- A new report claims that Bitcoin was saved from a potential chain split in 2018 after a vulnerability was detected
- The flaw was rated 7.8/10 in terms of severity, and was introduced in November 2017
- Some doubt the severity of the flaw, saying funds were never in danger
A report claims that Bitcoin was saved from an untimely death in 2018 by a developer who, after uncovering a vulnerability, prevented the code from being split and funds from being stolen. The paper, called Bitcoin Inventory Out-of-Memory Denial-of-Service Attack, claims that the Bitcoin blockchain was at risk after the discovery of a vulnerability, rated 7.8/10 in severity, that could have allowed a malicious actor to cripple the network just six months after Bitcoin gained worldwide notoriety for hitting $20,000. Others believe, however, that the vulnerability is not as severe as has been reported, and that funds weren’t really at risk.
Bitcoin Vulnerability Discovered
The paper, which was published Wednesday, suggests that Braydon Fuller, an engineer at crypto shopping site Purse, uncovered the vulnerability in June 2018, but that news of its existence could not be revealed until now due to the length of time it has taken for it to be properly patched.
The paper describes the vulnerability as being an “uncontrolled resource consumption and out-of-memory (OOM) vulnerability” that could have affected Bitcoin, Litecoin, Namecoin, and Decred nodes. The vulnerability, which was introduced in November 2017, would have affected “more than 50% of publicly advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges” and could have led to attackers stealing funds, delaying settlements, or even splitting the blockchain into conflicting versions.
Such an eventuality would naturally have had a crippling effect on Bitcoin’s reputation as a secure blockchain, but fortunately there is no evidence that an attack was attempted using the vulnerability.
Severity Called into Question
Fuller worked with Bitcoin developer Javed Khan to patch the bug. Updates had to be pushed out for all the impacted nodes, a process that was finally completed just two weeks ago. Some, however, doubt the severity of the bug, with Jameson Lopp claiming that the risk of theft of funds was minimal:
This was a Denial of Service exploit; I’m not seeing the “steals funds” part unless you stretch to assume the node operator would stay offline for days and allow lightning channels to be closed in stale states. Watchtowers also mitigate that issue.
Regardless of the intricacies, the fact that such a vulnerability existed ten years after the Bitcoin blockchain arrived on the scene is a reminder that we are still working with an experimental technology that has all-too-real flaws.