Published on: 2018-06-09T13:02:55+00:00
A vulnerability in Simplified Payment Verification (SPV) wallets and nodes has been discussed in an email thread among members of the Bitcoin community. The attack can bypass thousands of confirmations without a Sybil attack, impacting SPV wallets. However, the protections needed for SPV nodes are different and should be considered separately. One way to prevent accepting payments is by checking if any Merkle node is also a valid transaction. This reduces the problem, with false positive rates kept under one in a billion. It has been reported that an attacker with $1.3 million could perform a brute-force attack on 72 bits in four days using ASICs. Therefore, it is advised not to accept more than $1 million using an SPV wallet. However, it has been pointed out that a fake block can be created at a lower cost along with a sybil attack to fool SPV wallets. The attack can be repeated, allowing for multiple parties to be attacked without additional computation.RSK reported a vulnerability affecting hundreds of SPV wallets and systems relying on SPV proofs. They discovered the vulnerability in 2017 and emphasize the need to fix it as their SPV bridge depends on SPV proofs. However, Peter Todd argues that pruned nodes can be made invulnerable to the attack while still being able to verify merkle path tx inclusion proofs. He suggests that fixing the attack for SPV may not be necessary as they can be attacked at a much lower cost by generating fake blocks. Sergio Lerner apologizes for discussing the issue publicly earlier and urges the Bitcoin community to work towards ensuring the security and clean-design of Bitcoin.The vulnerability in the Bitcoin Merkle tree algorithm, which fails to distinguish between inner nodes and 64-byte transactions, was discussed in an email chain. This poses a potential problem for transaction inclusion proofs, as a miner could create a transaction committing to one not in the blockchain. One solution is to compare the length of the Merkle path to the known depth, avoiding the issue. It has been suggested to use version bits to indicate the tree depth or ban transactions with a size lower than or equal to 64. The possibility of maintaining validation of old transactions by caching the number of transactions in previous blocks has also been discussed.In summary, a vulnerability in SPV wallets and nodes has been reported, which can be bypassed without a Sybil attack. Measures to prevent the attack are different for SPV wallets and nodes. An attacker could perform a brute-force attack on 72 bits with $1.3 million, making it advisable not to accept more than $1 million using an SPV wallet. However, a fake block can be created at a lower cost along with a sybil attack to fool SPV wallets. RSK discovered a vulnerability in 2017 and urges the Bitcoin community to fix it. The Bitcoin Merkle tree algorithm fails to distinguish between inner nodes and 64-byte transactions, causing a problem for transaction inclusion proofs. Solutions such as comparing the length of the Merkle path to the known depth or using version bits have been proposed.
Updated on: 2023-08-01T23:26:26.925936+00:00