A Week After Bug Discovery, Bitcoin Network Remains Vulnerable


September 26, 2018 6:05 PM

More than a week after Bitcoin Core released a client update that addressed a denial-of-service vulnerability and consensus bug in its software, most nodes are still running old software. That’s a problem.

Over a week ago, someone found a bug in Bitcoin Core software – a denial-of-service vulnerability affecting versions 0.14.0 to 0.16.2. Several Bitcoin Core developers took a look and saw that there was an additional problem in 0.15.0 and above: a consensus bug that could have allowed inflation. They quickly and quietly patched the bug and released 0.16.3 on September 18. Problem solved, right?

Not quite. For the vulnerabilities to stop being, well, vulnerable, nodes running the software need to upgrade. And not nearly enough are. To be clear, this isn’t like ignoring the app update on your phone that features some aesthetic fixes. Cornell professor Emin Gün Sirer told Motherboard that a malicious actor could have used the vulnerability to crash the Bitcoin network with just $80,000.

Exact numbers are hard to come by – that’s one of the things about a decentralized network no one is in charge of (although it’s likely preferable to a centralized one in which you just have to take their word for it).

In a tweet on September 23, Cøbra, the anonymous co-owner of Bitcoin.org, claimed that over 80 percent of the bitcoin network was still running vulnerable software:


Further down the comment thread (read on, I dare you), there’s some speculation that Cøbra’s numbers are off. Which is true, but only kind of.

To clarify, according to Coin Dance, as of today, 49 percent of all nodes were protected from the inflation vulnerability. But there are a couple of reasons for this. First, Coin Dance’s numbers don’t include non-listening nodes, which constitute much of the network. Second, the inflation vulnerability wasn’t the only problem with the implementation software.

Moreover, not all of the “protected nodes” listed on Coin Dance are due to updates: Many are running software from pre-0.15.0 (released in September of last year) and pre-0.14.0 (released in March 2017) and some are using nodes outside of Bitcoin Core. (Unlike Ethereum, which has two major clients – Geth and Parity – the Bitcoin network is dominated by Bitcoin Core, but there are a handful of smaller nodes, including Bitcoin Knots and btcsuite.)


Look closer at the numbers, though, and you’ll see that Coin Dance has not classified 0.14.x nodes as vulnerable, even though Bitcoin Core specifically says 0.14.x is vulnerable.

Conversely, Bitcoin Core developer Luke Dashjr, who keeps his own numbers (which take into account any node in use within the last month), sees the overwhelming majority of nodes as vulnerable, including any Bitcoin Core implementation before 0.16.3, though not necessarily to the inflation bug. He explains the reason for the different statistics: “0.14.x is not vulnerable to the inflation issue, but will crash if it is attempted. 0.13 is vulnerable to unrelated exploits.”
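The disagreement between the Coin Dance and Dashjr figures comes down to which version ranges a counter treats as “vulnerable.” The following is an added example, not code from the article or from Bitcoin Core, that encodes the version ranges the article states (0.14.x crashes but is not subject to the inflation bug; 0.15.0 through 0.16.2 are exposed to both; 0.16.3 is patched) and applies them to node user-agent strings. It assumes the `/Satoshi:x.y.z/` user-agent convention that Bitcoin Core advertises on the peer-to-peer network; the list of node agents below is constructed sample input, not measured network data, and the 0.13-era “unrelated exploits” Dashjr mentions are deliberately not modelled.

```python
import re
from collections import Counter

# Version ranges as stated in the article (Bitcoin Core's 0.16.3 release notes):
#   0.14.0 - 0.16.2 : denial-of-service (crash) vulnerability
#   0.15.0 - 0.16.2 : additionally the inflation consensus bug
#   0.16.3 and later: patched
#   before 0.14.0   : not affected by this particular bug (the article notes
#                     that 0.13 has unrelated issues, which are not modelled here)
DOS_MIN = (0, 14, 0)
INFLATION_MIN = (0, 15, 0)
FIXED = (0, 16, 3)

# Bitcoin Core advertises itself as "/Satoshi:<major>.<minor>.<patch>/";
# other software (Knots, btcd) may append its own "/Name:version/" segments,
# so only the leading segment is matched.
UA_RE = re.compile(r"^/Satoshi:(\d+)\.(\d+)\.(\d+)")


def parse_version(user_agent):
    """Return (major, minor, patch) from a Bitcoin Core user-agent string,
    or None for non-Core or unparseable agents."""
    m = UA_RE.match(user_agent)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(user_agent):
    """Bucket one node by the article's version ranges."""
    v = parse_version(user_agent)
    if v is None:
        return "other-client"
    if v >= FIXED:
        return "patched"
    if v >= INFLATION_MIN:
        return "dos+inflation"
    if v >= DOS_MIN:
        return "dos-only"
    return "pre-0.14"


def summarize(user_agents):
    """Count nodes per bucket (a Counter keyed by classify() labels)."""
    return Counter(classify(ua) for ua in user_agents)


def vulnerable_share(user_agents, inflation_only=False):
    """Fraction of nodes counted as vulnerable.

    inflation_only=True resembles the Coin Dance style of counting (only the
    inflation bug counts, so 0.14.x is treated as safe); inflation_only=False
    resembles Dashjr's stricter count (any Core node before 0.16.3, DoS included).
    """
    if not user_agents:
        return 0.0
    counts = summarize(user_agents)
    vulnerable = counts["dos+inflation"]
    if not inflation_only:
        vulnerable += counts["dos-only"]
    return vulnerable / len(user_agents)


# Constructed sample of node user agents (not a real network measurement).
SAMPLE_NODES = [
    "/Satoshi:0.16.3/",                 # patched Core
    "/Satoshi:0.16.2/",                 # last unpatched release
    "/Satoshi:0.15.1/",                 # DoS + inflation
    "/Satoshi:0.14.2/",                 # crashes, but no inflation exposure
    "/Satoshi:0.13.2/",                 # predates the affected range
    "/Satoshi:0.16.3/Knots:20180918/",  # patched Core with a Knots suffix (constructed)
    "/btcwire:0.5.0/btcd:0.12.0/",      # btcsuite, not Core
    "/Satoshi:0.16.0/",                 # DoS + inflation
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_NODES)))
    print("inflation-only metric:", vulnerable_share(SAMPLE_NODES, inflation_only=True))
    print("strict metric:        ", vulnerable_share(SAMPLE_NODES))
```

On the constructed sample the two metrics disagree exactly the way the article describes: the inflation-only count reports 3 of 8 nodes as vulnerable, while the strict count, which also includes the 0.14.x node that would crash, reports 4 of 8. Neither metric says anything about the non-listening nodes the article notes are missing from Coin Dance’s data, since a crawler only ever sees agents that accept inbound connections.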

So, why aren’t people updating?

Dashjr told ETHNews that gradual adoption is standard:

“The current upgrade trend looks more or less like what one would normally expect to see when there is a new release (although a bit faster). In ordinary circumstances, this would be reasonably healthy, but since there is a serious publicly disclosed vulnerability, it leaves the network open to attack in this case.”

The fact is that disclosure may not have gotten to all the relevant parties. Apparently, not everyone reads coin journals, subreddits, or crypto Twitter. As evidence, Cøbra’s Sunday tweet quickly turned into a discussion over the use of an announcement mailing list for just such an occasion, which some people are supposedly subscribed to but not receiving emails from. It’s a phone tree, but instead of trying to get ahold of Suzie and Darryl about the bake sale, they’re trying to reach multiple actors in a $111 billion market, and their phones have been turned off.

Still, what are these nodes that haven’t updated? Sirer opined in a tweet yesterday that they were “economically worthless nodes.”

How much chaff is there amongst the Bitcoin wheat? When asked how many nodes would need to update to version 0.16.3 to comfortably put the vulnerability in the rearview mirror, Dashjr conjectured that enough nodes have updated when they constitute 85 percent of the economic activity. And he’s hoping the network isn’t as centralized as Sirer suggests it is:

“If 5% of nodes (~4000 nodes) make up 85% of economic activity, Bitcoin is in a REALLY bad place generally.”

Jeff Benson is Managing Editor of ETHNews. He’s worked as a writer and editor everywhere from Sudan to Reno. He holds a bachelor’s in politics from Willamette University and a master’s in nationalism studies from University of Edinburgh. When he’s not in the newsroom, he trots the globe and writes about it. He holds a bit of value in ETH.
