Archive.fm

Informed Crypto News

No auto-update in Bitcoin Core means 13% of nodes could crash

Broadcast on:
10 Oct 2024
Audio Format:
other

Headline: "No Auto Update in Bitcoin Core" means 13% of nodes could crash, published at 5:52 PM UTC, October 10, 2024 on Protos.com.

Bitcoin developers today disclosed details of another high-severity software bug. According to senior Core developers, over 13% of the home and business computers around the world that enforce Bitcoin's rules are vulnerable to a remote shutdown. The bug, named CVE-2024-35202, affects Bitcoin nodes running Core software prior to version 25.0. Nodes that have not updated to at least 25.0 allow an attacker to remotely trigger an assertion failure in the logic that handles block transaction (blocktxn) messages. Specifically, the vulnerability stems from Core's compact block protocol, which uses shortened transaction identifiers to reduce bandwidth use. An attacker can trigger a collision in these identifiers, causing the node to request a full block. Although requesting the full, unabridged block is itself a safety precaution, versions prior to 25.0 have a flaw in how they handle the blocktxn messages that follow. In short, the node can be forced into an invalid state, tripping the assertion and crashing the process entirely.

Subheading: Bug patched since May 2023, but Bitcoin Core does not auto-update

Credit for discovering and disclosing the vulnerability goes to Niklas Gögge, who also provided the patch shipped in Bitcoin Core version 25.0. He fixed the bug in Bitcoin Core pull request number 26898, and other developers had merged it into production by May 26, 2023. According to version strings self-reported by internet-accessible nodes tracked by bitnodes.io, 13.7% of the 18,843 nodes operating on the Bitcoin network are vulnerable to the attack. Developers encourage all node operators to update their software to patch this vulnerability. The latest version of Bitcoin Core is 28.0.
Although quite serious, the bug offers little financial benefit to an average attacker: it requires sophisticated manipulation of the compact block protocol and does not by itself allow double-spending of Bitcoin without coordinating a variety of other financial and social-engineering schemes. Nevertheless, it is a security vulnerability that could be exploited by a corporate or governmental actor who wants to disrupt Bitcoin's operation for reasons other than direct financial gain. The disclosure follows a recent trend of Bitcoin Core developers revealing serious vulnerabilities in older software versions. Because Core does not automatically update by default, node operators must manually choose to download, verify, and install new releases. Unless node operators update their software, a portion of the network remains at risk of shutdown. This recording was AI-generated. Get more crypto news at protos.com.
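The 13.7% figure above comes from version strings that nodes self-report, so an operator can apply the same check to their own peers or to their own node. The script below is an added example written for this page, not code from Protos or Bitcoin Core; it assumes the standard "/Satoshi:MAJOR.MINOR.PATCH/" user-agent format and the integer "version" field returned by bitcoind's getnetworkinfo RPC, and the sample list is constructed, not real survey data.

```python
import re
from collections import Counter

# First release carrying the fix from PR #26898, per the disclosure above.
MIN_SAFE = (25, 0)
_SATOSHI = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?[^/]*/")


def core_version(user_agent):
    """Return (major, minor, patch) for a Bitcoin Core user agent, or None
    when the string is not a Core 'Satoshi' agent (e.g. btcd, bcoin)."""
    m = _SATOSHI.search(user_agent)
    if m is None:
        return None
    return tuple(int(x or 0) for x in m.groups())


def is_affected(user_agent):
    """True/False for Core nodes; None when the version cannot be read."""
    v = core_version(user_agent)
    if v is None:
        return None
    return v[:2] < MIN_SAFE


def rpc_version_affected(version_int):
    """Same check for your own node: 'version' from getnetworkinfo is an
    integer such as 250000 for 25.0, so major = version // 10000."""
    return version_int // 10000 < MIN_SAFE[0]


def survey(user_agents):
    """Classify self-reported user agents and return (counts, share of
    Core nodes still below 25.0), mirroring the bitnodes.io figure."""
    counts = Counter()
    for ua in user_agents:
        state = is_affected(ua)
        counts["unknown" if state is None else "affected" if state else "patched"] += 1
    core_total = counts["affected"] + counts["patched"]
    share = counts["affected"] / core_total if core_total else 0.0
    return dict(counts), round(share, 4)


# Constructed sample in the format bitnodes.io reports (not real survey data).
SAMPLE = [
    "/Satoshi:28.0.0/", "/Satoshi:27.1.0/", "/Satoshi:25.0.0/",
    "/Satoshi:24.0.1/", "/Satoshi:22.0.0/", "/Satoshi:0.21.1/",
    "/Satoshi:26.0.0/Knots:20240711/", "/btcwire:0.5.0/btcd:0.24.2/",
]

if __name__ == "__main__":
    print(survey(SAMPLE))
```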