A vulnerability considered to be of high severity affected Bitcoin Core until May 2023. This vulnerability and two more, considered to be of medium severity, affected the Bitcoin Core project until version 25.0.
The public disclosure of these flaws and their resolutions is due to Niklas Gögge, a developer who announced them through the Bitcoin developers' mailing list.
The first, of higher risk, allows attackers to “lock Bitcoin Core nodes remotely by triggering an assertion in the blocktxn message handling logic”.
The blocktxn message handling logic refers to how nodes on the Bitcoin network handle and process messages containing requested block transactions.

In short, this message handling allows a node to request missing transactions in the most recent block and reconstruct entire blocks to ensure their integrity on the chain. This message encoding logic is crucial to ensure the synchronization of the nodes and the data contained therein.
Exploitation of this vulnerability, which is still possible in versions of Bitcoin Core prior to 25.0, consisted of attackers deliberately causing collisions on nodes (making two different blocks share the same identifier) by interfering with the blocktxn handling logic.
Node collisions have important consequences, none of which involve the possibility of stealing bitcoin. Among them is the blocking of nodes. Blocking them decreases the number of active nodes, which reduces the decentralization and resilience of the network. In turn, this could potentially slow down the network.
Two other vulnerabilities in old versions of Bitcoin Core
Another vulnerability, this one of medium severity, affected the propagation of blocks in the Bitcoin chain. According to Bitcoin Core, before version 25.0 “a peer that sent mutated blocks could delete the download status of other peers that also announced the block to us, making it difficult for the block to propagate.”
The Bitcoin node client claims that this vulnerability was fixed by ensuring that a participant can only affect its own block download state and not the download status of other nodes. Mutated blocks are invalid blocks that contain altered information that does not correspond to the transactions contained therein.
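The fix described above can be sketched as a small model of per-peer download tracking. This is an added illustration, not Bitcoin Core source code; the class, function and peer names are hypothetical and the block identifier is a constructed sample value.

```cpp
// Added illustration, not Bitcoin Core source. All names are hypothetical.
#include <cstdint>
#include <map>
#include <set>
#include <string>

using PeerId = int64_t;
using BlockHash = std::string; // constructed sample values, not real hashes

// Tracks which peers each block is currently being downloaded from.
class DownloadTracker {
    std::map<BlockHash, std::set<PeerId>> in_flight_;
public:
    void Request(const BlockHash& h, PeerId peer) { in_flight_[h].insert(peer); }

    bool IsInFlightFrom(const BlockHash& h, PeerId peer) const {
        auto it = in_flight_.find(h);
        return it != in_flight_.end() && it->second.count(peer) > 0;
    }

    // Weak pattern: a bad block from one peer wipes the state for every peer.
    void RemoveAllPeers(const BlockHash& h) { in_flight_.erase(h); }

    // Corrected pattern: only the sender's own entry is removed.
    void RemoveForPeer(const BlockHash& h, PeerId sender) {
        auto it = in_flight_.find(h);
        if (it == in_flight_.end()) return;
        it->second.erase(sender);
        if (it->second.empty()) in_flight_.erase(it);
    }
};

// Returns true if the honest peer's download entry survives after another
// peer delivers a mutated copy of the same block.
bool HonestDownloadSurvives(bool scoped_cleanup) {
    const BlockHash block = "sample-block-A"; // constructed
    const PeerId honest = 1, mutator = 2;
    DownloadTracker t;
    t.Request(block, honest);
    t.Request(block, mutator);
    // The copy from `mutator` fails validation as mutated; clean up state.
    if (scoped_cleanup) t.RemoveForPeer(block, mutator);
    else t.RemoveAllPeers(block);
    return t.IsInFlightFrom(block, honest);
}
```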
A third error, also of medium severity, produced a denial of service in the propagation of blocks in the chain: that is, an overload of inventory messages that grew too large.
This caused (and still does in older versions of Bitcoin Core) an increase in the time needed to sort inventory messages that announce transactions to other nodes. This affected the ability of the involved nodes to communicate with their peers.
Recently, Bitcoin Core updated its security notice policy about vulnerabilities in Bitcoin. It distinguishes between four types of vulnerabilities: low, medium, high and critical, which are revealed from two weeks to a year after they are found.
As CriptoNoticias reported in this note, none of the three vulnerabilities presented have the maximum risk status.