Recently Discovered Bitcoin Vulnerability Is Even Worse Than Previously Thought

Siamak Masnavi

On Monday (17 September 2018), a vulnerability in Bitcoin Core (Bitcoin's reference implementation), known as CVE-2018-17144, was reported to the developers working on Bitcoin Core, as well as to some projects supporting other cryptocurrencies that use this code (such as "Bitcoin ABC" and "Bitcoin Unlimited", the two leading full node implementations of the Bitcoin Cash protocol). The vulnerability had existed since version 0.14.0 of Bitcoin Core (released on 8 March 2017) and was reported anonymously as a "Denial of Service" (DoS) bug.

As covered by CryptoGlobe, Bitcoin Core developers came up with a fix for this bug the next day (18 September 2018), and released it as part of Bitcoin Core versions 0.16.3 and 0.17.0rc4. They urged anyone running vulnerable versions of Bitcoin Core (i.e. 0.14.0 up to and including 0.16.2) to upgrade to version 0.16.3 as soon as possible.

However, shortly after fixing the vulnerability, the Bitcoin Core developers discovered that the bug in the code causing the DoS problem was even more serious than previously thought because it also created a second problem: the same vulnerability could be exploited to inflate the Bitcoin supply (i.e. create new bitcoins, beyond the 21 million limit placed by Satoshi, which would have the effect of devaluing existing bitcoins). 

This meant that the code fix for the DoS bug would also take care of the supply inflation bug. But, probably in order not to cause panic, and to encourage quick upgrades, the developers decided to only disclose the DoS bug.

On September 20th, after a post in a public forum revealed the full impact of the vulnerability, the Bitcoin Core developers decided to come clean and publish a full disclosure report for CVE-2018-17144.

Over half of the Bitcoin hashrate has upgraded to patched nodes (running version 0.16.3). The developers say that although they are "unaware of any attempts to exploit this vulnerability", it is still critical that "affected users upgrade and apply the latest patches to ensure no possibility of large reorganizations, mining of invalid blocks, or acceptance of invalid transactions occurs."


Russia Will Not Legalize Facebook's Libra Says Top Official

A top Moscow official has said that Facebook's planned new cryptocurrency Libra will not be legalized in Russia, according to a report this week from Russia's state-run news agency TASS.

Anatoly Aksakov, Chairman of the State Duma Committee on Financial Markets, said Russia would not legalise the Libra stablecoin, due for launch next year, as it may pose a threat to the country's financial system.

No Russian Liberty for Libra

While Aksakov acknowledged Russians would be able to buy Libra on international cryptocurrency exchange platforms, he warned that the creation of any domestic mechanisms of exchange would be limited, or even prohibited.

TASS quoted Aksakov as saying:

With regard to the use of Facebook cryptocurrency as a payment instrument in Russia at this stage - my opinion is that in our country it will be banned.

He added that in Russia there were no plans to adopt legislation that "gives space for active use of crypto-tools created in the framework of open platforms and blockchains" that may pose a threat to Russia's financial system.

International Ministers Speak Out

Aksakov is not the first financial minister to express concerns over Facebook's cryptocurrency plans and their potential to damage sovereign currency markets and financial stability.

On Tuesday, French economy minister Bruno Le Maire said that global governments must ask Facebook for "guarantees" that Libra will not be aimed as a disruptive force against sovereign currencies.

Facebook's plans have US government and regulatory officials so rattled that a Senate hearing by the Banking, Housing and Urban Affairs Committee has been scheduled for July 16. The government has asked Facebook to halt work on the project until the hearings have been held.

Sherrod Brown, senior Senator for Ohio and the Democratic Party's ranking member of the Senate Banking Committee, said on his Twitter feed on Tuesday: "Facebook is already too big and too powerful, and it has used that power to exploit users’ data without protecting their privacy. We cannot allow Facebook to run a risky new cryptocurrency out of a Swiss bank account without oversight."

While Aksakov has major concerns about the growth of the cryptocurrency sector, Deputy Finance Minister Alexei Moiseev said on Wednesday that the Russian government was set to adopt the country's crypto bill "On Digital Financial Assets" in the next two weeks.