Bitcoin Core Bug Found, Patched - Could've Been Exploited by 'Rogue Miners'

An alleged tip-off led Bitcoin Core contributors to discover a bug that a rogue miner could have used, at considerable expense, to crash swathes of nodes. A patch was tested throughout the day, culminating in the release of a fix in Bitcoin Core v0.16.3 on Sept. 18.

The Name’s CVE-2018-1744 …

A freshly discovered vulnerability in recent versions of the Bitcoin Core client has been patched via bugfixes in the new Bitcoin Core v0.16.3 software release.

The vulnerability, dubbed CVE-2018-1744, could have let rogue miners with considerable hashrate burn a block's 12.5 bitcoin reward by using duplicate transaction inputs to crash the nodes connected to their clients.

The originating code appears to have been implemented in 2016. The Bitcoin Unlimited and Bitcoin XT clients are unaffected by the bug, each having gone its own way before the window in which it could have inherited that code. Bitcoin Cash's Bitcoin ABC client apparently did inherit the flaw, though a mitigation is likewise already available.

Before the patch’s release, duplicate inputs could’ve been used for destructive effect.
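To make "duplicate transaction inputs" concrete, the sketch below is an added example, not Bitcoin Core's code or its patch. It parses the inputs of a serialized transaction and reports any outpoint (previous txid plus output index) spent more than once, which is the condition a validating node has to reject. The function names and the sample transactions are constructed for illustration.

```python
import struct
from collections import Counter

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def outpoints(raw):
    """Return the (txid_hex, vout) outpoint spent by each input of a raw tx."""
    pos = 4                                    # skip the 4-byte version
    if raw[pos] == 0 and raw[pos + 1] != 0:    # segwit marker and flag bytes
        pos += 2
    count, pos = read_varint(raw, pos)
    spent = []
    for _ in range(count):
        if pos + 36 > len(raw):
            raise ValueError("truncated transaction input")
        txid = raw[pos:pos + 32][::-1].hex()   # txids are displayed byte-reversed
        vout = int.from_bytes(raw[pos + 32:pos + 36], "little")
        script_len, pos = read_varint(raw, pos + 36)
        pos += script_len + 4                  # skip scriptSig and sequence
        spent.append((txid, vout))
    return spent

def duplicate_inputs(raw):
    """Outpoints referenced by more than one input; empty list if none."""
    counts = Counter(outpoints(raw))
    return [op for op, n in counts.items() if n > 1]

def build_tx(inputs):
    """Serialize a constructed sample tx: empty scriptSigs, no outputs."""
    body = struct.pack("<I", 1) + bytes([len(inputs)])
    for txid, vout in inputs:
        body += bytes.fromhex(txid)[::-1] + struct.pack("<I", vout)
        body += b"\x00" + b"\xff" * 4          # empty scriptSig, final sequence
    return body + b"\x00" + struct.pack("<I", 0)

# Constructed sample data (not real transactions).
TX_A, TX_B = "aa" * 32, "bb" * 32
CLEAN = build_tx([(TX_A, 0), (TX_A, 1), (TX_B, 0)])   # same txid, different vout
DOUBLE = build_tx([(TX_A, 0), (TX_B, 1), (TX_A, 0)])  # same outpoint twice

if __name__ == "__main__":
    print("clean :", duplicate_inputs(CLEAN))
    print("double:", duplicate_inputs(DOUBLE))
```

Two inputs that share a txid but spend different output indexes are legitimate, which is why the check compares the full outpoint rather than the txid alone.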

As prolific Bitcoin developer Wladimir J. van der Laan noted in the new Core v0.16.3 release, users of the affected clients are advised to upgrade immediately:

“A denial-of-service vulnerability (CVE-2018-1744) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible.”

As for the source of the bug’s discovery, that remains undeclared for now. Core developer Andrew Chow said without clarification that the vulnerability was brought to light “by a third party.”

Peter Rizun: ‘One of the Most Serious Bugs Ever?’

Over bitcoin’s first decade of existence, there have been those, like Satoshi Nakamoto and Gregory Maxwell, who have called for the existence of a single Bitcoin software specification.

Reasonable folks can disagree on that point, but after the tackling of CVE-2018-1744, many defenders of Bitcoin client-multiplicity didn’t hesitate to chime in.

For one, Bitcoin Unlimited Chief Scientist Peter Rizun mused on the seriousness of the since-patched vulnerability, arguing for “multiple implementations” to Maxwell:

“Wow, isn’t this one of the most serious consensus bugs ever? It affects all BTC Core nodes and the only thing preventing unbound inflation is the fact that the nodes crash, taking down the entire BTC Core network instead.

Maybe multiple implementations isn’t such a bad idea after all, /u/nullc? [Editor’s note: Maxwell’s Reddit account] I think only ABC is affected for BCH.”

Bitcoin ABC’s Amaury Sechet disagreed with Rizun’s take on the severity of the bug, but did concede it was no trivial matter.

“No it wouldn’t crash the whole network, because crashing nodes do not propagate locks very well. Still pretty bad,” Sechet said.

Closer to Rizun’s position, longtime bitcoin miner Jonathan Toomin called it one of the “top three or four” bugs in Bitcoin history:

“Maybe top three or four. The overflow bug was clearly more serious than this, and I think the BDB/LevelDB lock fork from 0.7 to 0.8 was probably more serious too. Crashing on errors is generally safer than giving incorrect results on errors.”

Whatever the case, there’s solace in the fact that a patch has already been released. But the episode does highlight that, though bitcoin is already a viable alternative currency, it’s still very much a currency in progress.

As always, Bitsonline will continue to track this story as new developments arise.
