Summary
-
The developer discovered a loophole in the Bitcoin blockchain in 2018;
-
The vulnerability may cause hackers to shut down the entire network;
-
This year, the developer discovered this vulnerability again in some other blockchains and published a paper.
Two years later, two Bitcoin engineers again discovered several loopholes that could lead to the shutdown of the entire blockchain network-and two years ago they thought this problem had been resolved.
Bitcoin engineers Braydon Fuller and Javed Khan fixed a bug named "INVDoS" on the Bitcoin blockchain in 2018. The two published a research paper this week detailing how they discovered the vulnerability in some other blockchain iterations (Btcd and Decred).
The working principle of the attack is as follows: a malicious blockchain node (a member of the blockchain network that verifies the transaction) sends a request for non-existent transactions to another node, thereby performing a spamming attack.
In this way, the attacked node will be flooded with spam transactions, and its memory will "grow indefinitely," the researchers wrote, "This will crash the process and may freeze the process and the computer until the process terminates."
The two engineers said in the report that this vulnerability, known as a "denial of service" attack, is "easy to be exploited by hackers" and may be used to crash the entire Bitcoin node network. According to the report, this may delay transaction processing and lead to "loss of funds or income."
In June 2020, Khan noticed that the old attack applies to Btcd, which is an alternative Bitcoin blockchain node that does not allow users to send or receive payments. A month later, Khan discovered this vulnerability in another blockchain network, Decred.
Together with other blockchain engineers, Khan launched a bug fix at the end of August. Fortunately, “the outside world has not discovered the use of this vulnerability,” Fuller and Khan wrote in the report.
In fact, such a network shutdown has not happened for many years. The report states: “For the Bitcoin network, there are only two vulnerabilities that cause such downtime, and they have not appeared since 2013.”
Nevertheless, the impact of this vulnerability is still very large, at least there is a possibility. According to the report, in 2018, more than 50% "have inbound and publicly promoted Bitcoin nodes, and possibly most miners and exchanges" have this vulnerability and are at risk of attack.
The report also pointed out that the Litecoin and Namecoin blockchains were also at risk. Although the report added that the vulnerability is unlikely to help hackers steal bitcoin, but the Lightning Network (a protocol for faster processing of bitcoin transactions) may be at risk.
The developer added that miners and exchanges running older versions of Bitcoin software may still be at risk, but most node operators should be running the latest software. "You may have been protected. Otherwise, you must upgrade." The report prompts.
Original: Decrypt, original author: Mathew Di Salvo
Translator: Nian Yin Si Tang