Critical Bug Would Have Allowed Hackers to Create Bitcoin, Detector Hints at Sabotage

Bitcoin Core developers acknowledged a potentially devastating vulnerability in the code of the original cryptocurrency and appealed to miners to upgrade to their newly issued patch with immediate effect.

If exploited, bug CVE-2018–17144 would have permitted bad actors to shut down entire nodes and create Bitcoin, supposedly debasing the largest cryptocurrency by market capitalization.

The issue has apparently existed since the March 2017 release of Bitcoin Core 0.14.0, and yet the coin’s developers assured that it has not been exploited, and that half of the network’s hashrate has already upgraded to the new fix.

Double-Banger

The bug, which was purportedly discovered Sept. 17th by Bitcoin Cash and Bitcoin Unlimited developer Awemany, was at first reported to have been a denial-of-service vulnerability only—it was not until days after its public disclosure that Bitcoin Core developers revealed its second, possibly catastrophic, “critical inflation” component in a report on their website, Sept. 20th.

Congratulations to awemany for making this important discovery and helping Core fix their software. Fake coins being mined into the blockchain would have threatened the legitimacy not only of BTC, but of cryptrocurrency in general.

— Peter R. Rizun (@PeterRizun) September 21, 2018

To Bitcoin Core, the omission was a calculated one, explaining they intended to remedy affected systems before disclosure — presumably to minimize the chance of exploitation. They wrote:

“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade.”

Whistle-Blower Explains Bug, Tables Foul Play

Having sounded the alarm, the pseudonymous developer has now come out with several stunning allegations drawing the integrity of Bitcoin and its development team into question.

The developer explained in a blog post that the bug was the outcome of fellow developer Matt Corallo’s November 2016 pull request, which shaved a cool 600 microseconds off Bitcoin block validation. To Awemany, that optimization spawned CVE-2018–17144, or what he describes as “one of the most catastrophic bugs in Bitcoin ever”.

Going on, Awemany pushed a number of Core developers into the firing line, blasting them with descriptions as colorful as “overblown egos”, and suggesting they had attempted to “handicap” Bitcoin with a 1MB block limit.

The developer did not stop there, however, going as far as to suggest the bug may have been a treasonous attempt to irreparably tarnish the reputation of Bitcoin and its worth as a store of value.

He wrote:

“I always feared that someone from the bankster circles, someone injected into the Bitcoin development circles with the sole goal of wreaking unsalvageable havoc, would do exactly what happened. Injecting a silent inflation bug. Because that is what would destroy one of the very core advantages that Bitcoin has over the current status quo.”

Despite priming readers with such a grave hint, Awemany explained that the “sheer arrogance and hubris” of a Core developer was a more likely explanation for the bug, however, and called for bipartisan efforts to stomp out bugs in Bitcoin and its offshoot, Bitcoin Cash.

Where crisis appears to have been largely averted—with Bitcoin Core still calling for all affected parties to apply the patch—the issue would prove that there may be far more pressing hurdles facing the original cryptocurrency than regulatory approval.