highlights the difficulties of building a global money standard on programming languages created by humans, not to mention the high technical barriers to engaging in development of the top cryptocurrency.
The vulnerability was introduced to Bitcoin Core in November 2017. Some 50% of Bitcoin nodes at the time were exposed to the attack vector, according to the paper. Earlier versions of Bitcoin Core were not affected.
Khan said the vulnerability could have enabled an attacker to steal funds from nodes that had open channels on Lightning.
Bitcoin Core versions 0.16.0 and 0.16.1 were affected and patched by developer Matt Corallo following Fuller's disclosure to the core team in July 2018. Corallo did not answer questions seeking comment by press time.
The discovery by Fuller (who has also worked as lead developer at decentralized cloud storage protocol Storj) was followed by another Bitcoin bug addressed two months later in Bitcoin Core 0.16.3. Also a vector for a denial-of-service attack, one aspect of that bug allowed miners to inflate the supply of bitcoin as they could double-spend certain values, the Bitcoin Core team wrote at the time.
The emergency patch issued in that Bitcoin Core version addressed Fuller's bug as well, Khan and Fuller wrote.
A spot was reserved for the resource consumption vulnerability on the National Institute of Standards and Technology's Common Vulnerabilities and Exposures (CVE) registry as CVE-2018-17145 in 2018, but it has yet to be filled out. The registry acts as a public glossary for software bugs of note.
Bitcoin Core is the reference implementation, or standard version of the network software from which others are derived. According to the paper, the exploit was also possible on several other implementations of Bitcoin and its offshoots:
All of these implementations have been patched.
UPDATE (Sept. 10, 15:45 UTC): Since publication, this article has been updated to include a link to the paper and additional information about one of its co-authors and about the vulnerability it described.
See the original post:
'High' Severity Bug in Bitcoin Software Revealed 2 Years After Fix - CoinDesk - Coindesk