How does the most recently found critical vulnerability (CVE-2018-17144) work?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
5
down vote

favorite












If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



Where in the source code is this exactly (link)?



Why can't this be done by a non-miner?



Also, which forks are/were vulnerable?






reward-schedule error weaknesses source-code







share|improve this question

























    up vote
    5
    down vote

    favorite












    If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



    Where in the source code is this exactly (link)?



    Why can't this be done by a non-miner?



    Also, which forks are/were vulnerable?






    reward-schedule error weaknesses source-code







    share|improve this question























      up vote
      5
      down vote

      favorite









      up vote
      5
      down vote

      favorite











      If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



      Where in the source code is this exactly (link)?



      Why can't this be done by a non-miner?



      Also, which forks are/were vulnerable?






      reward-schedule error weaknesses source-code







      share|improve this question













      If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



      Where in the source code is this exactly (link)?



      Why can't this be done by a non-miner?



      Also, which forks are/were vulnerable?






      reward-schedule error weaknesses source-code




      reward-schedule error weaknesses source-code






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 4 hours ago









      hedgedandlevered

      6971516




      6971516




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote














          If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



          Where in the source code is this exactly (link)?




          There are two components to CVE-2018-17144. There is a crash bug and an inflation bug. Both are triggered by almost the same scenario: a transaction contains an input multiple times.



          In general, how this would work is as follows: lets suppose a miner has an unspent output A for 1 BTC. They create a transaction with that input in twice, so input 1 spends from output A and input 2 also spends from output A. The output of that transaction has a value of 2 BTC. Note how the output's value is larger than the value of output A, but if you had output A twice, the value is correct.



          The miner would then take this transaction and include it in a block that he is mining. Once the miner find a block with his transaction included in it, he broadcasts it to the Bitcoin network.



          When a Bitcoin Core 0.14.x node receives this block, it will validate the block, but it will skip the duplicate input check because of the false parameter on this line. So the transaction the miner made will pass this step of validation, and the other transaction validation steps, including input script validation, until it reaches this loop. In this loop, the inputs to the transaction are being marked as spent in the UTXO database. The first time the duplicated input is seen, it is marked as spent. But the second time it is seen, the coin is already marked as spent so coins->vout[nPos].IsNull() will be true. This means that it will go into this if statement and subsequently hit the assert statement that follows. The assert causes the software to crash.



          For Bitcoin Core 0.15.0 - 0.16.2, the behavior is different. This is due to the change in how the UTXO database is structured. Everything is largely the same until the same loop is reached. Here, instead of returning whether the output was spent, SpendCoin actually returns whether the input exists in the database. So the first time, it will pass as expected, but the second time, instead of returning false, it still returns true.



          Looking at SpendCoin, you can see that it only returns false when it is unable to fetch the coin (object representing a UTXO) from the database. With the new database structure, this makes sense as the output should be removed from the database when it is spent. But, if you look a few lines down, you see that it only deletes the coin when it is marked as FRESH. In the case the coin was FRESH, SpendCoin would delete the object on the first pass so the second pass the coin would not be found and thus it would return false. This triggers the assert following the function call causing the node to shutdown.



          If the coin was not FRESH, the coin object itself is not deleted, but its contents are cleared. This means that the second time the input is seen, if the coin was not FRESH, SpendCoin would still return true as the object still exists in memory, which means that it passes the assert that follows the SpendCoin (which caused the crash when the coin was not FRESH). Then validation continues as normal, and the output this transaction created is added to the UTXO database, which means that money that shouldn't exist now exists in the UTXO database.



          So now the question is, when are UTXOs marked as FRESH? They are marked FRESH when they are added to the UTXO database. But the UTXO database is still only in memory (as a cache). When it is saved to disk, the entries in memory are then no longer marked as FRESH. This saving to disk happens after every block (as well as at other times, but that is not important).



          Thus, if a miner has an output that was part of a transaction that has already confirmed, and he spends the output twice in the same transaction (so the transaction has two inputs that refer to the same output), and this transaction is not broadcast to the network but instead included in a block that he mines, he is able to create a new output that has twice the value of the output that he spent, thereby creating coins.




          Why can't this be done by a non-miner?




          The reason that this cannot be done by a non-miner is because transactions that are received outside of blocks are still checked for duplicate inputs. The transaction will be rejected as invalid and not added to the node's mempool, so the transaction will never get into a block. It is only transactions with duplicate inputs that get into blocks that trigger this vulnerability, and thus only miners can do this as they must knowingly insert an invalid transaction into their block.




