Bitcoin’s secret bug – INVDoS rediscovered 2 years after fixing it


    In 2018, a security analyst found a significant weakness in Bitcoin Core, the software that underpins the Bitcoin blockchain. After reporting the issue and having it fixed, the analyst opted to keep the details confidential, to keep them away from attackers who might try to exploit it.

    Technical details were disclosed earlier this week after a similar weakness was independently found in another cryptocurrency, one based on an older version of the Bitcoin code that had not received the fix.

    Referred to as INVDoS, the weakness is a typical Denial-of-Service (DoS) vulnerability. While DoS attacks are innocuous in many cases, they are not for internet-reachable systems that need reliable uptime in order to process transactions. INVDoS was discovered in 2018 by Braydon Fuller. Fuller observed that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server’s memory resources, which would ultimately crash affected systems.

    “At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said.

    Likewise, Bitcoin nodes running Bcoin and Btcd were also affected by the same bug. Other cryptocurrencies that were built on the original Bitcoin protocol were also affected, such as Litecoin and Namecoin.

    Fuller said the bug was harmful because it could “contribute to a loss of funds or revenue.”

    “This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” he said.

    Bug re-discovered two years later

    The INVDoS bug was reported and patched at that time under the generic identifier CVE-2018-17145, which did not include many details, so as not to tip off attackers. Nonetheless, the same bug was discovered again over the summer by Javed Khan, another Bitcoin protocol engineer, while he was hunting for bugs in the Decred cryptocurrency.

    The full details of the INVDoS vulnerability were disclosed earlier this week, so that other cryptocurrencies that forked older versions of the Bitcoin protocol could check whether they were affected as well.

    “There has not been known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”
