Crisis averted: threatening bitcoin bug removed from client

The vulnerability, known as CVE-2018-17144, was the unknown side effect of a 2017 update which removed a validation check in order to reduce block processing time by 600 microseconds—a step that inadvertently opened the Core client to the possibility of serious security breach.

This loophole was exposed by Bitcoin Cash and Bitcoin Unlimited developer "awemany", who later published a report lambasting the attitudes of Core developers.

The network however remains unscathed, and was hastily patched with the Bitcoin Core v0.16.3 software update, which the majority of miners managed to install within 12 hours of its release.

Just how severe was the bug?

In line with security guidelines on Responsible Disclosure, the full extent of the vulnerability was only revealed to the community once developers had been given a chance to minimise any opportunity for exploitation.

What they did disclose immediately though, was a relatively less serious bug relating to Denial of Service, as explained in the official notice:

"In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade."

Days later, after all nodes were notified of the issue, the second more critical component of the vulnerability was made public—a potentially catastrophic loophole that could have been used to create new bitcoin without mining.

This would have let mal-intentioned miners publish blocks with an invalid transaction, creating a corrupt block which could then be circulated around the network, crashing the software of any node that received it and potentially allowing for a bitcoin to be spent twice.

Not only that, but the Bitcoin network is not the only one made vulnerable by such bugs. As the leading cryptocurrency, Bitcoin’s codebase spawned many similar coins—like Litecoin and Bitcoin Cash—that also rely on adapted versions of the Bitcoin Core client software.

Although these major forks have now been patched accordingly, smaller and more obscure coins may still be at risk.

A constantly evolving codebase

Bitcoin’s short history is littered with security loopholes, most of which affect the software clients rather than the Bitcoin protocol itself.

While the protocol is considered immutable, the clients themselves are more prone to corruption. These clients can be thought of like an email server that must constantly interact with the bitcoin network, and like any piece of software, they are subject to bugs.

As the Bitcoin clients are open source software, they are readily available for the public to scrutinize, and since the first ‘Satoshi Client’ was released in 2008, the software has undergone numerous upgrades, and suffered from a long list of security breaches.

Data collected by Blockchain.info data engineer Antoine Le Calvez suggested that vulnerabilities like this recent bug have grown less common over the years, but it remains a sobering thought that such a bug can remain undetected, even in Bitcoin’s most popular client— Bitcoin Core—which is used by the vast majority of miners.

Finding solutions together

What is encouraging, is that the bug was never exploited in the first place, and that if a miner had been motivated to do so, it is unlikely that they would’ve met with success.

In the event of a corrupt block being created, crash reports would have raised the attention of miners en masse, who would likely then recognise the issue and either upgrade or revert to a previous software version.

Not only that, but it is heartening that such a danger has been so readily disclosed, particularly when discovered by a developer from a rival cryptocurrency in a community frequently divided by distrust.