The vulnerability, called CVE-2018-17144, existed in the Bitcoin code since the release of Bitcoin Core version 0.14.0 and could lead to a DoS attack and Bitcoin inflation. The Bitcoin developers received a report on it only a year and a half later from a mysterious anonymous source. We have restored the chronology of those events.
Tweets with bug mentions started appearing on September 18. In the evening of that day, a message appeared on the Twitter of Bitcoin Cash with the sarcastic hashtag #BestDevelopersInTheWorld "A critical consensus bug found in Bitcoin Core software (patched now) would have allowed a malicious actor to crash 95 percent of BTC nodes."
With the appearance of partial information about the detected bug, the community had to wait for the full official report for several days until it was published on the Bitcoin Core website on September 20.
One of the Core developers, Luke Dashjr, said that "there is: CVE-2018-17144, but only miners can exploit it, at a cost, so depending on your priorities, you may not want to interrupt your holiday." The cost of the attack would be only relatively large and equal to the current award of the miner (12.5 Bitcoins, or $80,600). But in return, a hacker could issue Bitcoins in excess of the set fixed emission and double-spend any amount.
In a post published on Bitcointalk on the weekend, the moderator of Bitcointalk and the subreddit r/Bitcoin Theymos called this bug the worst since 2010. Back then, the generated 74,638th block contained a transaction of 184.4 billion Bitcoins, which was 8,780 times higher than the total emission of Bitcoin. The hacker found that for checking transactions for spent coins, the code did not work for large transactions. Satoshi and other Bitcoin developers released a software update, but the network with billions of extra coins managed to survive for nine hours.
On September 20, the Bitcoin Core developers confessed that they decided to hide one of the two vulnerabilities discovered, "to release updates as soon as possible." "In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade," the Bitcoin Core website stated.
The vulnerability was contained in versions of Bitcoin Core from 0.14.0, when optimization was added, which avoided costly checks that multiple inputs of one transaction did not use the same input twice. In Bitcoin Core 0.15, another change was made: instead of claiming that the output marked as expended was not previously consumed, the system simply claimed that it exists. Thus, in Bitcoin Core 0.15.X, 0.16.0, 0.16.1, and 0.16.2, when trying to double the transaction output within a single transaction within the block (the one in which the consumable output was created), the system would issue an approval error. If the output that was being attempted to be double spent was created in the previous block, the miners can request the amount already spent twice and thus create Bitcoin inflation.
On the night of September 17, Bitcoin Core published two client versions that do not contain the detected bugs: Bitcoin Core 0.17.0rc4 and Bitcoin Core 0.16.3. At the time of publication of the official announcement (September 20), the Core developers wrote that, according to their assumptions, more than half of the Bitcoin hash has already been updated with nodes.
Announcements with an appeal to update the software were published on Reddit, Bitcointalk, and Twitter. "You should not run any version of Bitcoin Core other than 0.16.3. Older versions should not exist on the network. If you know anyone who is running an older version, tell them to upgrade it ASAP," writes Theymos in a post pinned at the top of the subreddit r/Bitcoin.
On Monday, September 24, Luke Dashjr published a diagram showing that more than 87 percent of the network can still suffer from bugs. Such slowness of the miners caused a lot of questions to rise, including the very idea of decentralization. "Ugh, 87 percent of the #Bitcoin network is *still* vulnerable to CVE-2018-17144. Every day this goes on, we are trusting miner(s) and lose credibility with the decentralized network claim," Dashjr wrote. "This is what happens when people fetishize "decentralization" without considering what it's even there for. At this point, upgrade your own node and the problem is solved. Who cares about Bob's long-forgotten Raspberry Pi node?" wrote Matt Corallo.
And according to Emin Gun Sirer, "The percentage of the network not upgraded after a major patch corresponds to economically worthless nodes. If they did or affected something useful, someone would have bothered to upgrade them."
Coindesk noted that not even all the projects related to Bitcoin by blood ties quickly released a patch. The first to do so were Omni Layer, Bitcoin Cash, and Litecoin.
In addition to the obvious threat of attack, the non-updated software contains a threat of mining unacceptable blocks, invalid transactions, and even network forks (and when the resulting two branches merge back into one, the transactions from the "unextended" chain will be automatically canceled). Theymos noted that the last scenario is unlikely, but still advised taking precautions and "to take into account that any transaction with less than 200 confirmations can be canceled in the coming week."
