Inflation Bug Still a Danger to More Than Half of All Bitcoin Full Nodes

Published at: May 19, 2019

Figures published by bitcoin core developer Luke Dashjr show that more than half of the full nodes in the bitcoin network are still running client software vulnerable to the inflation bug discovered in September 2018.

This revelation poses some danger to the network, as software vulnerabilities are a clear and present danger to the fidelity of bitcoin (BTC). Now that the top-ranked cryptocurrency is in the midst of a positive price run, it is perhaps important that steps are taken to eradicate the inflation bug problem for good.

Most bitcoin full nodes still vulnerable to the inflation bug

As reported by Cointelegraph on May 8, research by Dashjr shows that more than 50% of full nodes on the bitcoin network are still running software versions of the bitcoin client that are susceptible to the inflation bug.

However, from that time, the figure has fallen slightly from about 60% to 54%. This means that, in the last few days, some full nodes have upgraded to a more recent client software update.

Back in September 2018, developers first discovered the inflation bug — which, in theory, could allow miners to inflate the total bitcoin supply beyond the 21 million BTC by spending multiple unspent transaction outputs (UTXOs) in the same transaction.

Given the nature of the bug, the developers kept it a secret, quietly releasing a new version of the client. An excerpt from the September 2018 common vulnerabilities and exposures (CVE) report released by Bitcoincore.org reads:

“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade. On September 20th a post in a public forum reported the full impact and although it was quickly retracted the claim was further circulated.”

One key takeaway from Dashjr’s analysis is the total number of full nodes on the bitcoin network. Most bitcoin literature sources put the number of full-node numbers at somewhere approaching 10,000.

However, Dashjr opines that this number is closer to 100,000 and that the reason for this discrepancy lies in the fact that many sources only account for nodes actively listening on the network.

Called listening nodes, these full nodes have open port connections that can be probed. However, not all full-nodes are listening nodes; some, hidden behind firewalls or configured to not actively listen for new connections, don’t have easily discoverable open port connections.

The severity of the inflation bug

To understand the severity of the inflation bug, it is important to know the mechanism by which the problem could be exploited. This process would involve a summary explaining of the double-spend attack, the inflation bug itself and the problems that could arise if left unchecked.

Bitcoin’s early success lends itself greatly to Satoshi Nakamoto’s — the creator of bitcoin — brilliant solution to the double-spending problem that had prevented the successful deployment and implementation of prior virtual currency systems.

By creating an immutable ledger with nodes validating transactions, it became almost theoretically impossible to spend the same UTXO in two different transactions.

However, what happens when, instead of spending the UTXO in two different transactions, a malicious actor tries to use one transaction to spend UTXO multiple times? Because of the way bitcoin is engineered to work, this action would mean creating new coins virtually out of thin air, thus inflating the total supply — ergo, the inflation bug.

Several successive updates to the bitcoin software have tried to improve the blockchain’s immunity to the first type of double-spend attack. However, by the Core 0.14.x version of the bitcoin software client, developers began to notice there was a possibility of a distributed denial of service (DDoS) vulnerability in the software client.

The bug allowed a malicious attacker to crash nodes running the 0.14.x software version by attempting to spend the same UTXO twice. In this iteration of the bug, the objective would have been to crash as many nodes as possible and not necessarily inflate the total bitcoin supply.

In trying to fix the problem, the next released update, 0.15.0, included features that inadvertently allowed a malicious attacker to double spend the same UTXO in one transaction. Instead of causing a system crash, this new bug caused older software clients to recognize such double-spend transactions as valid.

Upon discovery, developers again released a new version of software before announcing it to the wider cryptocurrency community. However, several months after the issue ought to have been solved, it appears that more than half the full nodes on the network are still running client implementations vulnerable to the bug.

Cointelegraph spoke with Dashjr about the implication of the inflation bug, to which the bitcoin developer replied:

“The inflation bug is in practice a network-wide risk. It would allow a 51% miner attack to cause inflation (something such attacks can't normally do). The inflationary chain would only be accepted by vulnerable nodes and light wallets.”

Expanding further on the dangers posed by the bug, Dashjr went on to say:

“It makes what was thought to be a full node, actually just a light wallet in that one respect. If more than a small minority use light wallets, miners get to make up the rules.”

All nodes have to do is upgrade

Whenever developers discover a bug of this nature, the solution is always to get nodes to upgrade to a newer version of software that hopefully has features that eliminate the problem. Sometimes, this process may lead to the emergence of another problem — as seen in 2018, when solving the DDoS bug caused the inflation bug to manifest.

When asked by Cointelegraph what should be done about the situation, Dashjr’s answer was simple and straight to the point:

“Everyone upgrading to a fixed full node.”

While this process is ongoing, does the bitcoin network face any credible risk stemming from the fact that half of the full nodes are vulnerable to the inflation bug? The answer to the question might lie in who really holds the true power in the network: miners or developers?

