Bitcoin Core developers have issued a new, high-severity warning about a software bug on one in every six Bitcoin nodes.
On Thursday, workers at the open-source Bitcoin Core Project, who maintain the software running on over 98% of reachable full nodes, disclosed that there is a major security problem with the software running on 17% of the network.
Specifically, all software prior to Bitcoin Core version 24.0.1 is at risk. This denial-of-service bug affects approximately 3,330 of the 19,200 self-declared user agents of reachable Bitcoin full nodes, according to surveillance estimates from Bitnodes.
In pre-24.0.1 Bitcoin Core software, a malicious actor can spam nodes with low-difficulty header chains. By forcing nodes to download and store extremely long chains of headers, the attack could crash the node by overwhelming bandwidth or storage on the device.
Developers patched this bug in Bitcoin Core pull request (PR) number 25717 and merged that into production on December 12, 2022 with the release of v24.0.1. The current version of Bitcoin Core node software, now at 27.1, includes this and other bug fixes.
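The version cutoff above can be turned into a fleet check. The following is an added example, not code from the article or the Bitcoin Core project: it flags self-declared user agents older than 24.0.1. It assumes the `/Satoshi:x.y.z/` user agent format and the leading-zero numbering of pre-22.0 releases, and the sample agents are constructed.

```python
import re
from collections import Counter

# First release containing the fix, per the article (PR 25717, v24.0.1).
FIXED = (24, 0, 1)

# Assumed user agent shape: /Satoshi:<version>/ with an optional "(comment)".
_SATOSHI = re.compile(r"/Satoshi:(\d+(?:\.\d+){0,3})(?:\([^)]*\))?/")


def core_version(user_agent):
    """Return the Core version as a 3-tuple, or None if no Satoshi component."""
    m = _SATOSHI.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Releases before 22.0 carried a leading zero: 0.21.1 is major version 21.
    if parts[0] == 0 and len(parts) > 1:
        parts = parts[1:]
    return tuple((parts + [0, 0, 0])[:3])


def classify(user_agent):
    """Label one agent. The string is self-declared, so treat it as a hint."""
    version = core_version(user_agent)
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED else "patched"


def audit(agents):
    """Return (counts per status, sorted list of agents needing an upgrade)."""
    counts = Counter(classify(a) for a in agents)
    stale = sorted(a for a in agents if classify(a) == "vulnerable")
    return dict(counts), stale


# Constructed sample input, not taken from Bitnodes.
SAMPLE_AGENTS = [
    "/Satoshi:27.1.0/",
    "/Satoshi:24.0.1/",
    "/Satoshi:23.0.0(mynode)/",
    "/Satoshi:0.21.1/",
    "/btcwire:0.5.0/btcd:0.23.3/",
]

if __name__ == "__main__":
    counts, stale = audit(SAMPLE_AGENTS)
    print(counts)
    for agent in stale:
        print("upgrade:", agent)
```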
Although quite serious, few known exploits of this bug exist on the public record. The bug has little financial benefit to the attacker, as it’s quite expensive to generate and broadcast header chains to execute the denial-of-service.
Nevertheless, it is a security vulnerability that could be exploited by an extremely wealthy, powerful, or sophisticated actor — such as a nation — who wanted to disrupt the operations of Bitcoin for non-financial or financially-deferred reasons.
Why Bitcoin Core developers are disclosing this bug
In early June, developers agreed to disclose serious bugs in Bitcoin Core software that had been patched for at least 18 months. Initially, they disclosed bugs in versions 20 and below. (For context, today’s version is 27.1.)
Every few weeks, however, they disclosed more software bugs. To their credit, the releases were in the interest of transparency and to thank developers for their voluntary, responsible disclosures.
As months have gone by, however, the Bitcoin Core Project has disclosed bugs affecting more and more recent versions. Thursday’s release describes significant risks to software versions 24 and prior – including software as recent as May 18, 2023.
As a result, this transparency roll-out by Bitcoin Core developers, which many observers initially dismissed as a historical curiosity, is quickly making a present-day impact.
Unless Bitcoin node operators update their software, up to 17% of the network could be at risk of a denial-of-service attack.