Back in 2018, cyber security specialist and engineer Braydon Fuller discovered a dangerous bug in Bitcoin Core (versions 0.16.0 and 0.16.1). The problem appeared in 2017 and was named INVDoS. Shortly after the discovery, CVE-2018-17145 was quietly eliminated, and Fuller kept his find a secret for two years, fearing activity from attackers who might be interested in the bug.
However, now the technical details of the vulnerability have been made public, as the problem has been re-discovered by other experts and threatened another cryptocurrency that is based on the old version of the Bitcoin code.
“The INVDoS problem is essentially a classic denial of service (DoS) attack. And while DoS attacks are often virtually harmless, they can pose a serious threat to Internet-accessible systems that process transactions and must be stable and reliable”, – said Braydon Fuller.
Fuller discovered that an attacker can generate special transactions, processing of which by nodes can lead to “uncontrolled waste of resources”, and ultimately to a complete failure of the vulnerable system.
The researcher notes that at the time the bug was discovered, more than 50% of Bitcoin nodes were vulnerable to INVDoS and, most likely, many miners and exchanges. Moreover, not only Bitcoin nodes working with Bitcoin Core, but also nodes working with Bcoin and Btcd, and other cryptocurrencies based on the original Bitcoin protocol, including Litecoin and Namecoin, were at risk.
The researcher writes that the exploitation of this problem could lead to the loss of funds or income:
“[Damage] could have been due to lost mining time or power consumption due to node shutdowns, block delays or temporary network separation. It could also cause interruptions and delays in fixed-term contracts or hamper economic activity. [Issue] could affect trade, exchanges, atomic swaps, escrow and HTLC payment channels in the Lightning Network.”
As mentioned above, in 2020 the vulnerability was re-discovered by another information security expert. The problem was “found again” by the developer of the Handshake protocol, Javed Khan, when he was looking for vulnerabilities in the Decred cryptocurrency.
Khan officially reported about the bug in the frameworks of the bounty program and eventually made it public. Now the detailed information about the bug is published on a special website.
Let me remind you that SWIFT says money is rarely laundered with cryptocurrencies.