According to PANews, Bitcoin Core developers have issued a high-severity warning revealing that one in six Bitcoin nodes runs software with a known vulnerability. On Thursday, the open-source Bitcoin Core project, which maintains the software running on over 98% of reachable full nodes, disclosed a significant security issue affecting the software on 17% of the network's nodes. Specifically, all Bitcoin Core versions below 24.0.1 are at risk. Bitnodes' monitoring estimates that this denial-of-service vulnerability affects approximately 3,330 of the 19,200 reachable Bitcoin full nodes, judging by their advertised user agents.
In Bitcoin Core versions prior to 24.0.1, a malicious peer could flood a node with a long chain of low-difficulty block headers. By forcing the node to download and store an excessively long header chain, the attack could crash it by exhausting bandwidth or local storage. Developers addressed this vulnerability in Bitcoin Core pull request (PR) number 25717 and shipped the fix with the release of version 24.0.1 on December 12, 2022. The current Bitcoin Core release (now 27.1) includes fixes for this and other vulnerabilities.
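To make the attack and the defensive idea concrete, the following is an added illustration (not code from Bitcoin Core or from PR 25717) of a header store that refuses to commit a chain to storage until its cumulative proof-of-work clears a minimum threshold. It decodes the real compact nBits encoding used in block headers, but the high-difficulty nBits value, the 2**80 threshold and the chain sizes are constructed for the demo; Bitcoin Core's actual anti-DoS headers-sync logic is more involved than this single work check.

```python
from functools import lru_cache

def target_from_bits(nbits: int) -> int:
    """Decode the compact nBits field into the 256-bit target (sign bit ignored here)."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

@lru_cache(maxsize=None)
def work_from_bits(nbits: int) -> int:
    """Expected hash attempts to find a header meeting this target: 2^256 / (target + 1)."""
    return 2**256 // (target_from_bits(nbits) + 1)

def chain_work(header_bits) -> int:
    """Cumulative work of a header chain, given each header's nBits field."""
    return sum(work_from_bits(b) for b in header_bits)

class WorkGatedHeaderStore:
    """Stores a header chain only once its total work clears a minimum (simplified model)."""
    def __init__(self, min_chain_work: int):
        self.min_chain_work = min_chain_work
        self.stored_headers = 0

    def offer_chain(self, header_bits) -> bool:
        total = chain_work(header_bits)
        if total < self.min_chain_work:
            return False  # cheap-to-produce chain: discard it without storing anything
        self.stored_headers += len(header_bits)
        return True

MIN_DIFFICULTY_BITS = 0x1D00FFFF   # genesis-block difficulty, the cheapest valid target
HIGH_DIFFICULTY_BITS = 0x170A7D34  # constructed value of mainnet-scale difficulty
MIN_CHAIN_WORK = 2**80             # constructed threshold; the real parameter is far larger

def demo():
    """Returns (spam_chain_stored, honest_chain_stored)."""
    store = WorkGatedHeaderStore(MIN_CHAIN_WORK)
    # One million minimum-difficulty headers: ~80 MB on disk if a node stored them,
    # yet each costs only about 2^32 hashes to produce.
    spam_chain = [MIN_DIFFICULTY_BITS] * 1_000_000
    # Sixteen high-difficulty headers carry more work than the entire spam chain.
    honest_chain = [HIGH_DIFFICULTY_BITS] * 16
    return store.offer_chain(spam_chain), store.offer_chain(honest_chain)

if __name__ == "__main__":
    print(demo())
```

Running it shows the spam chain rejected and the short honest chain accepted, which is why gating storage on accumulated work, rather than on header count, removes the cheap storage-exhaustion path.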
Although this vulnerability is quite severe, there are few known instances of it being exploited in the public record. The high cost of generating and broadcasting block header chains to mount a denial-of-service attack makes it economically unfeasible for most attackers. However, it remains a security flaw that could be exploited by extremely wealthy, powerful, or technically skilled entities, such as a nation-state, that might aim to disrupt Bitcoin operations for non-financial motives or to delay financial activity. In early June, developers agreed to disclose severe vulnerabilities in Bitcoin Core software that had been patched for at least 18 months. Initially, they disclosed vulnerabilities in versions 20 and below, and they have continued to reveal more software vulnerabilities every few weeks since. Unless Bitcoin node operators update their software, up to 17% of the network's nodes could remain at risk of denial-of-service attacks.