A Big Vulnerable Bug in Bitcoin Software Could Have Indeed Crashed the Currency

Bitcoin is usually said to be the gold standard for digital currencies, but still, the OG Blockchain-based money has highly catastrophic defects hiding in the software that supports it.

The entire community is discussing a bug which was introduced to the Bitcoin Core reference client in 2016. The issue found in Bitcoin Core software versions 0.14 and above has produced another hot topic regarding the fallibility of developers and applying a single reference client instead of using several implementations. This bug then went lurking for two good years after it was introduced in November 2016 and a significant number of Core contributors allowed (ACK) the change minus any queries.

Popular Software Implementation

On September 18, the developers of Bitcoin Core released a new version which fixed a vulnerability that enabled a malicious user to crash the network, leaving everyone's cryptocurrencies essentially useless.  Several people have described this bug as " very scary," " major," and that it's among the " top three or four" deadly bugs ever seen in Bitcoin.

“For less than $80,000, you could have brought down the entire network,” Emin Gün Sirer, an associate professor of computer science at Cornell University told me over the phone. “That is less money than what a lot of entities would pay for a 0-day attack on many systems. There are many motivated people like this, and they could have brought the network down.”

Remarkably, the bug itself wasn't in the Bitcoin protocol but rather in its most famous software implementation. Some virtual currencies built with the use of Bitcoin Core's code were at large touched - for instance, Litecoin patched similar vulnerability on Tue Sept 18.

Poisoned Block

The Documentation describes the bug as a "denial-of-service vulnerability" which was introduced into Bitcoin Core in an update in 2017. The vulnerability factually permitted miners to form a sort of poisoned block by putting a transaction that tries to spend the same Cryptos twice. The poisoned block could then be spread across all Bitcoin network, damaging the software of any user that gets it.

About 95% of users operating Bitcoin nodes use Core, and the latest-fixed bug showed that any Core node getting the poisoned block would have been immediately terminated rather than simply discarding it for not being valid.

By using this vulnerability, the malevolent miner would forgo the reward for forming the poisoned block, 12.5 Bitcoins.

“[CVE-2018-17144] A bug introduced in Bitcoin Core 0.14.0 and affecting all subsequent versions through to 0.16.2 will cause Bitcoin Core to crash when attempting to validate a block containing a transaction that attempts to spend the same input twice,” explains the Optech newsletter. “Such blocks would be invalid and so can only be created by miners willing to lose the allowed income from having created a block (at least 12.5 XBT or $80,000 USD).”