An abnormally severe bug was discovered in bitcoin's software, prompting developers to put together and release a fix on Tuesday.
Fixed and revealed to the wider public by way of Bitcoin Core software version 0.16.3, the vulnerability is a denial-of-service bug. If exploited, it can be used to take out nodes and at worst, temporarily crash a significant segment of the network.
However, not everyone has the power to take advantage of the bug. Only miners, those that run hardware and spend energy ordering transactions on the network, can exploit the vulnerability by double spending a transaction and placing it in a block.
But, it's not exactly painless for them to execute, either. If they try the attack, they would lose their block reward, which is worth more than $75,000 at today's prices.
The vulnerability was introduced in Bitcoin Core version 0.14.0, which was first released in March 2017. But the issue wasn't found until just two days ago, prompting contributors to the codebase to take action and ultimately release a tested fix within 24 hours.
And luckily, most bitcoin users don't have to do anything to be protected from the vulnerability now.
Developers stressed that "stored" bitcoins are not at risk. Yet, it could impact those using the Lightning network, an in-development transaction layer that seeks to allow faster and cheaper transactions.
Still, because the bug is potentially dangerous for the network, developers strongly advise users who are running so-called "full nodes" that store bitcoin's complete transaction history to upgrade their software. Moderator Theymos also pinned a notice to the top of the bitcoin subreddit.
The Bitcoin Core notes describing the software patch state:
"We urge all network participants to upgrade to [the new software] as soon as possible."
As it turns out, a popular quote in tech circles aptly applies to this kind of bug.
"A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable," said famous computer scientist Leslie Lamport.
In this particular circumstance, a miner making a faulty transaction can impact nodes running across the network. As noted in the Bitcoin OpTech newsletter, a miner would need to try to double spend some bitcoin in order to crash bitcoin nodes.
Bitcoin's code is set up largely to guard against this kind of problem, but this bug shows how a way around such measures managed to seep through.
Perhaps the biggest impact is on bitcoin-tied technology that isn't ready for primetime. If this attack were to be executed, bitcoin users running Lightning on the mainnet could be impacted.
"If you're reckless enough to be running lightning, you should really update ASAP, or close your channels. Updating is easy enough luckily," Blockstream engineer Gregory Sanders urged on reddit.
Since Lightning is in such an early stage, it requires users to watch their "channels," which hold their bitcoins in the experimental layer. That way they can stop a party they've established a channel with if that party attempts to cheat. Of particular concern here though: if a user's node is crashed by a miner exploiting this bug, a malicious actor could use the opportunity to cheat other Lightning users.
Even so, some developers argue that successfully doing all of this would be pretty hard to accomplish.
âI find it highly unlikely it has much of an impact,â developer Justin Camarena told CoinDesk.
That's why some argue that regular users don't need to worry about it, although there's been a general sense of urgency in light of the overall risk.
"Unless you're running a business or lightning network node you really have no funds at risk," Sanders added later.
Yet how significant this bug is in the context of bitcoin's history remains difficult to figure out.
Blockchain.info data engineer Antoine Le Calvez tallied up a list of similar exploits made over the years, showing that they were more common in bitcoin's earlier years.
But Bitcoin Core contributor Luke Dashjr responded by arguing that exploits might not be decreasing over time as the data suggests.
"Sadly, I think recent years suffer from lack of disclosure rather than having fewer exploits," he said.
He went on to admit he doesn't know why this is the case, but he nonetheless argued that some bugs in the bitcoin software are found and patched up, yet are never publicly disclosed.
Meanwhile, others are drawing other conclusions from the bug, namely that bitcoin programmers are mere mortals. OpenBazaar lead developer Chris Pacia went as far as to argue that while many users argue that bitcoin developers are among the best in the world, this proves they're actually normal developers who run into obstacles.
"Bugs happen. This is a fact of life," he remarked on Twitter. "I'm not criticizing them for having a bug. I'm criticizing the idiot minimalists who insist Core developers are God-like individuals."
Still, Camarena thinks that because of the bug's nuances and how difficult the attack is to execute, people are making too big of a deal out of the bug.
He told CoinDesk:
"It's a serious bug, but not as bad as some are making it to believe."