Bitcoin Core developers have issued a strong warning about a high-risk vulnerability: a software bug that affects roughly one in every six Bitcoin nodes.
The issue affects approximately 17% of the network, namely every version of Bitcoin Core prior to 24.0.1, according to a disclosure published on Thursday by developers of the open source Bitcoin Core project, whose software runs on over 98% of reachable full nodes.
The vulnerability lets an attacker mount a denial-of-service (DoS) attack by feeding a node a very long chain of low-difficulty block headers. A pre-24.0.1 node accepts and stores each header as it arrives, before it can tell whether the chain carries enough total work to matter, so an attacker who can cheaply mine such headers can drive the node's memory consumption up until the node crashes. Current estimates, based on Bitnodes monitoring data, put about 3,330 of the 19,200 reachable full nodes in the vulnerable category.
Developers fixed the bug in pull request (PR) 25717, which shipped in Bitcoin Core version 24.0.1, released on December 12, 2022. The most recent version, 27.1, includes this fix along with further security improvements.
Although the flaw is serious, only a handful of exploitation attempts are on public record. It offers an attacker little financial upside, because generating and broadcasting the header chains needed to carry out the denial of service is expensive: every header, even at minimum difficulty, has to be mined with real proof of work.
It is, however, the kind of flaw that a well-resourced or technically capable party (such as a nation state) could use to disrupt Bitcoin's operation for reasons that are not financial, or whose financial payoff is deferred.
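To make the mechanism and the cost argument above concrete, here is an added Python example; it is not code from Bitcoin Core or from the disclosure. It parses a raw 80-byte header, expands the compact nBits field into a target, checks proof of work, computes per-header work the way Bitcoin Core's GetBlockProof does, and then contrasts a naive headers sync (index every valid header as it arrives) with a simplified version of the anti-DoS idea from PR 25717 (sum the advertised chain's work first and store nothing until it clears a minimum-chain-work threshold). The only real input is the mainnet genesis header; the hashrate, the bytes-per-entry figure and the threshold are assumptions chosen for illustration.

```python
import hashlib
import struct

# Known input: the mainnet genesis block header (80 bytes, wire byte order).
GENESIS_HEADER = bytes.fromhex(
    "01000000"                                                          # version
    "0000000000000000000000000000000000000000000000000000000000000000"  # prev block hash
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"  # merkle root
    "29ab5f49"                                                          # time
    "ffff001d"                                                          # nBits (0x1d00ffff)
    "1dac2b7c"                                                          # nonce
)

MIN_DIFFICULTY_NBITS = 0x1d00ffff  # mainnet proof-of-work limit in compact encoding


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def parse_header(raw: bytes) -> dict:
    """Split an 80-byte serialized header into its fields (hashes in display byte order)."""
    if len(raw) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    version, prev, merkle, time, bits, nonce = struct.unpack("<i32s32sIII", raw)
    return {
        "version": version,
        "prev_hash": prev[::-1].hex(),
        "merkle_root": merkle[::-1].hex(),
        "time": time,
        "bits": bits,
        "nonce": nonce,
    }


def nbits_to_target(bits: int) -> int:
    """Expand the compact nBits encoding (8-bit exponent, 23-bit mantissa) into a 256-bit target."""
    if bits & 0x00800000:
        raise ValueError("negative target is invalid")
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_hash(raw: bytes) -> str:
    return sha256d(raw)[::-1].hex()


def check_pow(raw: bytes) -> bool:
    """A header meets PoW iff its hash, read as a little-endian integer, is <= its own target."""
    target = nbits_to_target(parse_header(raw)["bits"])
    return int.from_bytes(sha256d(raw), "little") <= target


def block_proof(target: int) -> int:
    """Expected hashes needed to hit this target; equals Bitcoin Core's GetBlockProof."""
    return (1 << 256) // (target + 1)


MIN_DIFFICULTY_WORK = block_proof(nbits_to_target(MIN_DIFFICULTY_NBITS))  # roughly 2**32


def attacker_seconds(n_headers: int, hashrate_hs: float) -> float:
    """Wall-clock time to mine n_headers minimum-difficulty headers at the given hashrate."""
    return n_headers * MIN_DIFFICULTY_WORK / hashrate_hs


def naive_headers_sync(header_works: list, bytes_per_entry: int) -> dict:
    """Pre-24.0.1 behaviour, simplified: every PoW-valid header is indexed in memory on arrival."""
    return {"accepted": True, "stored": len(header_works),
            "memory_bytes": len(header_works) * bytes_per_entry, "total_work": sum(header_works)}


def antidos_headers_sync(header_works: list, min_chain_work: int, bytes_per_entry: int) -> dict:
    """Simplified PR 25717 idea: a first pass only sums work and stores nothing; the chain is
    downloaded again and indexed only if its total work clears min_chain_work. (The real
    implementation also keeps hash commitments from the first pass so the peer cannot
    substitute different headers in the second pass; that part is omitted here.)"""
    total = sum(header_works)
    if total < min_chain_work:
        return {"accepted": False, "stored": 0, "memory_bytes": 0, "total_work": total}
    return {"accepted": True, "stored": len(header_works),
            "memory_bytes": len(header_works) * bytes_per_entry, "total_work": total}


if __name__ == "__main__":
    print("genesis hash:", header_hash(GENESIS_HEADER), "valid PoW:", check_pow(GENESIS_HEADER))
    print("work per minimum-difficulty header:", MIN_DIFFICULTY_WORK)
    # Assumptions for illustration: one 100 TH/s miner, 160 bytes per in-memory index entry,
    # and a made-up min_chain_work far above anything a minimum-difficulty spam chain reaches.
    n = 1_000_000
    works = [MIN_DIFFICULTY_WORK] * n
    print(f"{n} spam headers take about {attacker_seconds(n, 100e12):.0f} s to mine")
    print("naive  :", naive_headers_sync(works, 160))
    print("antidos:", antidos_headers_sync(works, 1 << 80, 160))
```

The point the numbers make is the asymmetry: at minimum difficulty a header costs the attacker about 2^32 hashes, which is tens of microseconds on a single modern miner, while the victim pays memory for every header it indexes. Deferring storage until the chain's total work clears a threshold removes the victim's side of that asymmetry.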
In early June, Bitcoin Core developers began disclosing serious bugs that had been patched for at least 18 months, starting with older versions such as 20 and below. Every few weeks since, they have revealed further flaws. The disclosures are intended to promote transparency and to credit the researchers who reported the issues responsibly and voluntarily.
Over time the disclosures have moved on to more recent versions; Thursday's release covers risks in versions 24 and earlier, including a bug fixed as recently as May 18, 2023. What was once treated as historical is now a prompt for Bitcoin node operators to update their software and close these holes.