Bitcoin Devs Community Is Worried after Major Software Vulnerability Is Discovered

Bitcoin 2 min, 49 sec READ

by Ricardo Carrasco

A bug that could potentially have destroyed Bitcoin as we know it was discovered last week. How does the Cryptosphere feel about this?

The Bitcoin community was hit hard last week as news of a major vulnerability in Bitcoin’s code became public, revealing that the Bitcoin network was unprotected for the last two years from a bug that could have allowed malicious actors to shut down significant parts of the Bitcoin Network, and even mint more Bitcoins than the system is designed to produce.

On September 20, a post was published in a public forum which provided a comprehensive overview of the full impact of the vulnerability. Although the post was soon retracted, the news spread quickly. Shortly after, the Bitcoin Core team published a post on Bitcoincore.org entitled “CVE-2018-17144 Full Disclosure” that stated:

CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0rc4, includes both a Denial of Service component and a critical inflation vulnerability. It was originally reported to several developers working on Bitcoin Core, as well as projects supporting other cryptocurrencies, including ABC and Unlimited on September 17th as a Denial of Service bug only, however we quickly determined that the issue was also an inflation vulnerability with the same root cause and fix.

Bitcoin prices were not affected by news of the vulnerability, possibly because most Bitcoin investors are not aware of the technical ins and outs of the cryptocurrency. According to the Bitcoin Core development team, the bug has already been solved after Bitcoin Core’s update to 0.16.3, but there have been reports that nodes running Lightning Network on the mainnet could still be vulnerable until they update their software.

What's Next for Bitcoin?

Despite the relief, many questions remain regarding other unknown bugs or vulnerabilities, and the possible consequences that would follow should malicious actors become aware of those before the dev community. 

Several users voiced their concerns about the subject on social media. Bitcointalk administrator “theymos” gave his opinion on the forum, adding he considers the Core release schedule being “too fast” among the possible causes behind such vulnerabilities,

The bug fixed in Bitcoin Core 0.16.3 was really bad. IMO it was the worst bug since 2010. If it had been exploited in a 0-day fashion, significant & widespread losses (due to acceptance of counterfeit BTC) would've been likely, and Bitcoin's reputation would've long been tarnished. Furthermore, since a ton of altcoins are based on Bitcoin Core, this would've affected a huge swath of the crypto space all at once.

Theymos added in defense of Core’s development,

Finger-pointing would not be constructive, but neither would it be sufficient to say "we just need more eyes on the code" and move on. This bug was very subtle, and I doubt that anyone would've ever found it by actually looking at the code. Indeed, the person who found it did so when they were doing something else and ended up tripping the assertion. Furthermore, this bug probably wouldn't have been found through standard unit testing, since this was a higher-level logic error.

Software engineer Pierre Rochard expressed his view in a series of Tweets, calling all Bitcoin hodlers to “take ownership” of the Bitcoin code review, adding that “[There are] no excuses not to”,