
The bitcoin DoS bug was a smokescreen for a way worse vulnerability

Posted: 24 September 2018 3:09 pm

The real problem wasn't the DoS vulnerability, it was that people could create new bitcoin from thin air.

Bitcoin is well known for its extremely careful coding and for being as secure as programming ever gets, even by lofty cryptocurrency standards.

This is one of the reasons why a recently discovered vulnerability drew so much attention. It was a vulnerability in the Bitcoin Core software rather than in the bitcoin protocol itself, but Bitcoin Core is the most popular software implementation of bitcoin, so the bug could have been used to similar effect. The vulnerability meant it was theoretically possible for a miner to create a poisoned block for about $80,000, which could then be passed around the network, crashing the nodes it encountered. This was the denial of service (DoS) vulnerability.

But now that it's fixed, it turns out there was another much more serious problem lurking behind it, which Bitcoin Core described in its full disclosure as a "critical inflation vulnerability." In other words, it would have let people create bitcoin out of thin air, beyond the usual 21 million limit.



The timeline

The problem was discovered on 17 September, and an update was built the same day. The next couple of days were then spent urging as many people to update as fast as possible. Someone else then independently discovered the same bug on 20 September, at which point Bitcoin Core went public with the full disclosure.

Bitcoin Core says it deliberately kept the inflation bug secret, revealing only the DoS element, to push nodes to update quickly and to buy some time for everyone to update.

"In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give time for systems to upgrade.

"On September 20th a post in a public forum reported the full impact and although it was quickly retracted the claim was further circulated."

Bitcoin Core's timeline explains the series of events approximately like this:

17 September
  • 2.57 pm UTC: An anonymous person discovers and reports the DoS bug. Rumour has it that the reporter was a Bitcoin Cash developer. The report is quickly circulated to various mining pools and other stakeholders.
  • 5.47 pm: Bitcoin developer Matt Corallo discovers the critical inflation bug, spends the next hour or so double checking and saying something like "daaaang."
  • 7.15 pm: Corallo reaches out to slushpool. It is the world's first bitcoin mining pool, and is still one of the largest ones, handling over 10% of bitcoin's hashing power.
  • 7.29 pm: Corallo demonstrates the inflation vulnerability.
  • 8.30 pm: Corallo speaks with slushpool CTO and CEO, shares patch and discloses DoS vulnerability to them.

The rest of the day, as well as the next couple of days, involved reaching out to people to encourage them to update, while publicising the DoS vulnerability to add some real urgency to it all.

20 September

At 7.50 pm, a developer who goes by "earlz" independently discovered the critical inflation vulnerability and reported it to Bitcoin Core. At the same time, the vulnerability was also publicised in a post on a public forum. The post was deleted, but rumours kept circulating.


The cat was now out of the bag.

Bitcoin Core then went public with its full disclosure, giving the full rundown and adding that it believes over half the bitcoin hashrate has updated to the patched nodes.

"We are unaware of any attempts to exploit this vulnerability," it said.

Some bitcoin forks might still be vulnerable, but it's safe to assume that all the forks that actually matter have fixed the bug by now.

Dodged a bullet?

In some respects it looks like bitcoin might have dodged a bullet. The bug went live, and but for the grace of an anonymous reporter it could have been a disaster. It took a few days for someone else to publicly discover it and for rumours to start circulating, and it's very fortunate that the patch had already been percolating through the bitcoin ecosystem for a couple of days before the public discovery.

But even if developers didn't discover and patch the bug until 20 September, odds are no one could have feasibly walked away with bitcoin created out of thin air. In the event of a successful attack, a rollback fork would be a possibility. It would have been a very unwelcome headache, but still a possibility.


Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
