The most serious bug in bitcoin since 2010 has been exploited on testnet, a network used by developers to test code behavior. The real bitcoin network is unaffected and funds are safe.
At about nine o’clock London time on Wednesday, someone designed a block which allowed him/her to spend 0.1 BTC twice on testnet:
As can be seen, 0.1 BTC is duplicated to spend 0.099 and pay a fee of 0.101, turning it into 0.2 BTC.
This would have been valid in bitcoin due to the inflationary bug. Nodes would not have noticed anything was wrong before updating to the latest version, which has fixed the code.
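The accounting error described above, as an added example that is not Bitcoin Core's code: a simplified C++ model that computes the fee with and without a duplicate-input check, using the article's figures in satoshis. The `Tx`, `OutPoint` and `UtxoSet` types, the function names and the txid are assumptions made for illustration.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified model for illustration; these are not Bitcoin Core's types.
using OutPoint = std::pair<std::string, uint32_t>;  // (txid, output index)
using UtxoSet = std::map<OutPoint, int64_t>;        // unspent coins, in satoshis

struct Tx {
    std::vector<OutPoint> inputs;
    std::vector<int64_t> outputs;  // satoshis
};

// Sums input values by lookup only, so an outpoint listed twice is counted
// twice. Returns the implied fee, or -1 if the transaction is rejected.
int64_t fee_without_duplicate_check(const Tx& tx, const UtxoSet& utxos) {
    int64_t in = 0, out = 0;
    for (const auto& op : tx.inputs) {
        auto it = utxos.find(op);
        if (it == utxos.end()) return -1;  // input does not exist
        in += it->second;
    }
    for (int64_t v : tx.outputs) out += v;
    return in >= out ? in - out : -1;      // outputs may not exceed inputs
}

// Same accounting, but rejects any transaction that names an outpoint twice.
int64_t fee_with_duplicate_check(const Tx& tx, const UtxoSet& utxos) {
    std::set<OutPoint> seen;
    for (const auto& op : tx.inputs)
        if (!seen.insert(op).second) return -1;  // duplicate input
    return fee_without_duplicate_check(tx, utxos);
}

// Constructed sample using the article's figures: one 0.1 BTC coin listed
// twice as an input, with a single 0.099 BTC output.
const OutPoint kCoin("constructed-txid", 0);
UtxoSet sample_utxos() { UtxoSet u; u[kCoin] = 10000000; return u; }
Tx sample_tx() {
    Tx tx; tx.inputs = {kCoin, kCoin}; tx.outputs = {9900000};
    return tx;
}
```

On the sample, the unchecked version accepts the transaction and reports a fee of 10,100,000 satoshis (0.101 BTC) from a coin worth only 10,000,000, while the checked version rejects it.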
It looks like some have not updated to the latest version, so a chain split is now in progress, with effectively two different versions of bitcoin on testnet. Here is what the block in question looks like on one non-updated blockchain explorer:
You can see here that there are two transactions in this block, which was mined at about 9 o’clock. The updated block explorer, however, tells a different story:
The block number is the same, but the contents are very different. We have 195 transactions here, with this block mined at around 10 o’clock.
That means about one hour of transaction history has been reversed. If that were on the real blockchain, anyone who transacted during that period would have their coins go back to the sender.
The block explorer, for example, has now updated, so what previously was a confirmed transaction has now become unconfirmed, meaning the sender has received back his bitcoin, while the receiver is now out of pocket:
These are fake coins, intended to emulate the network. A race is now ongoing on testnet as the hashrate seems equally split, with the two chains running in parallel.
Eventually one chain will be discarded, but until then much mess will have been created, which thankfully is occurring only with play money.
This could have happened on the real network, as the inflation bug was live for two years. Had it been exploited, it might not even have been noticed until some time after the fact, as the then-latest nodes would have thought nothing was wrong. Only very old nodes would have noticed.
But thankfully a Bitcoin Cash developer found this bug and revealed it to all, so now most miners have probably upgraded, which means an exploitation of the bug in the real network wouldn’t have too much of an effect.
Yet it seems some have not yet upgraded and remain vulnerable to being cheated, despite warnings online to upgrade due to the seriousness of the bug.
Whether such warnings are sufficient is unclear, as nodes themselves have not been alerted because the alert was removed, so plenty of node operators might not even know there is anything wrong unless they keep up with the news.
That’s despite this probably being the most serious bug of the past eight years among the top coins in the whole crypto space.
Its inflationary nature is far more serious than the DAO, which was not even a protocol bug, and far more serious than any bug in Bitcoin Unlimited or BitcoinABC.
This utter failure by Bitcoin Core developers remains unexplained, many days after it was first revealed that they had removed checks on double spending.