It was discovered that Bitcoin miners could cripple the entire Bitcoin Core (BTC) blockchain by flooding its full node operators with traffic using a DDoS attack.
The critical vulnerability allows Bitcoin miners to send transaction data twice. This would cause the whole network to crash when attempting to validate the data. The bug relates to the consensus code, meaning the data block must first be mined.
This bug (CVE-2018-17144) had been present in the Bitcoin Core software from version 0.14 up to 0.16.2, with the developers explaining:
Bitcoin Core 0.16.3 was released: https://t.co/SsbsJsqSTo
Upgrade recommended due to vulnerability fix
(Bitcoin Core Project, @bitcoincoreorg, September 18, 2018)
Initially, the developers had disclosed a lesser but still serious DoS bug that would have allowed Bitcoin miners to crash nodes and disrupt the Bitcoin network.
The bug was first found when an anonymous individual reported it to the Core contributors. It could have allowed a malicious actor with only 12.5 BTC to crash around 90 percent of the Core nodes and wreak havoc on the network. But doing so would cause them to forfeit their block reward.
Knowing that the bug would not only have affected Bitcoin but could also have had a devastating impact on all other cryptocurrencies using Bitcoin Core’s code, the developers issued a patch for anyone running the nodes, along with an appeal to update the software immediately.
"It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible," said the developers.
From the statement:
While the vulnerability has been patched, the Bitcoin development team warned that there are still some risks involved.
A chainsplit is when two or more versions of a blockchain exist at any given time. When this happens, they share an identical history up until the point they split. A chainsplit can be triggered by incompatibilities between different versions of full node software.
One example was in 2013, when an unintentional fork separated Bitcoin into two networks for about six hours.
Bitcoin Core developers have released a full disclosure statement regarding the DDoS attack vector. It also details the entire situation, from initial submission to eventual distribution of the fix. The developers said that they waited to disclose the full extent of the bug to prevent malicious miners from exploiting it prior to the upgraded client reaching critical mass.
While developers have issued a patch and urged operators to implement the fix, it is still up to individual node operators whether to apply it.
As long as there are nodes running unpatched versions, the integrity of the Bitcoin network remains vulnerable.
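To find the unpatched nodes the last two paragraphs refer to, an operator can check the version each node advertises. The following is an added example, not code from the article or from the Bitcoin Core project: it classifies BIP 14 user-agent strings (the `subver` field of `bitcoin-cli getpeerinfo`) against the affected range the article gives, 0.14 through 0.16.2. The `known_fixed` parameter, the `ExampleFork` client name and the sample peers are hypothetical.

```python
import re

# Affected range exactly as the article states it; later releases
# (0.16.3 onward) count as patched.
FIRST_AFFECTED = (0, 14, 0)
LAST_AFFECTED = (0, 16, 2)

# BIP 14 user agent, e.g. "/Satoshi:0.16.2/" or "/Name:1.2.3(comment)/".
_UA = re.compile(r"/([A-Za-z0-9 ._-]+):(\d+)\.(\d+)(?:\.(\d+))?[^/]*/")


def classify(subver, known_fixed=()):
    """Return 'vulnerable', 'patched', 'not-affected' or 'review'."""
    m = _UA.search(subver or "")
    if not m:
        return "review"  # empty or malformed user agent
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    if m.group(1) != "Satoshi":
        return "review"  # other client or fork; may share Core's code
    if version in known_fixed:
        return "patched"  # operator-supplied list (hypothetical parameter)
    if version < FIRST_AFFECTED:
        return "not-affected"
    return "vulnerable" if version <= LAST_AFFECTED else "patched"


def audit(peers, known_fixed=()):
    """Group peer addresses by status; peers are getpeerinfo-style dicts."""
    report = {"vulnerable": [], "patched": [], "not-affected": [], "review": []}
    for peer in peers:
        status = classify(peer.get("subver", ""), known_fixed)
        report[status].append(peer.get("addr", "?"))
    return report


# Constructed sample data (documentation IP ranges), not real peers.
SAMPLE_PEERS = [
    {"addr": "192.0.2.10:8333", "subver": "/Satoshi:0.16.2/"},
    {"addr": "192.0.2.11:8333", "subver": "/Satoshi:0.16.3/"},
    {"addr": "198.51.100.5:8333", "subver": "/Satoshi:0.13.2/"},
    {"addr": "198.51.100.6:8333", "subver": "/Satoshi:0.14.0/"},
    {"addr": "203.0.113.7:8333", "subver": "/ExampleFork:1.0.0/"},
    {"addr": "203.0.113.8:8333", "subver": ""},
]

if __name__ == "__main__":
    for status, addrs in audit(SAMPLE_PEERS).items():
        print(f"{status:13} {len(addrs)}  {', '.join(addrs)}")
```

The user agent is self-reported, so the result is an inventory aid for nodes you operate, not proof of what a remote peer runs. Clients derived from Bitcoin Core's code land in `review` because their version numbers do not map onto the range above.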