The developers have disclosed details of a vulnerability discovered two years ago in Bitcoin Core that allowed attackers to steal BTC, delay settlements, or split the network into conflicting versions.
The vulnerability was discovered in June 2018, according to an article published by Purse engineer Braydon Fuller and Javed Khan, the lead developer of the Handshake protocol. It was assigned a severity score of 7.8 on a scale of 1 to 10, which counts as “high” (9 or above is “critical”). According to Khan, the cause was that “remote nodes” were unable to remove invalid transactions from their memory.
Because these transactions were never deleted, an attacker could send a victim node a large volume of stale data, leading to “uncontrolled resource consumption” and eventually causing the node to stop working. Layer 2 solutions such as the Lightning Network were exposed to the vulnerability, but full Bitcoin nodes were not at risk of losing funds.
“There was no mechanism to verify the validity of the details of a pending transaction. In some cases, it was possible to fill remote memory with invalid transactions,” Khan said.
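The failure mode described above, as an added illustration that is not Bitcoin Core's code and not the actual patch: a store of announced, not-yet-validated transactions that never evicts invalid entries, beside a bounded version that validates on arrival, evicts failures and caps each peer's share. `is_valid_tx`, the class names and the flood sizes are constructed assumptions.

```python
from collections import OrderedDict


def is_valid_tx(raw: bytes) -> bool:
    """Stand-in validity check (assumption); real validation is far more involved."""
    return raw.startswith(b"tx:") and len(raw) <= 64


class UnboundedPendingPool:
    """Weak pattern: everything a peer announces is kept, valid or not."""
    def __init__(self):
        self.pending = {}

    def announce(self, peer: str, txid: str, raw: bytes) -> None:
        self.pending[txid] = (peer, raw)   # never removed: memory grows with the flood


class BoundedPendingPool:
    """Hardened pattern: reject invalid data, cap per-peer and total entries, evict oldest."""
    def __init__(self, max_total: int = 1000, max_per_peer: int = 100):
        self.max_total, self.max_per_peer = max_total, max_per_peer
        self.pending = OrderedDict()         # txid -> (peer, raw), insertion ordered
        self.per_peer = {}                   # peer -> number of entries it currently owns
        self.rejected = 0

    def announce(self, peer: str, txid: str, raw: bytes) -> bool:
        if not is_valid_tx(raw):             # never store what fails validation
            self.rejected += 1
            return False
        if self.per_peer.get(peer, 0) >= self.max_per_peer:
            self.rejected += 1               # one peer cannot fill the whole pool
            return False
        if len(self.pending) >= self.max_total:
            _, (old_peer, _) = self.pending.popitem(last=False)   # evict the oldest entry
            self.per_peer[old_peer] -= 1
        self.pending[txid] = (peer, raw)
        self.per_peer[peer] = self.per_peer.get(peer, 0) + 1
        return True


def simulate_flood(pool, peer: str = "peer-x", n: int = 5000) -> int:
    """Constructed flood: one peer announces n malformed transactions; returns pool size."""
    for i in range(n):
        pool.announce(peer, f"bad{i:05d}", b"junk" + bytes(70))
    return len(pool.pending)
```

Running `simulate_flood` against both pools shows the unbounded store holding every malformed entry while the bounded store holds none.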
The developers claim that no attempts have been found to exploit this vulnerability. Fuller said information about it was not disclosed for two years, as node operators took longer than expected to update. Although the vulnerability has been patched, its disclosure highlights the difficulties of building a global monetary standard in programming languages, not to mention the high technical barriers to participating in the development of a leading cryptocurrency.
The vulnerability was introduced into Bitcoin Core in November 2017. According to the document, about 50% of Bitcoin’s nodes were vulnerable to attack at the time, while earlier versions of Bitcoin Core were not affected. Khan noted that the vulnerability allowed attackers to steal funds from nodes that had open Lightning channels. Bitcoin Core versions 0.16.0 and 0.16.1 were affected; developer Matt Corallo patched them after Fuller reported the issue in July 2018.
Fuller, who was also the lead developer of the Storj decentralized cloud storage protocol, made his discovery shortly before another bug was found and fixed two months later in version 0.16.3. One aspect of that error allowed miners to “inflate the Bitcoin supply,” since they could spend a certain amount twice, as the Bitcoin Core team wrote at the time. The emergency patch released in that version of Bitcoin Core also fixed Fuller’s bug.
In 2018 an entry in the National Institute of Standards and Technology’s Common Vulnerabilities and Exposures (CVE) registry, CVE-2018-17145, was reserved for the resource consumption vulnerability, but it has not yet been populated with detailed information. CVE is a publicly available catalogue of notable software bugs. Bitcoin Core is the reference implementation, or standard version, of the network software. The vulnerability may also be present in several other implementations of Bitcoin software and its offshoots:
Bitcoin Knots v0.16.0
All Bcoin beta versions prior to v1.0.0-pre
All Btcd versions up to v0.20.1-beta
Litecoin Core v0.16.0
Namecoin Core v0.16.1
All Dcrd versions prior to v1.5.1.
All of these implementations have been patched to eliminate the vulnerability. As a reminder, an Electrum user recently lost 1,400 BTC after downloading an old wallet version that connected to malicious servers. That Electrum issue has been fixed in versions 3.3.4 and higher.