Vulnerability in Bitcoin blockchain could lead to the loss of millions of coins

Sep 14, 2020 | News
As you know, the Bitcoin blockchain is an open-source system. On the one hand, this makes it easier to involve the programming community in improving the system's performance. On the other hand, open-source code is much easier for hackers to analyze for vulnerabilities that they can use for their own purposes. To counter this, the developers created a special program for issuing rewards for vulnerabilities found - Decred. Any programmer who discovers an error or a method that disrupts the normal operation of the system can report the discovery and receive an award for it. This is exactly what Javed Khan did.

He found that the system was vulnerable to a classic kind of DoS ("denial of service") attack. With it, an attacker could overload individual nodes, or even clusters of nodes, and cause them to shut down temporarily, which is extremely dangerous for systems that require stable and trouble-free operation.

In the case of the Bitcoin blockchain, this would mean that some of the miners would be cut off from the main network. Some of the transactions that went through the cut-off nodes would not be added to the main blockchain and would be invalidated in the future, which could be used for fraudulent purposes. Many exchanges could also “fall”, which would lead to the cancellation of many transactions and large losses for traders.

The attackers only had to create several specially malformed bitcoin transactions which, when processed by nodes, would lead to an uncontrolled increase in resource consumption and then to the nodes simply shutting down.

This vulnerability was called INVDoS and turned out to be dangerous not only for the Bitcoin blockchain, but also for the associated nodes running on Bcoin and Btcd. Some other cryptocurrencies that are Bitcoin hard forks, Litecoin and Namecoin, were also under threat.

Fortunately, it quickly became clear that the danger of INVDoS was only potential, and that the protocol was already able to cope with it. It turned out that two years ago Braydon Fuller, a Bitcoin protocol engineer, discovered this vulnerability and quietly fixed it. This really had to be done quietly: the protocol update process requires confirmation from most of the network participants, and if someone had found out that one of the "add-ons" was designed to deal with the possibility of fraud, they could have had time to use it to their advantage. Fortunately, no one noticed anything until the change was made. Only 2 years later did an attentive user realize that such an opportunity could, in principle, have been used.

Vulnerabilities are still there

According to BeInCrypto, two researchers at the Jewish Institute in Jerusalem - John Harris and Aviva Zohar - have discovered another potential vulnerability that could be used by cybercriminals to steal coins. This is also a systemic attack, but this time the object is not the Bitcoin protocol, but an additional extension of the Lightning Network.

The essence, however, is the same: to overload the system with requests and then use the "fall" time to withdraw coins from other people's wallets by forging transactions. The experiment was successful. However, in their article the researchers also proposed a number of ways to eliminate this vulnerability. Developers need to do only a little: implement them in the basic protocols.

Another problem is the so-called "double spending", or rather BigSpender. The idea is that attackers can cancel bitcoin transactions that banks cannot identify. Many wallets are not ready for this, because by default they assume that such transactions are irreversible. The RBF (Replace by Fee) function, which was recently added to Bitcoin Core at the protocol level, also makes this easier. This problem has not yet been fully eliminated.

There is no perfect software, especially when it has to be constantly updated to keep up with the latest trends. And each such update can hide a number of potential vulnerabilities. Does this mean that using blockchains for transactions is dangerous? No. Almost all existing "security issues" are identified by competent specialists who have a very deep understanding of the peculiarities of the protocols.

Most scammers will never reach this level. Yes, there is some risk, but no more than the risk of a failure of traditional banking systems. However, all this means that even ordinary blockchain users must follow the news regarding network security so that they can respond quickly to discovered but not yet fixed vulnerabilities, for example by quickly transferring their assets to other blockchains that are more resistant to the detected threats.

