Researcher kept a major Bitcoin bug secret for two years to prevent attacks

InvDos

In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.

Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn’t received the patch.

Bitcoin Inventory Out-of-Memory Denial-of-Service Attack

Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While in many cases DoS attacks are harmless, they are not for internet-reachable systems such as Bitcoin nodes, which need stable uptime in order to process transactions.

INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server’s memory resources, which would eventually crash impacted systems.
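The failure mode described above, as an added illustration that is not code from the paper, Bitcoin Core, or any of the affected projects: a constructed model in which one node variant stores peer-announced transactions before validating them and never drops the ones that fail, while the hardened variant validates first and caps per-peer in-flight bytes. The size limits, the byte budget, and the bookkeeping are all assumptions made for the illustration, not a description of the real code paths.

```python
# Constructed model of an inventory handler: the "leaky" variant keeps every
# announced transaction in memory even when validation fails, so a single peer
# can grow the node's memory without bound; the "bounded" variant validates
# before storing and enforces a per-peer byte budget. Illustrative only, not
# Bitcoin Core's actual data structures.
from collections import defaultdict

MAX_TX_BYTES = 100_000      # assumed serialized-size limit per transaction
PER_PEER_BUDGET = 500_000   # assumed in-flight byte budget per peer


class LeakyInventory:
    def __init__(self):
        self.items = {}     # txid -> stored size in bytes

    def receive(self, peer, txid, size, valid):
        self.items[txid] = size      # stored before validation ...
        return valid                 # ... and never removed on failure

    def memory_bytes(self):
        return sum(self.items.values())


class BoundedInventory:
    def __init__(self):
        self.items = {}
        self.per_peer = defaultdict(int)   # peer -> bytes currently held
        self.rejected = 0

    def receive(self, peer, txid, size, valid):
        over_budget = self.per_peer[peer] + size > PER_PEER_BUDGET
        if size > MAX_TX_BYTES or over_budget or not valid:
            self.rejected += 1       # refused without allocating
            return False
        self.items[txid] = size
        self.per_peer[peer] += size
        return True

    def memory_bytes(self):
        return sum(self.items.values())


def flood(inv, count=1000, size=90_000, valid=False, peer="peer-A"):
    """Feed `count` announcements of `size` bytes from one peer; return
    (accepted announcements, bytes the node now holds)."""
    accepted = sum(inv.receive(peer, f"tx{i}", size, valid) for i in range(count))
    return accepted, inv.memory_bytes()
```

With invalid announcements the leaky node holds 90 MB after 1000 messages while the bounded node holds nothing; with valid ones the bounded node stops accepting from that peer once its budget is reached.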

“At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges,” Fuller said in a paper [PDF] published on Wednesday.

Furthermore, INVDoS was not limited to nodes running the Bitcoin Core software: Bitcoin nodes running the alternative Bcoin and Btcd implementations were affected by the same bug.

Other cryptocurrencies that were built on the original Bitcoin protocol were also impacted, such as Litecoin and Namecoin.

Fuller said the bug was dangerous because it could “contribute to a loss of funds or revenue.”

“This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” he said.

“It could also be through disruption and delay of time-sensitive contracts or prohibiting economic activity. That could affect commerce, exchanges, atomic swaps, escrows and lightning network HTLC payment channels,” Fuller added.

Bug re-discovered two years later

The INVDoS bug was reported to all the responsible parties and patched at the time under the generic identifier CVE-2018-17145, whose public description deliberately included few details so as not to tip off attackers.

However, the same bug was re-discovered over the summer by Javed Khan, another Bitcoin protocol engineer, while hunting bugs in the Decred cryptocurrency.

Khan reported the bug to the Decred bug bounty program, and it was eventually disclosed to the broader world last month.

Full details about the INVDoS vulnerability were published earlier this week, so that other cryptocurrencies that forked older versions of the Bitcoin protocol could check whether they were impacted as well.

“There has not been a known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”


[promo keywords="" brand="" category="" rows="" start=""]