Bitcoin engineers have rediscovered a major blockchain vulnerability found in 2018 on the software that powers the Bitcoin blockchain, Bitcoin Core. The vulnerability was discovered on Decred (DCR).
The vulnerability was first found by Bitcoin protocol engineer Brandon Fuller. Called INVDoS, short for inventory out-of-memory denial-of-service attack, it could see an attacker create malformed Bitcoin transactions that, when processed by nodes, would lead to an uncontrolled consumption of the server’s memory resources, leading to an eventual crash of affected nodes.
In a paper, Fuller wrote:
At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges
INVDoS, according to ZDNet, also impacted Bcoin and Btcd servers, as well as cryptocurrencies built using the original Bitcoin protocol. These include Litecoin, Namecoin, and Decred. Per Fuller, the bug was dangerous as it could “contribute to a loss of funds or revenue.”
This, he added, could be through a loss of mining time or expenditure of electricity by shutting down nodes. It could also be through the “disruption and delay of time-sensitive contracts or prohibiting economic activity.” Exchanges, e-commerce, atomic swaps, escrows and lightning network payment channels could be hit.
In 2018 the vulnerability was quietly patched and kept a secret, to avoid hackers exploiting it on other blockchains build using the original Bitcoin protocol, such as Litecoin and Namecoin. At the time, the generic identifier CVE-2018-17145 so it would not tip off attackers.
INVDoS was, however, rediscovered by another Bitocin protocol engineer earlier this year, as Javed Khan found it while looking for bugs in the Decred cryptocurrency. The bug was reported to its bug bounty program, and later on disclosed so other cryptocurrencies using the same protocol could patch it.
Both Fuller and Khan asserted that, as far as they know, the vulnerability has not been exploited.
Featured image via Pixabay.