Bitcoin Developers Patch Five-Year-Old Bug

  • Bitcoin Core developers have patched a bug that has remained in the codebase since 2019
  • The vulnerability could have caused some nodes to reject valid blocks under rare conditions
  • The issue was quietly disclosed and fixed in Bitcoin Core version 27.0 following internal review

Bitcoin developers have resolved a critical bug in the Bitcoin Core software that had gone undetected for five years and could have caused certain nodes to reject valid blocks. The bug, originally introduced in 2019, could only be triggered under rare circumstances, depending on the sequence in which unconfirmed transactions were received. After being privately reported, the issue was quietly patched in the recent release of Bitcoin Core 27.0, ensuring the fix reached users without drawing premature attention to the potential risk.

A Hidden Threat

The bug, known as issue #28973, first appeared in Bitcoin Core version 0.19.0 and affected how nodes handled transaction packages containing both confirmed and unconfirmed transactions. Under specific and unusual conditions, an oversight in fee relay logic and package processing meant that nodes could misinterpret valid blocks as invalid if they had already received conflicting unconfirmed transactions. In short, a node could wrongly reject a perfectly valid block if it had already seen another, conflicting transaction that had not yet been confirmed.

Bitcoin developer Ava Chow, who contributed to the bug’s analysis and resolution, explained that while exploitation was unlikely in practice, the bug could in theory result in a chain split:

It’s a good example of how subtle interactions between different parts of the codebase, like mempool policy and consensus, can lead to unexpected consequences.
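The failure mode described above, as an added toy model that is not Bitcoin Core code: a node whose block validation consults mempool state (which conflicting unconfirmed transaction it happened to see first) rejects a valid block, while the corrected node decides validity from the UTXO set alone and only afterwards reconciles its mempool. The `Node`, `Tx` and `demo` names and the constructed transactions are assumptions for illustration.

```python
# Added simplified model, not Bitcoin Core code: block validity must depend only on
# consensus state (the UTXO set), never on which unconfirmed tx the mempool saw first.
from collections import namedtuple

Tx = namedtuple("Tx", "txid inputs")  # inputs: outpoints such as ("coinbase", 0)

class Node:
    def __init__(self, utxos):
        self.utxos = set(utxos)  # consensus state
        self.mempool = {}        # policy state: txid -> Tx

    def _mempool_spent(self):
        return {op for t in self.mempool.values() for op in t.inputs}

    def accept_tx(self, tx):
        """Mempool policy: inputs unspent and not already spent by a mempool tx."""
        if not set(tx.inputs) <= self.utxos or set(tx.inputs) & self._mempool_spent():
            return False
        self.mempool[tx.txid] = tx
        return True

    def _connect(self, block):
        for tx in block:
            self.utxos = (self.utxos - set(tx.inputs)) | {(tx.txid, 0)}
        # Reconcile policy with consensus only after acceptance: drop mempool txs
        # that are now confirmed or whose inputs the block spent.
        self.mempool = {k: t for k, t in self.mempool.items() if set(t.inputs) <= self.utxos}

    def accept_block_buggy(self, block):
        """Bug pattern: a conflict with an unconfirmed tx is treated as invalidity."""
        if any(t.txid not in self.mempool and set(t.inputs) & self._mempool_spent()
               for t in block):
            return False  # valid block wrongly rejected: this node forks off the chain
        return self.accept_block_fixed(block)

    def accept_block_fixed(self, block):
        """Consensus only: what the mempool has seen never decides block validity."""
        spent = [op for tx in block for op in tx.inputs]
        if not set(spent) <= self.utxos or len(spent) != len(set(spent)):
            return False  # genuine invalidity: unknown/spent input or in-block double spend
        self._connect(block)
        return True

def demo():
    """Constructed scenario: node relayed unconfirmed A; a block then confirms conflicting B."""
    a, b = Tx("A", (("coinbase", 0),)), Tx("B", (("coinbase", 0),))
    nodes = [Node({("coinbase", 0)}) for _ in range(2)]
    for node in nodes:
        node.accept_tx(a)
    return nodes[0].accept_block_buggy([b]), nodes[1].accept_block_fixed([b])  # (False, True)
```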

Silent Coordination Leads to Fix Deployment

The vulnerability was responsibly disclosed by developer Antoine Riard earlier this year, allowing Bitcoin Core maintainers to coordinate a fix without exposing the network to unnecessary risk. The corrected behavior was included in the July release of Bitcoin Core 27.0, which also added further safeguards to avoid similar issues in the future.

Developer Gloria Zhao, who has worked extensively on mempool policy, emphasized that “continuous review and testing are essential to preserving Bitcoin’s long-term reliability,” especially in areas where code complexity and edge cases intersect.

Although the bug never caused a known disruption in the wild, its discovery serves as a reminder of the careful balance required when developing Bitcoin’s critical infrastructure. It underscores the importance of conservative design choices, rigorous code review, and a strong culture of responsible disclosure in maintaining the trust and stability of the Bitcoin network.
