Bitcoin is often said to be the gold standard for cryptocurrencies, but even the OG blockchain-based money has potentially disastrous flaws lurking in the software that supports it.
On Tuesday, the developers of Bitcoin Core—the software that effectively powers the Bitcoin blockchain—released a new version that patched a vulnerability that allowed a malicious user to crash the network, making everyone’s digital coins effectively useless. The bug has been variously described as “very scary,” “major,” and one of the “top three or four” most serious bugs ever discovered in Bitcoin.
“For less than $80,000, you could have brought down the entire network,” Emin Gün Sirer, an associate professor of computer science at Cornell University told me over the phone. “That is less money than what a lot of entities would pay for a 0-day attack on many systems. There are many motivated people like this, and they could have brought the network down.”
Notably, the bug was not in the Bitcoin protocol itself but in its most popular software implementation. Some cryptocurrencies built using Bitcoin Core’s code were also affected—for example, Litecoin patched the same vulnerability on Tuesday.
Documentation describes the bug as a “denial-of-service vulnerability” that was introduced into Bitcoin Core in an update last year. The vulnerability essentially allowed miners—the people who run computers 24/7 to guess a number that adds a block of Bitcoin transactions to the blockchain for a reward—to create a kind of poisoned block by including a transaction that attempts to spend the same coins twice. This poisoned block could then be sent around the Bitcoin network, crashing the software of any user that receives it.
Bitcoin is a peer-to-peer network that works thanks to a network of “nodes” all making sure that transactions conform to the blockchain’s rules (for example, that you can’t spend the same coins twice). Roughly 95 percent of users running Bitcoin nodes use Core, and the now-fixed bug meant that any Core node receiving the poisoned block would have been instantly killed instead of simply rejecting it for being invalid.
This could, in a worst-case scenario, crash the entire network or fracture it so that clusters of nodes are split off from each other. According to Sirer, there would have likely been a flurry of activity by the community to bring the system back online after such an attack and it would not likely have been catastrophic but definitely disruptive.
By exploiting this vulnerability, the malicious miner would lose out on the reward for creating the poisoned block—12.5 bitcoins, or just under $80,000 USD at the current value of Bitcoin—but presumably attacking Bitcoin would be worth it for them.
“The fact that lots of people are using something doesn’t mean they’re critically looking at its code, or that they’re not blind to fundamental mistakes” Sirer said. “The one thing that does help is to have multiple versions of the same software.”
“Another lesson from this episode is that monocultures are very dangerous.”