No auto-update in Bitcoin Core means 13% of nodes could crash
Bitcoin developers today disclosed details of another high-severity software bug. According to senior Core developers, over 13% of the home and business computers around the world that enforce Bitcoin’s rules are vulnerable to a remote shutdown.
The bug, tracked as CVE-2024-35202, affects Bitcoin nodes running Core software prior to version 25.0. On nodes that have not updated to at least 25.0, a remote attacker can trigger an assertion failure in the logic that handles block transaction (‘blocktxn’) messages.
Specifically, the vulnerability stems from Core’s compact block protocol, which uses shortened transaction identifiers to reduce internet bandwidth use. An attacker can trigger a collision in these identifiers, causing the node to request a full block.
Although requesting the full, unabridged block is a safety precaution, software versions prior to 25.0 have a flaw in how they handle the blocktxn messages that follow. In short, the node can be forced into a state its own logic treats as impossible, which trips the assertion and crashes the process entirely.
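To make the collision-and-fallback step concrete, here is an added example (not code from Bitcoin Core or from this article) of the BIP152-style short transaction id: SipHash-2-4 keyed from SHA256(header || nonce) and truncated to 48 bits, followed by a simplified receiver step that refuses to guess when two transactions map to the same id and instead falls back to fetching the full block. The 80-byte header, the nonce and the txids used below are constructed, and the reconstruction logic is a simplification of what a node does, not Core's implementation.

```python
import hashlib
MASK64 = (1 << 64) - 1
_rotl = lambda x, b: ((x << b) | (x >> (64 - b))) & MASK64

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(k0, k1, data):
    """SipHash-2-4 of `data` under the 64-bit key halves k0, k1."""
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]
    n = len(data)
    words = [int.from_bytes(data[i:i + 8], "little") for i in range(0, n - n % 8, 8)]
    words.append(((n & 0xFF) << 56) | int.from_bytes(data[n - n % 8:], "little"))
    for m in words:                       # two compression rounds per 8-byte word
        v[3] ^= m
        v = list(_sipround(*_sipround(*v)))
        v[0] ^= m
    v[2] ^= 0xFF                          # finalization: four rounds
    for _ in range(4):
        v = list(_sipround(*v))
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def short_id_key(header80, nonce):
    """BIP152: k0, k1 are the first 16 bytes of SHA256(header || nonce as LE uint64)."""
    h = hashlib.sha256(header80 + nonce.to_bytes(8, "little")).digest()
    return int.from_bytes(h[:8], "little"), int.from_bytes(h[8:16], "little")

def short_id(k0, k1, txid32):
    """48-bit short id: low 6 bytes of SipHash-2-4 over the txid (wtxid in v2)."""
    return siphash24(k0, k1, txid32) & 0xFFFFFFFFFFFF

def reconstruct(header80, nonce, announced, mempool):
    """Simplified receiver step (not Core's code): one entry per announced id (the
    mempool tx, or None if it must be fetched), or None overall on a collision."""
    if len(set(announced)) != len(announced):
        return None                       # duplicate ids in the announcement itself
    k0, k1 = short_id_key(header80, nonce)
    by_sid = {}
    for tx in mempool:                    # group mempool txs by their short id
        by_sid.setdefault(short_id(k0, k1, tx), []).append(tx)
    matched = [by_sid.get(sid, []) for sid in announced]
    if any(len(c) > 1 for c in matched):  # two mempool txs share an announced id
        return None                       # ambiguous: request the full block instead
    return [c[0] if c else None for c in matched]
```

A `None` result is the point where a real node stops trusting the compact block and asks a peer for the full one; the state that follows that request is what versions before 25.0 mishandled.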
Bug patched since May 2023, but Bitcoin Core does not auto-update
Credit for discovering and disclosing the vulnerability goes to Niklas Gögge, who also wrote the fix that shipped in Bitcoin Core v25.0. His patch, Bitcoin Core pull request 26898, had been merged into production by other developers by May 26, 2023.
According to the version strings self-reported by internet-accessible nodes tracked by BitNodes.io, 13.7% of the 18,843 nodes on the Bitcoin network are vulnerable to the attack. Developers encourage all node operators to update their software to patch this vulnerability. The latest version of Bitcoin Core software is 28.0.
Although serious, the bug offers little financial benefit to an average attacker: it requires sophisticated manipulation of the compact block protocol, and on its own it does not enable double-spending of bitcoin; that would require coordinating a variety of other financial and social engineering schemes.
Nevertheless, it is a security vulnerability that could be exploited by a corporate or governmental actor who wants to disrupt the operation of Bitcoin for reasons other than immediate financial gain.
The disclosure of this bug follows a recent trend of Bitcoin Core developers revealing serious vulnerabilities in older software versions. Because Core software does not automatically update by default, node operators must manually choose to download, verify, and update their software.
Unless Bitcoin node operators update their software, a portion of the network could be at risk of a shutdown.