Bitcoin Core Bug - a retrospective

On September 17, the Bitcoin Core Team was told that their version of the Bitcoin client had a dangerous security vulnerability. Not only because attackers could use it to crash nodes, miners could have used it to create more coins. The core developers have fixed the bug with a bugfix, but this should be a lesson for everyone.

"There's Something Like Divine Justice," commented Emin Gün Sirer, professor at Cornell University and one of the minds behind the Avalance Protocol, of the dramatic revelations surrounding the Bitcoin Core Client. Specifically, he commented on the retrospective of Awemany with this invocation of higher powers, in which he explained his difficulties, a security vulnerability to the core team to pass. Whether Emin Gün Sirer, according to his Tweets rather friend of Bitcoin Cash, for the treatment of Awemany meant or the error in the Bitcoin Core Client, is unknown. The drama certainly describes well what happened.

What kind of mistake was discovered in the Bitcoin Core Client?

The bug, listed as CVE-2018-17144, would not only have allowed attackers to crash Bitcoin Core clients. Miners could have created coins from nothing through double inputs. So the bug could have caused all Bitcoin core nodes to crash. Bitcoin core nodes make up 95 percent of the Bitcoin network, so you could have paralyzed Bitcoin with it. But that's not all: Creating new bitcoins would be one of the key value propositions, that of a fixed, unmanageable amount of money.

The vulnerability existed since the Bitcoin Core Client 0.14.0 - ie since August 3, 2017. Concretely, nodes of the versions 0.14.0 to 0.14.2 would have "only" crashed, nodes with version 0.15.0 and newer would be for the generation new coins vulnerable. For over a year, an attacker could have caused lasting damage to the Bitcoin ecosystem.

How did this mistake happend?

Polemically expressed: By a time saving of half a millisecond. Matt Corallo, co-founder of Blockstream, wanted to make receiving a new block more efficient through pull request # 9049 by eliminating an audit of transaction input. So far, checking a block with Double Spending would cause the client to crash. In 0.15, the developers wanted to simplify the handling of unissued transactions, because they no longer checked whether the issued token had previously not been issued. As banal as that sounds, it opens the door to the creation of "money out of nothing".

Is only Bitcoin Core affected?

Unfortunately not. Also Litecoin and Bitcoin Gold are affected. Several smaller cryptocurrencies such as syscoin or paicoin are also affected. Even Bitcoin Cash, whose environment was made aware of the error, did not manage without damage. The BitcoinABC and BitcoinSV clients are vulnerable to the vulnerability, while Bitcoin Unlimited and BitcoinXT have failed to implement the core team's developments and have emerged accordingly.

Can we be sure that there is no fake Bitcoin?

Both Bitcoin Core and the various affected systems have written bug fixes and are calling on the community to update their systems. But the question that many ask is whether we can be sure that the Bitcoin Supply has not been artificially puffed up yet. Pieter Wuille, however, was able to dispel this concern. Furthermore, the Bitcoin.org team emphasized that it would have rolled back even in the event of an exploit. That would not be the first time in Bitcoin's history: in 2010, the value overflow incident created 187 billion bitcoins out of thin air, but was quickly destroyed.

So all right? Not so fast: It can come in the course of the update to 0.16.3 to disorder. Some nodes already have the update, others not. Theymos warns therefore on / r / bitcoin that isolated transactions could be withdrawn. During this update, he recommends 200 transactions, one to two days, to wait before considering a transaction as secure.

What's left of this story?

Emin Gün Sirer argued with "Divine justice". This comparison is a bit exaggerated, but one can speak of the classic "menetekel". The value proposition Bitcoins and various other crypto currencies was questioned. In the case of various price drops we have always pointed out that fundamentally nothing has changed in the value of Bitcoin - this vulnerability could have done so sustainably. So what's left? Not only does each one have to do his due diligence, take the phrase DYOR (Do Your Own Research) seriously and remain critical in the best sense.

Developers must, as it happened here, overlook the trenches that separate the various crypto communities and support each other. If one of the big cryptocurrencies falls, it's bad for the entire ecosystem. If Bitcoin falls, especially due to a bug that also exists in the Bitcoin-Cash network, the whole industry can break. This pointer, which came by finding the vulnerability, shows: Whether you're Bitcoin Maximalist, Bitcoin Cash fan or Ethereum fan, we need to support each other. There were two comments on this in / r / btc: One expressed his happiness that cooperation across the crypto borders is possible. Another took the bug as an opportunity to point out links between Blockstream, Bilderbergen and the CIA. Which way should the crypto community go? I would be for the first.