📅 Original date posted:2019-02-25
📝 Original message:Hi,
I'm writing to report a consensus vulnerability affecting Bitcoin Core
versions
0.13.0, 0.13.1, and 0.13.2. These software versions reached end-of-life on
2018-08-01.
The issue surrounds a fundamental design flaw in Bitcoin's Merkle tree
construction. Last year, the vulnerability (CVE-2017-12842) around 64-byte
transactions being used to trick light clients into thinking that a
transaction
was committed in a block was discussed on this mailing list
(
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016091.html
).
There is a related attack resulting from the ambiguity around 64-byte
transactions which could be used to cause a vulnerable full-node
implementation
to fall out of consensus.
The attack on light clients discussed previously was centered on the idea of
claiming the Merkle tree has one more level in it than it actually has, to
prove that a candidate transaction is in the chain by having its hash match
one
side of a 64-byte transaction. The vulnerability I am describing here
involves
going the other direction: find a row of interior nodes in the Merkle tree
that successfully deserialize as transactions, in order to make a block
appear
to be invalid. (This is of a similar character to the attack described by
Sergio Demian Lerner on
https://bitslog.wordpress.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/
,
in the section titled "An (expensive) attack to partition Bitcoin".)
It has long been recognized that malleating a block's transactions in a way
that produces the same Merkle root could be used to cause a node to fall
out of
consensus, because of the logic in Bitcoin Core to cache the invalidity of
blocks (ie to avoid re-validation of known-invalid ones, which would
otherwise
make the software vulnerable to DoS). Malleation by "going up" the Merkle
tree,
and claiming that some interior row is in fact the set of (64-byte)
transactions in a block, could be used to cause the Bitcoin Core 0.13
branch to
incorrectly mark as invalid a block that in fact has a valid set of
transactions. Moreover, this requires very little work to accomplish -- less
than 22 bits of work in all.
I have attached a writeup that I put together for my own memory and notes
which
goes into more detail (along with a summary of other Merkle tree issues,
including the duplicate transactions issue from CVE-2012-2459 and the SPV
issue); please see sections 3.1 and 4.1 for a discussion. The bug in 0.13
was
introduced as an unintended side-effect of a change I authored
(https://github.com/bitcoin/bitcoin/pull/7225). Once I learned of this
category of Merkle malleation issues, I realized that the change
inadvertently
introduced a vulnerability to this issue that did not previously exist (in
any
prior version of the software, as far as I can tell). A bug fix that
effectively reverted the change (
https://github.com/bitcoin/bitcoin/pull/9765)
was made just before the 0.14 version of Bitcoin Core was released, and no
later versions of the software are affected.
Also, I have scanned the blockchain looking for instances where the first
two
hashes in any row of the Merkle tree would deserialize validly as a 64-byte
transaction, and I have found zero such instances. So in particular there
are
no blocks on Bitcoin's main chain (as of this writing) that could be used to
attack an 0.13 node.
I thought it best to withhold disclosure of this vulnerability before a
mitigation was in place for the related SPV-issue (which I assumed would
become
obvious with this disclosure); once that became public last summer and a
mitigation deployed (by making 64-byte transactions nonstandard), that
concern
was eliminated.
