This week the cryptocurrency community has been discussing and dealing with the critical vulnerability that was found in the Bitcoin Core (BTC) reference client. Many observers are calling the bug one of the worst issues BTC has had in years, comparing the exploit to the March 2013 mandatory hard fork. In fact, in the eyes of many, the network is still vulnerable to massive inflation from an attack that costs a mere 12.5 BTC ($83,000).
Peter Todd: ‘The Most Dangerous Time Is Not *Prior* to It Being Patched, but Rather *While* It Is Being Patched’
The Bitcoin Core (BTC) community has been dealing with a critical vulnerability over the past few days. News.Bitcoin.com reported on the bug two days ago, and some BTC supporters said that because the exploit had now been patched, “it wasn’t a big deal” anymore. However, anyone observing social media and forums would find that CVE-2018-17144 was a very big deal, and the bug still poses a threat to the BTC network today because not everyone has upgraded. Over yesterday and today there have been many subjective assessments from crypto-devs and well-known community members. For instance, the software developer Peter Todd explains that the network can be at its most vulnerable while the community is in the process of applying the recent patch.
“The recent DoS vulnerability in Bitcoin, the most dangerous time is not *prior* to it being patched, but rather *while* it is being patched,” explains Todd. “Why? Because we have multiple implementations with different behavior, and thus potential chain splits — A 100% DoS crash is safer.”
“So take the time this weekend to upgrade your nodes if you haven’t already, to get us back to ~100% of the nodes running essentially the same implementation, and (hopefully!) the same protocol.”
Theymos: ‘Updating to 0.16.3 is REQUIRED, and Anything Less Than 200 Confirmations Has a Low Probability of Being Reversed’
On the Reddit forum r/bitcoin, Theymos explains that new information on the Core bug has escalated the importance of upgrading. “Updating to 0.16.3 is REQUIRED,” Theymos emphasizes in a stickied Reddit post. Moreover, Theymos says transactions with fewer than 200 confirmations have a higher probability of being reversed. The stickied post written by Theymos stirred up an argument online over whether or not the upgrade was “forced.”
“For the next week, consider transactions with fewer than 200 confirmations to have a low probability of being reversed (whereas usually there would be essentially zero probability of eg. 6-conf transactions being reversed),” explains Theymos.
“Watch for further news. If a chain split happens, action may be required,” Theymos adds.
Furthermore, the Core contributor Matt Corallo explains that he believes most of the companies and mining pools have upgraded to the latest Core release that contains the patch.
“Now I can breathe — No attempts to exploit,” Corallo explains on Twitter. “Most hash power upgraded — Most companies upgraded.”
Luke Jr: ‘It’s Not Too Late for Bitmain to Exploit It — the Network Has a Long Way to Go Until We’re Safe Again’
Even the Core developer Luke Jr says it’s not too late for miners to exploit the vulnerability, but also smears the mining pool Bitmain while he explains the network is still not safe.
“Unfortunately, it’s not too late for Bitmain to exploit it — The network has a long way to go until we’re safe again,” Luke Jr states on Twitter. When asked what he thinks Bitmain would do if it had to choose between “option A: create inflation and destroy the bitcoin network, and dump the price, or option B: fix the bug and maintain network and price stability,” Luke Jr said he believes Bitmain might choose option A.
“Considering the situation Bitmain is in, option A might be very tempting,” explains the Core developer.
Jameson Lopp: ‘[Upgrade] Optional, but Recommended if You Disagree With Unbounded Inflation and Crashes’
Some developers seemed to think the upgrade should not be described as “forced.” Jameson Lopp tells the r/bitcoin moderator ‘Bashco’ that some people may have been triggered by the phrase “forced upgrade.” “I think some of them are triggered by the ‘forced’ upgrade — Perhaps you should rephrase it as ‘optional, but recommended if you disagree with unbounded inflation and crashes,’” Lopp states on Twitter.
“Exactly — Nobody is required to upgrade, anyone can audit the code before doing so,” Core contributor Eric Lombrozo explains in a response. “Critically, there are no deviations from expected consensus behavior — Language matters.”
The recent 2018 Core CVE is still being debated ferociously online in regard to whether or not the network is safe, whether people really need to upgrade, and whether the bug was handled correctly. As for those saying it wasn’t a “big deal,” most of the comments online from both developers and crypto-luminaries suggest the vulnerability was, and still is, an issue until everyone updates.