A newly-patched vulnerability in Bitcoin Core was far more severe than initially revealed, developers disclosed in an updated statement on Thursday.
Bitcoin Vulnerability More Serious Than Earlier Announced
The statement, posted on the website for the open source project, revealed that Bitcoin Core versions 0.16.3 and 0.170rc4 not only patch a denial-of-service (DoS) bug but also address a serious vulnerability that would have allowed malicious miners to artificially inflate the supply of bitcoin through a specific type of double spend transaction.
The developers explain:
“Thus, in Bitcoin Core 0.15.X, 0.16.0, 0.16.1, and 0.16.2, any attempts to double-spend a transaction output within a single transaction inside of a block where the output being spent was created in the same block, the same assertion failure will occur (as exists in the test case which was included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and having been marked as spent, resulting in no such assertion. This could allow a miner to inflate the supply of Bitcoin as they would be then able to claim the value being spent twice.”
Initially, developers had disclosed a lesser but still serious DoS bug that would have allowed miners to crash nodes and disrupt the Bitcoin network. However, doing so would cause them to forfeit their block reward, which is currently 12.5 BTC (~$83,500 as of Friday).
According to the statement, this bug had been present in the Bitcoin Core software since version 0.14, though it had not been discovered until this week. Version 0.15 introduced the inflation vulnerability.
Core Waited for Upgrade to Reach Critical Mass
Developers said that they waited to disclose the full extent of the bug to prevent malicious miners from exploiting it prior to the upgraded client reaching critical mass.
From the statement:
“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade.”
However, Core developers decided to disclose the full extent of the vulnerability — which they do not believe was ever exploited — after a majority of the BTC hashrate upgraded to the patched software. Nevertheless, full node operators who have not yet upgraded to the latest version of Core should do so as soon as possible.
“At this time we believe over half of the Bitcoin hashrate has upgraded to patched nodes. We are unaware of any attempts to exploit this vulnerability,” the statement said. “However, it still remains critical that affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs.”