Bitcoin Unlimited Remote Exploit Crash

[Hydrogen]

This is essentially a remote crash vunerability in BTU. Most versions of Bitcoin Unlimited(and Classic on a quick check) have this bug. With a crafted XTHIN request, any node running XTHIN can be remotely crashed. If Bitcoin Unlimited was a predominant client, this is a vulnerability that would have left the entire network open to being crashed. Almost all Bitcoin Unlimited nodes live now have this bug.

To be explicitly clear, just by making a request on the peer-to-peer network, this could be used to crash any XTHIN node with this bug. Any business could have been shutdown mid-transaction, an exchange in the middle of a high volume trading period, a miner in the course of operating could be attacked in this manner. The network could have in total been brought down. Major businesses could have been brought grinding to a halt.
How many bugs, screw ups, and irrational arguments do people have to see before they realize how unsafe BTU is? If you run a Bitcoin Unlimited node, shut it down now. If you don't you present a threat to the network.

EDIT: Here is the line in main.cpp requiring asserts be active for a live build. This was incorrectly claimed to only apply to debug builds. This is being added simply to clarify that is not the case. (Please do not flame the person who claimed this, he admitted he was in the wrong. He stated something he believed was correct and did not continue insisting it was so when presented with evidence. Be civil with those who interact with you in a civil way.)

https://www.reddit.com/r/Bitcoin/comments/5zdkv3/bitcoin_unlimited_remote_exploit_crash/

Doesn't look good for bitcoin unlimited.

Imagine what would have happened if this exploit had been released later & if all the BU supporters could have moved their bitcoin to BU.

All their btc would be worthless now.

[1714057004]

1714057004

[1714057004]

1714057004

[1714057004]

1714057004

[GreenBits]

This is essentially a remote crash vunerability in BTU. Most versions of Bitcoin Unlimited(and Classic on a quick check) have this bug. With a crafted XTHIN request, any node running XTHIN can be remotely crashed. If Bitcoin Unlimited was a predominant client, this is a vulnerability that would have left the entire network open to being crashed. Almost all Bitcoin Unlimited nodes live now have this bug.

To be explicitly clear, just by making a request on the peer-to-peer network, this could be used to crash any XTHIN node with this bug. Any business could have been shutdown mid-transaction, an exchange in the middle of a high volume trading period, a miner in the course of operating could be attacked in this manner. The network could have in total been brought down. Major businesses could have been brought grinding to a halt.
How many bugs, screw ups, and irrational arguments do people have to see before they realize how unsafe BTU is? If you run a Bitcoin Unlimited node, shut it down now. If you don't you present a threat to the network.

EDIT: Here is the line in main.cpp requiring asserts be active for a live build. This was incorrectly claimed to only apply to debug builds. This is being added simply to clarify that is not the case. (Please do not flame the person who claimed this, he admitted he was in the wrong. He stated something he believed was correct and did not continue insisting it was so when presented with evidence. Be civil with those who interact with you in a civil way.)

https://www.reddit.com/r/Bitcoin/comments/5zdkv3/bitcoin_unlimited_remote_exploit_crash/

Doesn't look good for bitcoin unlimited.

Imagine what would have happened if this exploit had been released later & if all the BU supporters could have moved their bitcoin to BU.

All their btc would be worthless now.

This was/is hilarious, but it was much asshole to release this in a public forum, ESP Reddit, which has heaps more exposure than here. They had a field day with this, nodes starting going down left and right as people started to test this exploit for themselves (and you know someone was like 'let me make a script!' because people spend time and energy on the damndest shit).

But, this is pretty shitshowian, I guess it's for the best this came out like this, instead of an actual malicious attack with no preamble.

[ebliever]

All their btc would be worthless now.

Worse than that, if they forked and drove Core into the ground (not likely), all OUR bitcoin would be worthless too. That's what gets me, the arrogance combined with the incompetence.

[Foxpup]

This was/is hilarious, but it was much asshole to release this in a public forum, ESP Reddit, which has heaps more exposure than here.

It was the BU devs who first publicly announced the bug on GitHub instead of quietly fixing it. While they are generally assholes, this particular action is in the stupid, not asshole, category (the asshole behaviour came later when they blamed Core for the whole mess).

[franky1]

All their btc would be worthless now.

Worse than that, if they forked and drove Core into the ground (not likely), all OUR bitcoin would be worthless too. That's what gets me, the arrogance combined with the incompetence.

taking down a node does not destroy coins.
private keys are protected

[dinofelis]

All their btc would be worthless now.

Can you explain the logical link between software crashing, and coins being worthless ?
If they had an exploit that could send unwarranted transactions, THAT would be fun.  But just crashing the node, what does that do ?  If the operating system on which the node runs, crashes, or the computer has a power failure, are coins worthless too ?