Thanks to Johnson Lau and Greg Maxwell for originally alerting me to this
issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190225/a27d8837/attachment-0001.html>;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BitcoinMerkle.pdf
Type: application/pdf
Size: 200880 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190225/a27d8837/attachment-0001.pdf>;
Suhas Daftuar [ARCHIVE] /
npub1ss…e0am4
2023-06-07 18:16:33
in reply to nevent1q…p5jp
Author Public Key
npub1ss2s89s938xfh3zzz0j2mhp25tlrlcrj0duljr0ne0t8v2r4cv0q5e0am4Published at
2023-06-07 18:16:33Event JSON
{
"id": "e513699e7625ff5b6c01946bb64483c7208ed89b5630eefc70b6694076686b24",
"pubkey": "841503960589cc9bc44213e4addc2aa2fe3fe0727b79f90df3cbd6762875c31e",
"created_at": 1686161793,
"kind": 1,
"tags": [
[
"e",
"3bb7e3719b903bbd0143c13fc36274398361ca746b433bf3d8f41bca6f3c6bdc",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2019-02-25\n📝 Original message:Hi,\n\nI'm writing to report a consensus vulnerability affecting Bitcoin Core\nversions\n0.13.0, 0.13.1, and 0.13.2. These software versions reached end-of-life on\n2018-08-01.\n\nThe issue surrounds a fundamental design flaw in Bitcoin's Merkle tree\nconstruction. Last year, the vulnerability (CVE-2017-12842) around 64-byte\ntransactions being used to trick light clients into thinking that a\ntransaction\nwas committed in a block was discussed on this mailing list\n(\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016091.html\n).\nThere is a related attack resulting from the ambiguity around 64-byte\ntransactions which could be used to cause a vulnerable full-node\nimplementation\nto fall out of consensus.\n\nThe attack on light clients discussed previously was centered on the idea of\nclaiming the Merkle tree has one more level in it than it actually has, to\nprove that a candidate transaction is in the chain by having its hash match\none\nside of a 64-byte transaction. The vulnerability I am describing here\ninvolves\ngoing the other direction: find a row of interior nodes in the Merkle tree\nthat successfully deserialize as transactions, in order to make a block\nappear\nto be invalid. (This is of a similar character to the attack described by\nSergio Demian Lerner on\nhttps://bitslog.wordpress.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/\n,\nin the section titled \"An (expensive) attack to partition Bitcoin\".)\n\nIt has long been recognized that malleating a block's transactions in a way\nthat produces the same Merkle root could be used to cause a node to fall\nout of\nconsensus, because of the logic in Bitcoin Core to cache the invalidity of\nblocks (ie to avoid re-validation of known-invalid ones, which would\notherwise\nmake the software vulnerable to DoS). Malleation by \"going up\" the Merkle\ntree,\nand claiming that some interior row is in fact the set of (64-byte)\ntransactions in a block, could be used to cause the Bitcoin Core 0.13\nbranch to\nincorrectly mark as invalid a block that in fact has a valid set of\ntransactions. Moreover, this requires very little work to accomplish -- less\nthan 22 bits of work in all.\n\nI have attached a writeup that I put together for my own memory and notes\nwhich\ngoes into more detail (along with a summary of other Merkle tree issues,\nincluding the duplicate transactions issue from CVE-2012-2459 and the SPV\nissue); please see sections 3.1 and 4.1 for a discussion. The bug in 0.13\nwas\nintroduced as an unintended side-effect of a change I authored\n(https://github.com/bitcoin/bitcoin/pull/7225). Once I learned of this\ncategory of Merkle malleation issues, I realized that the change\ninadvertently\nintroduced a vulnerability to this issue that did not previously exist (in\nany\nprior version of the software, as far as I can tell). A bug fix that\neffectively reverted the change (\nhttps://github.com/bitcoin/bitcoin/pull/9765)\nwas made just before the 0.14 version of Bitcoin Core was released, and no\nlater versions of the software are affected.\n\nAlso, I have scanned the blockchain looking for instances where the first\ntwo\nhashes in any row of the Merkle tree would deserialize validly as a 64-byte\ntransaction, and I have found zero such instances. So in particular there\nare\nno blocks on Bitcoin's main chain (as of this writing) that could be used to\nattack an 0.13 node.\n\nI thought it best to withhold disclosure of this vulnerability before a\nmitigation was in place for the related SPV-issue (which I assumed would\nbecome\nobvious with this disclosure); once that became public last summer and a\nmitigation deployed (by making 64-byte transactions nonstandard), that\nconcern\nwas eliminated.\n\nThanks to Johnson Lau and Greg Maxwell for originally alerting me to this\nissue.\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190225/a27d8837/attachment-0001.html\u003e\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: BitcoinMerkle.pdf\nType: application/pdf\nSize: 200880 bytes\nDesc: not available\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190225/a27d8837/attachment-0001.pdf\u003e",
"sig": "3ec071d3b175bc1138ab867d689fabbe36089f871d6db2b32efcf5e5f796f0949d40dbce5b275af0ab05a5ae72737170db09ff2f74e5bca6b65b39ba5de7be95"
}