Two Bitcoin engineers have discovered several vulnerabilities that could shut down blockchains—two years after they thought they patched the issue.
Bitcoin engineers Braydon Fuller and Javed Khan fixed the vulnerability, named INVDoS, on the Bitcoin blockchain in 2018, but published a research paper this week detailing how they found it in a number of other blockchain iterations: Btcd and Decred.
The attack works like this: one hostile blockchain node—a member of the blockchain network that validates transactions—floods another one by spamming them with calls for non-existent transactions.
As a result, the node would become overwhelmed and its memory would “grow endlessly,” wrote the researchers. “This will crash the process and potentially freeze the process and computer until the process is terminated.”
The engineers said in the report that the vulnerability, known as a “denial-of-service” attack, was “easily exploitable” by hackers and could be used to crash an entire network of Bitcoin nodes. This could lead to a delay in processing transactions, in turn causing a “loss of funds or revenue,” said the report.
In June 2020, Khan noticed that the old attack applied to Btcd, an alternative Bitcoin blockchain node that doesn’t let its users send or receive payments. A month later, Khan discovered the vulnerability in another blockchain network, Decred.
Khan, in tandem with other blockchain engineers, rolled out fixes to the vulnerabilities in late August. Luckily, “There has not been a known exploitation of this vulnerability in the wild,” wrote Fuller and Khan in the report.
In fact, such a shutdown of a network hasn’t happened for years. “For the Bitcoin network there have only been two vulnerabilities that have led to such downtime events, and there hasn’t been one since 2013,” the report noted.
Still, the vulnerability is pretty massive—at least in its potential. In 2018, over 50% of “publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges” had the vulnerability and were at risk of attacks, said the report.
The Litecoin and Namecoin blockchains were also at risk, added the report. While the report added it was unlikely the vulnerability could have helped hackers steal Bitcoin, funds from the Lightning Network—a protocol to process Bitcoin transactions quicker—may have been at risk.
Miners and exchanges running older versions of Bitcoin software may still be at risk but most people running nodes will have the most up-to-date software, the developers added. “You are likely already protected. Otherwise, make sure to upgrade,” the report said.