Christopher Jeffrey, a bitcoin developer and CTO at Purse, has publicly disclosed a vulnerability that applies to Bitcoin Core – where it remains unpatched at the time of writing – and Bitcoin Cash – where it has been patched weeks ago – as well as potentially other digital currencies.
Seemingly minutes after, that vulnerability started being exploited on the Bitcoin Cash chain by BitClub mining pool which mined a huge block, while having just 31 transactions, by creating 1MB transactions. Amaury Sechet, a Bitcoin Cash developer, stated:
“There is a vulnerability that has been disclosed at Breaking Bitcoin. BitClub is trying to exploit it. The last version of Bitcoin ABC is not vulnerable to the attack, so upgrading is probably a good idea.”
The way some implementations have been coded allows for the creation of special transactions that can spend many transactions from many outputs. As they are loaded onto memory, they can reach a size of 8GB, crashing nodes.
Some Bitcoin Core developers have strongly criticized the disclosure as being irresponsible because it had not yet been patched, but Jeffrey says:
“This is already fixed in multiple implementations including bcoin and Bitcoin ABC.
BitcoinJ, libbitcoin, and Parity Bitcoin were never affected in the first place.
This shouldn’t be a problem, because Bitcoin is a decentralized protocol where people should be using multiple different implementations. At least, that’s how bitcoin should be. I hope I opened some peoples’ eyes on that. Implementation centralization will kill bitcoin one day, just not today, since I don’t think this attack is reasonable to pull off in practice. But it serves as a good reminder — single points of failure suck.
This is also not a zero-day. I privately disclosed this to several different node implementers long beforehand: Sipa (core), Jeff Garzik (btc1), Laolu (btcd), and deadalnix (bitcoin abc).”
The vulnerability has not been patched in Bitcoin Core. The reason for their failure to do so remains unclear. Jeffrey says he informed them 2 months ago. Sachets took two days to implement the patch, he says, while Bitcoin Core still hasn’t at the time of writing. Jeffrey says:
“It was patched, in multiple implementations. Just not Core. It’s not my problem if one implementation is lagging behind when I warned them ages ago.”
The developer is clearly making a point here that developer centralization can be a considerable threat as exploits may be ignored or inadvertently added to the protocol.
In this case, the vulnerability may cause some annoyance if exploited, but it appears unlikely it would lead to any monetary losses. There could be instances however where the vulnerability is more serious.
In such cases, having different implementations may allow the network to continue operating even as one client’s nodes may be sent down crashing.
This is a developing story so we will keep you updated if we learn more.