Bitcoin Core 24.0.1 and below have a high-risk vulnerability that affects 17% of full nodes

According to BlockBeats, on September 20, Protos reported that Bitcoin Core developers issued a new high-risk warning that one in six Bitcoin nodes has a software vulnerability. On Thursday, staff of the open source Bitcoin Core project, which maintains the software running on more than 98% of reachable full nodes, disclosed that the software running on 17% of the network's nodes has a major security flaw. Specifically, every Bitcoin Core release below version 24.0.1 is at risk. According to Bitnodes' monitoring estimates, this denial-of-service vulnerability affects approximately 3,330 of the 19,200 reachable Bitcoin full nodes, counted by their self-reported user agent strings.

In Bitcoin Core versions prior to 24.0.1, a malicious peer could spam a node with low-difficulty header chains. By forcing the node to download and store extremely long header chains, the attack could crash it by exhausting bandwidth or device storage. Developers fixed the vulnerability in Bitcoin Core pull request (PR) 25717, which shipped in the v24.0.1 release on December 12, 2022. The current Bitcoin Core release (now 27.1) contains the fix for this and other vulnerabilities.
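To make the mitigation concrete, here is an added, simplified Python model (not Bitcoin Core's own code) of the idea behind the fix: a node tallies the proof-of-work carried by an incoming header chain and refuses to persist any of it until the accumulated work passes a minimum-chain-work threshold, so a cheap low-difficulty chain never reaches disk. The nBits values, the threshold and the header counts are constructed for illustration; the real implementation also bounds per-peer memory during the pre-sync phase, which this model omits.

```python
"""Model of gating header storage on accumulated proof-of-work (illustrative only)."""
from dataclasses import dataclass


def target_from_nbits(nbits: int) -> int:
    """Decode Bitcoin's compact nBits encoding into the 256-bit target."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def work_from_nbits(nbits: int) -> int:
    """Expected number of hashes needed to meet the target (Bitcoin's chainwork formula)."""
    return 2**256 // (target_from_nbits(nbits) + 1)


@dataclass
class HeaderStore:
    min_chain_work: int          # work a chain must carry before it is worth persisting
    gate_on_work: bool = True    # False models the pre-24.0.1 behaviour
    committed: int = 0           # headers written to persistent storage
    pending_work: int = 0        # work tallied for headers not yet persisted
    pending_count: int = 0

    def accept_header(self, nbits: int) -> bool:
        """Return True if this header (and any batch before it) was persisted."""
        if not self.gate_on_work:  # old behaviour: store every header with valid PoW
            self.committed += 1
            return True
        self.pending_work += work_from_nbits(nbits)
        self.pending_count += 1
        if self.pending_work < self.min_chain_work:
            return False           # not enough work yet: keep nothing on disk
        self.committed += self.pending_count  # threshold crossed: persist the batch
        self.pending_count = 0
        return True


def run_chain(store: HeaderStore, nbits: int, n_headers: int) -> int:
    """Feed n_headers headers of one difficulty into the store; return how many persisted."""
    for _ in range(n_headers):
        store.accept_header(nbits)
    return store.committed


# Constructed sample values: minimum-difficulty nBits and a high-difficulty one.
LOW_NBITS, HIGH_NBITS = 0x1D00FFFF, 0x1703A30C
MIN_CHAIN_WORK = 20 * work_from_nbits(HIGH_NBITS)  # threshold chosen for the demo

if __name__ == "__main__":
    print("pre-fix node stores:", run_chain(HeaderStore(MIN_CHAIN_WORK, False), LOW_NBITS, 100_000))
    print("gated node stores:", run_chain(HeaderStore(MIN_CHAIN_WORK), LOW_NBITS, 100_000))
```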

While this vulnerability is fairly severe, the public record contains few known attacks that exploited it. Because generating and broadcasting a block header chain long enough to mount the denial-of-service attack is quite costly, the vulnerability offers little financial benefit to an attacker.
