
CVE-2018-17144 Full Disclosure

CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0rc4, includes both a Denial of Service component and a critical inflation vulnerability. It was originally reported on September 17th to several developers working on Bitcoin Core, as well as to projects supporting other cryptocurrencies, including Bitcoin ABC and Bitcoin Unlimited, as a Denial of Service bug only; however, we quickly determined that the issue was also an inflation vulnerability with the same root cause and fix.

In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, while concurrently reaching out to miners, businesses, and other affected systems, and to delay publication of the full issue to give time for systems to upgrade. On September 20th a post in a public forum reported the full impact; although it was quickly retracted, the claim was further circulated.

At this time we believe over half of the Bitcoin hashrate has upgraded to patched nodes. We are unaware of any attempts to exploit this vulnerability.

However, it remains critical that affected users upgrade and apply the latest patches, to rule out any possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions.

In Bitcoin Core 0.14, an optimization was added (Bitcoin Core PR #9049) which skipped, during initial pre-relay block validation, the costly check (added in 2012 in PR #443) that multiple inputs within a single transaction do not spend the same input twice. While the UTXO-updating logic in 0.14 had sufficient knowledge to check that this condition is not violated, it only did so in a sanity-check assertion and not with full error handling (prior to 0.8, however, it did fully handle this case, in two places).

Thus, in Bitcoin Core 0.14.x, any attempt to double-spend a transaction output within a single transaction inside a block results in an assertion failure and a crash, as was originally reported.

In Bitcoin Core 0.15, as part of a larger redesign to simplify unspent transaction output tracking and correct a resource exhaustion attack, the assertion was changed subtly: instead of asserting that the output being marked spent was previously unspent, it only asserts that the output exists.

Thus, in Bitcoin Core 0.15.x, 0.16.0, 0.16.1, and 0.16.2, any attempt to double-spend a transaction output within a single transaction inside a block, where the output being spent was created in the same block, triggers the same assertion failure (this is the case exercised by the test included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry still remains in the CCoin map, marked as spent and with the DIRTY flag set, so no assertion fires. This could allow a miner to inflate the supply of bitcoin, since they would then be able to claim the value being spent twice.
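To make the distinction between the two assertion shapes concrete, the following is an added example constructed for this write-up; it is not Bitcoin Core code and simplifies the real cache considerably. It models a UTXO cache update while connecting a block, the 0.14-style "must be unspent" assertion beside the 0.15-style "must exist" assertion, and the explicit per-transaction duplicate-input check that the 0.16.3 patch restores for block validation. The names `connect_block`, `Coin`, `Assertion`, `Result` and the sample transactions are assumptions of the model, and values are in arbitrary units.

```cpp
// Added example, not Bitcoin Core code: a toy model of the UTXO cache update
// performed while connecting a block, with the two assertion shapes the text
// describes and the explicit duplicate-input check that the fix restores.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

using OutPoint = std::pair<std::string, uint32_t>;  // (txid, output index)

struct Coin {
    int64_t value;
    bool spent;  // a spend clears a non-fresh entry instead of erasing it
    bool dirty;  // entry modified in this cache (the DIRTY flag in the text)
    bool fresh;  // created by an earlier transaction of the same block
};

struct Tx {
    std::string txid;
    std::vector<OutPoint> vin;
    std::vector<int64_t> vout;
};

enum class Assertion {
    Unspent,  // 0.14.x: the coin being spent must not already be spent
    Exists    // 0.15.x to 0.16.2: an entry for the outpoint merely has to exist
};

enum class Outcome { Accepted, Rejected, AssertionFailed };

struct Result {
    Outcome outcome;
    int64_t inflation;  // value credited to inputs beyond value actually destroyed
};

// check_duplicates stands for the per-transaction duplicate-input check; without
// it, only the assertion stands between a repeated outpoint and the UTXO set.
Result connect_block(std::map<OutPoint, Coin> utxo, const std::vector<Tx>& block,
                     Assertion mode, bool check_duplicates) {
    int64_t claimed = 0, destroyed = 0;
    for (const Tx& tx : block) {
        if (check_duplicates) {
            std::set<OutPoint> seen;
            for (const OutPoint& op : tx.vin)
                if (!seen.insert(op).second) return {Outcome::Rejected, 0};
        }
        // Inputs are checked for existence before any of them is consumed, so a
        // repeated outpoint passes this step: both lookups see an unspent coin.
        for (const OutPoint& op : tx.vin) {
            auto it = utxo.find(op);
            if (it == utxo.end() || it->second.spent) return {Outcome::Rejected, 0};
        }
        int64_t tx_in = 0;
        for (const OutPoint& op : tx.vin) {
            auto it = utxo.find(op);
            if (it == utxo.end()) return {Outcome::AssertionFailed, 0};  // entry gone
            Coin& c = it->second;
            if (mode == Assertion::Unspent && c.spent) return {Outcome::AssertionFailed, 0};
            // With Assertion::Exists a spent-but-present entry is not noticed here.
            tx_in += c.value;
            if (!c.spent) destroyed += c.value;
            if (c.fresh) {
                utxo.erase(it);  // fresh entry dropped on spend: a second spend
            } else {             // of it then fails the existence assertion too
                c.spent = true;  // older entry stays behind, cleared and DIRTY
                c.dirty = true;
            }
        }
        int64_t tx_out = 0;
        for (int64_t v : tx.vout) tx_out += v;
        if (tx_out > tx_in) return {Outcome::Rejected, 0};  // outputs exceed inputs
        claimed += tx_in;
        for (uint32_t n = 0; n < tx.vout.size(); ++n)
            utxo[{tx.txid, n}] = Coin{tx.vout[n], false, true, true};
    }
    return {Outcome::Accepted, claimed - destroyed};
}

// Constructed sample data (arbitrary units): one 10-unit coin confirmed in an
// earlier block, plus three candidate blocks built on top of it.
std::map<OutPoint, Coin> sample_utxo() {
    std::map<OutPoint, Coin> u;
    u[{"prev", 0}] = Coin{10, false, false, false};
    return u;
}
std::vector<Tx> honest_block() {             // spends the coin once, pays 9, 1 fee
    return {Tx{"t1", {{"prev", 0}}, {9}}};
}
std::vector<Tx> double_spend_old_coin() {    // spends the confirmed coin twice
    return {Tx{"t1", {{"prev", 0}, {"prev", 0}}, {20}}};
}
std::vector<Tx> double_spend_fresh_coin() {  // spends a same-block output twice
    return {Tx{"t0", {{"prev", 0}}, {10}}, Tx{"t1", {{"t0", 0}, {"t0", 0}}, {20}}};
}

int main() {
    const char* names[] = {"accepted", "rejected", "assertion failed"};
    Result r = connect_block(sample_utxo(), double_spend_old_coin(), Assertion::Exists, false);
    std::printf("0.15-0.16.2 logic, old coin: %s, inflation %lld\n",
                names[static_cast<int>(r.outcome)], static_cast<long long>(r.inflation));
    r = connect_block(sample_utxo(), double_spend_old_coin(), Assertion::Exists, true);
    std::printf("with duplicate-input check: %s\n", names[static_cast<int>(r.outcome)]);
    return 0;
}
```

Run against the sample data, the model reproduces the behaviour the text describes: the 0.14-style assertion aborts on the second spend of the old coin, the 0.15-style assertion lets that block through with `inflation` reporting the 10 units credited twice, the same trick against a same-block output still trips the existence assertion because the fresh entry was erased, and the restored duplicate-input check rejects the block before the cache is touched at all.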

Timeline for September 17, 2018: (all times UTC)

  • 14:57 Anonymous reporter reports crash bug to: Pieter Wuille, Greg Maxwell, Wladimir van der Laan of Bitcoin Core, deadalnix of Bitcoin ABC, and sickpig of Bitcoin Unlimited.
  • 15:15 Greg Maxwell shares the original report with Cory Fields, Suhas Daftuar, Alex Morcos and Matt Corallo
  • 17:47 Matt Corallo identifies inflation bug
  • 19:15 Matt Corallo first tries to reach slushpool CEO to have a line of communication open to apply a patch quickly
  • 19:29 Greg Maxwell timestamps the hash of a test case which demonstrates the inflation vulnerability (a47344b7dceddff6c6cc1c7e97f1588d99e6dba706011b6ccc2e615b88fe4350)
  • 20:15 John Newbery and James O’Beirne are informed of the vulnerability so they can assist in alerting companies to a pending patch for a DoS vulnerability
  • 20:30 Matt Corallo speaks with slushpool CTO and CEO and shares patch with disclosure of the Denial of Service
  • 20:48 slushpool confirmed upgraded
  • 21:08 Alert was sent to Bitcoin ABC that a patch will be posted publicly by 22:00
  • 21:30 (approx) Responded to original reporter with an acknowledgment
  • 21:57 Bitcoin Core PR 14247 published with patch and test demonstrating the Denial of Service bug
  • 21:58 Bitcoin ABC publishes their patch
  • 22:07 Advisory email with link to Bitcoin Core PR and patch goes out to Optech members, among others
  • 23:21 Bitcoin Core version 0.17.0rc4 tagged

September 18, 2018:

  • 00:24 Bitcoin Core version 0.16.3 tagged
  • 20:44 Bitcoin Core release binaries and release announcements were available
  • 21:47 Bitcointalk and reddit have public banners urging people to upgrade

September 19, 2018:

  • 14:06 An additional message by Pieter Wuille urging people to upgrade is distributed to the mailing list

September 20, 2018:

  • 19:50 David Jaenson independently discovered the vulnerability, and it was reported to the Bitcoin Core security contact email.

Published at Thu, 20 Sep 2018 04:00:00 +0000
