Severe Bitcoin Network Vulnerability Secretly Patched 2 Years Ago Comes to Light

The bug could have eroded Bitcoin’s credibility as the premier cryptocurrency.

“Severe” Bitcoin Bug Secretly Patched

According to a report by Coindesk, a previously undisclosed vulnerability in the Bitcoin Core software could have enabled hackers to compromise the network’s famed security, allowing them to steal funds, delay on-chain settlements and even split the network.

The bug was, however, quietly patched in 2018, the report reads.

Notably, the bug was first noticed by Braydon Fuller, a protocol engineer at cryptocurrency shopping site Purse. Fuller and Javed Khan – a core developer at Handshake protocol – recently published a paper that goes into the details of the bug.

Notably, the bug was given a severity of 7.8 out of 10 that is considered to be on the “higher scale” (9 or above is deemed “critical”). Speaking to Coindesk, Khan said the vulnerability was caused by “remote nodes” failing to clear invalid transactions from their memory.

Specifically, the inability to clear invalid transactions could have led to an aggressor spamming a target node with redundant data. This malicious practice is typically referred to as “uncontrolled resource consumption” that eventually forces the victim node to shut off.

Khan noted:

“There was no mechanism to make sure that the pending details of a transaction are valid or not. In certain cases you could fill up the remote memory with invalid transactions.”

Interestingly, the vulnerability could not be disclosed for about two years because the node operators took longer than expected to update.

Danger to the Lightning Network

Khan added that the said network vulnerability could have allowed an attacker to siphon funds from nodes possessing open channels on Layer-2 Bitcoin scaling solution, the Lightning Network.

Notably, Bitcoin Core versions 0.16.0 and 0.16.1 were affected by the bug and were duly fixed by Bitcoin Core developer Matt Corallo after Fuller disclosed the issue to the Core team in July 2018.

The report reads in part:

“The discovery by Fuller was followed by another Bitcoin bug addressed two months later in Bitcoin Core 0.16.3. Also a vector for a denial-of-service attack, one aspect of that bug allowed miners to ‘inflate the supply of Bitcoin’ as they could double-spend certain values, the Bitcoin Core team wrote at the time.”

In similar news, earlier this year, BTCManager reported how IOTA (MIOTA) had announced the successful patch of the vulnerability responsible for the Trinity Wallet hack that resulted in the loss of funds to the tune of $1.6 million at the time.