High-Severity Vulnerability in Bitcoin Core Versions 24.0.1 and Below, Affecting 17% of Full Nodes

September 20, 2024
This article is translated by ChatGPT.

Bitcoin Core Developers Issue High-Severity Warning: One in Six Nodes Vulnerable

ChainCatcher reports that Bitcoin Core developers have issued a high-severity warning, stating that one out of every six Bitcoin nodes is vulnerable to a software flaw. On Thursday, staff working on the open-source Bitcoin Core project, which maintains the software running on over 98% of reachable full nodes, revealed a significant security issue present in the software running on 17% of nodes in the network. Specifically, all software versions below Bitcoin Core version 24.0.1 are at risk. According to monitoring estimates from Bitnodes, this denial-of-service vulnerability affects approximately 3,330 out of 19,200 self-reported user agents of accessible Bitcoin full nodes.

In Bitcoin Core software versions prior to 24.0.1, malicious actors could spam nodes with low-difficulty header chains. By forcing nodes to download and store extremely long header chains, the attack could crash nodes by consuming excessive bandwidth or device storage space. Developers fixed this vulnerability in Bitcoin Core pull request (PR) number 25717, which was merged into production on December 12, 2022, with the release of version 24.0.1. The current Bitcoin Core node software version (27.1) contains a fix for this vulnerability and others.
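A defender-side check for the version boundary described above, as an added example that is not part of the original article or of Bitcoin Core's code: it classifies self-reported user agent strings against the first fixed release, 24.0.1. The function names and the sample strings are constructed for illustration.

```python
import re
from collections import Counter

FIXED = (24, 0, 1)  # first release with the fix, per the article

# BIP 14 style agent: "/Name:version(optional comments)/..."
# Only the leading "Satoshi" component (Bitcoin Core's name) is inspected.
_CORE_UA = re.compile(r"^/Satoshi:(\d+(?:\.\d+){1,3})(?:\([^)]*\))?/")

def classify(user_agent: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one user agent string."""
    m = _CORE_UA.match(user_agent.strip())
    if m is None:
        return "unknown"  # other implementation or malformed string
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "24.0" is treated as 24.0.0
    # Pre-22 releases report "0.x.y", which tuple comparison orders correctly.
    return "vulnerable" if tuple(parts) < FIXED else "fixed"

def audit(user_agents) -> Counter:
    """Count classifications across an iterable of user agent strings."""
    return Counter(classify(ua) for ua in user_agents)

# Constructed sample input, not real measurement data.
SAMPLE_AGENTS = [
    "/Satoshi:27.1.0/",
    "/Satoshi:24.0.1/",
    "/Satoshi:23.0.0/",
    "/Satoshi:22.0.0(mynode)/",
    "/Satoshi:0.21.1/",
    "/btcd:0.24.0/",   # not Bitcoin Core, so left unclassified
    "garbage",
]

if __name__ == "__main__":
    counts = audit(SAMPLE_AGENTS)
    known = counts["vulnerable"] + counts["fixed"]
    print(dict(counts))
    print(f"vulnerable share of Core agents: {counts['vulnerable'] / known:.0%}")
```

For a node you operate, the string to pass to `classify` is the `subversion` field returned by `bitcoin-cli getnetworkinfo`. User agents are self-reported, so counts over remote nodes are an estimate rather than proof of the running version.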

While the vulnerability is quite serious, there have been few known attacks exploiting it in the public record. Due to the high cost of generating and broadcasting block header chains to execute a denial-of-service attack, the vulnerability offers little economic incentive for attackers.
