On Tuesday, developers of Bitcoin Core – the software used to power the Bitcoin blockchain – released a note announcing that they'd patched a vulnerability that would have allowed a user to interfere with network and crash it, making the digital coins practically useless. The bug was described by a Bitcoin.org co-owner, whose Twitter handle is @CobraBitcoin, as “very scary.”
A very scary bug in Bitcoin Core has just been fixed which could have crashed a huge chunk of the Bitcoin network if exploited by any rogue miners. https://t.co/fMrgRiDaTP— Cøbra (@CobraBitcoin) September 18, 2018
“For less than $80,000, you could have brought down the entire network,” Emin Gün Sirer, an associate professor of computer science at Cornell University, told Vice. “That is less money than what a lot of entities would pay for a zero-day attack on many systems.”
The bug was found in the Bitcoin Core code itself, which is a software implementation used by several other cryptocurrencies. Litecoin, for example, patched it on Tuesday. The technical documentation described the bug as a “denial-of-service vulnerability.” The exploit allowed miners — who run computers to generate a number that adds a block of Bitcoin transactions to the blockchain, granting them new coins of the cryptocurrency — to create "poisonous" blocks that try to spend the same coin twice.
“There would have likely been a flurry of activity by the community to bring the system back online after such an attack, and it would not likely have been catastrophic but definitely disruptive,” Sirer said, noting that a miner who created a poisoned block would lose out on 12.5 Bitcoins — under $80,000 USD at the cryptocurrency’s current value. While that may seem like a lot of money down the drain, it would be a small price to pay for an attacker — or group of attackers — who wanted to render the blockchain unusable.
The patch was released for Bitcoin Core-based cryptocurrencies, but only in the newest version of the software, making smaller cryptocurrencies using older or copycat versions of the code still vulnerable to attacks using the exploit.