From: "Luke-Jr" <luke@dashjr.org>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Full Disclosure: CVE-2012-2459 (block merkle calculation exploit)
Date: Wed, 22 Aug 2012 02:53:21 +0000
Message-ID: <201208220253.24822.luke@dashjr.org>
In-Reply-To: <CAOCHLotLO8eaLJV2Kkm_YEvbDb80A1VzVGuvujm6NjjGraFEsQ@mail.gmail.com>

On Wednesday, August 22, 2012 2:25:20 AM Forrest Voight wrote:
> An unpatched Bitcoin installation can be permanently wedged at its
> current highest block using this and the fact that Bitcoin caches
> orphan blocks in a disk-backed database. To do so, the attacker must
> send it a valid block (that will eventually make it into the
> blockchain) made invalid by duplicating one of the transactions in a
> way that preserves the Merkle root. The attacker doesn't even need to
> mine their own block - instead, they can listen for a block, then
> mutate it in this way, and pass it on to their peers.

From the mining perspective, the unpatched install might not be simply wedged:
it will also follow a competing smaller blockchain. An attacker could have
used this exploit against a number of large miners (say about 40% or so) and
exchanges to pull off any number of double-spend attacks until the miners
noticed they had been forked and fixed their bitcoind. That is, the attacker
could easily hijack as much of the miners as he wanted for his own purposes
including phony 6+ confirmation transactions. On a more subtle level, the
attacker could target certain blocks they wanted orphaned by performing this
attack on a majority of miners with the "tip" block he wanted orphaned.

This vulnerability is also the reason why Eloipool (the software behind
Eligius, EclipseMC, TripleMining, and other pools) has attempted to produce
blocks with only transaction counts that are powers of two; such blocks cannot
be used for an attack even against vulnerable clients.
Luke
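
Added example (not part of the original message, and not Bitcoin's or Eloipool's code): a Bitcoin-style Merkle root that also reports whether two equal hashes meet at a pairing position, which is how a block carrying a duplicated transaction can be told apart from the honest block with the same root. The function names and the sample txids are constructed for illustration; `pads_at_any_level` shows which transaction counts ever repeat a hash, matching the power-of-two remark above.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids):
    """Return (root, mutated) for a list of 32-byte txids.

    An odd-length level is padded by repeating its last hash. `mutated`
    is set when a real pair (checked before padding) holds two equal
    hashes, which is what a duplicated tail looks like inside the tree.
    """
    if not txids:
        raise ValueError("a block has at least one transaction")
    level = list(txids)
    mutated = False
    while len(level) > 1:
        # Compare real pairs only; an unpaired last element is skipped.
        for i in range(0, len(level) - 1, 2):
            if level[i] == level[i + 1]:
                mutated = True
        if len(level) % 2:
            level.append(level[-1])  # the padding rule
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0], mutated

def pads_at_any_level(n: int) -> bool:
    """True if a tree over n leaves repeats a hash at some level."""
    while n > 1:
        if n % 2:
            return True
        n = (n + 1) // 2
    return False

# Constructed sample txids (hashes of single bytes, not real transactions).
TXIDS = [dsha256(bytes([i])) for i in range(6)]

if __name__ == "__main__":
    for txs in (TXIDS[:3], TXIDS[:3] + [TXIDS[2]], TXIDS[:4]):
        root, mutated = merkle_root(txs)
        print(len(txs), root[::-1].hex()[:16], "mutated" if mutated else "ok")
```

A validator that rejects a block when `mutated` is true, without caching it as a known-bad block hash, is not wedged by the duplicated copy and still accepts the honest block.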