{"id":21360,"date":"2018-09-21T23:22:01","date_gmt":"2018-09-21T23:22:01","guid":{"rendered":"http:\/\/ci027cfe65901726c3"},"modified":"2018-09-21T23:22:01","modified_gmt":"2018-09-21T23:22:01","slug":"good-bad-and-ugly-details-one-bitcoins-nastiest-bugs-yet","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/good-bad-and-ugly-details-one-bitcoins-nastiest-bugs-yet","title":{"rendered":"The Good, the Bad and the Ugly Details of One of Bitcoin\u2019s Nastiest Bugs Yet"},"content":{"rendered":"
<\/div>
<\/figure>\n

For well over a year, versions of Bitcoin Core<\/a> \u2014 Bitcoin\u2019s leading software implementation \u2014 contained a severe software bug. The bug was fixed with Bitcoin Core 0.16.3<\/a> (and 0.17.0rc4<\/a>), released this week, and the status of the Bitcoin network now appears to be safe, with no harm done. The Bitcoin Core project has since released a full disclosure<\/a> report, revealing that the bug was even worse than previously thought.<\/p>\n

These are the good, the bad and the ugly details about one of Bitcoin Core\u2019s nastiest bugs to date. (But not in that order.)<\/p>\n

The Bad<\/h2>\n

The bad, of course, is the bug itself, now documented as CVE-2018-17144 in the Common Vulnerabilities and Exposures databank.<\/p>\n

The bug was introduced as part of a block relay-related performance improvement deployed in Bitcoin Core 0.14.0, officially released in March of 2017. In short, the bug would have nodes fail to reject a block containing a transaction that spends the same coins (\u201cinputs\u201d) multiple times. Indeed, it would allow for an (irregular) form of double-spending: arguably the very thing Bitcoin was designed to prevent<\/a>.<\/p>\n

It posed a serious problem, which could have manifested in several ways.<\/p>\n

First, Bitcoin Core versions 0.14.0 through 0.14.2 (and, in some cases, newer versions), would have accepted the block but, at the same time, recognized that something was wrong. However, they wouldn\u2019t be able to tell what<\/em> was wrong, exactly. As a result, the node would stop operating altogether and shut down. If an invalid block caused by this bug had made its way to such nodes, they would have, in effect, crashed. That\u2019s bad.<\/p>\n

But it gets much worse.<\/p>\n

Bitcoin Core versions 0.15.0 through 0.16.2 included another performance improvement, making it such that, in some cases, these nodes would no longer have realized something was wrong. Specifically, if the double-spent coin had not been moved in the same block already (which is often the case), these nodes would have accepted the transaction and block as normal. In a hypothetical, worst-case scenario, a malicious miner could have inflated Bitcoin\u2019s money supply by copying his own coins, and anyone relying on Bitcoin Core versions 0.15.0 through 0.16.2 would have accepted these coins as valid.<\/p>\n

Technically, the bug could also have caused a blockchain fork between affected nodes (Bitcoin Core 0.15.0 through 0.16.2 and codebase forks of it) and unaffected nodes (most notably Bitcoin Core 0.13.2 and older, as well as some alternative Bitcoin implementations). This is unlikely, however, since the latter category probably doesn\u2019t have sufficient hash power behind it to generate even a single block within a couple of days \u2014 let alone several blocks. These nodes would have instead stalled, waiting for a valid block.<\/p>\n

Still, the bug in question could have allowed for one of the worst attacks on Bitcoin in years. It\u2019s sobering for many that this bug made it into a release of Bitcoin\u2019s leading software implementation, as well as several codebase forks of it, and remained unnoticed for about 18 months.<\/p>\n

The Good<\/h2>\n

Now, the good news.<\/p>\n

The first and main piece of good news is that the bug has never been exploited in any way.<\/p>\n

The second piece of good news is that it was not very likely the bug would ever have been exploited in the first place. This is because the attack could only have been exploited by a miner intentionally creating an \u201cattack\u201d block \u2014 not by a miner doing so by accident and also not by a regular user. <\/p>\n

This means that a miner would have had to knowingly risk forfeiting a regular block reward worth some $80,000. An attack like this would have been noticed fairly quickly \u2014 everything happens on a public blockchain, while crash reports would probably have flooded chat rooms and forums. At that point, the Bitcoin user base would certainly agree that the added inflation was, in fact, caused by a bug \u2014 and should not be accepted as a new protocol rule. <\/p>\n

Therefore, like with the bug that caused the value overflow incident in 2010<\/a> or the bug that split the Bitcoin network in 2013<\/a>, a majority of miners (by hash power) would have either upgraded or downgraded their software quickly, rejecting the \u201cattack block\u201d to mine on the \u201chonest chain\u201d instead. As soon as this honest chain overtook the \u201cattack chain,\u201d even vulnerable nodes would have switched to the honest chain and disregarded the attack chain, leaving the attacking miner without any block reward.<\/p>\n

