The Latest Bitcoin “Inflation” Bug Was So Bad, Developers Kept Its Full Details a Secret

Standard procedure for any serious bug.
Over half of bitcoin’s mining hash rate has upgraded to the patched software version,
meaning the attack can no longer be used.


This week’s major bitcoin bug was even worse than developers initially let on.

The bug originally rocked the bitcoin world when it was reported the vulnerability could be used to shut down a chunk of the network.

While this sounded bad enough for many, it turns out developers for Bitcoin Core kept a second, bigger part of the bug a secret. As disclosed through an official Common Vulnerabilities and Exposures (CVE) report, an attacker could have actually used it to create new bitcoin – above the 21 million hard-cap of coin creation – thereby inflating the supply and devaluing current bitcoins.

Such a perversion of the rules would, at worst, according to many, make users not trust the cryptocurrency anymore.

Because of the disastrous implications of the bug, developers decided to keep it a secret, buying themselves time to fix the exploit and urge miners and users to upgrade their software.

The CVE report written by Bitcoin Core developers explains:

“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious denial of service vulnerability, concurrently with reaching out to miners, businesses and other affected systems, while delaying publication of the full issue to give time for systems to upgrade.”

And for now, the plan seems to have worked.

Over half of bitcoin’s mining hash rate has upgraded to the patched software version, meaning the attack can no longer be used, and developers are “unaware of any attempts to exploit this vulnerability,” the report states.

Who found it?

Finding such a serious bug was a stressful position for developers to be in.

According to the report, an anonymous user originally filed a report about the denial-of-service bug to top developers of Bitcoin Core and Bitcoin ABC, the main software implementation of bitcoin cash. About two hours later, Chaincode engineer and Bitcoin Core developer Matt Corallo realized the bug could have been exploited to print unlimited bitcoin.

Based on the seriousness of the vulnerability, the developers decided to keep those details secret at first.

Instead, beginning with Slush Pool, they started pushing miners to upgrade. And for bitcoin users running a full node, the call to action is the same.

“You should not run any version of Bitcoin Core other than 0.16.3. Older versions should not exist on the network. If you know anyone who is running an older version, tell them to upgrade it ASAP,” bitcoin subreddit moderator Theymos remarked in a post currently pinned to the top of the forum.

Yet, another problem exists now – the possibility of a bitcoin chain split.

Since users are now running different versions of the bitcoin software, there’s a risk the network will temporarily split into two, then come back together again. Transactions on the chain running old software, then, might ultimately be lost.

While the situation is being monitored closely, Theymos thinks the risk of this happening is small. But, he argued that people should still take precautions, such as waiting longer to make sure a bitcoin transaction actually gets verified.

Theymos added:

“For the next week or so you should consider there to be a small possibility of any transaction with less than 200 confirmations being reversed.”

Fake bitcoin?

What’s on some users’ minds, still though, is whether it’s possible the bug has already been exploited.

“How do we know if that vulnerability wasn’t exploited already and there is someone out there with a bunch of fake bitcoin?” asked one bitcoin user.

Luckily, Bitcoin Core contributor Pieter Wuille explained, due to the power of code, bitcoin users would have been able to detect suspicious activity by now.

When downloaded for the first time, full nodes double check every transaction made in bitcoin’s history. A node running the new software, 0.16.3, would detect the problem immediately.

Even so, questions remain regarding what would have happened if the bug wasn’t caught in time.

According to Theymos: “Even if the bug had been exploited to its full extent, the theoretical damage to stored funds would have been rolled back.”

Theymos continued, saying that rollback would be much like what happened during the so-called “value overflow incident” in 2010 when 187 billion bitcoins were created out of thin air but, ultimately, were destroyed.

Still, while Bitcoin Core, litecoin and several other coins that were based Bitcoin Core’s code have released a patch for the exploit, others have not – and might still be vulnerable to the inflation bug.




Full disclosure

CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0rc4, includes both a Denial of Service component and a critical inflation vulnerability. It was originally reported to several developers working on Bitcoin Core, as well as projects supporting other cryptocurrencies, including ABC and Unlimited on September 17th as a Denial of Service bug only, however we quickly determined that the issue was also an inflation vulnerability with the same root cause and fix.

In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade. On September 20th a post in a public forum reported the full impact and although it was quickly retracted the claim was further circulated.

At this time we believe over half of the Bitcoin hashrate has upgraded to patched nodes. We are unaware of any attempts to exploit this vulnerability.

However, it still remains critical that affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs.

Technical Details

In Bitcoin Core 0.14, an optimization was added (Bitcoin Core PR #9049) which avoided a costly check during initial pre-relay block validation that multiple inputs within a single transaction did not spend the same input twice which was added in 2012 (PR #443). While the UTXO-updating logic has sufficient knowledge to check that such a condition is not violated in 0.14 it only did so in a sanity check assertion and not with full error handling (it did, however, fully handle this case twice in prior to 0.8).

Thus, in Bitcoin Core 0.14.X, any attempts to double-spend a transaction output within a single transaction inside of a block will result in an assertion failure and a crash, as was originally reported.

In Bitcoin Core 0.15, as a part of a larger redesign to simplify unspent transaction output tracking and correct a resource exhaustion attack the assertion was changed subtly. Instead of asserting that the output being marked spent was previously unspent, it only asserts that it exists.

Thus, in Bitcoin Core 0.15.X, 0.16.0, 0.16.1, and 0.16.2, any attempts to double-spend a transaction output within a single transaction inside of a block where the output being spent was created in the same block, the same assertion failure will occur (as exists in the test case which was included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and having been marked as spent, resulting in no such assertion. This could allow a miner to inflate the supply of Bitcoin as they would be then able to claim the value being spent twice.


Timeline for September 17, 2018: (all times UTC)

  • 14:57 anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir Van Der Laan of Bitcoin Core, deadalnix of Bitcoin ABC, and sickpig of Bitcoin Unlimited.
  • 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
  • 17:47 Matt Corallo identifies inflation bug
  • 19:15 Matt Corallo first tries to reach slushpool CEO to have a line of communication open to apply a patch quickly
  • 19:29 Greg Maxwell timestamps the hash of a test-case which demonstrates the inflation vulnerability (a47344b7dceddff6c6cc1c7e97f1588d99e6dba706011b6ccc2e615b88fe4350)
  • 20:15 John Newbery and James O’Beirne are informed of the vulnerability so they can assist in alerting companies to a pending patch for a DoS vulnerability
  • 20:30 Matt Corallo speaks with slushpool CTO and CEO and shares patch with disclosure of the Denial of Service
  • 20:48 slushpool confirmed upgraded
  • 21:08 Alert was sent to Bitcoin ABC that a patch will be posted publicly by 22:00
  • 21:30 (approx) Responded to original reporter with an acknowledgment
  • 21:57 Bitcoin Core PR 14247 published with patch and test demonstrating the Denial of Service bug
  • 21:58 Bitcoin ABC publishes their patch
  • 22:07 Advisory email with link to Bitcoin Core PR and patch goes out to Optech members, among others
  • 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

  • 00:24 Bitcoin Core version 0.16.3 tagged
  • 20:44 Bitcoin Core release binaries and release announcements were available
  • 21:47 Bitcointalk and reddit have public banners urging people to upgrade

September 19, 2018:

  • 14:06 The mailing list distributes an additional message urging people to upgrade by Pieter Wuille

September 20, 2018:

  • 19:50 David Jaenson independently discovered the vulnerability, and it was reported to the Bitcoin Core security contact email.