Bitcoin’s secret bug – INVDoS rediscovered 2 years after fixing it

    Bitcoin Bug

    In 2018, a security analyst found a significant weakness in Bitcoin Core, the reference software that runs the Bitcoin network. After reporting the issue and having it fixed, the analyst chose to keep the details confidential so that attackers could not exploit it.

    Technical details were disclosed earlier this week after a similar weakness was independently found in another cryptocurrency that was built on an older version of the Bitcoin code which had not received the fix.

    Referred to as INVDoS, the weakness is a classic Denial-of-Service (DoS) vulnerability. In many settings a DoS attack is merely a nuisance, but not for internet-reachable systems that need reliable uptime in order to process transactions. INVDoS was found in 2018 by Braydon Fuller. Fuller observed that an attacker could craft malformed Bitcoin transactions that, when processed by Bitcoin nodes, would lead to uncontrolled consumption of the server’s memory, which would ultimately crash the affected systems.

    “At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said.

    Likewise, Bitcoin nodes running Bcoin and Btcd were also affected by the same bug. Other cryptocurrencies that were built on the original Bitcoin protocol were also affected, such as Litecoin and Namecoin.

    Fuller said the bug was harmful because it could “contribute to a loss of funds or revenue.”

    “This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” he said.

    Bug re-discovered two years later

    The INVDoS bug was reported and patched at the time under the generic identifier CVE-2018-17145, whose public description deliberately carried few details so as not to tip off attackers. Nonetheless, the same bug was discovered again over the summer by Javed Khan, another Bitcoin protocol engineer, while hunting for bugs in the Decred cryptocurrency.

    The full details of the INVDoS vulnerability were disclosed earlier this week so that other cryptocurrencies that forked earlier versions of the Bitcoin protocol could examine their code and determine whether they were affected as well.

    “There has not been known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”
