[Bitcoin-development] Full Disclosure: CVE-2012-2459 (block merkle calculation exploit)
Luke-Jr
luke at dashjr.org
Wed Aug 22 02:53:21 UTC 2012
On Wednesday, August 22, 2012 2:25:20 AM Forrest Voight wrote:
> An unpatched Bitcoin installation can be permanently wedged at its
> current highest block using this and the fact that Bitcoin caches
> orphan blocks in a disk-backed database. To do so, the attacker must
> send it a valid block (that will eventually make it into the
> blockchain) made invalid by duplicating one of the transactions in a
> way that preserves the Merkle root. The attacker doesn't even need to
> mine their own block - instead, they can listen for a block, then
> mutate it in this way, and pass it on to their peers.
From the mining perspective, the unpatched install might not be simply wedged:
it will also follow a competing smaller blockchain. An attacker could have
used this exploit against a number of large miners (say about 40% or so) and
exchanges to pull off any number of double-spend attacks until the miners
noticed they had been forked and fixed their bitcoind. That is, the attacker
could easily hijack as much of the miners as he wanted for his own purposes,
including phony 6+ confirmation transactions. On a more subtle level, the
attacker could target certain blocks they wanted orphaned by performing this
attack on a majority of miners with the "tip" block he wanted orphaned.
This vulnerability is also the reason why Eloipool (the software behind
Eligius, EclipseMC, TripleMining, and other pools) has attempted to produce
blocks with only transaction counts that are powers of two; such blocks cannot
be used for an attack even against vulnerable clients.
Luke
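The two properties the thread relies on, that duplicating a trailing transaction can leave a Bitcoin Merkle root unchanged when the transaction count is not a power of two, and that a duplicate-txid check catches the mutated block before the root is trusted, worked through as an added example (not code from the thread, Bitcoin or Eloipool; the txids are constructed values, and the validation function is a generic illustration of the mitigation, not the project's patch):

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids):
    """Bitcoin-style Merkle root: a row with an odd number of hashes is
    padded by duplicating its last hash before pairing."""
    if not txids:
        raise ValueError("a block has at least a coinbase transaction")
    row = list(txids)
    while len(row) > 1:
        if len(row) % 2:
            row.append(row[-1])
        row = [dsha256(row[i] + row[i + 1]) for i in range(0, len(row), 2)]
    return row[0]


def is_power_of_two(n: int) -> bool:
    return n > 0 and n & (n - 1) == 0


def suffix_duplication_preserves_root(txids, k: int) -> bool:
    """True if appending a copy of the last k txids leaves the root unchanged,
    i.e. the mutated list passes a root-only check (the CVE-2012-2459 case)."""
    mutated = list(txids) + list(txids[-k:])
    return merkle_root(mutated) == merkle_root(txids)


def check_block_txids(txids):
    """Check a patched node should run before trusting the Merkle root:
    reject any block whose transaction list repeats a txid.
    Returns None when acceptable, otherwise the rejection reason."""
    if not txids:
        return "empty transaction list"
    if len(set(txids)) != len(txids):
        return "duplicate txid"
    return None


# Constructed sample txids (not real transactions).
SAMPLE_TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(6)]

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        block = SAMPLE_TXIDS[:n]
        ks = [k for k in range(1, n) if suffix_duplication_preserves_root(block, k)]
        print(f"{n} txs (power of two: {is_power_of_two(n)}): "
              f"root preserved when duplicating last k in {ks}")
        print("   duplicate check on mutated block:", check_block_txids(block + block[-1:]))
```

With a power-of-two count the mutated tree gains a level and its root becomes a hash of the original root, so no suffix duplication collides, which is why Eloipool's power-of-two block shapes are immune even on unpatched peers.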