Bitcoin Core Developers Move to Fix Denial-of-Service Software Bug

Alyssa Hertig
Sep 19, 2018 at 20:01 UTC  |  Updated  Sep 20, 2018 at 00:35 UTC

An abnormally severe bug was discovered in bitcoin's software, prompting developers to put together and release a fix on Tuesday.

Fixed and revealed to the wider public by way of Bitcoin Core software version 0.16.3, the vulnerability is a denial-of-service bug. If exploited, it can be used to take out nodes and at worst, temporarily crash a significant segment of the network.

However, not everyone has the power to take advantage of the bug. Only miners – those that run hardware and spend energy ordering transactions on the network – can exploit the vulnerability by double spending a transaction and placing it in a block.

But, it's not exactly painless for them to execute, either. If they try the attack, they would lose their block reward, which is worth more than $75,000 at today's prices.

The vulnerability was introduced in Bitcoin Core version 0.14.0, which was first released in March 2017. But the issue wasn't found until just two days ago, prompting contributors to the codebase to take action and ultimately release a tested fix within 24 hours.

And luckily, most bitcoin users don't have to do anything to be protected from the vulnerability now.

Developers stressed that "stored" bitcoins are not at risk. Yet, it could impact those using the Lightning network, an in-development transaction layer that seeks to allow faster and cheaper transactions.

Still, because the bug is potentially dangerous for the network, developers strongly advise users who are running so-called "full nodes" that store bitcoin's complete transaction history to upgrade their software. Moderator Theymos also pinned a notice to the top of the bitcoin subreddit.

The Bitcoin Core notes describing the software patch state:

"We urge all network participants to upgrade to [the new software] as soon as possible."

Impacting Lightning

As it turns out, a popular quote in tech circles aptly applies to this kind of bug.

"A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable," said famous computer scientist Leslie Lamport.

In this particular circumstance, a miner making a faulty transaction can impact nodes running across the network. As noted in the Bitcoin OpTech newsletter, a miner would need to try to double spend some bitcoin in order to crash bitcoin nodes.

Bitcoin's code is set up largely to guard against this kind of problem, but this bug shows how a way around such measures managed to seep through.

Perhaps the biggest impact is on bitcoin-tied technology that isn't ready for primetime. If this attack were to be executed, bitcoin users running Lightning on the mainnet could be impacted.

"If you're reckless enough to be running lightning, you should really update ASAP, or close your channels. Updating is easy enough luckily," Blockstream engineer Gregory Sanders urged on reddit.

Since Lightning is in such an early stage, it requires users to watch their "channels," which hold their bitcoins in the experimental layer. That way they can stop a party they've established a channel with if that party attempts to cheat. Of particular concern here though: if a user's node is crashed by a miner exploiting this bug, a malicious actor could use the opportunity to cheat other Lightning users.

Even so, some developers argue that successfully doing all of this would be pretty hard to accomplish.

"I find it highly unlikely it has much of an impact," developer Justin Camarena told CoinDesk.

That's why some argue that regular users don't need to worry about it, although there's been a general sense of urgency in light of the overall risk.

"Unless you're running a business or lightning network node you really have no funds at risk," Sanders added later.

Buggy conclusions

Yet how significant this bug is in the context of bitcoin's history remains difficult to figure out.

Blockchain.info data engineer Antoine Le Calvez tallied up a list of similar exploits made over the years, showing that they were more common in bitcoin's earlier years.

But Bitcoin Core contributor Luke Dashjr responded by arguing that exploits might not be decreasing over time as the data suggests.

"Sadly, I think recent years suffer from lack of disclosure rather than having fewer exploits," he said.

He went on to admit he doesn't know why this is the case, but he nonetheless argued that some bugs in the bitcoin software are found and patched up, yet are never publicly disclosed.

Meanwhile, others are drawing other conclusions from the bug – namely that bitcoin programmers are mere mortals. OpenBazaar lead developer Chris Pacia went as far as to argue that while many users argue that bitcoin developers are among the best in the world, this proves they're actually normal developers who run into obstacles.

"Bugs happen. This is a fact of life," he remarked on Twitter. "I'm not criticizing them for having a bug. I'm criticizing the idiot minimalists who insist Core developers are God-like individuals."

Still, Camarena thinks that because of the bug's nuances and how difficult the attack is to execute, people are making too big of a deal out of the bug.

He told CoinDesk:

"It's a serious bug, but not as bad as some are making it to believe."
