A Critical Bug In The Bitcoin Core Reference Client Makes It Vulnerable To DDoS

It was discovered that Bitcoin miners could cripple the entire Bitcoin Core (BTC) blockchain by flooding its full node operators with traffic in a DDoS attack.

The critical vulnerability allows Bitcoin miners to send transaction data twice, which would cause the whole network to crash when attempting to validate that data. Because the flaw lies in the consensus code, a block carrying the malformed data must first be mined.

This bug (CVE-2018-17144) had been present in the Bitcoin Core software since version 0.14 up to 0.16.2, with the developers explaining:

"[…] any attempts to double-spend a transaction output within a single transaction inside of a block where the output being spent was created in the same block, the same assertion failure will occur (as exists in the test case which was included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and having been marked as spent, resulting in no such assertion. This could allow a miner to inflate the supply of Bitcoin as they would be then able to claim the value being spent twice."
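
To make the two cases in that statement concrete, here is a toy UTXO-cache model (an added example, not Bitcoin Core's code): it assumes simplified `OutPoint` and `Tx` types plus a per-coin FRESH/spent flag, and shows how an unpatched validator inflates the supply when an output from an earlier block is spent twice by one transaction, crashes on an assertion when a same-block output is, and how the restored duplicate-input check rejects both blocks.

```python
"""Toy UTXO-cache model of CVE-2018-17144 (constructed example, not Bitcoin Core's code)."""
from typing import NamedTuple

class OutPoint(NamedTuple):
    txid: str
    index: int

class Tx(NamedTuple):
    txid: str
    inputs: list    # OutPoints being spent
    outputs: list   # output values in satoshis

def has_duplicate_input(tx):
    """The context-free check restored in 0.16.3: a tx may not spend the same outpoint twice."""
    return len(set(tx.inputs)) != len(tx.inputs)

def connect_block(utxo, block, strict=True):
    """Apply block to a cached view of utxo and return ('ok', coins in circulation),
    ('rejected', reason) or ('crash', reason). Coins created by this block are FRESH and
    are erased when spent; older coins stay in the map flagged spent (the DIRTY case)."""
    view = {op: {"value": v, "spent": False, "fresh": False} for op, v in utxo.items()}
    for tx in block:
        if strict and has_duplicate_input(tx):
            return "rejected", f"{tx.txid}: duplicate input"
        total_in = 0                             # inputs are valued before this tx is applied
        for op in tx.inputs:
            coin = view.get(op)
            if coin is None or coin["spent"]:
                return "rejected", f"{tx.txid}: missing input {op}"
            total_in += coin["value"]
        if total_in < sum(tx.outputs):
            return "rejected", f"{tx.txid}: outputs exceed inputs"
        for op in tx.inputs:                     # spend each input in turn
            coin = view.get(op)
            if coin is None:                     # already erased: the assertion failure (node crash)
                return "crash", f"assert(is_spent) failed for {op}"
            if coin["fresh"]:
                del view[op]
            else:
                coin["spent"] = True             # a second spend of an old coin passes silently
        for i, val in enumerate(tx.outputs):
            view[OutPoint(tx.txid, i)] = {"value": val, "spent": False, "fresh": True}
    return "ok", sum(c["value"] for c in view.values() if not c["spent"])

# Constructed scenario: one 50-coin output from an earlier block, spent twice by one tx.
UTXO = {OutPoint("prev", 0): 50}
INFLATE = [Tx("dup", [OutPoint("prev", 0), OutPoint("prev", 0)], [100])]
# Same trick on an output created inside the block: the crash path, not the inflation path.
SAME_BLOCK = [Tx("mk", [OutPoint("prev", 0)], [50]),
              Tx("dup", [OutPoint("mk", 0), OutPoint("mk", 0)], [100])]
```

Running `connect_block(UTXO, INFLATE, strict=False)` yields 100 coins in circulation from a 50-coin input, while the same call with `strict=True` rejects the block before any coin is touched.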

Initially, the developers had disclosed a lesser but still serious DoS bug that would have allowed Bitcoin miners to crash nodes and disrupt the Bitcoin network.

The bug was first found when an anonymous individual reported it to the Core contributors. It could have allowed a malicious actor with only 12.5 BTC to crash around 90 percent of the Core nodes and wreak havoc on the network. But doing so would cause them to forfeit their block reward.

Knowing that the bug would not only have affected Bitcoin but could also have had a devastating impact on all other cryptocurrencies using Bitcoin Core’s code, the developers issued a patch for anyone running the nodes, along with an appeal to update the software immediately.

"It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible," said the developers.

From the statement:

"In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give time for systems to upgrade."

While the vulnerability has been patched, the Bitcoin development team warned that there are still some risks involved.

"[…] There is currently a small risk of a chainsplit. In a chainsplit, transactions could be reversed long after they are fully confirmed," they say. "Therefore, for the next week or so you should consider there to be a small possibility of any transaction with less than 200 confirmations being reversed."

A chainsplit is when two or more versions of a blockchain exist at the same time. When this happens, they share an identical history up until the point at which they split. A chainsplit can be triggered by incompatibilities between different versions of the full node software.

One example was in 2013, when an unintentional fork separated Bitcoin into two networks for about six hours.

Bitcoin Core developers have released a full disclosure statement regarding the DDoS attack vector. It also details the entire situation, from initial submission to eventual distribution of the fix. The developers said that they waited to disclose the full extent of the bug to prevent malicious miners from exploiting it prior to the upgraded client reaching critical mass.

While the developers have issued a patch and urged operators to apply it, whether to do so is still up to each individual node operator.

As long as there are nodes running unpatched versions, the integrity of the Bitcoin network remains vulnerable.

Published: 24/09/2018