Over the last 24 hours, the cryptocurrency community has been discussing a critical vulnerability that was found in the Bitcoin Core (BTC) reference client. A bug introduced in Bitcoin Core version 0.14, that also affects all subsequent versions, could have caused a great majority of current Core nodes to crash. According to the developer’s Optech newsletter, Core contributors released a patch that fixes Core version 0.16.2 and the latest 0.16.3 fix requires an immediate upgrade.
An Anonymous Individual Discloses a Critical Bug Found in Bitcoin Core Clients
The whole community is talking about a vulnerable bug that was introduced into the Bitcoin Core reference client two years ago. The issue found in Bitcoin Core software (patched now) versions 0.14 and above has brought about another heated discussion concerning the fallibility of developers, and using a single reference client as opposed to using multiple implementations. The bug in question went unnoticed for two years when it was introduced in November of 2016 and a great majority of Core contributors accepted (ACK) the change without many questions.
According to developers, the bugs’ patch release notes, and the Optech newsletter, an anonymous individual reported the bug to Core contributors. Essentially, the vulnerability found in Bitcoin Core software would have allowed a malicious actor with a mere 12.5 BTC to crash roughly 90 percent of Core nodes. The Fast Internet Bitcoin Relay Engine (FIBRE) baked into Core would have made matters worse because of the way FIBRE propagates blocks.
“[CVE-2018-17144] A bug introduced in Bitcoin Core 0.14.0 and affecting all subsequent versions through to 0.16.2 will cause Bitcoin Core to crash when attempting to validate a block containing a transaction that attempts to spend the same input twice,” explains the Optech newsletter.
Such blocks would be invalid and so can only be created by miners willing to lose the allowed income from having created a block (at least 12.5 XBT or $80,000 USD).
Are Bugs and Exploits a Compelling Argument for Multiple Clients?
Of course, the bug started a ferocious debate in regard to the BTC community putting Core developers up high on a pedestal all these years. Further, the bug re-invoked a compelling argument for multiple clients. For example, Bitcoin ABC released a patch for the vulnerability two days ago, but both Bitcoin XT and Bitcoin Unlimited were unaffected by the issue. On Reddit Bitcoin Unlimited’s Peter Rizun has emphasized this is why having multiple implementations is a good idea.
“Wow, isn’t this one of the most serious consensus bugs ever? It affects all BTC Core nodes and the only thing preventing unbound inflation is the fact that the nodes crash, taking down the entire BTC Core network instead,” Rizun says on September 19.
Maybe multiple implementations aren’t such a bad idea, after all, Greg Maxwell? I think only ABC is affected for Bitcoin Cash.
The issue people have with a majority dependence on one reference client, is because some people say history has shown that alternative clients can be very beneficial when critical bugs are discovered, like the one introduced in Bitcoin Core 0.14. For instance, when over the last couple of years consensus bugs were found in Ethereum’s Geth, the network still had Parity clients to rely on and vice versa.
At the time of writing, there are 9628 nodes running on the BTC network and 9135 are Bitcoin Core nodes. That’s 94 percent of the BTC network running one reference client and every node is affected by any issues found within Core’s codebase. This means bugs not only have to be fixed fast, but mandatory upgrades have to be speedy too. In contrast to the BTC network dominated by Core nodes, there are currently 2006 nodes running on the BCH network but only 59 percent are Bitcoin ABC nodes. So much like the ETH network, client diversity gives BCH 738 Bitcoin Unlimited (BU) nodes covering 39 percent of the network.
Additionally, according to a comment on r/bitcoin, Lightning Nodes could also be vulnerable to attacks due to the recent Bitcoin Core bug.
The recent bug confirms to many cryptocurrency proponents that being dependent on one development team’s QA process, as opposed to client diversity and multiple development teams, can be extremely risky — Especially when an exploit like this is found in production and tethered to a $100 billion dollar system.