Bitcoin: Over 2500 Nodes Vulnerable To A Critical Bug!

The Bitcoin network is currently facing a discreet but serious threat. About 13% of the nodes that maintain and secure the blockchain are vulnerable to a critical flaw that could cause them to crash. This vulnerability, identified in May 2023, persists in several nodes that have not yet been updated with the latest version of the Bitcoin Core software. While Bitcoin’s security is often praised for its robustness, this issue reveals systemic flaws related to the management of the essential software ensuring the network’s proper functioning.

A critical vulnerability unpatched in 13% of Bitcoin nodes

In May 2023, Bitcoin developers discovered a major vulnerability in the Bitcoin Core software. The bug, named CVE-2024-35202, affects nodes running versions earlier than 25.0. More than 13.7% of active nodes worldwide have not yet installed this critical update, thus exposing a significant portion of the network to a crash risk. According to the developers, the flaw is located in the compact block protocol, a system designed to optimize data transmission by reducing the size of transactions sent between nodes. Such a bug can lead to the collapse of individual nodes, thus compromising the network’s stability. “Affected nodes can be forced into an invalid state, causing a complete shutdown,” the developers explain in an official report.

Although the bug is fixed in version 25.0, the fact that Bitcoin Core does not offer automatic updates leaves many node operators vulnerable. Updating requires manual intervention, which seems to be an obstacle for several of them. According to BitNodes.io, nearly 2,582 active nodes, out of a total of 18,843, continue to operate without protection against this flaw. The issue is significant because although the exploit does not allow for bitcoins to be stolen or for double spending to occur, it could be used by actors seeking to destabilize the network. A large-scale attack could create significant disruption to the Bitcoin network.

Why aren’t so many nodes updated?

The lack of automatic updates in the Bitcoin Core software raises questions about the management and security of nodes in an essential network like Bitcoin’s. Indeed, each node operator is responsible for maintaining and updating their software, a choice linked to Bitcoin’s decentralized philosophy. However, this manual management is currently at the root of the vulnerability of nodes that have not yet integrated the latest version. “Bitcoin Core does not force users to update their software, leaving some functional nodes with obsolete vulnerable versions,” the developers point out. How then can the network’s security be ensured while respecting its founding principle of decentralization?

Among the reasons why some operators delay updating their nodes, there is often distrust of new versions or a lack of technical knowledge to understand the importance of these updates. Thus, a model of automatic or semi-automatic updates could be a solution to prevent such risks in the future. If some actors succeeded in exploiting this flaw on a large scale, it could have a destabilizing impact on the network technically, but also in terms of user confidence in Bitcoin’s security.

This issue reveals a deep dilemma in the management of the Bitcoin network. Although decentralization is one of its strengths, it also complicates security management, especially when it comes to critical updates. If no action is taken to encourage or facilitate node updates, the network could remain exposed to future attacks. The question remains open: should the total freedom of node operators be preserved, or should stricter security measures be imposed to ensure the network’s stability? One thing is certain, the Bitcoin community will need to quickly consider these challenges to avoid further vulnerabilities in the future.