[bitcoin-dev] Fwd: [bitcoin-core-dev] On the initial notice of CVE-2018-17144

sickpig at gmail.com sickpig at gmail.com
Sat Sep 22 19:22:20 UTC 2018


Gregory,

> For some reason I don't understand, Andrea Suisani is stating on
> twitter that the report by awemany was a report of an inflation
> bug, contrary to the timeline we published.

I guess that the fact you don't understand it is probably related to the
fact that you didn't properly read the tweet you are referring to. For
reference, this is the tweet URL:
https://twitter.com/sickpig/status/1043530088636194816

This is the text of that tweet:

"He [awemany] *did not* mention the inflation bug in the email, still he
has proof he was aware of that before sending out the report"

The tweet then continues, referring to a reddit post where awemany, while
trying to prove he was the original author of the report, included a
timestamped note containing the following text:

    BitcoinABC does not check for duplicate inputs when processing a block,
    only when inserting a transaction into the mempool.

    This is dangerous as blocks can be generated with duplicate transactions
    and then sent through e.g. compact block missing transactions and avoid
    hitting the mempool, creating money out of thin air.

  /u/awemany

This is the timeline of the timestamping process:

https://originstamp.org/s/5c45a1ba957362a2ba97c9f8c48d4d59d4fa990945b7094a8d2a98c3a91ed9b6

As you can see, the note was submitted to originstamp.org before the
report email was sent.

> This is not the case:
> the report specifically stated that inflation was not possible because
> the node crashed. It also described a reproduction of the crash, but
> not of inflation.

Furthermore, as you should be aware, having been copied on the report,
awemany specifically said that "[the assert(is_spent)] *seems* to prevent
the worse outcome of monetary inflation".

I guess that in the hurry of informing you and other people involved of
the DoS vector he identified and proved, he decided to give priority to
informing Core about that rather than waiting and continuing to explore
the idea he had about exploiting the code to create coins out of thin air.
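
Added example, not part of the original message and not Bitcoin Core or Bitcoin ABC code: a toy UTXO model showing why the per-transaction duplicate-input check quoted in the note matters on the block path. All type and function names are hypothetical, and the validator's "sum inputs first, spend afterwards" order is an assumption of the model.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Toy model: every name here is hypothetical, not Bitcoin Core or ABC code.
using OutPoint = std::pair<uint32_t, uint32_t>;  // (funding tx id, output index)
using UtxoSet = std::map<OutPoint, int64_t>;     // unspent output -> value

struct Tx {
    uint32_t id;
    std::vector<OutPoint> inputs;
    int64_t output_value;  // total value of the outputs it creates
};

// The check in question: no outpoint may appear twice in one transaction.
bool HasDuplicateInputs(const Tx& tx) {
    std::set<OutPoint> seen;
    for (const OutPoint& in : tx.inputs)
        if (!seen.insert(in).second) return true;
    return false;
}

// Assumed validator: sums input values first and spends afterwards, so a
// repeated outpoint is counted twice unless the duplicate check runs.
bool ConnectTx(UtxoSet& utxos, const Tx& tx, bool check_duplicates) {
    if (check_duplicates && HasDuplicateInputs(tx)) return false;
    int64_t value_in = 0;
    for (const OutPoint& in : tx.inputs) {
        auto it = utxos.find(in);
        if (it == utxos.end()) return false;  // unknown or already spent
        value_in += it->second;
    }
    if (tx.output_value > value_in) return false;  // outputs exceed inputs
    for (const OutPoint& in : tx.inputs) utxos.erase(in);
    utxos[OutPoint(tx.id, 0)] = tx.output_value;
    return true;
}

// Sum of all unspent values; must never grow when a transaction is connected.
int64_t TotalSupply(const UtxoSet& utxos) {
    int64_t total = 0;
    for (const auto& kv : utxos) total += kv.second;
    return total;
}
```

Calling ConnectTx with check_duplicates set to false models a block path that relies on the mempool having done the check; the supply invariant is what a regression test for this class of bug should assert.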

