Thanks to a culture of responsible disclosure, Bitcoin developers have managed to keep their major coding bugs secret. For years, senior developers simply patched security holes while keeping their mouths shut, and this silence prevented hackers from exploiting those vulnerabilities.
However, a new move toward transparency is revealing a fascinating history of coding errors in Bitcoin.
On January 14, 2021, Aaron van Wirdum announced the release of Bitcoin Core 0.21.0, a major update to the Bitcoin Core software. Wladimir van der Laan, then the main Bitcoin maintainer and second successor to Satoshi Nakamoto, signed the software release that merged over 600 pull requests into production, and over the following weeks miners and node operators manually upgraded their full nodes.
Fast forward to today, three and a half years after developers recommended node operators upgrade to version 0.21.0. The current Core version is 27.1.
Since so much time has passed, they decided to reveal the truth about that update which not only enabled a number of positive features but also fixed important bugs. including bugs that could have allowed hackers to steal bitcoins.
Wisely, the developers remained silent while most node operators upgraded to 0.21.0 or higher.
Currently, Core versions like 21.0 and earlier are considered “end of life” in developer parlance. That means they are no longer maintained and have minimal use by node operators. In fact, over 90% of Bitcoin nodes are running software version 0.21.1 or higher. There are still roughly 400 reachable nodes still running version 0.21.1 (just above the version revealed this week) and they have refused to upgrade for years.
Read more: Is it illegal to operate a Bitcoin Lightning node?
A new vulnerability disclosure policy
Many Bitcoin Core developers have adopted a new security vulnerability disclosure policy. In early June, many agreed that it is safe to disclose major security issues that have been fixed for at least a year and a half. That policy allows them to disclose security bugs up until Bitcoin Core version 24.
They are proceeding deliberately from the beginning, starting with this week’s disclosure of major bugs affecting version 20 and earlier.
This disclosure affects approximately 426 nodes that are accessible today on the public Bitcoin network. This curious cohort runs Core version 0.20.1, which is four years old, and is Affected by recently revealed security bugs.
Here are 10 mistakes Bitcoin developers have admitted to this week.
- Remote code execution due to a bug in miniupnpc, patched with Core 0.12.
- Denial of service due to multi-peer node failure with large messages, patched with Core 0.10.1.
- Unconfirmed transaction censorship patched with Core 0.21.0.
- Unbounded CPU/Memory Denial of Service banlist, patched with Core 0.20.1.
- Network split due to excessive time adjustment, patched with Core 0.21.0.
- CPU denial of service and node crash due to orphan handling, patched with Core 0.18.0.
- Memory denial of service due to large ‘inv’ messages, patched with Core 0.20.0.
- Memory denial of service via low difficulty headers, patched with Core 0.15.0.
- CPU-intensive denial of service due to malformed requests, patched with Core 0.20.0.
- Memory leak when parsing BIP72 URIs, patched with Core 0.20.0.
Read more: Bitcoin Optech celebrates years of major Bitcoin vulnerability fixes
Old but serious mistakes
Most of these bugs, if a node were running old versions of the Core software, would allow direct theft of funds. Yeah That node had bitcoins on the Lightning Network. For example, denial of service and transaction censorship attacks would allow a hacker to prevent a node from broadcasting a fair transaction, allowing them to close a Lightning channel with that node and steal all of its bitcoins.
One bug (netsplit due to excessive time adjustment) was even more serious, as it could allow an attacker to fork a node’s version of Bitcoin and thus possibly introduce a double-spending problem.
Later this month, the developers plan to reveal bug fixes prior to Bitcoin Core v22.0, and in August they will reveal bug fixes prior to Core v23.0.
Do you have any information? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Blue skyand Google Newsor subscribe to our Youtube channel.
(tags to translate) Bitcoin