The cryptocurrency protocol contained a dangerous flaw that could exhaust available memory when an operation was carried out improperly. The researcher who noticed it kept quiet for two years, until a colleague identified the same flaw in the market.
Memory strong in fluidity
The fundamental protocols of the Bitcoin network contained a significant flaw that leads to excessive RAM use. The error, dubbed INVDoS (Out-of-Memory Denial-of-Service Bitcoin Inventory), was found in the network code of three separate Bitcoin implementations, as well as in several other blockchain-based cryptocurrencies: Litecoin, Namecoin, and Decred.
Braydon Fuller, the researcher who found this flaw, told the blockchain developers about it, but for two years they did not disclose any information about it.
According to Fuller, cybercriminals may exploit the flaw to cause a system failure: when it is handled by the nodes of the blockchain network, an intentionally incorrect Bitcoin transaction induces excessive memory use, which eventually leads to a system crash.
According to Fuller, at the time the issue was found it affected 50 percent of the public Bitcoin nodes accepting incoming traffic and, likely, several of the networks on which cryptocurrency generation was done. It also affected crypto exchanges.
The weakness is verified in Bitcoin Core v0.16.0, Bitcoin Core v0.16.1, Bitcoin Knots v0.16.0, all Bcoin beta versions up to v1.0.0-pre, all Btcd versions up to v0.20.1-beta, Litecoin Core v0.16.0, Namecoin Core v0.16.1, and all Dcrd versions previous to v1.5.1.
The flaw is absent from Bitcoin Core v0.16.2 and newer, Bitcoin Knots v0.16.2 and newer, Bcoin v1.0.2 and newer, Btcd v0.21.0-beta and newer, Litecoin Core v0.16.2 and newer, Namecoin v0.16.2 and newer, and Dcrd v1.5.2 and newer.
No exploitation detected
Fuller said this flaw could pose an elevated threat, as it can lead to extreme delays in the operation of the whole network, stagnation or transaction blocking, etc.
For two years, Fuller did not want to reveal any details of this weakness, but his colleague Javed Khan then found the same weakness in another cryptocurrency that uses an earlier variant of the Bitcoin protocol.
Fortunately, there are currently no known cases of real-world exploitation of this weakness by cybercriminals.
“The vulnerability is risky mostly because of its manipulation consequences; but it is not at all a fact that it would be really quick to run,” says Oleg Galushkin, CEO of SEC Consult Services. “Currently this is demonstrated by the fact that no realistic attack cases have yet been reported, considering Bitcoin's success and increased interest from security experts and hackers. By the way, since two professionals independently of each other and at different times found a flaw, there is no certainty that it was not noticed by anyone else less well-meaning. However, there are yet to be any threats.”