Author: Suhas Daftuar 2019-02-25 19:29:21
Published on: 2019-02-25T19:29:21+00:00
A consensus vulnerability has been reported affecting Bitcoin Core versions 0.13.0, 0.13.1, and 0.13.2 which have reached end-of-life on August 1, 2018. The vulnerability arises from a design flaw in the construction of Bitcoin's Merkle tree. A related attack could be used to cause a vulnerable full-node implementation to fall out of consensus. This issue involves finding a row of interior nodes in the Merkle tree that successfully deserializes as transactions to make a block appear invalid. It requires less than 22 bits of work to accomplish this. Malleating a block's transactions to produce the same Merkle root has long been recognized as a way to cause a node to fall out of consensus. Malleation by "going up" the Merkle tree and claiming that some interior row is, in fact, the set of (64-byte) transactions in a block could be used to cause the Bitcoin Core 0.13 branch to incorrectly mark as invalid a block that has a valid set of transactions. A bug fix that effectively reverted the change was made just before the release of the 0.14 version of Bitcoin Core, and no later versions of the software are affected. The vulnerability was introduced as an unintended side-effect of a change made by the author. The author has scanned the blockchain and found zero instances where the first two hashes in any row of the Merkle tree would deserialize validly as a 64-byte transaction, so there are no blocks on Bitcoin's main chain (as of this writing) that could be used to attack an 0.13 node. The report includes a write-up with more details on the Merkle tree issues, including the duplicate transactions issue from CVE-2012-2459 and the SPV issue. The attached PDF provides additional information on the vulnerability. Disclosure of this vulnerability had been withheld before a mitigation was in place for the related SPV-issue. Once that became public last summer and a mitigation deployed, that concern was eliminated. Thanks to Johnson Lau and Greg Maxwell for originally alerting the author to this issue.
Updated on: 2023-05-20T19:47:39.701803+00:00