Further, coins on the attack chain would presumably have dropped in value rather quickly: Markets are unlikely to value a coin that can be copied \u201cout of thin air\u201d by a malicious miner. As such, this miner would have immediately undermined the value of the same coins being copied, possibly defeating the point of the attack. (Granted, the miner could also make money by shorting the markets, but this still comes with significant risks.)<\/p>\n

The third piece of good news is that the bug was responsibly disclosed by an unknown person on Monday to several developers working on Bitcoin Core (as well as Bitcoin Cash implementations Bitcoin ABC<\/a> and Bitcoin Unlimited<\/a>). It was originally presented as a denial of service (DoS) bug which, as mentioned, is accurate for Bitcoin Core versions 0.14.0 through 0.14.2. But on further examination,<\/a>Bitcoin Core contributor and Chaincode Labs<\/a> employee Matt Corallo found that the same bug was also an inflation vulnerability.<\/p>\n

The bug was quickly patched and released on Tuesday in a new Bitcoin Core minor release: Bitcoin Core 0.16.3. The bug is also patched in the fourth and latest release candidate for Bitcoin Core\u2019s upcoming major release, 0.17.0. Meanwhile, the select group of Bitcoin Core contributors that were aware of the bug started reaching out to key players in the Bitcoin ecosystem, most notably miners and large businesses, asking them to upgrade to Bitcoin Core 0.16.3. Regular users were also urged to upgrade.<\/p>\n

The fourth piece of good news is that a majority of miners on the network has probably upgraded to get rid of the bug by now. This means that even if an attacker were to try and exploit it, he wouldn\u2019t get very far. The honest miners would overtake the attack chain sooner rather than later, at which point even non-upgraded nodes would accept the honest chain as the only valid chain. To err on the side of safety, users are currently recommended to wait for extra confirmations before accepting a payment, however.<\/p>\n

(In technical terms, the effects on the Bitcoin protocol are as follows: Bitcoin Core 0.15.0 introduced an “accidental hard fork<\/a>” that was never triggered or acted on by miners and, therefore, never led to a blockchain fork. This \u201chard fork\u201d has practically been undone by an intentional, miner-enforced soft fork<\/a> over the past couple of days, possibly also enforced by the Bitcoin economy at this point in time.)<\/p>\n

The Ugly<\/h2>\n

The severity of a bug like this can be tricky to deal with on an open, decentralized, continuously operating network, supported by open-source software. As exemplified when Bitcoin Unlimited patched a bug<\/a> in early 2017, the very act of fixing a vulnerability in the code might reveal it to potential adversaries, opening a window of attack until the fix is widely deployed on nodes in the field.<\/p>\n

To avoid such attacks, those Bitcoin Core contributors aware of the problem decided not to make the severity of the bug public right away. Initially omitting some information from miners, companies and the greater public, they opted to disclose the DoS vulnerability \u2014 but not the inflation vulnerability. They hoped that the DoS vulnerability (and<\/a> some<\/a> strong<\/a> recommendations<\/a>) would be enough reason for users to upgrade, without tipping off a potential attacker. A full disclosure would follow later.<\/p>\n

However, not everyone shared this approach. As the bug came under the spotlight, more people started to figure out on their own that the bug was more severe than just a DoS vulnerability. It\u2019s rumoured that some started to leak the full extent of the vulnerability, arguably putting the Bitcoin network at greater risk of attack. When the vulnerability was reported on Hacker News<\/a> (though later retracted), there was little reason to keep it under the covers much longer.<\/p>\n

Fortunately, by then, it seemed<\/a> to the Bitcoin Core contributors in the know that most miners had upgraded, meaning that the Bitcoin network was safe. While sooner than originally planned, the Bitcoin Core project opted to publish the full disclosure<\/a> by Thursday evening.<\/p>\n

A number of altcoins based on Bitcoin\u2019s codebase are possibly still vulnerable to the attack, however, and the fact that the weakness is now publicly known probably does not help. While the leading implementations of the biggest Bitcoin codebase-based cryptocurrencies \u2014 most notably Bitcoin Cash\u2019s Bitcoin ABC<\/a> \u2014 deployed fixes and are also safe by now, smaller coins may still be at risk.<\/p>\n

Update <\/strong>Saturday, September 22nd: Pseudonymous Bitcoin Unlimited developer “awemany” has come forward<\/a> as the person who found the bug.<\/p>\n

For more details also see the CVE-2018-17144 Full Disclosure<\/a> by the Bitcoin Core project. It is still recommended that users and miners upgrade to Bitcoin Core 0.16.3<\/a> (or Bitcoin Core 0.17.0rc4<\/a>).<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

The good news is that the Bitcoin protocol is safe and the bug was never exploited in any way. Still, it could have allowed for one of the worst attacks on Bitcoin in years.<\/p>\n","protected":false},"author":2509,"featured_media":21361,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[1844,3211,1038,330,1443],"class_list":{"0":"post-21360","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-bugs","9":"tag-chaincode-labs","10":"tag-core","11":"tag-security","12":"tag-software"},"author_data":{"id":2509,"name":"Aaron van Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/the-good.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/21360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=21360"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/21360\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/21361"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=21360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=21360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=21360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}