As initially reported by Decrypt, Braydon Fuller and Javed Khan released their report titled ‘Bitcoin Inventory Out-of-Memory Denial-of-Service Attack’ which outlined the vulnerabilities in the two blockchains.
The same vulnerability was identified in the Bitcoin blockchain in 2018 and was then patched by developers, as outlined at the beginning of Fuller and Khan’s report:
“The vulnerability was discovered on Friday, June 22nd, 2018 by Braydon Fuller of the Bcoin protocol team at Purse. At the time of the discovery this represented more than 50% of publicly advertised Bitcoin nodes with inbound traffic and likely a majority of miners and exchanges.”
The vulnerability was disclosed on July 9, 2018 to Bitcoin Core and Litecoin Core maintainers and was ‘covertly’ patched the next day.
The same threat was then picked up by Khan in June 2020, who noted the vulnerability in the Btcd blockchain; further research in July 2020 identified that the Decred blockchain was also at risk. The latter could have been particularly devastating as 100% of Decred nodes were at risk, as well as nodes serving block filters to Bitcoin Lightning wallets.
While the main threat of the vulnerability is that it would allow an attacker to essentially shut down the blockchains in question, the report also claims that the denial-of-service vulnerability could have had direct financial consequences.
An attack through this method could result in a loss of mining time, or excessive electricity consumption, by shutting down certain nodes, delaying blocks or causing the blockchain to partition. Contracts could also be disrupted, which could ‘affect commerce, exchanges, atomic swaps, escrows and lightning network HTLC payment channels.’
How it works
An attacker operating a node in the given network could exploit this vulnerability by sending a huge number of transaction inv messages, each carrying different hashes and staying below the maximum threshold of 49,999 items, while omitting the necessary transaction data.
This could be further exacerbated by using multiple peers, in what would effectively be a distributed denial-of-service (DDoS) attack.
“With a 1Gbps (125 MB/s) connection it would be possible to send around 83 inv messages with 49,999 items per second, giving a maximum rate of 4,166,584 inv items per second. Memory will grow as fast as it’s possible to send data to the node, until it crashes or locks up the machine in swap disk usage in several minutes.”
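Memory can only grow this way if a node records every announced hash while it waits for transaction data that never arrives. As an added illustration (not code from the report, from Btcd, Dcrd or Bitcoin Core, and not the actual patch), the Go example below caps that per-peer state so a flood of inv items cannot push it past a fixed size. The names PendingInv, Announce, Deliver and Simulate, the 1,000-entry limit and the constructed hashes are all assumptions.

```go
package main

import (
	"container/list"
	"fmt"
)

// Hash stands in for the 32-byte transaction hash carried by an inv item.
type Hash [32]byte

// PendingInv (hypothetical) holds one peer's announced-but-undelivered hashes.
type PendingInv struct {
	limit int        // assumed per-peer cap; the size never exceeds it
	order *list.List // oldest announcement at the front
	index map[Hash]*list.Element
}

func NewPendingInv(limit int) *PendingInv {
	return &PendingInv{limit: limit, order: list.New(), index: map[Hash]*list.Element{}}
}

// Announce records one inv item, evicting the oldest entry once over the cap.
func (p *PendingInv) Announce(h Hash) {
	if _, seen := p.index[h]; seen {
		return // repeated announcements cost no extra memory
	}
	p.index[h] = p.order.PushBack(h)
	if p.order.Len() > p.limit {
		delete(p.index, p.order.Remove(p.order.Front()).(Hash))
	}
}

// Deliver drops a hash once its transaction data has arrived.
func (p *PendingInv) Deliver(h Hash) {
	if e, ok := p.index[h]; ok {
		p.order.Remove(e)
		delete(p.index, h)
	}
}

// Simulate announces n distinct constructed hashes with no data following
// and returns how many entries the tracker still holds afterwards.
func Simulate(limit, n int) int {
	p := NewPendingInv(limit)
	for i := 0; i < n; i++ {
		p.Announce(Hash{byte(i), byte(i >> 8), byte(i >> 16)})
	}
	return p.order.Len()
}

func main() { fmt.Println(Simulate(1000, 49999)) } // one full inv message
```

Because the tracker is scoped to a single peer, a flood only evicts that peer's own older announcements.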
According to the report, the vulnerabilities in these various blockchains were never exploited due to the speed with which they were patched.
The latest Dcrd and Btcd blockchain versions were released at the end of August and patched out the vulnerabilities.