The developers of the autonomous cryptocurrency Decred have clarified details of a vulnerability that could have allowed malicious actors to carry out denial-of-service (DoS) attacks on nodes.
Earlier this week The Daily Chain published an article referring to a recently released report from software developers that identified a potential vulnerability in Bitcoin node software which could also have been exploited against Decred and btcd.
Bitcoin software engineers Braydon Fuller and Javed Khan released their report, titled ‘Bitcoin Inventory Out-of-Memory Denial-of-Service Attack’, which outlined the discovery of the initial problem, described as ‘an uncontrolled resource consumption and out-of-memory (OOM) vulnerability’ that could have been exploited in a denial-of-service attack.
This was first identified in July 2018 and was quietly patched the day after Bitcoin Core and Litecoin Core maintainers were notified by Fuller, of the Bcoin protocol team at Purse.
Khan then identified that the same vulnerability could potentially be exploited on Decred and btcd, the latter being an alternative full-node implementation of the Bitcoin protocol written in the Go programming language; it follows the same blockchain as Bitcoin Core.
The Daily Chain had erroneously described btcd as a blockchain in its previous report.
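The report describes the flaw only as ‘uncontrolled resource consumption’ leading to out-of-memory when handling inventory (inv) messages. The Go sketch below is an added illustration of what that class of bug looks like in a node, placed beside a bounded counterpart; it is not code from the report, btcd or dcrd, and it does not reproduce the actual code path the report covers, which this article does not detail. The InvVector type, the maxPendingPerPeer value, fakeInv, simulate and the disconnect-on-violation handling are assumptions made for the example; maxInvPerMsg matches the 50,000-entry cap on inv messages in the Bitcoin wire protocol.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// InvVector is a simplified stand-in for one entry of a Bitcoin/Decred P2P
// "inv" message: a type tag plus a 32-byte hash. Hypothetical type, not the
// wire structs used by btcd or dcrd.
type InvVector struct {
	Type uint32
	Hash [32]byte
}

const (
	// maxInvPerMsg is the cap on entries per inv message in the Bitcoin
	// wire protocol (50,000); a message above this is malformed.
	maxInvPerMsg = 50000
	// maxPendingPerPeer is an assumed, illustrative ceiling on announced-but-
	// unfetched hashes a node is willing to remember for one peer.
	maxPendingPerPeer = 100000
)

var ErrPeerMisbehaving = errors.New("peer exceeded inventory limits")

// unboundedPeer remembers every hash a peer announces until it is fetched.
// Nothing limits the set, so a remote peer announcing an endless stream of
// unique hashes grows it without bound: uncontrolled resource consumption
// that ends in out-of-memory. This is the shape of the flaw class only.
type unboundedPeer struct {
	pending map[[32]byte]struct{}
}

func (p *unboundedPeer) handleInv(msg []InvVector) {
	for _, iv := range msg {
		p.pending[iv.Hash] = struct{}{}
	}
}

// boundedPeer keeps the same per-peer set but enforces a per-message cap and
// a total cap, and marks the peer for disconnection on the first violation.
type boundedPeer struct {
	pending map[[32]byte]struct{}
	dropped bool
}

func newBoundedPeer() *boundedPeer {
	return &boundedPeer{pending: make(map[[32]byte]struct{})}
}

func (p *boundedPeer) handleInv(msg []InvVector) error {
	if p.dropped {
		return ErrPeerMisbehaving
	}
	// Check limits before touching the map, so a hostile message never costs
	// more memory than its own parsing did.
	if len(msg) > maxInvPerMsg || len(p.pending)+len(msg) > maxPendingPerPeer {
		p.dropped = true
		return ErrPeerMisbehaving
	}
	for _, iv := range msg {
		p.pending[iv.Hash] = struct{}{}
	}
	return nil
}

// fakeInv builds a constructed inv message of n hashes unique across
// (seed, index), standing in for an attacker announcing fresh hashes.
func fakeInv(seed uint64, n int) []InvVector {
	msg := make([]InvVector, n)
	for i := range msg {
		msg[i].Type = 1 // illustrative MSG_TX-style tag
		binary.BigEndian.PutUint64(msg[i].Hash[0:8], seed)
		binary.BigEndian.PutUint64(msg[i].Hash[8:16], uint64(i))
	}
	return msg
}

// simulate feeds msgs inv messages of perMsg entries each to both peers and
// reports how many hashes each holds afterwards, plus the first error the
// bounded peer raised (nil if it never did).
func simulate(msgs, perMsg int) (unboundedHeld, boundedHeld int, firstErr error) {
	u := &unboundedPeer{pending: make(map[[32]byte]struct{})}
	b := newBoundedPeer()
	for i := 0; i < msgs; i++ {
		msg := fakeInv(uint64(i), perMsg)
		u.handleInv(msg)
		if err := b.handleInv(msg); err != nil && firstErr == nil {
			firstErr = err
		}
	}
	return len(u.pending), len(b.pending), firstErr
}

func main() {
	u, b, err := simulate(5, maxInvPerMsg)
	fmt.Printf("unbounded peer holds %d hashes\n", u)
	fmt.Printf("bounded peer holds %d hashes, error: %v\n", b, err)
}
```

Five maximum-size messages leave the unbounded peer holding 250,000 hashes and still growing, while the bounded peer stops at 100,000 and flags the peer. The order of the checks is the point: the limit is tested against lengths already known from parsing, before any allocation proportional to the attacker's input.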
Decred clarifies risks
Dave Collins, lead developer at Decred.org, clarified the findings and some of the conclusions drawn from Fuller and Khan’s report to the Daily Chain this week.
While the report stated that ‘100% of Decred nodes’ were at risk of the vulnerability, Collins told the Daily Chain that the publication's earlier assertion that the risk could ‘have been particularly devastating’ was not factually correct.
“That is not true. Only nodes that accept inbound P2P messages would be at risk, but there are nodes that are not easily reached via P2P and would be unaffected,” Collins said.
Collins also explained how the vulnerabilities were communicated to the various teams and developers working on Decred and Btcd and then patched.
“‘Bitcoin engineers’ did not patch it in Decred. Javed Khan identified the issue in btcd and Decred and submitted it to the bug bounty program. David Hill patched it for Decred in PR (https://github.com/decred/dcrd/pull/2253) and those changes were then ported to btcd by Khan in PRs https://github.com/btcsuite/btcd/pull/1599 and https://github.com/btcsuite/btcd/pull/1603,” Collins added.