Oct 10 - Sep 3, 2025
This test, intended for Core v27.0, underscores the nuanced differences in how transactions and scripts are validated across different Bitcoin implementations. The author of the document expresses concerns about publicizing this information, fearing it might enable those with malicious intentions, specifically "script kiddies," to exploit these discrepancies to their advantage. This hesitation reflects a broader debate within the software development community on balancing the need for openness and the potential risks of misuse of detailed technical insights.
A significant portion of the conversation is dedicated to the FindAndDelete function within Bitcoin's scripting language, which is crucial for understanding script execution nuances between Bitcoin Core and Btcd. This function does not alter the script being executed but modifies a copy for the purpose of committing to it in the sighash, specifically removing stack elements like signatures and public keys after executing verification operations. The discussion clarifies a misunderstanding about the extent of data push removal by FindAndDelete and its Btcd equivalent, highlighting the differences in how both implementations handle script execution and signature verification. This includes an in-depth analysis of OP_CODESEPARATOR behavior and its implications on transaction validation, particularly in the context of Segregated Witness (SegWit) transactions.
The email also explores theoretical discrepancies in script execution between btcd and Bitcoin Core, focusing on how specific script operations could lead to divergent outcomes. This analysis provides insight into the complexities of script verification and the potential for creating conditions where scripts execute differently across implementations. Additionally, it delves into the importance of public key recovery in achieving distinct script outcomes and the limitations of current signature modes, including ANYPREVOUT.
Niklas Gögge and Antoine Poinsot from Brink and Wizardsardine, respectively, identified a critical flaw in Btcd versions before 0.24.2, related to legacy signature verification consensus rules. Their discovery revealed a deviation in Btcd's removeOpcodeByData function that could allow the crafting of scripts accepted by Bitcoin Core but rejected by vulnerable Btcd nodes, posing a significant security risk. This issue was meticulously documented and reported, culminating in a bug bounty recognition and the resolution of the vulnerability through a covert fix in version 0.24.2 of Btcd.
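The sighash script-copy step described above, and the kind of deviation found in its Btcd equivalent, can be covered by a small differential test that compares two removal rules on the same input. This is an added example, not code from Bitcoin Core, Btcd or the thread. The names `stripSig`, `exact`, `loose` and `diverges` are hypothetical, the parser models direct pushes only, the byte strings are constructed, and the substring rule in `loose` is an assumed deviation chosen for illustration, since the summary does not spell out the exact difference.

```go
package main

import (
	"bytes"
	"fmt"
)

var (
	exact = bytes.Equal    // remove only a push whose payload is exactly sig
	loose = bytes.Contains // assumed deviation: payload merely contains sig
)

// stripSig returns a fresh copy of script without the data pushes for which
// match(payload, sig) is true; the executed script itself is left untouched.
// Simplified model: only direct pushes (opcodes 0x01-0x4b) carry data.
func stripSig(script, sig []byte, match func(payload, sig []byte) bool) ([]byte, error) {
	out := make([]byte, 0, len(script))
	for i := 0; i < len(script); {
		n := 0
		if op := script[i]; op >= 0x01 && op <= 0x4b {
			n = int(op)
		}
		end := i + 1 + n
		if end > len(script) {
			return nil, fmt.Errorf("truncated push at offset %d", i)
		}
		if n == 0 || !match(script[i+1:end], sig) {
			out = append(out, script[i:end]...)
		}
		i = end
	}
	return out, nil
}

// diverges reports whether the two rules commit to different script copies,
// which would make the same signature valid under one and invalid under the other.
func diverges(script, sig []byte) (bool, error) {
	a, err := stripSig(script, sig, exact)
	b, _ := stripSig(script, sig, loose) // same parser, fails on the same inputs
	return !bytes.Equal(a, b), err
}

func main() {
	sig := []byte{0xAA, 0xBB}                      // constructed stand-in for a signature
	script := []byte{0x03, 0xAA, 0xBB, 0x01, 0xAC} // push(sig||0x01), OP_CHECKSIG
	d, err := diverges(script, sig)
	fmt.Printf("%x diverges=%v err=%v\n", script, d, err)
}
```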
This discussion not only highlights the collaborative efforts within the cryptocurrency development community to identify and address vulnerabilities but also illustrates the intricate details of Bitcoin's script execution mechanisms. It underscores the challenges and considerations involved in maintaining consistency across different implementations and the continuous vigilance required to safeguard the integrity of blockchain networks.