Bitcoin Core Developers Confirm Duplicate Transaction Bug Fix

In release notes for Bitcoin Core version 0.16.3, Wladimir van der Laan confirmed that the vulnerability, known as CVE-2018-17144, had received an effective patch. The Bitcoin Core client remains the most popular, comprising over 94% of all Bitcoin software implementations today.

“A denial-of-service vulnerability… exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2,” he summarized.

“It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible.”

CVE-2018-17144 could technically have allowed a malicious miner or group of miners to perform duplicate transactions and burn block rewards, forcing nodes off the network in the process.

Cobra, the creator of information resource Bitcoin.org, said the bug even had the potential to create chaos in a “huge chunk” of the ecosystem.

“A very scary bug in Bitcoin Core has just been fixed which could have crashed a huge chunk of the Bitcoin network if exploited by any rogue miners,” he wrote on Twitter.

Other than the official release notes, developers have yet to publicly explain the origin of and circumstances around the offending code. On GitHub, fellow Core developer Andrew Chow remained brief, telling users only that a “third party” reported the bug.

“The bug was disclosed to other projects simultaneously to it being disclosed to us,” Matt Corallo added.

Bitcoin Core bugs rarely create a sense of urgency within the community, making the discovery of CVE-2018-17144 an unusual exception.