Chronology of Events
September 17, 2018 (UTC time):
2:57 PM Someone anonymously reports a critical vulnerability (about the DoS-bug) to Bitcoin developers from different projects: Peter Wuille, Gregory Maxwell, and Wladimir van der Laan from Bitcoin Core; a developer under the name deadalnix from Bitcoin ABC, and developer sickpig from Bitcoin Unlimited. As Theymos notes, "since tons of altcoins are based on Bitcoin Core, this would simultaneously affect a large part of the crypto space."
Later, the "responsibility" for the message about the bug was taken over by the developer of Bitcoin Cash and Bitcoin Unlimited under the nickname Awemany. His Medium profile contains only one story published on September 22 called "600 microseconds." That is exactly how much one of the Core-developers Matt Corallo wanted to optimize the validation of blocks by publishing a corresponding offer on GitHub in 2016. Awemany blames this change for "definitely the most catastrophic bug in recent years and one of the most catastrophic bugs in the entire existence of Bitcoin."
3:15 PM Gregory Maxwell tells of the bug to Corey Fields, Suhasu Daftaru, Alex Mokros, and Matt Corallo.
5:47 PM Matt Corallo discovers another bug, an inflationary one, which can allow malicious attackers to release any number of new Bitcoins. "We quickly determined that the problem was also in an inflationary vulnerability and it had the same roots and the same solution," the report said.
7:15 PM Matt Corallo is trying to contact the CEO of the Slushpool mining pool so he will be given the patch that eliminates the vulnerability as soon as possible.
8:15 PM John Newbury and James O'Byrne, Bitcoin Optech developers, are informed of the vulnerability and help alert companies that a patch will soon be released to fix the DoS vulnerability.
8:30 PM Matt Corallo speaks with the CTO and CEO of Slushpool and passes them a patch, reporting only on the DoS vulnerability.
8:48 PM Slushpool confirms that it carried out an upgrade.
9:30 PM An anonymous informant received a reply with gratitude.
9:57 PM A patch is published on Github along with a test demonstration of the DoS-bug.
9:58 PM Bitcoin ABC publishes its patch.
10:07 PM Bitcoin Optech members and other developers are sent an email with a link to Github and a patch.
11:21 PM The version of Bitcoin Core 0.17.0rc4 with bug fix is added.
September 18, 2018:
12:24 AM The version of Bitcoin Core 0.16.3 with a bug fix is added.
8:44 PM Bitcoin Core release binary files and announcements.
9:47 PM Bitcointalk and Reddit publish banners calling for software updates.
September 19, 2018:
2:06 PM Newsletter from Peter Wuille with another call to upgrade the software.
Not the Best in the World?
Many developers and Bitcoin enthusiasts took responsibility for not detecting the bug. "I take full responsibility for having run a node that included the CVE-2018-17144 bug. No one forced me to use buggy software," Michael Goldstein, president of the Nakamoto Institute, wrote. "I am responsible for the CVE-2018-17144 bug," wrote John Newbery. "Bugs happen. This is a fact of life. I'm not criticizing them for having a bug. I'm criticizing the idiot minimalists who insist Core developers are God-like individuals and certainly The Best Devs in the World," said Chris Pacia, a leading developer of OpenBazaar.
Theymos also notes that the Core-developers have "done a good job" in recent years and, in the case of the latest bug, were able to provide updated software that protected the network. "I am thankful for their work and diligence," writes Theymos, while noting that "the fact that the bug . . . could exist from 0.14.0 to 0.16.2 was undeniably the main mistake," and if the Bitcoin Core policy is not changed, in the future the situation will inevitably be repeated. "We may not be so lucky next time," writes Theymos.
He assigns responsibility not only to the main developers, but also to the entire community, and first of all, to the numerous projects that are connected with Bitcoin and use it in their activities, but did not help the Core developers. "It will not be very constructive to finger-point, but it will also not be enough to say ‘you just need to keep track of the code’ and move on. This bug was very complicated, and I doubt that it could be found just by looking at the code . . . Moreover, this bug might not have been detected with standard unit testing, because the error was in higher-order logic. Perhaps all major Bitcoin companies should allocate qualified specialists for the Core. This vulnerability could be detected with sophisticated testing methods, and, at the moment, many companies do not contribute to the development of Core . . . I do not know exactly how you can prevent this from happening again, but I know that for the community, it will be a mistake to brush off this bug simply because it ended mostly painlessly this time."