Bitcoin Cash, Bitcoin Unlimited Contributor Disclosed Bitcoin Core Bug
The Bitcoin ecosystem was rocked this week after a bug in the Bitcoin Core implementation was found to be able facilitate node crashes and monetary inflation. Fortunately, patches have since been released for Core and some derivative cryptocurrencies. Now, the discloser of the node crash element of the bug has revealed themselves as the pseudonymous Awemany, a contributor in the Bitcoin Cash and Bitcoin Unlimited communities.
Subscribe to the Bitsonline YouTube channel for great videos featuring industry insiders & experts
Awemany: While I Have You Here …
On September 18th, the Bitcoin Core team released CVE-2018-17144 bugfixes in v0.16.3 of their Bitcoin (BTC) end-user implementation. The patches came upon a tip-off from what Core contributor Andrew Chow called at the time “a third party.”
Three days later, that third party came forward as Awemany, a contributor to Bitcoin Unlimited, another Bitcoin implementation, and Bitcoin Cash, or BCH, which was forked off from BTC in 2017.
The pseudonymous developer detailed their experiences in disclosing the bug and wider criticisms of the Core team in a new blog post entitled “600 Microseconds,” a reference to the amount of time that the bug’s originating code was designed to shave off from block validation in the OG cryptocurrency.
First, What Was at Stake?
CVE-2018-17144, hailed by Awemany and other industry thought leaders as among the most critical bugs in Bitcoin’s history, could’ve seen rogue miners spiking connected nodes by including double-spend transactions that relied on several simultaneous, identical inputs.
This was the part of the vulnerability Awemany initially reported.
In turn, it was quickly discovered that dynamic could’ve created malicious inflation on the Bitcoin network, insofar as a block validated after a block structured as described above would essentially create BTC out of thin air, e.g. a miner could then spend a given sum of bitcoin two times.
Accordingly, while the vulnerability doesn’t appear to have been exploited to date, CVE-2018-17144 could have “threatened the legitimacy not only of BTC, but of cryptocurrency in general,” Bitcoin Unlimited Chief Scientist Peter Rizun said upon Awemany taking responsibility for the bug’s initial disclosure.
Congratulations to awemany for making this important discovery and helping Core fix their software. Fake coins being mined into the blockchain would have threatened the legitimacy not only of BTC, but of cryptrocurrency in general.
— Peter R. Rizun (@PeterRizun) September 21, 2018
Awemany has since addressed skepticism around their identity in a new Reddit post.
Strong Words in the Aftermath
Before getting into how they discovered the bug, Awemany began their “600 Microseconds” with choice words for the Core team.
“Here we have an optimization that talks about avoiding ‘duplicate’ validation like validation is nothing to worry about, an afterthought in Bitcoin almost,” the developer wrote near the start of their post.
Awemany went on the criticize the “rubber-stamp-like manner” in which the code in question was approved. They ultimately contributed that dynamic to what they characterized as technical arrogance among members of the Core team. However, Awemany said the possibility the bug was intentionally embedded had crossed their mind, though the probability seemed remote:
“Because what is better to destroy the value of Bitcoin in the public’s eye than a silent inflation bug? What is better than creating code paths that look harmless for themselves but combined with some other, seemingly harmless rework in other areas of the code, result in utter catastrophe?
And it looks like CVE-2018–17144 would eventually have become exactly this. The only thing that saved Core is their effective client diversity between revisions and someone actually noticing that there is a problem. After two years of this bug sitting around idle and exploitable. Client diversity that has been much criticized on the Bitcoin Cash side of things, but it obviously shows its advantages now.”
Awemany also went on to lambast the Core team for disclosing the vulnerability publicly before other projects affected by the bug, like Bitcoin Cash, had adequate time to respond themselves. Awemany raised the possibility that the Core members distrusted how the exploit apparently came from someone sympathetic to BCH and BU, so they moved quickly lest a possible adversary take zero-day advantage. On the other side, Core’s Matt Corallo wrote in GitHub that they “didn’t want to wait much past EST business hours to get people patched so ran out of time.”
The discloser also applauded Bitcoin ABC and their lead developer Amaury Sechet for “Bury[ing] the fix in … unrelated refactoring code so as to fix it but also to buy some more time for an upgrade.”
On the Find
Awemany initially found that Bitcoin ABC’s implementation wasn’t checking for “duplicate inputs when processing a block,” and then quickly realized the vulnerability had originated from Core.
The developer compiled a disclosure report and and discreetly sent it to prominent bitcoiners like Core’s Wladimir J. van der Laan. That’s when work began on a fix on the BTC side of the ball.
Days later, with stakeholders having started implementing Core’s v0.16.3 update, crisis has seemingly been averted for now, but the episode has already notched its place firmly in Bitcoin’s history. Moreover, it appears Core versions before v0.14 would’ve rejected invalid CVE-2018-17144 blocks, so there’s something to be said about having older nodes on the network.
‘Do Unto Others’ Strikes Again, For the Good of All Sides
The animosity between the more passionate parties in the BTC vs. BCH divide is nothing short of fiery, but for all the resulting sparks the cryptoverse has seen from said schism, Awemany’s disclosure now reciprocates the good deed of Core’s Cory Fields, who reported a critical mining vulnerability in Bitcoin ABC in August 2018.
What are the wider takeaways here, then?
As Awemany suggested in his piece, more work needs to be done in many crypto projects where rooting out potentially critical bugs are concerned. There’s always the possibility that more CVE-2018-17144s are lurking out there in the ecosystem, dormant for now but maybe doomful in the future.
Another enlightening suggestion came as Awemany echoed one of Cory Fields’s remarks in his own ABC disclosure, namely that it was difficult to quickly and securely establish contact with leaders in the opposing community:
“I also agree in general with Cory Fields from Core that it is not very easy to find the necessary disclosure addresses and information. He’s right about the lack of easily accessible GPG keys both on the BCH as well as — I like to add- on the BTC side of things. I didn’t find a non-retracted key of Pieter Wuille in time.”
With that said, and with all the bad blood not even needing to be discarded, perhaps it’s time for a parley wherein BTC’s and BCH’s lead developers exchange GPG keys in the case of crises. It would be a decent and reasonable bit of progress for the good of crypto adoption in general.
What’s your take on CVE-2018-17144? Let us know where you stand in the comments section below.
Images via Pixabay