Major Bug in Bitcoin Code Could Have Wrecked the Currency

On Tuesday, developers of Bitcoin Core – the software used to power the Bitcoin blockchain – released a note announcing that they'd patched a vulnerability that would have allowed a user to interfere with network and crash it, making the digital coins practically useless. The bug was described by a Bitcoin.org co-owner, whose Twitter handle is @CobraBitcoin, as “very scary.”

​“For less than $80,000, you could have brought down the entire network,” Emin Gün Sirer, an associate professor of computer science at Cornell University, told Vice. “That is less money than what a lot of entities would pay for a zero-day attack on many systems.”

The bug was found in the Bitcoin Core code itself, which is a software implementation used by several other cryptocurrencies. Litecoin, for example, patched it on Tuesday. The technical documentation described the bug as a “denial-of-service vulnerability.” The exploit allowed miners — who run computers to generate a number that adds a block of Bitcoin transactions to the blockchain, granting them new coins of the cryptocurrency — to create "poisonous" blocks that try to spend the same coin twice.

Bitcoin relies on a peer-to-peer network of “nodes” to enforce the blockchain’s rules, perhaps the most important of which disallows users from making multiple transactions with one coin. Normally, any such request would simply be rejected by the network, but the poisoned block, if added to the blockchain, would have crashed the software of any Bitcoin Core user who received it. If the exploit spread across the network, it could have fractured it into smaller parts, or even brought it down it entirely.

“There would have likely been a flurry of activity by the community to bring the system back online after such an attack, and it would not likely have been catastrophic but definitely disruptive,” Sirer said, noting that a miner who created a poisoned block would lose out on 12.5 Bitcoins — under $80,000 USD at the cryptocurrency’s current value. While that may seem like a lot of money down the drain, it would be a small price to pay for an attacker — or group of attackers — who wanted to render the blockchain unusable.

READ MORE: Iran Readies Own Digital Currency to Get Around US Sanctions – Reports

The patch was released for Bitcoin Core-based cryptocurrencies, but only in the newest version of the software, making smaller cryptocurrencies using older or copycat versions of the code still vulnerable to attacks using the exploit.