Fwd: [bitcoin-core-dev] On the initial notice of CVE-2018-17144 [combined summary]



Original discussion: bitcoin-dev mailing list

Published on: 2018-09-22T20:49:04+00:00


Summary:

Andrea Suisani's claim on Twitter that the report by awemany was about an inflation bug is challenged by sickpig in an email thread. Sickpig suggests that Andrea may have misunderstood the tweet and did not read it properly. The tweet referenced a Reddit post where awemany included a timestamped note about BitcoinABC not checking for duplicate inputs, which could create money out of thin air. This note was submitted before the report email was sent. Gregory argues that the report explicitly stated that inflation was not possible because the node crashed. Furthermore, awemany mentioned in the report that the code seems to prevent monetary inflation. It is speculated that awemany prioritized informing Core about the identified DoS vector rather than exploring the idea of creating coins out of thin air.

The discovered bug in Bitcoin Core and Bitcoin ABC can be exploited by miners, potentially inflating the cryptocurrency's supply. Awemany reported this vulnerability via email, although it is not classified as an inflation bug. Instead, it poses a problem by causing nodes to crash, necessitating a software update. The issue arises because CheckBlock does not check for duplicate inputs; that check is performed only when transactions are accepted into the mempool. A transaction included directly in a block bypasses the mempool, and with it the check. An assertion in SpendCoins appears to prevent the most severe outcome of monetary inflation by crashing the node. Despite existing in both clients, the vulnerability has not been exploited so far.

To address doubts within the community regarding the authenticity of awemany's email, Gregory Maxwell shared the full text online. An updated version has been released, but many nodes may remain vulnerable until they apply the patch. Users of Bitcoin Core and Bitcoin ABC are strongly advised to upgrade to the latest version promptly. The patch for Core involves changes to its net_processing.cpp, validation.cpp, and tx_verify.cpp files.

Notably, lines of code have been removed from the ProcessGetBlockData function in net_processing.cpp, which previously sent transaction messages to peers. Similarly, lines of code have been removed from the ProcessGetData function, which responded to peers' requests for transaction data. In both cases, vNotFound entries were added if no response was required or if the requested transaction was not in the mempool. Additionally, assertions in the SpendCoins and UpdateCoins functions in validation.cpp have been commented out. Lastly, a patch has been provided for Core, modifying the CheckTransaction function to skip the duplicate input check.

Upgrading to the latest version of Bitcoin Core and Bitcoin ABC is crucial to mitigate potential vulnerabilities caused by this bug.
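The duplicate-input check described in the summary, as an added example that is not code from Bitcoin Core, Bitcoin ABC or the thread. The types and the function names HasDuplicateInputs, CheckBlockTxs and SpendInputs are simplified, hypothetical stand-ins; the point is that the check runs during block validation, not only on mempool acceptance.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for illustration; these are not Bitcoin Core's types.
using OutPoint = std::pair<std::string, uint32_t>;  // (txid, output index)
struct Tx { std::vector<OutPoint> vin; };

// Context-free check: every input of a transaction must be a distinct outpoint.
bool HasDuplicateInputs(const Tx& tx) {
    std::set<OutPoint> seen;
    for (const OutPoint& in : tx.vin) {
        if (!seen.insert(in).second) return true;  // insert failed: already seen
    }
    return false;
}

// Block-level validation that runs the check on every transaction, so a
// transaction that never passed through the mempool is still covered.
bool CheckBlockTxs(const std::vector<Tx>& block) {
    for (const Tx& tx : block) {
        if (HasDuplicateInputs(tx)) return false;  // reject the whole block
    }
    return true;
}

// Toy spend step: removes each input from the unspent set. It returns false
// when an input is already gone, which is the condition the summary says an
// assertion in SpendCoins caught by crashing the node.
bool SpendInputs(std::set<OutPoint>& utxo, const Tx& tx) {
    for (const OutPoint& in : tx.vin) {
        if (utxo.erase(in) == 0) return false;
    }
    return true;
}
```

Rejecting the block in CheckBlockTxs means the spend step is never reached with a duplicated input, so validation fails cleanly instead of relying on a crash.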


Updated on: 2023-08-01T23:55:07.308379+00:00