The Bitcoin’s bug from this week appears to be worse than the developers admitted early on.
The bitcoin world was shaken when the vulnerability was reported to be possibly adopted for shutting down a network chunk.
Although this seemed bad enough, it is revealed that the Bitcoin Core developers has kept the remaining part of the tip-of-the-iceberg as a secret. According to the official Common Vulnerabilities and Exposures (CVE) report, this could have been employed for creating new bitcoins other than the 21 million hard-cap of coin creation and inflate the supply, and thus devalue current bitcoins.
Apparently, such breach results in users not to trust to this cryptocurrency anymore.
This tragical bug made the developers resolve to keep it as a secret to buy some time to fix the problem and encourage miners and users to upgrade their software.
Bitcoin Cash (BCH)
Bitcoin Gold (BTG)
According to the CVE report issued by Bitcoin Core developers:
“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious denial of service vulnerability, concurrently with reaching out to miners, businesses and other affected systems, while delaying publication of the full issue to give time for systems to upgrade.”
For now, this plan appears to function.
According to this report, the patched version has been adopted by more than the half or Bitcoin’s mining hash rate; hence, the attack is not a thread anymore, and the developers are “unaware of any attempts to exploit this vulnerability.”
How did this come out?
For developers, this critical bug results in a lot of stress.
The report indicates that an anonymous user reported the denial-of-service bug to top Bitcoin Core and Bitcoin ABC developers, which is the main bitcoin cash software implementation. Matt Corallo, who is a Chaincode engineer and Bitcoin Core developer, realized that this bug could have been used for printing unlimited bitcoin, after around two hours.
The developers resolved initially to keep the details as a secret, given the severity of the vulnerability.
Rather they encouraged miners to upgrade, starting with Slush Pool. The action call remains the same for full note runner bitcoin users.
Theymos, bitcoin subreddit moderator, commented on the topic in a pinned post that “You should not run any version of Bitcoin Core other than 0.16.3. Older versions should not exist on the network. If you know anyone who is running an older version, tell them to upgrade it ASAP.”
Now, there is another problem: is a bitcoin chain split possible?
Users are using different versions of the bitcoin software; so, the network may temporarily split into two and come back together. The old software transactions may turn out to get lost ultimately.
Theymos believes that this risk can be ruled out although the case is under close surveillance. However, he advocated that people should be aware of such risks and take measures, e.g., wait more for transaction verifications.
“For the next week or so you should consider there to be a small possibility of any transaction with less than 200 confirmations being reversed,”
Yet, users may think of the possibility of that the bug has been already exploited.
A bitcoin user ask a question, a rightful one, though: Is there any possibility to make sure that this vulnerability was not exploited yet? Are there any fake bitcoins out?”
Fortunately, Pieter Wuille, who is a Bitcoin Coin contributor, remarked that such a suspicious activity would have been detected long since by bitcoin users thanks to the power of code.
If you download for the first time, the full notes check each and every transaction throughout bitcoin’s history. The problem would be immediately detected by any node running 0.16.3, the new software.
Still one may ask what would happen if this bug was not realized on time.
Theymos added: “Even if the bug had been exploited to its full extent, the theoretical damage to stored funds would have been rolled back.”
According to Theymos, the recovery period would be similar to the “value overflow incident” in 2010, the time that 187 billion fake bitcoins were created, and, in turn, destroyed.
Although the potential exploit has been cared for with a patch shared by Bitcoin Core, Litecoin, and some other coins, some might be still in danger in terms of the inflation bug.