From: "Luke-Jr" <luke@dashjr.org>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Full Disclosure: CVE-2012-2459 (block merkle calculation exploit)
Date: Wed, 22 Aug 2012 02:53:21 +0000
Message-ID: <201208220253.24822.luke@dashjr.org>
In-Reply-To: <CAOCHLotLO8eaLJV2Kkm_YEvbDb80A1VzVGuvujm6NjjGraFEsQ@mail.gmail.com>

On Wednesday, August 22, 2012 2:25:20 AM Forrest Voight wrote:
> An unpatched Bitcoin installation can be permanently wedged at its
> current highest block using this and the fact that Bitcoin caches
> orphan blocks in a disk-backed database. To do so, the attacker must
> send it a valid block (that will eventually make it into the
> blockchain) made invalid by duplicating one of the transactions in a
> way that preserves the Merkle root. The attacker doesn't even need to
> mine their own block - instead, they can listen for a block, then
> mutate it in this way, and pass it on to their peers.

From the mining perspective, the unpatched install might not be simply wedged:
it will also follow a competing smaller blockchain. An attacker could have
used this exploit against a number of large miners (say about 40% or so) and
exchanges to pull off any number of double-spend attacks until the miners
noticed they had been forked and fixed their bitcoind. That is, the attacker
could easily hijack as many of the miners as he wanted for his own purposes,
including phony 6+ confirmation transactions. On a more subtle level, the
attacker could target certain blocks they wanted orphaned by performing this
attack on a majority of miners with the "tip" block he wanted orphaned.

This vulnerability is also the reason why Eloipool (the software behind 
Eligius, EclipseMC, TripleMining, and other pools) has attempted to produce 
blocks with only transaction counts that are powers of two; such blocks cannot 
be used for an attack even against vulnerable clients.

Luke
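To make concrete why a duplicated trailing transaction survives the merkle root check while a power-of-two transaction count does not, here is an added Python example (mine, not code from Bitcoin, Eloipool or anyone in this thread) that builds Bitcoin's merkle tree over constructed txids and applies the duplicate-sibling check a patched node uses to reject such a block before caching it. The txids, `check_block` and its rejection strings are assumptions for illustration.

```python
import hashlib
from typing import List, Tuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: List[bytes]) -> Tuple[bytes, bool]:
    """Return (root, mutated) using Bitcoin's tree rule: an odd trailing
    node at any level is paired with itself. `mutated` is set when two
    siblings are identical *without* that odd-count padding, which is the
    footprint of a duplicated transaction; honest blocks never produce it
    because every txid in them is distinct."""
    if not txids:
        return b"\x00" * 32, False
    level, mutated = list(txids), False
    while len(level) > 1:
        odd = len(level) % 2 == 1
        if odd:
            level.append(level[-1])  # legitimate self-pairing of the odd node
        nxt = []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            padding_pair = odd and i == len(level) - 2
            if left == right and not padding_pair:
                mutated = True  # a real duplicate hiding behind the same root
            nxt.append(dsha256(left + right))
        level = nxt
    return level[0], mutated


def check_block(header_root: bytes, txids: List[bytes]) -> str:
    """Admission check a node applies before storing a block: the tree must
    not be mutated and its root must match the header (hypothetical API)."""
    root, mutated = merkle_root(txids)
    if mutated:
        return "reject: duplicate sibling in merkle tree"
    if root != header_root:
        return "reject: merkle root mismatch"
    return "accept"


def constructed_txids(n: int) -> List[bytes]:
    """Constructed sample txids (labels hashed), not real transactions."""
    return [dsha256(b"constructed-tx-%d" % i) for i in range(n)]
```

With 3 or 6 transactions, appending the trailing transaction (or trailing pair) leaves the root unchanged but trips the mutated flag; with 4 transactions no padding occurs, so the same duplication changes the root and is caught by the ordinary root comparison.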


Thread overview: 3+ messages
2012-08-22  2:25 [Bitcoin-development] Full Disclosure: CVE-2012-2459 (block merkle calculation exploit) Forrest Voight
2012-08-22  2:53 ` Luke-Jr [this message]
2012-08-22  8:10 ` Mike Hearn