[Bitcoin-development] Full Disclosure: CVE-2012-2459 (block merkle calculation exploit)

Luke-Jr luke at dashjr.org
Wed Aug 22 02:53:21 UTC 2012

On Wednesday, August 22, 2012 2:25:20 AM Forrest Voight wrote:
> An unpatched Bitcoin installation can be permanently wedged at its
> current highest block using this and the fact that Bitcoin caches
> orphan blocks in a disk-backed database. To do so, the attacker must
> send it a valid block (that will eventually make it into the
> blockchain) made invalid by duplicating one of the transactions in a
> way that preserves the Merkle root. The attacker doesn't even need to
> mine their own block - instead, they can listen for a block, then
> mutate it in this way, and pass it on to their peers.

From the mining perspective, the unpatched install might not be simply wedged: 
it will also follow a competing smaller blockchain. An attacker could have 
used this exploit against a number of large miners (say about 40% or so) and 
exchanges to pull off any number of double-spend attacks until the miners 
noticed they had been forked and fixed their bitcoind. That is, the attacker 
could easily hijack as much of the miners has he wanted for his own purposes 
including phony 6+ confirmation transactions. On a more subtle level, the 
attacker could target certain blocks they wanted orphans by performing this 
attack on a majority of miners with the "tip" block he wanted orphaned.

This vulnerability is also the reason why Eloipool (the software behind 
Eligius, EclipseMC, TripleMining, and other pools) has attempted to produce 
blocks with only transaction counts that are powers of two; such blocks cannot 
be used for an attack even against vulnerable clients.


More information about the bitcoin-dev mailing list