delvingbitcoin

Non-disclosure of a consensus bug in btcd

Non-disclosure of a consensus bug in btcd

Original Postby AntoineP

Posted on: October 3, 2024 14:19 UTC

In March of 2024, Niklas Gögge and the author discovered a consensus bug in btcd, which was subsequently fixed with the release of btcd v0.24.2.

The project awarded them a bounty for identifying this flaw, which, despite its minor impact on the overall network, presents a critical vulnerability for btcd users by enabling attackers to hard fork btcd nodes through a simple standard transaction. This discovery underscores the importance of upgrading to the latest version to ensure security.

The decision to publicly disclose this information on the 23rd of September was initially agreed upon with the maintainer. However, requests to delay disclosure came in the last two weeks prior to the planned date, citing increasingly tenuous justifications. The authors advocate for transparency in the handling of security vulnerabilities, emphasizing that trust in both the software and its release process is paramount. They believe that unless there are compelling reasons, the scheduled public disclosure dates should be adhered to.

Analysis of the current state of the Bitcoin network revealed that approximately 70,000 full nodes are operational, with around 60 running btcd. Of these, 20 nodes were identified as running versions known to be vulnerable according to a previous disclosure by Niklas. Following the fix for the newly discovered consensus bug, 24 out of the remaining 40 nodes upgraded to the latest version, leaving 16 nodes potentially at risk. Considering these 16 nodes constitute a mere 0.022% of the entire Bitcoin network, the authors determined that this did not justify an exceptional delay in the announcement. However, they have chosen to exercise caution by withholding full details until October 10th, while strongly urging all btcd users to upgrade to btcd v0.24.2 immediately to protect against this vulnerability.