          Also, which forks are/were vulnerable?




          Any fork whose software includes commit eecffe50efc3944d713c701fa375dacbf17fb7cf. This would mean any software forked from or pulled in changes from Bitcoin Core after November 10th, 2016.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "308"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f79481%2fhow-does-the-most-recently-found-critical-vulnerability-cve-2018-17144-work%23new-answer', 'question_page');

            );

            Post as a guest

















            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote














            If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



            Where in the source code is this exactly (link)?




            There are two components to CVE-2018-17144. There is a crash bug and an inflation bug. Both are triggered by almost the same scenario: a transaction contains an input multiple times.



            In general, how this would work is as follows: lets suppose a miner has an unspent output A for 1 BTC. They create a transaction with that input in twice, so input 1 spends from output A and input 2 also spends from output A. The output of that transaction has a value of 2 BTC. Note how the output's value is larger than the value of output A, but if you had output A twice, the value is correct.



            The miner would then take this transaction and include it in a block that he is mining. Once the miner find a block with his transaction included in it, he broadcasts it to the Bitcoin network.



            When a Bitcoin Core 0.14.x node receives this block, it will validate the block, but it will skip the duplicate input check because of the false parameter on this line. So the transaction the miner made will pass this step of validation, and the other transaction validation steps, including input script validation, until it reaches this loop. In this loop, the inputs to the transaction are being marked as spent in the UTXO database. The first time the duplicated input is seen, it is marked as spent. But the second time it is seen, the coin is already marked as spent so coins->vout[nPos].IsNull() will be true. This means that it will go into this if statement and subsequently hit the assert statement that follows. The assert causes the software to crash.



            For Bitcoin Core 0.15.0 - 0.16.2, the behavior is different. This is due to the change in how the UTXO database is structured. Everything is largely the same until the same loop is reached. Here, instead of returning whether the output was spent, SpendCoin actually returns whether the input exists in the database. So the first time, it will pass as expected, but the second time, instead of returning false, it still returns true.



            Looking at SpendCoin, you can see that it only returns false when it is unable to fetch the coin (object representing a UTXO) from the database. With the new database structure, this makes sense as the output should be removed from the database when it is spent. But, if you look a few lines down, you see that it only deletes the coin when it is marked as FRESH. In the case the coin was FRESH, SpendCoin would delete the object on the first pass so the second pass the coin would not be found and thus it would return false. This triggers the assert following the function call causing the node to shutdown.



            If the coin was not FRESH, the coin object itself is not deleted, but its contents are cleared. This means that the second time the input is seen, if the coin was not FRESH, SpendCoin would still return true as the object still exists in memory, which means that it passes the assert that follows the SpendCoin (which caused the crash when the coin was not FRESH). Then validation continues as normal, and the output this transaction created is added to the UTXO database, which means that money that shouldn't exist now exists in the UTXO database.



            So now the question is, when are UTXOs marked as FRESH? They are marked FRESH when they are added to the UTXO database. But the UTXO database is still only in memory (as a cache). When it is saved to disk, the entries in memory are then no longer marked as FRESH. This saving to disk happens after every block (as well as at other times, but that is not important).



            Thus, if a miner has an output that was part of a transaction that has already confirmed, and he spends the output twice in the same transaction (so the transaction has two inputs that refer to the same output), and this transaction is not broadcast to the network but instead included in a block that he mines, he is able to create a new output that has twice the value of the output that he spent, thereby creating coins.




            Why can't this be done by a non-miner?




            The reason that this cannot be done by a non-miner is because transactions that are received outside of blocks are still checked for duplicate inputs. The transaction will be rejected as invalid and not added to the node's mempool, so the transaction will never get into a block. It is only transactions with duplicate inputs that get into blocks that trigger this vulnerability, and thus only miners can do this as they must knowingly insert an invalid transaction into their block.




            Also, which forks are/were vulnerable?




            Any fork whose software includes commit eecffe50efc3944d713c701fa375dacbf17fb7cf. This would mean any software forked from or pulled in changes from Bitcoin Core after November 10th, 2016.






            share|improve this answer
























              up vote
              3
              down vote














              If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



              Where in the source code is this exactly (link)?




              There are two components to CVE-2018-17144. There is a crash bug and an inflation bug. Both are triggered by almost the same scenario: a transaction contains an input multiple times.



              In general, how this would work is as follows: lets suppose a miner has an unspent output A for 1 BTC. They create a transaction with that input in twice, so input 1 spends from output A and input 2 also spends from output A. The output of that transaction has a value of 2 BTC. Note how the output's value is larger than the value of output A, but if you had output A twice, the value is correct.



