A ‘vulnerability’ that gave people the chance to spend Bitcoin twice was patched last week after being potentially open since March 2017.
The patch was issued by Bitcoin Core.
First of all, it’s important to note Bitcoin Core does not control Bitcoin. It’s a software implementation developed off the original code by Bitcoin creator Satoshi Nakamoto.
It is however, the most popular BTC client (TechRadar defines it as “the original and definitive” client). It’s a big download, because it uses a full, current version of blockchain that continually updates with all BTC transactions.
Users like that feature because it means transaction confirmations are much stronger. In a nutshell, it’s harder for someone to make you think you have been sent funds which have actually been spent elsewhere – the “Bitcoin double spend”.
There is some history with the so-called double spend. In fact, one of the reasons BTC took off is because Nakamoto found a way to solve cryptocurrency’s biggest problem – what stops someone spending a digital coin twice?
The answer lay in confirmations. Say someone has one BTC in their wallet and tries to buy an item for 1 BTC. At the same time they pay, they try to send that same 1 BTC to another wallet they own.
We’re not going to go too far down this rabbit hole. Hackaday has done a great job of that, if you want the full details. Suffice to say, Bitcoin’s confirmation system watches both transactions and the transaction that gains confirmations faster in turn gains more confirmations faster.
Eventually one transaction will resolve into a block, and the other one is tossed out. This is roughly the basis behind blockchain technology – the universal public ledger that stores every single transaction.
That means there is almost no chance the confirmation system will favour the transaction between your two wallets over the transaction between you and a merchant.
The chance exists in theory that an attacker who can control more than 50% of the network’s hashrate and can generate blocks faster, may be able to send the 1BTC to their own wallet and receive their goods from the unfortunate merchant at the same time.
But – especially at today’s rate – the resource cost of maintaining the effort to do that would most likely make it unprofitable.
Unless you could somehow trick the network into accepting Bitcoin that never existed.
Hits you right in the creds
Last week, Bitcoin Core admitted a vulnerability was introduced in Bitcoin Core 0.14.0 and affected “all subsequent versions though to 0.16.2” that theoretically allowed someone to do just that.
Bitcoin Core 0.14.0 was rolled out on March 8, 2017.
On September 20 this year, it sent out a message saying the vulnerability had been fixed two days before and users were “highly recommended” to immediately upgrade to version 0.16.3.
It sounds like Bitcoin Core only found the vulnerability because someone tried to “process a block containing a transaction that attempts to spend the same input twice”.
It caused older versions of Bitcoin Core to crash, but the fix now means the software will “quietly reject such invalid blocks”.
So now for the big question – did anyone succeed to double spend?
The best answer is “unlikely”, simply due to the cost involved.
Bitcoin Core says because the blocks are invalid, “they can only be created by a miner willing to sacrifice their allowed income for creating a block of at least 12.5 BTC (about $80,000 USD as of this writing)”.
Hackaday goes further to explain that even if a malicious block was created that could enable the double spend, the attack “was going to be noticed by different parties involved in the Bitcoin network”.
Crisis averted? Maybe not.
The bigger threat potential comes in the form of what kind of a blow these vulnerabilities can land on the credibility of the network.
No matter how expensive or what level of resources are required, we just learned that someone could potentially put a serious wobble in the $150 billion Bitcoin market for as little as $110,000.
Business Insider Emails & Alerts
Site highlights each day to your inbox.