A Bitcoin Core vulnerability has been disclosed publicly by a developer and according to reports, the vulnerability was seemingly being actively exploited on Bitcoin Cash.
The vulnerability was publicly disclosed by bitcoin developer and CTO at Purse Christopher Jeffrey. At the time of this writing the vulnerability is still not patched at Bitcoin Core. Some Bitcoin Core developers have strongly criticized the disclosure as being irresponsible because it had not yet been patched, but Jeffrey says: “This is already fixed in multiple implementations including bcoin and Bitcoin ABC.”
As it goes, there are some implementations that allow for the creation of special transactions that can spend many transactions from many outputs. As they are loaded onto memory, they can reach a size of 8GB, crashing nodes.
He added that BitcoinJ, libbitcoin, and Parity Bitcoin were never affected in the first place. According to the developer, the vulnerability shouldn’t be a huge problem considering that Bitcoin is a decentralized protocol where people should be using multiple different implementations. He went on to add that implementation centralization has the potential of killing bitcoin one day.
He continues that this particular vulnerability isn’t going to break bitcoin, but it is a reminder that single points of failure could happen if implementation centralization occurs. He adds that the vulnerability isn’t a zero-day as he had already disclosed the vulnerability to a number of different node implementers. These include Sipa (core), Jeff Garzik (btc1), Laolu (btcd), and deadalnix (bitcoin abc).
The vulnerability has not been patched in Bitcoin Core. The reason for their failure to do so remains unclear. Jeffrey says he informed them 2 months ago. Sachets took two days to implement the patch, he says, while Bitcoin Core still hasn’t at the time of writing.
Jeffrey says: “It was patched, in multiple implementations. Just not Core. It’s not my problem if one implementation is lagging behind when I warned them ages ago.”