Bitcoin Core developers urged all nodes to implement a patch on Friday, September 21, in order to prevent the exploitation of a recently discovered bug in the Bitcoin protocol. The bug, called CVE-2018-17144, was originally reported to the Bitcoin Core team by Bitcoin Cash developer Awemany on September 17.
A Bug in the System
The discovery of the bug and the Core developers attempts to address it have caused ruffled feathers in the crypto community. Allegations of incompetence and bad-faith have been leveled by members of both the Bitcoin (BTC) 00 and Bitcoin Cash community as developers attempt to patch the bug.
CVE-2018-17144 was initially reported as a potential denial of service bug, but developers on the Core team discovered the root issue impacted both denials of service and inflation vulnerability. The Bitcoin Core team has released a timeline in its announcement about the bug, showing the steps undertaken as the team went from being made aware of the bug’s existence to releasing a patch.
The CVE-2018-17144 bug originated in Bitcoin Core .15, originating as part of a change which was designed to help simplify the tracking of unspent transaction output. This change left Bitcoin versions .15X through .16.2 vulnerable to the bug — as well as any altcoins or forked versions of Bitcoin that were still using code containing the bug.
Crucially, the implantation of the code which caused the bug was led by the same developer who was integral in implementing the fix. This has added to suspicions that the release of the patch was not handled correctly.
Lying in Wait
Worryingly for many, the bug had been sitting undiscovered in the code for two years, raising concerns about what other issues may be lurking in Bitcoin just waiting to be exploited. In a post from Medium contributor Awemany, it’s noted that it would have been just as easy for him to short BTC — and exploit the bug — as it was for him to report the bug the Core team.
The Bitcoin Core team has been heavily criticized for the manner in which they rolled out the announcement about both the bug and the patch. For Bitcoin and many of the altcoins which rely on the same code, the decision to announce the bug and patch without consulting members of the altcoin networks that would have been impacted by a successful exploit was seen by some as political and mean-spirited.
Despite the promise of decentralization and transparency promised by crypto advocates, the CVE-2018-17144 episode illustrates just how dependent many projects are on the decisions made by a relatively small number of members of the community. If the actors in this saga had made a handful of decisions differently, billions of dollars of value could have been wiped out. Hopefully, this episode leads to clearer standards around bug discovery and patching, and a more harmonious culture between various developer teams.
What are your thoughts on Bitcoin bugs? Let us know in the comments below!
Images courtesy of Shutterstock.