              The miner would then take this transaction and include it in a block that he is mining. Once the miner find a block with his transaction included in it, he broadcasts it to the Bitcoin network.



              When a Bitcoin Core 0.14.x node receives this block, it will validate the block, but it will skip the duplicate input check because of the false parameter on this line. So the transaction the miner made will pass this step of validation, and the other transaction validation steps, including input script validation, until it reaches this loop. In this loop, the inputs to the transaction are being marked as spent in the UTXO database. The first time the duplicated input is seen, it is marked as spent. But the second time it is seen, the coin is already marked as spent so coins->vout[nPos].IsNull() will be true. This means that it will go into this if statement and subsequently hit the assert statement that follows. The assert causes the software to crash.



              For Bitcoin Core 0.15.0 - 0.16.2, the behavior is different. This is due to the change in how the UTXO database is structured. Everything is largely the same until the same loop is reached. Here, instead of returning whether the output was spent, SpendCoin actually returns whether the input exists in the database. So the first time, it will pass as expected, but the second time, instead of returning false, it still returns true.



              Looking at SpendCoin, you can see that it only returns false when it is unable to fetch the coin (object representing a UTXO) from the database. With the new database structure, this makes sense as the output should be removed from the database when it is spent. But, if you look a few lines down, you see that it only deletes the coin when it is marked as FRESH. In the case the coin was FRESH, SpendCoin would delete the object on the first pass so the second pass the coin would not be found and thus it would return false. This triggers the assert following the function call causing the node to shutdown.



              If the coin was not FRESH, the coin object itself is not deleted, but its contents are cleared. This means that the second time the input is seen, if the coin was not FRESH, SpendCoin would still return true as the object still exists in memory, which means that it passes the assert that follows the SpendCoin (which caused the crash when the coin was not FRESH). Then validation continues as normal, and the output this transaction created is added to the UTXO database, which means that money that shouldn't exist now exists in the UTXO database.



              So now the question is, when are UTXOs marked as FRESH? They are marked FRESH when they are added to the UTXO database. But the UTXO database is still only in memory (as a cache). When it is saved to disk, the entries in memory are then no longer marked as FRESH. This saving to disk happens after every block (as well as at other times, but that is not important).



              Thus, if a miner has an output that was part of a transaction that has already confirmed, and he spends the output twice in the same transaction (so the transaction has two inputs that refer to the same output), and this transaction is not broadcast to the network but instead included in a block that he mines, he is able to create a new output that has twice the value of the output that he spent, thereby creating coins.




              Why can't this be done by a non-miner?




              The reason that this cannot be done by a non-miner is because transactions that are received outside of blocks are still checked for duplicate inputs. The transaction will be rejected as invalid and not added to the node's mempool, so the transaction will never get into a block. It is only transactions with duplicate inputs that get into blocks that trigger this vulnerability, and thus only miners can do this as they must knowingly insert an invalid transaction into their block.




              Also, which forks are/were vulnerable?




              Any fork whose software includes commit eecffe50efc3944d713c701fa375dacbf17fb7cf. This would mean any software forked from or pulled in changes from Bitcoin Core after November 10th, 2016.






              share|improve this answer






















                up vote
                3
                down vote










                up vote
                3
                down vote










                If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



                Where in the source code is this exactly (link)?




                There are two components to CVE-2018-17144. There is a crash bug and an inflation bug. Both are triggered by almost the same scenario: a transaction contains an input multiple times.



                In general, how this would work is as follows: lets suppose a miner has an unspent output A for 1 BTC. They create a transaction with that input in twice, so input 1 spends from output A and input 2 also spends from output A. The output of that transaction has a value of 2 BTC. Note how the output's value is larger than the value of output A, but if you had output A twice, the value is correct.



                The miner would then take this transaction and include it in a block that he is mining. Once the miner find a block with his transaction included in it, he broadcasts it to the Bitcoin network.



                When a Bitcoin Core 0.14.x node receives this block, it will validate the block, but it will skip the duplicate input check because of the false parameter on this line. So the transaction the miner made will pass this step of validation, and the other transaction validation steps, including input script validation, until it reaches this loop. In this loop, the inputs to the transaction are being marked as spent in the UTXO database. The first time the duplicated input is seen, it is marked as spent. But the second time it is seen, the coin is already marked as spent so coins->vout[nPos].IsNull() will be true. This means that it will go into this if statement and subsequently hit the assert statement that follows. The assert causes the software to crash.



