The Good, the Bad and the Ugly Bitcoin Bug

For over a year, all versions of Bitcoin Core contained one of the worst bugs in Bitcoin history. In this article, we will reveal the good, bad and ugly details about one of the most annoying Bitcoin Core bugs to date.

It’s bad, of course, that the very existence of the bug is now registered as CVE-2018-17144 in the vulnerability database "Common Vulnerabilities and Exposures".

The bug was introduced in Bitcoin Core 0.14.0, released in March 2017, as part of a performance improvement related to block routing. In short, the bug prevented network nodes from rejecting blocks containing a transaction that spent the same funds (“inputs”) multiple times, allowing for an irregular form of double spending. This is despite the fact that preventing double spending was one of the core problems Bitcoin was designed to solve.

This serious problem could manifest itself in many different ways. First, Bitcoin Core versions 0.14.0 through 0.14.2 (and in some cases newer versions) would accept the block, but at the same time admit that something was wrong. However, they wouldn't be able to say exactly what was wrong. As a result, the node would stop working and shut down. Thus, if an invalid block made its way to such nodes, it could cause the network to crash. And this is bad...

But then it gets worse. Bitcoin Core versions 0.15.0 to 0.16.2 added another performance improvement, with the result that in some cases these nodes did not even realize that something was wrong. Specifically, if the twice-spent coin was not moved in the same block (which is often the case), these nodes would accept the transaction, and the block containing it, as normal. In a hypothetical worst-case scenario, an attacker could inflate the Bitcoin money supply by copying his own coins, and any node running Bitcoin Core versions 0.15.0 to 0.16.2 would accept these coins as valid.
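The three behaviours described above (reject, halt, silently accept) can be seen in a small model of a node's unspent-output set. This is an added example and a deliberate simplification, not Bitcoin Core source code; every name in it is hypothetical, and the two boolean flags are modelling assumptions standing in for the version differences the article describes.

```cpp
// Simplified model, not Bitcoin Core source. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <utility>
#include <vector>

using OutPoint = std::pair<int, int>;            // (constructed tx id, output index)
struct Tx { std::vector<OutPoint> in; std::vector<int64_t> out; };
using UtxoSet = std::map<OutPoint, int64_t>;     // unspent outpoint -> value

enum class Result { Accepted, RejectedDuplicateInput, RejectedMissingInput,
                    RejectedOverspend, InconsistentState };

// The check that must run for every transaction in a block.
bool HasDuplicateInputs(const Tx& tx) {
    std::set<OutPoint> seen;
    for (const auto& op : tx.in)
        if (!seen.insert(op).second) return true;   // same outpoint listed twice
    return false;
}

int64_t Supply(const UtxoSet& u) {
    int64_t s = 0;
    for (const auto& kv : u) s += kv.second;
    return s;
}

// check_dups: run the duplicate-input check (the fixed behaviour).
// detect_inconsistency: notice when an input is erased twice and halt;
// when false, the second erase goes unnoticed and the tx is accepted.
Result ConnectTx(UtxoSet& utxo, const Tx& tx, bool check_dups, bool detect_inconsistency) {
    if (check_dups && HasDuplicateInputs(tx)) return Result::RejectedDuplicateInput;
    int64_t value_in = 0, value_out = 0;
    for (const auto& op : tx.in) {               // a repeated input is counted twice
        auto it = utxo.find(op);
        if (it == utxo.end()) return Result::RejectedMissingInput;
        value_in += it->second;
    }
    for (int64_t v : tx.out) value_out += v;
    if (value_out > value_in) return Result::RejectedOverspend;
    for (const auto& op : tx.in)                 // spend phase
        if (utxo.erase(op) == 0 && detect_inconsistency) return Result::InconsistentState;
    for (std::size_t i = 0; i < tx.out.size(); ++i)
        utxo[{99, static_cast<int>(i)}] = tx.out[i];  // 99 = constructed new tx id
    return Result::Accepted;
}
```

With the check enabled the transaction is rejected before any state changes; without it, the model either stops on an inconsistent state or ends up with more value in the set than existed before.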

Technically, the bug could also lead to a fork in the blockchain between affected nodes (Bitcoin Core 0.15.0 to 0.16.2 and its forks) and unaffected nodes (specifically Bitcoin Core 0.13.2 and older, and their forks). However, this is unlikely, since the latter category would likely not have enough hashrate to create even one block within a few days, let alone multiple blocks. Therefore, such nodes would simply stop waiting for a valid block.

However, the bug in question could have allowed one of the worst attacks on Bitcoin in history. This is sobering for many, since an error potentially leading to such dire consequences remained undetected for about 18 months.

Now the good news. The first and foremost good news is that this bug was never exploited.

The second piece of good news is that the likelihood that this bug could be exploited at all is extremely low. This is because the attack could only be carried out by a miner intentionally creating an attack block, not by a miner doing so accidentally or by an ordinary user.

This means that a miner would have to knowingly risk losing the block reward of around $80,000. Such an attack would be noticed quite quickly since everything happens on a public blockchain. Soon enough, crash reports would fill chat rooms and forums. At this point, it would be revealed that the incorrect block was in fact caused by an error.

As happened in 2010 and 2013, when errors in the code caused the blockchain to fork, most miners would upgrade or downgrade the software they were using, rejecting the attacking block and continuing to mine the honest branch. Over time, the valid branch would outweigh the attacker's branch and even vulnerable nodes would switch to the correct branch, leaving the attacking miner without a block reward. Also, such an incident would immediately reduce the market price of the attacked coin, thereby significantly reducing the financial effectiveness of the attack itself.

The third piece of good news is that a developer named awemany responsibly disclosed the bug primarily to developers working on Bitcoin Core (as well as Bitcoin ABC and Bitcoin Unlimited). The error was initially thought to be a denial of service (DoS) error. But upon further examination, Bitcoin Core and Chaincode Labs employee Matt Corallo discovered that the same error was also a network impact vulnerability. The error was corrected the very next day and Bitcoin Core 0.16.3 and Bitcoin Core release candidate 0.17.0 were released. Meanwhile, a group of Bitcoin Core contributors who were aware of the issue reached out to key players in the Bitcoin ecosystem and asked them to migrate to Bitcoin Core 0.16.3.

The fourth piece of good news is that most miners on the network updated the software they use fairly quickly, meaning that even if an attacker tries to exploit the bug, they won't get very far. Honest miners will quickly overtake the attacking chain, and at that point even non-updated nodes will perceive the valid chain as the only correct one. However, to secure their transactions, users are currently advised to wait for additional confirmations before accepting payment.

And now the ugly. Fixing a bug like this can be challenging in an open, decentralized, always-on network supported by open source software. For example, when Bitcoin Unlimited fixed a critical bug in early 2017, the very fact of fixing the vulnerability in the code exposed it to potential adversaries, opening the attack window until the fix was deployed to the majority of network nodes.

To avoid such attacks, the Bitcoin Core developers decided not to immediately disclose the severity of the error to the public. Initially, by hiding full information from miners and users, they reported a DoS vulnerability, but not a network impact vulnerability. They hoped that the DoS vulnerability and strong recommendations would be enough reason for users to update their software without attracting the attention of potential attackers.

However, not everyone shared this approach. As the bug came under scrutiny, more people began to figure out on their own that the bug was more serious than just a DoS vulnerability. Some of them revealed full details of the vulnerability, putting the Bitcoin network at risk of attack. After this vulnerability was published on Hacker News (although it was later removed), there was no point in keeping it secret any longer.

Fortunately, by the time detailed information about the problem was leaked, most of the major Bitcoin mining players had already updated the software they were using, securing the network from attack, after which Bitcoin Core published full technical information about the error.

A large number of altcoins based on the Bitcoin source code may still be vulnerable, and the fact that the problem is publicly known does not remove the threat from them. Cryptocurrencies such as Bitcoin ABC, however, immediately published updates to their software, securing their networks from potential attacks.

According to Bitcoin Magazine
