Last week, the Bitcoin Core team released a new version of its client to address a serious vulnerability in the node software. The bug made it easy for an attacker to mount a denial-of-service attack on the network, which on its own could have been a devastating security problem. But in many ways, the release has only thrown a spotlight on a longer-standing problem for the world's most sophisticated and popular cryptocurrency, Bitcoin: a patch protects only the nodes that install it.
The bug affected every release from 0.14.0 through 0.16.2, and it was quickly recognised by the Bitcoin Core developers as part of a much larger issue. The team learned that versions 0.15.0 and later were exposed to an even bigger problem, one that could allow artificial inflation of the coin supply. The bug was patched almost immediately, and announcements were kept deliberately sparse and discreet so that attackers would not exploit the delay between the patch's release and its adoption to wreak havoc on the network's infrastructure.
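The article does not spell out the root cause, so here is an added illustration (not Bitcoin Core's code and not from the original article). The bug, tracked as CVE-2018-17144, came from a skipped check that a transaction spends no output more than once. The toy validator below models how that one missing check produces either outcome described above: a 0.14-style node asserts when an already-spent coin is spent again and aborts (the denial of service), while a 0.15-style node tolerates the second spend and accepts outputs worth more than the coins actually consumed (the inflation). The class names, the dict-based UTXO set and the sample transaction are all constructed for the example.

```python
class NodeCrash(Exception):
    """Models a failed assertion: the node process aborts (the denial-of-service outcome)."""


class InvalidTransaction(Exception):
    """Models consensus rejection of a transaction or block."""


def has_duplicate_inputs(tx):
    """The check the fix restores: does any outpoint appear more than once in the inputs?"""
    seen = set()
    for outpoint in tx["inputs"]:
        if outpoint in seen:
            return True
        seen.add(outpoint)
    return False


def apply_transaction(utxos, tx, check_duplicate_inputs, assert_on_double_spend):
    """Validate and apply one transaction against a toy UTXO set (dict outpoint -> value).

    check_duplicate_inputs: True models the fixed node, False the skipped check.
    assert_on_double_spend: True models a 0.14-style node (crash on a second spend),
    False a 0.15-style node (second spend silently tolerated).
    Returns the total value left in the UTXO set after the transaction.
    """
    if check_duplicate_inputs and has_duplicate_inputs(tx):
        raise InvalidTransaction("transaction spends the same outpoint twice")

    # Value-in is computed by walking the input list, so without the check above a
    # duplicated outpoint contributes its value once per appearance.
    value_in = 0
    for outpoint in tx["inputs"]:
        if outpoint not in utxos:
            raise InvalidTransaction("input not in UTXO set")
        value_in += utxos[outpoint]

    value_out = sum(tx["outputs"])
    if value_out > value_in:
        raise InvalidTransaction("outputs exceed inputs")

    # Spend the inputs. The second spend of a duplicated outpoint finds it already gone.
    for outpoint in tx["inputs"]:
        if outpoint in utxos:
            del utxos[outpoint]
        elif assert_on_double_spend:
            raise NodeCrash("assertion failed: coin already spent")
        # else: silently continue, which is the inflation path

    for index, value in enumerate(tx["outputs"]):
        utxos[(tx["txid"], index)] = value
    return sum(utxos.values())


def run_scenario(check_duplicate_inputs, assert_on_double_spend):
    """Constructed scenario: one 50-coin output exists; a transaction lists it twice and
    claims 100 coins of outputs. Honest supply after the transaction should stay at 50."""
    utxos = {("coinbase_tx", 0): 50}
    tx = {
        "txid": "double_spend_tx",
        "inputs": [("coinbase_tx", 0), ("coinbase_tx", 0)],
        "outputs": [100],
    }
    try:
        return apply_transaction(utxos, tx, check_duplicate_inputs, assert_on_double_spend)
    except NodeCrash:
        return "crash"
    except InvalidTransaction:
        return "rejected"


if __name__ == "__main__":
    print("0.14-style, check skipped:", run_scenario(False, True))   # crash
    print("0.15-style, check skipped:", run_scenario(False, False))  # 100 (supply was 50)
    print("fixed node:", run_scenario(True, False))                  # rejected
```

The real trigger conditions were narrower than this (they depended on whether the duplicated coin was already in the node's cache), but the shape is the same: one missing input check, and the version-dependent handling of the second spend decides whether the node falls over or quietly mints coins.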
But for the Bitcoin Core community, the problems appear to have only just begun. According to experts, the network is still vulnerable because the bug lives in the node software itself, and many nodes are still running an earlier version that carries it. For the vulnerability to be closed to attackers, every node running an affected version must update to the patched release, and quickly.
Compounding the problem is the difficulty of agreeing on exactly how many nodes remain vulnerable. Because the network is decentralized and nobody keeps a registry of who runs what, it is unclear which nodes might still be exploited through the just-patched bug. In any case, even a single vulnerable node could potentially send ripples of problems across the Bitcoin Core network.
Cobra (stylized CØbra) is an anonymous online persona who owns the Bitcoin.org domain. From their official Twitter account, Cobra tweeted that the removal of the "alert system" from Bitcoin Core was a "bad move." According to the tweet, a whopping 80% or more of the Bitcoin Core network is still running software that is vulnerable to the bug.
That figure is disputed within the cryptocurrency security community. Some argue that the share of nodes affected by the vulnerability is closer to 51%, and that the estimate of 80% or higher was an exaggeration. The lower figure is not, however, because most nodes have moved to the latest software. Many of them are still running releases that predate 0.15.0. That spares them the inflation bug, but the 0.14.x releases remain exposed to the crash, and older software in general carries its own unsolved vulnerabilities.
The lower counts also fail to include non-listening nodes, which some argue make up the majority of the overall Bitcoin Core network. Finally, it is worth remembering that the latest release fixes more than the inflation bug, so systems that have not updated will continue to have problems.
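To see why the headline numbers diverge, here is an added example (not from the article and not Bitcoin Core tooling) that sorts node user-agent strings, in the form Bitcoin Core advertises (`/Satoshi:0.16.2/`), into the two affected windows and the patched range. The fix shipped in 0.16.3, which the article does not name; the windows (crash: 0.14.0 through 0.16.2; crash plus inflation: 0.15.0 through 0.16.2) follow the description above. The list of user agents is constructed, and a real survey would come from a crawler, which only ever sees listening nodes.

```python
import re
from collections import Counter

# Affected version windows for the September 2018 Bitcoin Core fix, as (major, minor, patch).
DOS_FROM = (0, 14, 0)        # crash bug affects 0.14.0 .. 0.16.2
INFLATION_FROM = (0, 15, 0)  # inflation bug affects 0.15.0 .. 0.16.2
FIXED_AT = (0, 16, 3)        # 0.16.3 and later carry the fix

# Bitcoin Core advertises itself as /Satoshi:<major>.<minor>.<patch>/ in its version message.
SATOSHI_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)\.(\d+)")


def parse_core_version(user_agent):
    """Return (major, minor, patch) for a Bitcoin Core user agent, or None for other software."""
    m = SATOSHI_RE.search(user_agent)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(user_agent):
    """Bucket one node by its exposure to the two components of the bug."""
    v = parse_core_version(user_agent)
    if v is None:
        return "non-core"
    if v >= FIXED_AT:
        return "patched"
    if v >= INFLATION_FROM:
        return "crash+inflation"
    if v >= DOS_FROM:
        return "crash-only"
    return "pre-0.14"


def summarize(user_agents):
    """Count the buckets and compute the two shares that get quoted as 'the' vulnerable fraction."""
    counts = Counter(classify(ua) for ua in user_agents)
    total = len(user_agents)
    inflation = counts["crash+inflation"]
    any_vulnerable = inflation + counts["crash-only"]
    shares = {
        "inflation_vulnerable_pct": round(100 * inflation / total, 1),
        "crash_vulnerable_pct": round(100 * any_vulnerable / total, 1),
    }
    return counts, shares


# Constructed sample of 20 user agents (not real survey data), as a crawler might report them.
SAMPLE_USER_AGENTS = (
    ["/Satoshi:0.16.3/"] * 5 + ["/Satoshi:0.17.0/"]
    + ["/Satoshi:0.16.2/"] * 4 + ["/Satoshi:0.16.1/"] * 2 + ["/Satoshi:0.16.0/"] * 2
    + ["/Satoshi:0.15.1/"] * 2
    + ["/Satoshi:0.14.2/"] * 2
    + ["/Satoshi:0.13.2/"]
    + ["/btcwire:0.5.0/btcd:0.12.0/"]
)

if __name__ == "__main__":
    counts, shares = summarize(SAMPLE_USER_AGENTS)
    print(dict(counts))
    print(shares)
```

On this sample, counting only the crash+inflation bucket gives 50%, while counting every affected Core release since 0.14.0 gives 60%; the non-Core and pre-0.14 nodes fall outside both, and neither figure says anything about the non-listening nodes a crawler never reaches.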
A Slow Update
Cobra is right that the system remains vulnerable because of nodes that have not updated. But according to some security experts in the industry, gradual adoption of any update is simply standard operating procedure in this community. A routine release is taken up slowly, partly because node operators want to look into the logistics of the switch and the needs of their own node before deciding to update.
But this is no ordinary scenario. The inflation vulnerability presents a clear and direct danger to the Bitcoin network, and the only way for a node to avoid it is to update to the newest version of the software. That is not an easy thing to make happen, though. As Cobra pointed out and later discussions confirmed, there is no button to press that alerts every node operator that they need to move to the new release immediately.
Some participants in those discussions suggested that the community should set up a large tree-structured mailing list, in which each operator alerts a handful of others, to speed up upgrades. But that would be nearly impossible in practice: the people running nodes are often busy and rarely reachable by unsolicited email from developers and concerned bystanders, and to many of them such a tree would look like spam.
“Economically Worthless Nodes”
Not everyone in the Bitcoin Core community is worried by the many nodes that have not updated. One Twitter personality and crypto expert wrote that most non-updating nodes are "economically worthless," on the reasoning that if they really mattered, someone would already have upgraded them.
Bitcoin developer Luke Dashjr weighed in and was asked by one user how many nodes would need to update before the network as a whole could be considered no longer vulnerable. He responded promptly that this threshold has already been reached. Measured by money rather than by node count, that view holds up: the nodes that have already upgraded account for a surprising 85% of the network's economic activity.
The future of the vulnerability is yet unclear. Decentralization has done a great deal for the stability and dependability of the Bitcoin blockchain, but the same design makes it harder than ever for a critical security update to reach enough of the network to make a difference. Developers are still hard at work pushing the latest release and making this dangerous vulnerability truly a thing of the past.