[franky1]

All their btc would be worthless now.

Can you explain the logical link between software crashing, and coins being worthless ?
If they had an exploit that could send unwarranted transactions, THAT would be fun.  But just crashing the node, what does that do ?  If the operating system on which the node runs, crashes, or the computer has a power failure, are coins worthless too ?

nope just copy and paste your private key/seed into an updated client that does not have the bug.
diversity is good.

but imagine if the network was running only core nodes. nothing else was allowed. then your stuck(not destroyed) just stuck waiting

[Foxpup]

All their btc would be worthless now.

Can you explain the logical link between software crashing, and coins being worthless ?

The value of Bitcoin lies solely in its usefulness for financial transactions. If a node run by a business crashes, they cannot send or receive transactions until it is fixed. If this happens to many business simultaneously (or even just a few large ones), the currency as a whole becomes useless.

[Lauda]

Does *anyone* reasonable still want the client of these guys to be the main one on the network?

[franky1]

Does *anyone* reasonable still want the client of these guys to be the main one on the network?

dynamics is compatible with many implementation. even some other "core" nodes that have been tweaked in their own repo's
and yep that includes pools who have set consensus.h & policy.h to be adjustable at runtime.

blockstreams(core) can be dynamic with only a few extra lines of code.

but blockstreams(core) want dominance and want to be the sole codebase.
imagine if blockstreams(core) achieved it withno diverse codebase of differing nodes existing.. and blockstreams(core) had a bug.
it wont be a simple copy and paste keys into an alternative while you wait to fix.. your instead stuck

diversity is good(Sipa's 2013 leveldb bug taught us that atleast)

but todays event atleast shows that core are NOT independent by not wanting to help keep things diverse.

but i do laugh that you think running BU or anything not blockstream is a "power grab".. where the truth is its actually a dilution of power and an increase of diversity by having different 'brands' on the network

which would you prefer:
diversity: a few nodes of one brand go offline due to a bug/exploit
centralist: all nodes of one brand go offline due to a bug/exploit

[Dream 1000 BTC]

https://pbs.twimg.com/media/C66gpcRWgAAFlMt.jpg:large

Does *anyone* reasonable still want the client of these guys to be the main one on the network?

LMAO, the image makes my happy day. BU sucks, has plenty of bugs, and thinks they will change the bitcoin, no doubt they will kill bitcoin. 

[AliceWonderMiscreations]

Satoshi's original code had bugs that were far worse.

This bug should not have existed but that does not mean the BU project isn't the right direction for Bitcoin to take.

[dinofelis]

All their btc would be worthless now.

Can you explain the logical link between software crashing, and coins being worthless ?

The value of Bitcoin lies solely in its usefulness for financial transactions.

Nah, the value of bitcoin as of today mainly resides in the expectation to find one day a fool that will buy it from you at higher price.  Most bitcoins are hodled.  If the value of bitcoin today were residing in its capacity to treat transactions, it should be around $50 right now !  Many transactions take ages to get confirmed....

I agree with you that if the expectation was that no transactions will EVER be possible, of course, that would mean indeed that what you are holding, is valueless.  But that is actually MORE the case if you expect inflating fees than expecting a bug to be corrected.

[rico666]

Satoshi's original code had bugs that were far worse.

This bug should not have existed but that does not mean the BU project isn't the right direction for Bitcoin to take.

You are right. There are a thousand other reasons why the BU project isn't the right direction for Bitcoin to take.
This is just a small one and could be neglected.


Rico

[ebliever]

All their btc would be worthless now.

Worse than that, if they forked and drove Core into the ground (not likely), all OUR bitcoin would be worthless too. That's what gets me, the arrogance combined with the incompetence.

taking down a node does not destroy coins.
private keys are protected

Pushing an incompetent implementation forward that the market does not support, thus leading to the price crashing, is what I was talking about.

[Kprawn]

We have Peer review for this very reason.... to spot these problems before it goes live. Bitcoin has been solid so far, because a lot of people are

checking and verifying the code all the time. You have seen this, when Mike Hearn and company, wanted to sneak in some bad code into XT.

The people that still think BU is the way to go, has to re-think their strategy. 

[dinofelis]

We have Peer review for this very reason.... to spot these problems before it goes live. Bitcoin has been solid so far, because a lot of people are

checking and verifying the code all the time. You have seen this, when Mike Hearn and company, wanted to sneak in some bad code into XT.

The people that still think BU is the way to go, has to re-think their strategy. 

Well, in as much as there is antagonists trying to attack code, that's the best peer review that can be done.  I don't think BU (nor Segwit) will be activated, but bitcoin without block limits would have been better.  But that's not bitcoin now.