For well over a year, versions of Bitcoin Core — Bitcoin’s leading software implementation — contained a severe software bug. The bug was fixed with Bitcoin Core 0.16.3 (and 0.17.0rc4), released this week, and the status of the Bitcoin network now appears to be safe, with no harm done. The Bitcoin Core project has since released a full disclosure report, revealing that the bug was even worse than previously thought.
These are the good, the bad and the ugly details about one of Bitcoin Core’s nastiest bugs to date. (But not in that order.)
The bad, of course, is the bug itself, now documented as CVE-2018-17144 in the Common Vulnerabilities and Exposures databank.
The bug was introduced as part of a block relay-related performance improvement deployed in Bitcoin Core 0.14.0, officially released in March of 2017. In short, the bug would fail to reject a block containing a transaction that spends the same coins (“inputs”) multiple times. Indeed, it would allow for an (irregular) form of double-spending: arguably the very thing Bitcoin was designed to prevent.
It posed a serious problem, which could have manifested in several ways.
First, Bitcoin Core versions 0.14.0 through 0.14.2 (and, in some cases, newer versions), would have accepted the block but, at the same time, recognized that something was wrong. However, they wouldn’t be able to tell what was wrong, exactly. As a result, the node would stop operating altogether and shut down. If an invalid block caused by this bug had made its way to such nodes, they would have, in effect, crashed. That’s bad.
But it gets much worse.
Bitcoin Core versions 0.15.0 through 0.16.2 included another performance improvement, making it such that, in some cases, these nodes would no longer have realized something was wrong. Specifically, if the double-spent coin had not been moved in the same block already (which is often the case), these nodes would have accepted the transaction and block as normal. In a hypothetical, worst-case scenario, a malicious miner could have inflated Bitcoin’s money supply by copying his own coins, and anyone relying on Bitcoin Core versions 0.15.0 through 0.16.2 would have accepted these coins as valid.
Technically, the bug could also have caused a blockchain fork between affected nodes (Bitcoin Core 0.15.0 through 0.16.2 and codebase forks of it) and unaffected nodes (most notably Bitcoin Core 0.13.2 and older, as well as some alternative Bitcoin implementations). This is unlikely, however, since the latter category probably doesn’t have sufficient hash power behind it to generate even a single block within a couple of days — let alone several blocks. These nodes would have instead stalled, waiting for a valid block.
Still, the bug in question could have allowed for one of the worst attacks on Bitcoin in years. It’s sobering for many that this bug made it into a release of Bitcoin’s leading software implementation, as well as several codebase forks of it, and remained unnoticed for about 18 months.
Now, the good news.
The first and main piece of good news is that the bug has never been exploited in any way.
The second piece of good news is that it was not very likely the bug would ever have been exploited in the first place. This is because the attack could only have been exploited by a miner intentionally creating an “attack” block — not by a miner doing so by accident and also not by a regular user.
This means that a miner would have had to knowingly risk forfeiting a regular block reward worth some $80,000. An attack like this would have been noticed fairly quickly — everything happens on a public blockchain, while crash reports would probably have flooded chat rooms and forums. At that point, the Bitcoin user base would certainly agree that the added inflation was, in fact, caused by a bug — and should not be accepted as a new protocol rule.
Therefore, not unlike a bug that split the Bitcoin network in 2013, a majority of miners (by hash power) would have either upgraded or downgraded their software quickly, rejecting the “attack block” to mine on the “honest chain” instead. As soon as this honest chain overtook the “attack chain,” even vulnerable nodes would have switched to the honest chain and disregarded the attack chain, leaving the attacking miner without any block reward.
Further, coins on the attack chain would presumably have dropped in value rather quickly: Markets are unlikely to value a coin that can be copied “out of thin air” by a malicious miner. As such, this miner would have immediately undermined the value of the same coins being copied, defeating the point of the attack. (Granted, the miner could also make money by shorting the markets, but this still comes with significant risks.)
The third piece of good news is that the bug was responsibly disclosed by an unknown person on Monday to several developers working on Bitcoin Core (as well as Bitcoin Cash implementations…