In 2018, bitcoin developer, Jimmy Song expressed the view that rogue miners trying to take advantage of the inflation bug would find it nearly impossible to succeed. For one, Song said that not every full node runs the bitcoin core, a large number prefer to deploy custom iterations of the bitcoin client.

The fact that some nodes do not run the core client already diminishes the attack because such nodes will reject the block containing the inflated UTXOs. If a significant number of miners reject the tainted block, then a chain split likely occurs.

Back in 2010, during the “value overflow incident” discovered in block 74,638, developers published a new update to the client in less than five hours, solving the problem. The block in question contained a transaction that created about 184 billion BTC for three addresses, with two addresses receiving 92.2 billion BTC and the miner responsible for solving the block getting 0.01 BTC.

The discrepancy only lasted for the next 53 blocks, and by block height 74,691, all traces of the value of overflow no longer existed on the network. Nodes that initially accepted the chain split with the tainted block soon began to revert to the chain split that didn’t contain the inflated block.

The same applies to the inflation bug: Once the split occurs, developers and others on the network would begin to notice, as Song explained in this excerpt of his blog post, which reads:

“Because of these irregularities, people on the network would soon have tracked this down, probably have alerted some developers and the core developers would have fixed it. If there was a fork, the social consensus at that point about which is the right chain would start getting discussed and the chain creating unexpected inflation would have likely lost out. If there was a stall, there likely would have been a voluntary rollback to punish the attacker.”

For Song, given the economics of the attack, it is unlikely that rogue miners would want to employ such a tactic. However, the bitcoin educator said that hackers working for countries with anti-bitcoin sentiments could exploit the bug to destroy the network.

Tags
Related Posts
Research: 60% of All Bitcoin Full-Nodes Are Still Vulnerable to Inflation Bug
According to bitcoin (BTC) node stats reported on the website of bitcoin core developer Luke Dashjr, 60.22% of the coin’s full-nodes are running software still vulnerable to the inflation bug at press time. According to the reported data, the software running on 60,101 bitcoin full-nodes is vulnerable to the CVE-2018-17144 bug. As Cointelegraph reported at the end of September last year, the bug allows malicious miners to artificially inflate bitcoin’s supply via a simple type of double input. According to a Cointelegraph analysis, at the time — likely because of the possible catastrophic consequences of the presence of the bug …
Decentralization / May 6, 2019
Bitcoin network node count sets new all-time high
The number of reachable Bitcoin network nodes has crossed the 13,000 mark for the first time. As previously reported by Cointelegraph, the previous all-time high was 11,613 achieved back in January. According to data from Bitcoin network statistics dashboard Bitnodes.io, this milestone was reached back on July 5 when the number of reachable nodes clocked in at 13,374. At the time of writing, Bitnodes’ data puts the current network node count at about 12,835, Coin.Dance, another tracking website, also has Bitcoin’s node count at a new all-time high of 12,825. Nodes running the Bitcoin Core software make up 98.77% of …
Decentralization / July 15, 2021
Bitcoin node count hits new all-time high
The number of Bitcoin nodes is at an all-time high, with 11,558 reachable nodes currently active, according to Bitnodes.io. Another Bitcoin network statistics tracker, coin.dance, calculates the total number of Bitcoin nodes at 11,613, which is just above the previous high of 11,250 set one year ago this month. The Bitcoin Core software update 0.21.0 was released for public download on Jan. 14 2021 and is currently the fourth most utilized version of the software among nodes There are currently 619 nodes running this version of the software, which represents about 5.5% of all nodes running some version of Bitcoin …
Decentralization / Jan. 20, 2021
Binance CEO Suggests Crypto Exchanges Are Safer Than Keeping One’s Keys
Changpeng Zhao, the co-founder and CEO of cryptocurrency exchange Binance, suggested that for most, keeping crypto assets on an exchange is safer than keeping the keys themselves. Zhao gave his comments in a tweet on Jan. 19 after famous crypto skeptic and gold bug Peter Schiff complained that he lost access to his Bitcoin (BTC). Invoking the phrase “SAFU” — a slanger term in the crypto community for “safe,” Zhao said: “Many hardcore crypto [organizations] advocate storing your own keys. But the truth is, today most people are not able to secure a key even from themselves (losing it). A …
Bitcoin / Jan. 20, 2020
Bitcoin in the Palm of Your Hand — Crypto Hardware Wallets Review
A hardware wallet may just be the safest way to store cryptocurrency for average users. Nowadays, many different devices are trying to tackle the challenges of secure crypto asset storage. In this article, Cointelegraph will review some of the most well-known hardware wallets and compare their features. The cryptocurrency wallets that will be covered in this article are Ledger’s Nano X and Nano S, SatoshiLabs’s Trezor One and Trezor Model T, ShapeShift’s KeepKey, and Coinkite’s Coldcard and Opendime. It is also important to point out that all the wallets tested in this article, other than the Ledger Nano S (which …
Bitcoin / March 26, 2020