BU software code exposed remote DOS crash vulnerability, nearly 70% of nodes were attacked and offline

Today, Bitcoin Unlimited software was exposed to have a remote DOS crash vulnerability, and nearly 70% of BU nodes crashed and went offline due to the attack.

The vulnerability allows an attacker to knock nodes offline by sending them a certain type of message. Nodes are responsible for validating blockchain transactions and maintaining a copy of the entire transaction history.

The issue was initially flagged on GitHub by BU developer Peter Tschipper, and details spread on social media, sparking widespread discussion among both supporters and critics of the project.

After the number of BU nodes dropped significantly, discussions about this vulnerability became increasingly heated.

According to data from cryptocurrency website Coin.Dance, during the attack, the number of BU nodes dropped to as low as 252.

After the attack, about 780 BU nodes were offline, and as of press time, only 240 BU nodes were online. In comparison, there are about 6,100 full nodes in the entire Bitcoin network.

BU is an alternative bitcoin software that claims to increase bitcoin's transaction throughput through on-chain scaling. It has attracted strong supporters and sharp critics, with some arguing that it provides a way to expand the capacity of the network, while others criticize it for risking a split of the bitcoin network.

Bitcoin Core developer Peter Todd commented on his personal Twitter:

"BU remote DOS crash vulnerability: https://github.com/BitcoinUnlimited/BitcoinUnlimited/pull/371/files
What a ridiculous bug: assert(0) in an if branch that is clearly being manipulated by untrusted network input. #Check code It looks like this remote DOS crash has been in BU for a year, maybe longer."

As of press time, BU developer Andrew Stone has released the latest 1.0.1.1 version of the BU software, claiming to have resolved this vulnerability:

https://github.com/BitcoinUnlimited/BitcoinUnlimited/releases/tag/1.0.1.1

In addition, he also gave an explanation for this vulnerability:

BUIR-2017-2-23: Network-wide Bitcoin Client Failure Announcement

On February 23, 2017 and March 6, 2017, about 5% of the "Satoshi" Bitcoin clients (Bitcoin Core, Bitcoin Unlimited, XT) temporarily lost access to the network (see 1, 2 for the data around February 23). Analysis of the logs of the full nodes during this period showed repeated "PROCESSMESSAGE: INVALID MESSAGESTART" error messages. These messages (PROCESSMESSAGE: INVALID MESSAGESTART) appear when a node connects and sends bad data to another node. Our analysis of the impact of the PROCESSMESSAGE: INVALID MESSAGESTART code path showed rare node crashes. This is why nodes were temporarily lost.

While we cannot be sure that this information was intentional, we found that an unusual, hard-to-create input resulted in a negative result, so we attributed it to a network attack. Although the negative impact of this attack has been minimal so far, we have chosen to follow responsible disclosure procedures and ask miners, Bitcoin businesses, and client developers to keep this information to themselves until patches and upgrades are completed.

We have implemented two categories of fixes in the Bitcoin Unlimited 1.0.1.0 release. First, we have identified the root causes of the node crashes and fixed them. Second, we have added a 4-hour ban for any node that causes the "INVALID MESSAGESTART" error. Since the attack appears to be probabilistic (potentially requiring several hundred "INVALID MESSAGESTART" errors for a single failure), the 4-hour ban will limit the ability of an attacker to cause the error, even if we cannot fix it at the root.

This is not a critical issue, as the probability of node failure appears to be only 5%. However, an attacker could potentially increase this failure rate by developing more efficient attack sequences or using more machines to attack the network. Therefore, we urge you to upgrade to Bitcoin Unlimited 1.0.1.0 or a patched version of a different client as soon as possible.
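The 4-hour ban described in the announcement, as an added example that is not BU's own code: a Python replay of constructed node log lines through a per-peer ban list, counting how many bad-magic messages still reach the crash-prone code path with the ban versus without it. The log line shape (`PROCESSMESSAGE: INVALID MESSAGESTART <command> peer=<id>`) and the use of the peer id as the banned identity are assumptions made here for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed log line shape (the page does not show one); the sample lines below are constructed.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"PROCESSMESSAGE: INVALID MESSAGESTART \S+ peer=(\d+)")


def replay_log(lines, ban_hours=4):
    """Replay node log lines through a ban list of the kind BU 1.0.1.0 added.

    Each INVALID MESSAGESTART error bans the offending peer for ban_hours;
    errors from a peer that is still banned never reach the message handler.
    Returns (handled, refused, bans_per_peer).  Keys on the peer id from the
    log line as a simplification; a real ban list keys on the network address.
    """
    ban_for = timedelta(hours=ban_hours)
    banned_until = {}   # peer -> datetime at which its ban expires
    bans = {}           # peer -> number of bans handed out
    handled = refused = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # unrelated log line
        now, peer = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2))
        if peer in banned_until and now < banned_until[peer]:
            refused += 1          # still banned: connection refused, code path not reached
            continue
        handled += 1              # bad magic reached the error code path once
        banned_until[peer] = now + ban_for
        bans[peer] = bans.get(peer, 0) + 1
    return handled, refused, bans


# Constructed sample: peer 7 hammers the node, peer 9 sends one bad message,
# and peer 7 returns after its 4-hour ban has expired.
SAMPLE_LOG = [
    "2017-02-23 10:00:00 PROCESSMESSAGE: INVALID MESSAGESTART inv peer=7",
    "2017-02-23 10:00:01 PROCESSMESSAGE: INVALID MESSAGESTART inv peer=7",
    "2017-02-23 10:00:02 receive version message: peer=9",
    "2017-02-23 10:00:03 PROCESSMESSAGE: INVALID MESSAGESTART getdata peer=9",
    "2017-02-23 10:00:04 PROCESSMESSAGE: INVALID MESSAGESTART inv peer=7",
    "2017-02-23 14:30:00 PROCESSMESSAGE: INVALID MESSAGESTART inv peer=7",
]

if __name__ == "__main__":
    print(replay_log(SAMPLE_LOG))               # with the 4-hour ban
    print(replay_log(SAMPLE_LOG, ban_hours=0))  # without any ban
```

With the ban, an attacker who needs several hundred errors per crash gets at most one error through per peer identity every four hours, which is the rate limit the announcement relies on.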
