
Fuller-Khan Paper Reveals Major Platforms Affected by the Out-of-Memory Vulnerability

  • Research paper by Braydon Fuller and Javed Khan revealed the Bitcoin Inventory Out-of-Memory Denial-of-Service Attack
  • The vulnerability was first detected by Braydon Fuller back in 2018

    A recent research paper by Braydon Fuller and Javed Khan revealed the Bitcoin Inventory Out-of-Memory Denial-of-Service Attack. The out-of-memory vulnerability was exploited in many platforms, such as Bitcoin, Litecoin, Namecoin and Decred, using a Denial of Service (DoS) attack. Braydon Fuller is a Protocol Engineer at the cryptocurrency e-commerce website Purse. Khan, on the other hand, is one of the contributors to the Handshake protocol.

    Fuller Found the First Vulnerability in 2018

    The vulnerability was first detected by Braydon Fuller back in 2018 and, as per the report, was secretly fixed back in 2018. Then, on 26th June 2020, Javed discovered that the vulnerability was also present in the Btcd platform. Soon after, on Tuesday, July 7th, 2020, it was found that Dcrd was also affected by the vulnerability. The discovered vulnerability was reportedly submitted to the Decred Bug Bounty program. It was found that, at the time of discovery, the vulnerability affected more than 50% of the publicly advertised BTC nodes, the majority of which are expected to be miners and cryptocurrency exchanges.

    List of the Affected Versions That Were and are Still Affected by the Vulnerability

    The versions that included the vulnerability were Bitcoin Core v0.16.0, Bitcoin Core v0.16.1, Bitcoin Knots v0.16.0, all beta versions of Bcoin up to v1.0.0-pre, all versions of Btcd up to v0.20.1-beta, Litecoin Core v0.16.0, Namecoin Core v0.16.1, and all versions of Dcrd up to v1.5.1. These versions are still affected by the vulnerability. However, it was patched in the follow-up versions, including Bitcoin Core v0.16.2+, Bitcoin Knots v0.16.2+, Bcoin v1.0.2+, Btcd v0.21.0-beta+, Litecoin Core v0.16.2+, Namecoin v0.16.2+, and Dcrd v1.5.2+.

    The Vulnerability Has a Severity of 7.8 and Could Potentially Lead to Hacking Activities

    Other protocols, such as Zcash, Bitcoin ABC, Bitcoin Gold, Bitcoin Unlimited and Bitcoin XT, were not affected by the vulnerability, as per the research. The vulnerability was ranked 7.8 on a scale of 1 to 10. This was a preliminary estimate; it has not yet been given a CVSS v2 or v3 rating by a third party. This would mean that hackers can easily cause delayed settlements and may even attack and steal funds from the nodes of the Lightning Network.


    Ritika Sharma