More than a week after Bitcoin Core released a client update that addressed a denial-of-service vulnerability and consensus bug in its software, most nodes are still running old software. That’s a problem.
Over a week ago, someone found a bug in Bitcoin Core software – a denial-of-service vulnerability affecting versions 0.14.0 to 0.16.2. Several Bitcoin Core developers took a look and saw that there was an additional problem in 0.15.0 and above: a consensus bug that could have allowed inflation. They quickly and quietly patched the bug and released 0.16.3 on September 18. Problem solved, right?
Not quite. For the vulnerabilities to stop being, well, vulnerable, nodes running the software need to upgrade. And not nearly enough are. To be clear, this isn’t like ignoring the app update on your phone that features some aesthetic fixes. Cornell professor Emin Gün Sirer told Motherboard that a malicious actor could have used the vulnerability to crash the Bitcoin network with just $80,000.
Exact numbers are hard to come by – that’s one of the things about a decentralized network no one is in charge of (although it’s likely preferable to a centralized one in which you just have to take their word for it).
In a tweet on September 23, Cøbra, the anonymous co-owner of Bitcoin.org, claimed that over 80 percent of the bitcoin network was still running vulnerable software:
Bad move that the alert system was removed from Bitcoin Core. Currently 80%+ of the network is running vulnerable software, but there's no way to reach them and tell them to update, we can only pray they check Reddit, Twitter, https://t.co/OsFgRFRRZb or Bitcointalk, etc.
— Cøbra (@CobraBitcoin) September 23, 2018
Further down the comment thread (read on, I dare you), there’s some speculation that Cøbra’s numbers are off. Which is true, but only kind of.
To clarify, according to Coin Dance, as of today, 49 percent of all nodes are protected from the inflation vulnerability. But there are a couple of reasons for this. First, Coin Dance’s numbers don’t include non-listening nodes, which constitute much of the network. Second, the inflation vulnerability wasn’t the only problem with the implementation software.
Moreover, not all of the “protected nodes” listed on Coin Dance are protected because of updates: many are running software from pre-0.15.0 (released in September of last year) and pre-0.14.0 (released in March 2017), and some are running node software other than Bitcoin Core. (Unlike Ethereum, which has two major clients – Geth and Parity – the Bitcoin network is dominated by Bitcoin Core, but there are a handful of smaller implementations, including Bitcoin Knots and btcsuite.)
Look closer at the numbers, though, and you’ll see that Coin Dance has not classified 0.14.x nodes as vulnerable, even though Bitcoin Core specifically says 0.14.x is vulnerable.
Conversely, Bitcoin Core developer Luke Dashjr, who keeps his own numbers (which take into account any node in use within the last month), sees the overwhelming majority of nodes as vulnerable, including any Bitcoin Core implementation before 0.16.3, though not necessarily to the inflation bug. He explains the reason for the different statistics: “0.14.x is not vulnerable to the inflation issue, but will crash if it is attempted. 0.13 is vulnerable to unrelated exploits.”
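The gap between the Coin Dance figure and Dashjr’s figure comes down to which bug you are counting. The script below is an added illustration, not part of this article or of any of the node-counting projects it mentions: it classifies nodes by the version in their peer-to-peer user agent using the version ranges the article reports (denial of service in 0.14.0 through 0.16.2, inflation in 0.15.0 through 0.16.2, both fixed in 0.16.3) and computes both statistics side by side. It assumes Bitcoin Core’s “/Satoshi:x.y.z/” user-agent convention, and the list of user agents is a constructed sample, not real crawl data.

```python
import re
from collections import Counter

# Version ranges as the article reports them from the Bitcoin Core 0.16.3 release:
# the denial-of-service bug affects 0.14.0 through 0.16.2, the inflation bug
# affects 0.15.0 through 0.16.2, and both are fixed in 0.16.3.
DOS_RANGE = ((0, 14, 0), (0, 16, 2))
INFLATION_RANGE = ((0, 15, 0), (0, 16, 2))
FIXED_FROM = (0, 16, 3)

# Bitcoin Core advertises itself on the P2P network as "/Satoshi:<major>.<minor>.<patch>/";
# software derived from Core keeps that prefix and may append its own tag.
_SATOSHI_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)\.(\d+)")


def parse_core_version(user_agent):
    """Return (major, minor, patch) for a Core-derived user agent, or None for other software."""
    m = _SATOSHI_RE.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def _in_range(version, rng):
    lo, hi = rng
    return lo <= version <= hi


def classify(user_agent):
    """Map a node's user agent to its exposure to the two bugs discussed in the article."""
    v = parse_core_version(user_agent)
    if v is None:
        return "non-core"        # btcd and similar: outside the scope of the Core advisory
    if v >= FIXED_FROM:
        return "patched"
    if _in_range(v, INFLATION_RANGE):
        return "dos+inflation"   # 0.15.0 through 0.16.2: exposed to both bugs
    if _in_range(v, DOS_RANGE):
        return "dos-only"        # 0.14.x: crashes if inflation is attempted (per Dashjr)
    # Not affected by these two bugs; the older, unrelated issues Dashjr mentions
    # for 0.13 are not modelled here.
    return "pre-0.14"


def summarize(user_agents):
    """Count nodes per exposure class."""
    return Counter(classify(ua) for ua in user_agents)


def inflation_protected_share(user_agents):
    """Share of nodes NOT exposed to the inflation bug: the statistic Coin Dance reports."""
    counts = summarize(user_agents)
    return 1 - counts["dos+inflation"] / len(user_agents)


def any_bug_vulnerable_share(user_agents):
    """Share of nodes exposed to at least one of the two bugs, i.e. every Core node in
    0.14.0 through 0.16.2: the reading under which the whole range needs the upgrade."""
    counts = summarize(user_agents)
    return (counts["dos+inflation"] + counts["dos-only"]) / len(user_agents)


# Constructed sample: a made-up mix of user agents, not real crawl data.
SAMPLE_USER_AGENTS = [
    "/Satoshi:0.16.3/",
    "/Satoshi:0.16.3/Knots:20180918/",   # constructed Knots-style string
    "/Satoshi:0.16.2/",
    "/Satoshi:0.16.0/",
    "/Satoshi:0.15.1/",
    "/Satoshi:0.14.2/",
    "/Satoshi:0.13.2/",
    "/btcwire:0.5.0/btcd:0.12.0/",       # constructed btcd-style string
]

if __name__ == "__main__":
    for cls, n in sorted(summarize(SAMPLE_USER_AGENTS).items()):
        print(f"{cls:15s} {n}")
    print("protected from inflation bug:", inflation_protected_share(SAMPLE_USER_AGENTS))
    print("vulnerable to DoS or inflation:", any_bug_vulnerable_share(SAMPLE_USER_AGENTS))
```

On the constructed sample the two statistics disagree exactly the way the article describes: the 0.14.x node counts as “protected” when only the inflation bug is measured, but as vulnerable when the denial-of-service bug is included, so the same set of nodes yields a 62.5 percent protected figure by one reading and a 50 percent vulnerable figure by the other. Any fleet inventory should report both columns rather than one headline number.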
So, why aren’t people updating?
Dashjr told ETHNews that gradual adoption is standard:
“The current upgrade trend looks more or less like what one would normally expect to see when there is a new release (although bit faster). In ordinary circumstances, this would be reasonably healthy, but since there is a serious publicly disclosed vulnerability, it leaves the network open to attack in this case.”
The fact is that the disclosure may not have reached all the relevant parties. Apparently, not everyone reads coin journals, subreddits, or crypto Twitter. As evidence, Cøbra’s Sunday tweet quickly turned into a discussion over the use of an announcement mailing list for just such an occasion, which some people are supposedly subscribed to but not receiving emails from. It’s a phone tree, but instead of trying to get ahold of Suzie and Darryl about the bake sale, they’re trying to reach multiple actors in a $111 billion market… and their phones have been turned off.
Still, what are these nodes that haven’t updated? Sirer opined in a tweet yesterday that they were “economically worthless nodes.”
The percentage of the network not upgraded after a major patch corresponds to economically worthless nodes. If they did or affected something useful, someone would have bothered to upgrade them. https://t.co/TSc0eRfB7a
— Emin Gün Sirer (@el33th4xor) September 24, 2018
How much chaff is there amongst the Bitcoin wheat? When asked how many nodes would need to update to version 0.16.3 to comfortably put the vulnerability in the rearview mirror, Dashjr conjectured that enough nodes have updated when they constitute 85 percent of the economic activity. And he’s hoping the network isn’t as centralized as Sirer suggests it is:
“If 5% of nodes (~4000 nodes) make up 85% of economic activity, Bitcoin is in a REALLY bad place generally.”