Bitcoin, Cryptocurrency and Fintech Headlines Blog

The Good, the Bad and the Ugly Details of One of Bitcoin’s Nastiest Bugs Yet

For well over a year, versions of Bitcoin Core — Bitcoin’s leading software implementation — contained a severe software bug. The bug was fixed with Bitcoin Core 0.16.3 (and 0.17.0rc4), released this week, and the status of the Bitcoin network now appears to be safe, with no harm done. The Bitcoin Core project has released a full disclosure report, revealing that the bug was even worse than previously thought.

These are the good, the bad and the ugly details about one of Bitcoin Core’s nastiest bugs to date. (But not in that order.)

The Bad

The bad, of course, is the bug itself, now documented as CVE-2018-17144 in the Common Vulnerabilities and Exposures databank.

The bug was introduced as part of a block relay-related performance upgrade deployed in Bitcoin Core 0.14.0, officially released in March 2017. In short, affected nodes would fail to reject a block containing a transaction that spends the same coins (“inputs”) multiple times. Indeed, it would allow for an (irregular) form of double-spending: arguably the very thing Bitcoin was designed to prevent.

It posed a serious problem, which might have manifested in several ways.

First, Bitcoin Core versions 0.14.0 through 0.14.2 (and, in some cases, newer versions) would have accepted the block but, at the same time, recognized that something was wrong. However, they would not have been able to tell exactly what was wrong. As a result, the node would have stopped operating altogether and shut down. If an invalid block exploiting this bug had reached such nodes, they would, in effect, have crashed. That’s bad.

But it gets much worse.

Bitcoin Core versions 0.15.0 through 0.16.2 included another performance improvement, with the result that, in some cases, these nodes would no longer have noticed that something was wrong. Specifically, if the double-spent coin had not been moved in the same block already (which is often the case), these nodes would have accepted the transaction and block as normal. In a hypothetical, worst-case scenario, a malicious miner could have inflated Bitcoin’s money supply by copying his own coins, and anyone relying on Bitcoin Core versions 0.15.0 through 0.16.2 would have accepted these coins as valid.

Technically, the bug could also have caused a blockchain fork between affected nodes (Bitcoin Core 0.15.0 through 0.16.2 and codebase forks of it) and unaffected nodes (most notably Bitcoin Core 0.13.2 and older, as well as some alternative Bitcoin implementations). This is unlikely, however, since the latter category probably doesn’t have sufficient hash power behind it to generate even a single block within a couple of days — let alone several blocks.

Still, the bug in question could have allowed for one of the worst attacks on Bitcoin in years. It’s sobering for many that this bug made it into a release of Bitcoin’s leading software implementation, as well as several codebase forks of it, and remained unnoticed for about 18 months.
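To make the failure mode above concrete, here is a small, constructed model of the per-transaction duplicate-input check whose omission is the essence of CVE-2018-17144. It is added here for illustration and is not Bitcoin Core’s code: the `Tx` type, the dictionary-based UTXO set and the sample values are invented, and the `check_duplicates` flag models whether the guard runs on transactions inside a block.

```python
from collections import Counter, namedtuple

# Constructed, simplified model of the per-transaction duplicate-input check that
# CVE-2018-17144 skipped for transactions inside a block. Not Bitcoin Core's code;
# every name and value below is invented. A UTXO set is a dict {(txid, index): satoshis}.

Tx = namedtuple("Tx", "txid inputs outputs")   # inputs: outpoints (txid, index); outputs: values

class ConsensusError(Exception):
    pass

def check_transaction(tx):
    """The guard that must run on every transaction: an outpoint may appear only once."""
    dupes = [op for op, n in Counter(tx.inputs).items() if n > 1]
    if dupes:
        raise ConsensusError(f"{tx.txid}: duplicate inputs {dupes}")

def connect_block(txs, utxo, check_duplicates=True):
    """Apply a block's transactions to a copy of the UTXO set; return the new set."""
    view = dict(utxo)
    for tx in txs:
        if check_duplicates:
            check_transaction(tx)
        # Existence check only: with the guard skipped, a repeated outpoint is found
        # and valued twice, because coins are removed only after the inputs are summed.
        missing = [op for op in tx.inputs if op not in view]
        if missing:
            raise ConsensusError(f"{tx.txid}: spends unknown outputs {missing}")
        in_value = sum(view[op] for op in tx.inputs)
        if sum(tx.outputs) > in_value:
            raise ConsensusError(f"{tx.txid}: outputs exceed inputs")
        for op in tx.inputs:
            view.pop(op, None)
        for i, value in enumerate(tx.outputs):
            view[(tx.txid, i)] = value
    return view

# Constructed scenario: one 50-coin output from an earlier block, and a block whose only
# transaction spends that same output twice to mint a single 100-coin output.
PARENT_UTXO = {("earlier_tx", 0): 50}
ATTACK_BLOCK = [Tx("inflate_tx", [("earlier_tx", 0), ("earlier_tx", 0)], [100])]

def simulate(check_duplicates):
    """Return (total supply after the block, None) if accepted, or (None, rejection reason)."""
    try:
        new_utxo = connect_block(ATTACK_BLOCK, PARENT_UTXO, check_duplicates)
        return sum(new_utxo.values()), None
    except ConsensusError as err:
        return None, str(err)
```

With the guard skipped, `simulate(False)` accepts the block and reports a supply of 100 where only 50 existed; with the guard present, `simulate(True)` rejects it with a duplicate-inputs error before any value is credited.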

The Good

Now, the good news.

The first and main piece of good news is that the bug has never been exploited in any way.

The second piece of good news is that it was not very likely the bug would ever have been exploited in the first place. This is because the bug could only have been exploited by a miner intentionally creating an “attack” block, not by a miner doing so by accident, and not by a regular user.

This means that a miner would have had to knowingly risk forfeiting a regular block reward worth some $80,000. An attack like this would have been noticed fairly quickly — everything happens on a public blockchain, while crash reports would probably have flooded chat rooms and forums. At that point, the Bitcoin user base would very likely agree that the added inflation was, in fact, caused by a bug — and should not be accepted as a new protocol rule.

Therefore, not unlike a bug that split the Bitcoin network in 2013, a majority of miners (by hash power) would have either upgraded or downgraded their software quickly to reject the “attack block” and mine on the “honest chain” instead. As soon as this honest chain overtook the “attack chain,” even vulnerable nodes would have switched to the honest chain and disregarded the attack chain, leaving the attacking miner without any block reward.

Further, coins on the attack chain would presumably have dropped in value rather quickly: Markets are unlikely to value a coin that can be copied “out of thin air” by a malicious miner. As such, this miner would have immediately undermined the value of the same coins being copied, defeating the point of the attack. (Granted, the miner could also make money by shorting the markets, but this still comes with significant risks.)

The third piece of good news is that the bug was responsibly disclosed by an unknown person on Monday to several developers working on Bitcoin Core (as well as on the Bitcoin Cash implementations Bitcoin ABC and Bitcoin Unlimited). It was originally presented as a denial of service (DoS) bug, which, as mentioned, is accurate for Bitcoin Core versions 0.14.0 through 0.14.2. But on further examination, Bitcoin Core contributor and Chaincode Labs employee Matt Corallo found that the same bug was also an inflation vulnerability.

The bug was quickly patched and released on Tuesday in a new Bitcoin Core minor release: Bitcoin Core 0.16.3. The bug is also patched in the fourth and latest release candidate for Bitcoin Core’s upcoming major release, 0.17.0. Meanwhile, the select group of Bitcoin Core contributors that were aware of the bug started reaching out to key players in the Bitcoin ecosystem, most notably miners and large businesses, asking them to upgrade to Bitcoin Core 0.16.3. Regular users were also urged to upgrade.

The fourth piece of good news is that a majority of miners on the network have probably upgraded to get rid of the bug by now. This means that even if an attacker were to try to exploit it, he wouldn’t get very far. The honest miners would overtake the attack chain sooner rather than later, at which point even non-upgraded nodes would accept the honest chain as the only valid chain. To err on the side of safety, however, users are currently recommended to wait for more confirmations before accepting a payment.

In technical terms, the effects on the Bitcoin protocol are as follows: Bitcoin Core 0.14.0 introduced an accidental hard fork “upgrade” that was never triggered or acted on by miners and, therefore, never led to a blockchain fork. This “accidental hard fork” has practically been undone by an intentional miner-enforced, soft-fork upgrade over the past couple of days, possibly also enforced by the economy at this point in time.

The Ugly

The severity of a bug like this can be tricky to deal with on an open, decentralized, continuously operating network, supported by open-source software. As exemplified when Bitcoin Unlimited patched a bug in early 2017, the very act of fixing a vulnerability in the code might reveal it to potential adversaries, opening a window of attack until the fix is widely deployed on nodes in the field.

To avoid such attacks, those Bitcoin Core contributors aware of the problem decided not to make the severity of the bug public right away. Initially omitting some information from miners, companies and the greater public, they opted to disclose the DoS vulnerability — but not the inflation vulnerability. They hoped that the DoS vulnerability (and some strong recommendations) would be enough reason for users to upgrade, without tipping off a potential attacker. A full disclosure would follow later.

However, not everyone shared this approach. As the bug came under the spotlight, more people started to figure out on their own that the bug was more severe than just a DoS vulnerability. While unconfirmed, it’s rumoured that some started to leak the full extent of the vulnerability, arguably putting the Bitcoin network at greater risk of attack. When the vulnerability was reported on Hacker News (though later retracted), there was little reason to keep it under the covers much longer.

Luckily, by then, it seemed to the Bitcoin Core contributors in the know that most miners had upgraded, meaning that the Bitcoin network was safe. While sooner than originally planned, the Bitcoin Core project opted to publish the full disclosure by Thursday evening.

However, this early disclosure does mean that a number of altcoins based on Bitcoin’s codebase could still be vulnerable to the attack. While the leading implementations of the biggest Bitcoin codebase-based cryptocurrencies — most notably Bitcoin Cash’s Bitcoin ABC — deployed fixes and are probably safe by now, smaller coins may not be.

For more details also see the CVE-2018-17144 Full Disclosure by the Bitcoin Core project. It is still recommended that users and miners upgrade to Bitcoin Core 0.16.3 (or Bitcoin Core 0.17.0rc4).

This article originally appeared on Bitcoin Magazine.

Stellar XLM Surges 17% Amidst Market Recovery and Increased Adoption

Stellar’s XLM surged 17% on Friday as the overall cryptocurrency markets posted gains, led by XRP, which was up 55% over a 24-hour trading period at the time of writing. The price rise of Stellar comes as the cryptocurrency is seeing increased adoption, specifically through IBM’s new cross-border settlement system – World Wire. On Friday,

The post Stellar XLM Surges 17% Amidst Market Recovery and Increased Adoption appeared first on NewsBTC.

China Updates Crypto Rankings, Downgrades Bitcoin

The China Center for Information Industry Development has updated its crypto rankings. The list contains 33 crypto projects, ranked overall and in three separate categories. High up in the overall ranking are EOS, Ethereum, and Bitshares. Bitcoin, however, has been downgraded.

China’s Fifth Ranking […]

The post China Updates Crypto Rankings, Downgrades Bitcoin appeared first on Bitcoin News.

US Navy Explores Blockchain to Enhance Tracking of Aviation Parts

The U.S. Navy’s Naval Air Systems Command (NAVAIR) is currently exploring blockchain technology for tracking aviation parts throughout their lifecycle, according to its press release. For NAVAIR, changing the way it currently tracks the lineage of parts is a critical step toward reducing the high cost of operating a military aircraft. The

The post US Navy Explores Blockchain to Enhance Tracking of Aviation Parts appeared first on CCN

Top 6 Cryptocurrency Exchanges With the Highest Weekly Trading Volume – 2018 Week 40 Edition

A lot of people consider Binance to be the world’s leading cryptocurrency exchange. In reality, that is not exactly true, primarily because BitForex generates more volume. CoinMarketCap excludes this exchange, but these are the “official” exchanges ranked by ascending trading volume in the past seven days. The results may look different from what one expected […]

The post Top 6 Cryptocurrency Exchanges With the Highest Weekly Trading Volume – 2018 Week 40 Edition appeared first on NullTX.

PR: iCoinbay Rolls Out Trading Premium Gain Plan

iCoinbay has released a new trading campaign entitled [Trading Premium Gain]; iCoinbay is a tokenized, community-based digital asset exchange. This new campaign allows traders who use the platform to increase their earnings through normal trading activities. According to publicly released information, the plan can be summarized as follows:

1. Issuance of TPG tokens worth 100% of the value of transaction fees
According to its published “TPG White Paper”, iCoinbay considers users’ normal use of the platform a contribution to the community. With each transaction, a corresponding amount of the platform’s token, TPG, is issued to the trader(s).

The post PR: iCoinbay Rolls Out Trading Premium Gain Plan appeared first on Bitcoin News.

Bank Of America Show That Bitcoin Transfers Are 6000 x Cheaper Than Their Own

Bank of America has released data showing that Bitcoin transfers are around 6,000 times cheaper than traditional transfers of fiat currency at the bank’s own standard rates. Many argue that Bitcoin transactions carry a ridiculous expense; however, with these findings in mind, Bitcoin is still proving to be a far […]

The post Bank Of America Show That Bitcoin Transfers Are 6000 x Cheaper Than Their Own appeared first on Digital Money Times.