A bug was recently discovered in Bitcoin Unlimited (BU), a competing Bitcoin node client, that allowed a malicious user to crash nodes remotely. The bug was disclosed in an email on the morning of March 14, and later shared via social media.
Bug Leaked Over Social Media after Disclosure
“We were in the process of releasing when [bitcoin developer] Peter Todd took someone else’s exploit and irresponsibly tweeted,” says Bitcoin Unlimited lead developer Andrew Stone. He references a tweet sent March 14 by Mr. Todd, an applied cryptography consultant who has coded for another Bitcoin node client, Bitcoin Core.
Mr. Stone adds: “We have committed a fix. It took five minutes. We just need to validate some inputs that nodes send us.”
After the BU bug went viral on Bitcoin social media, there was a massive drop in the number of nodes running the Bitcoin Unlimited software. As of 3:45 PM Pacific Standard Time, the number of BU nodes had decreased to levels not seen since autumn last year. Before the bug, BU node deployment had reached an all-time high.
Emil Oldenburg, CTO at the Unlimited-capable pool.Bitcoin.com commented on the events as follows: “It did not affect anything, in fact, we even mined a block during the attack. Our nodes did crash, but they restart very fast.”
Bitcoin blockchain monitor site Coin.dance showed continued strong support for the Bitcoin Unlimited client after the fix had been released, with the Unlimited client hitting a new all-time high, now responsible for more than 34% of the network’s total mining hashrate.
“Remote crashes are a common exploit in software in general,” says Mr. Stone, who doesn’t know how many remote crash CVEs there have been in Bitcoin’s history. What effect this will have long-term on Bitcoin Unlimited, he does not know.
“We will see,” he tells Bitcoin.com. “We are pushing images to miners right now, although many of them are using a variety of masking techniques to protect their infrastructure.”
Bitcoin Development Efforts Splintered
Bitcoin developers have heretofore generally worked together in large groups on the Bitcoin project. For instance, recent updates to the dominant client ‘Bitcoin Core’ have featured the work of dozens of contributors. But, over time, efforts have seemingly splintered into competing open-source creation communities working around the modern Bitcoin protocol. As has become increasingly apparent in past months, there has been a breakdown in relationships between many developers.
Some also look to sabotage Bitcoin Unlimited, feeling it is an attempt to hijack the Bitcoin network. “Running my fuzzer on the diffs BU have from Core, and already have some crashes. Hopefully some of them are exploitable,” an internet user using the handle ‘ciphera’ stated on Reddit. “Going to collect as many zero-days to release at the most opportune time possible.”
Another user stated: “I will personally exploit any flaw in [Bitcoin Unlimited] and not disclose.”
Images courtesy of Shutterstock, Coin Dance