Also covering Duplicate inputs vulnerability

CVE-2018-17144 was a bug that could have allowed an attacker to spend the same bitcoins more than once.

An optimization included in Bitcoin Core 0.14.0 skipped a check on newly-received blocks that was thought to be redundant, making the node willing to partly process blocks that tried to spend the same input more than once. This would trigger some code meant to catch unexpected node operation and cause the node to deliberately crash. This allowed a denial-of-service attack that could be exploited by miners.

The code meant to catch unexpected operation (an assert) was rewritten for Bitcoin Core 0.15.0, unintentionally allowing the node to continue operation in the case of duplicate inputs. This allowed a miner to spend the same bitcoins more than once.
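To show why the skipped check matters, here is an added example (not Bitcoin Core's code and not part of the original page) built on a toy UTXO model. The types, function names, reject strings and sample values are assumptions made for illustration. With the duplicate-input check disabled, a transaction that lists one coin twice is accepted and the total supply in the model doubles.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy model for illustration; these are not Bitcoin Core's types.
using OutPoint = std::pair<std::string, uint32_t>;  // (txid, output index)
using UtxoSet = std::map<OutPoint, int64_t>;        // unspent coin -> value
struct Tx { std::string txid; std::vector<OutPoint> inputs; std::vector<int64_t> outputs; };

bool HasDuplicateInputs(const Tx& tx) {  // is the same outpoint listed twice?
    std::set<OutPoint> seen;
    for (const auto& in : tx.inputs)
        if (!seen.insert(in).second) return true;
    return false;
}

// Validate tx against utxos and apply it; returns "ok" or a reject reason.
std::string ConnectTx(UtxoSet& utxos, const Tx& tx, bool check_duplicates) {
    if (check_duplicates && HasDuplicateInputs(tx)) return "duplicate-inputs";
    int64_t in_value = 0, out_value = 0;
    for (const auto& in : tx.inputs) {
        auto it = utxos.find(in);
        if (it == utxos.end()) return "missing-input";
        in_value += it->second;  // a repeated outpoint is counted again
    }
    for (int64_t v : tx.outputs) out_value += v;
    if (out_value > in_value) return "outputs-exceed-inputs";
    for (const auto& in : tx.inputs) utxos.erase(in);  // second erase is a no-op
    for (uint32_t i = 0; i < tx.outputs.size(); ++i)
        utxos[{tx.txid, i}] = tx.outputs[i];
    return "ok";
}

int64_t TotalSupply(const UtxoSet& utxos) {
    int64_t total = 0;
    for (const auto& kv : utxos) total += kv.second;
    return total;
}

int main() {  // constructed sample: one 50-unit coin listed twice as an input
    OutPoint coin{"constructed-txid", 0};
    Tx dup{"t1", {coin, coin}, {100}};
    for (bool check : {true, false}) {
        UtxoSet utxos{{coin, 50}};
        std::cout << ConnectTx(utxos, dup, check) << " " << TotalSupply(utxos) << "\n";
    }
}
```

In this model the second `erase` silently does nothing, which corresponds to the node continuing to operate; a model that instead aborted on a failed spend would correspond to the crash behaviour described for 0.14.x.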

The vulnerability was discovered and responsibly disclosed by developer Awemany on 17 September 2018. Patches were available within hours, and a binary release for the current release branch within 36 hours—both only mentioning the DoS vulnerability. After several developers reviewing the patch were able to reverse engineer the bug and discover the inflation risk, a full disclosure was made by Bitcoin Core developers on 20 September 2018.

The bug was never exploited on Bitcoin mainnet and an overwhelming majority of full nodes subsequently updated to unaffected versions of Bitcoin Core.

After the full disclosure, the bug was exploited on Bitcoin testnet, causing any nodes still running Bitcoin Core 0.14.x to crash and nodes running 0.15.0 to 0.16.2 to accept a transaction that spent the same funds more than once. When testnet miners managed to produce a valid chain with more proof-of-work than the invalid chain, those non-upgraded nodes attempted to switch to the new chain but were unable to fully un-spend a double-spent input. This left the old testnet nodes stuck on a lower-proof-of-work block chain, requiring manual user intervention to fix them.

Primary code and documentation

Optech newsletter and website mentions


