[bitcoin-dev] Trusted merkle tree depth for safe tx inclusion proofs without a soft fork

Peter Todd pete at petertodd.org
Sat Jun 9 12:50:58 UTC 2018

On Sat, Jun 09, 2018 at 01:03:53PM +0200, Sergio Demian Lerner wrote:
> Hi Peter,
> We reported this as CVE-2017-12842, although it may have been known by
> developers before us.

It's been known so long ago that I incorrectly thought the attack was ok to
discuss in public; I had apparently incorrectly remembered a conversation I had
with Greg Maxwell over a year ago where I thought he said it was fine to
discuss because it was well known.

My apologies to anyone who thinks my post was jumping the gun by discussing
this in public; cats out of the bag now anyway.

> There are hundreds of SPV wallets out there, without even considering other
> more sensitive systems relying on SPV proofs.
> As I said we, at RSK, discovered this problem in 2017. For RSK it's very
> important this is fixed because our SPV bridge uses SPV proofs.
> I urge all people participating in this mailing list and the rest of the
> Bitcoin community to work on this issue for the security and clean-design
> of Bitcoin.

My post is arguing that we *don't* need to fix the attack, because we can make
pruned nodes invulerable to it while retaining the ability to verify merkle
path tx inclusion proofs.

As for SPV, there is no attack to fix: they can be attacked at much lower cost
by simply generating fake blocks.

https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180609/14afa2c5/attachment.sig>

More information about the bitcoin-dev mailing list