Bitcoin Core Proved to be Susceptible to Double Spending Attack for Years

The Bitcoin Core software for the Bitcoin network had a severe double-spending vulnerability for a year, which in theory could have even led to a blockchain fork of affected nodes and bug-free nodes. The vulnerability has not been exploited.

The vulnerability, labeled CVE-2018-17144, was fixed last week with the release of Bitcoin Core 0.16.3 and 0.17.0rc4. Initially, developers were notified of a denial-of-service bug, but closer inspection revealed an inflation vulnerability, according to Bitcoin Core’s full disclosure.

Optimizations in Bitcoin Core 0.14, which came out in March last year, had the unintended side effect that nodes could crash when processing blocks of transactions that attempted to spend coins multiple times. With the arrival of Bitcoin Core 0.15.0, a little over a year ago, the problems got worse. The adjustments ensured that nodes accepted the double-spend transactions in some cases.

Bitcoin Magazine describes that in the worst case scenario, a malicious person could increase the amount of currency by copying his own coins. Nodes with the vulnerable Bitcoin Core versions would accept these coins, theoretically creating a fork. In practice, this would be unlikely, as the older, unaffected nodes would likely have too low a hashrate.

By now, more than half of the hashrate would have been upgraded to Bitcoin Core 0.16.3, which would no longer allow an attacker to successfully displace the valid blockchain. Bitcoin Core is the name of the software client for the Bitcoin network.