Bitcoin Core Developers Move to Fix Denial-of-Service Software Bug

Sep 19, 2018 at 20:01 UTC
Updated Sep 20, 2018 at 00:35 UTC

An abnormally severe bug was discovered in bitcoin’s software, prompting developers to put together and release a fix on Tuesday.

Fixed and revealed to the wider public by way of Bitcoin Core software version 0.16.3, the vulnerability is a denial-of-service bug. If exploited, it can be used to take out nodes and, at worst, temporarily crash a significant segment of the network.

However, not everyone has the power to take advantage of the bug. Only miners – those that run hardware and spend energy ordering transactions on the network – can exploit the vulnerability by double spending a transaction and placing it in a block.

But, it’s not exactly painless for them to execute, either. If they try the attack, they would lose their block reward, which is worth more than $75,000 at today’s prices.

The vulnerability was introduced in Bitcoin Core version 0.14.0, which was first released in March 2017. But the issue wasn’t found until just two days ago, prompting contributors to the codebase to take action and ultimately release a tested fix within 24 hours.

And luckily, most bitcoin users don’t have to do anything to be protected from the vulnerability now.

Developers stressed that “stored” bitcoins are not at risk. Yet, it could impact those using the Lightning network, an in-development transaction layer that seeks to allow faster and cheaper transactions.

Still, because the bug is potentially dangerous for the network, developers strongly advise users who are running so-called “full nodes” that store bitcoin’s complete transaction history to upgrade their software. Moderator Theymos also pinned a notice to the top of the bitcoin subreddit.

The Bitcoin Core notes describing the software patch state:

“We urge all network participants to upgrade to [the new software] as soon as possible.”

Impacting Lightning

As it turns out, a popular quote in tech circles aptly applies to this kind of bug.

“A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable,” said famous computer scientist Leslie Lamport.

In this particular circumstance, a miner making a faulty transaction can impact nodes running across the network. As noted in the Bitcoin OpTech newsletter, a miner would need to try to double spend some bitcoin in order to crash bitcoin nodes.

Bitcoin’s code is set up largely to guard against this kind of problem, but this bug shows how a way around such measures managed to seep through.

Perhaps the biggest impact is on bitcoin-tied technology that isn’t ready for primetime. If this attack were to be executed, bitcoin users running Lightning on the mainnet could be impacted.

“If you’re reckless enough to be running lightning, you should really update ASAP, or close your channels. Updating is easy enough luckily,” Blockstream engineer Gregory Sanders urged on reddit.

Since Lightning is in such an early stage, it requires users to watch their “channels,” which hold their bitcoins in the experimental layer. That way they can stop a party they’ve established a channel with if that party attempts to cheat. Of particular concern here though: if a user’s node is crashed by a miner exploiting this bug, a malicious actor could use the opportunity to cheat other Lightning users.

Even so, some developers argue that successfully doing all of this would be pretty hard to accomplish.

“I find it highly unlikely it has much of an impact,” developer Justin Camarena told CoinDesk.

That’s why some argue that regular users don’t need to worry about it, although there’s been a general sense of urgency in light of the overall risk.

“Unless you’re running a business or lightning network node you really have no funds at risk,” Sanders added later.

Buggy conclusions

Yet how significant this bug is in the context of bitcoin’s history remains difficult to figure out.

Blockchain.info data engineer Antoine Le Calvez tallied up a list of similar exploits made over the years, showing that they were more common in bitcoin’s earlier years.

But Bitcoin Core contributor Luke Dashjr responded by arguing that exploits might not be decreasing over time as the data suggests.

“Sadly, I think recent years suffer from lack of disclosure rather than having fewer exploits,” he said.

He went on to admit he doesn’t know why this is the case, but he nonetheless argued that some bugs in the bitcoin software are found and patched up, yet are never publicly disclosed.

Meanwhile, others are drawing other conclusions from the bug – namely that bitcoin programmers are mere mortals. OpenBazaar lead developer Chris Pacia went as far as to argue that while many users argue that bitcoin developers are among the best in the world, this proves they’re actually normal developers who run into obstacles.

“Bugs happen. This is a fact of life,” he remarked on Twitter. “I’m not criticizing them for having a bug. I’m criticizing the idiot minimalists who insist Core developers are God-like individuals.”

Still, Camarena thinks that because of the bug’s nuances and how difficult the attack is to execute, people are making too big of a deal out of the bug.

He told CoinDesk:

“It’s a serious bug, but not as bad as some are making it to believe.”


The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.