                For Bitcoin Core 0.15.0 - 0.16.2, the behavior is different. This is due to the change in how the UTXO database is structured. Everything is largely the same until the same loop is reached. Here, instead of returning whether the output was spent, SpendCoin actually returns whether the input exists in the database. So the first time, it will pass as expected, but the second time, instead of returning false, it still returns true.



                Looking at SpendCoin, you can see that it only returns false when it is unable to fetch the coin (object representing a UTXO) from the database. With the new database structure, this makes sense as the output should be removed from the database when it is spent. But, if you look a few lines down, you see that it only deletes the coin when it is marked as FRESH. In the case the coin was FRESH, SpendCoin would delete the object on the first pass so the second pass the coin would not be found and thus it would return false. This triggers the assert following the function call causing the node to shutdown.



                If the coin was not FRESH, the coin object itself is not deleted, but its contents are cleared. This means that the second time the input is seen, if the coin was not FRESH, SpendCoin would still return true as the object still exists in memory, which means that it passes the assert that follows the SpendCoin (which caused the crash when the coin was not FRESH). Then validation continues as normal, and the output this transaction created is added to the UTXO database, which means that money that shouldn't exist now exists in the UTXO database.



                So now the question is, when are UTXOs marked as FRESH? They are marked FRESH when they are added to the UTXO database. But the UTXO database is still only in memory (as a cache). When it is saved to disk, the entries in memory are then no longer marked as FRESH. This saving to disk happens after every block (as well as at other times, but that is not important).



                Thus, if a miner has an output that was part of a transaction that has already confirmed, and he spends the output twice in the same transaction (so the transaction has two inputs that refer to the same output), and this transaction is not broadcast to the network but instead included in a block that he mines, he is able to create a new output that has twice the value of the output that he spent, thereby creating coins.




                Why can't this be done by a non-miner?




                The reason that this cannot be done by a non-miner is because transactions that are received outside of blocks are still checked for duplicate inputs. The transaction will be rejected as invalid and not added to the node's mempool, so the transaction will never get into a block. It is only transactions with duplicate inputs that get into blocks that trigger this vulnerability, and thus only miners can do this as they must knowingly insert an invalid transaction into their block.




                Also, which forks are/were vulnerable?




                Any fork whose software includes commit eecffe50efc3944d713c701fa375dacbf17fb7cf. This would mean any software forked from or pulled in changes from Bitcoin Core after November 10th, 2016.






                share|improve this answer













                If you were a miner, what are the steps you would take to create the extra (21,000,012.5th) bitcoin?



                Where in the source code is this exactly (link)?




                There are two components to CVE-2018-17144. There is a crash bug and an inflation bug. Both are triggered by almost the same scenario: a transaction contains an input multiple times.



                In general, how this would work is as follows: lets suppose a miner has an unspent output A for 1 BTC. They create a transaction with that input in twice, so input 1 spends from output A and input 2 also spends from output A. The output of that transaction has a value of 2 BTC. Note how the output's value is larger than the value of output A, but if you had output A twice, the value is correct.



                The miner would then take this transaction and include it in a block that he is mining. Once the miner find a block with his transaction included in it, he broadcasts it to the Bitcoin network.



                When a Bitcoin Core 0.14.x node receives this block, it will validate the block, but it will skip the duplicate input check because of the false parameter on this line. So the transaction the miner made will pass this step of validation, and the other transaction validation steps, including input script validation, until it reaches this loop. In this loop, the inputs to the transaction are being marked as spent in the UTXO database. The first time the duplicated input is seen, it is marked as spent. But the second time it is seen, the coin is already marked as spent so coins->vout[nPos].IsNull() will be true. This means that it will go into this if statement and subsequently hit the assert statement that follows. The assert causes the software to crash.



                For Bitcoin Core 0.15.0 - 0.16.2, the behavior is different. This is due to the change in how the UTXO database is structured. Everything is largely the same until the same loop is reached. Here, instead of returning whether the output was spent, SpendCoin actually returns whether the input exists in the database. So the first time, it will pass as expected, but the second time, instead of returning false, it still returns true.



                Looking at SpendCoin, you can see that it only returns false when it is unable to fetch the coin (object representing a UTXO) from the database. With the new database structure, this makes sense as the output should be removed from the database when it is spent. But, if you look a few lines down, you see that it only deletes the coin when it is marked as FRESH. In the case the coin was FRESH, SpendCoin would delete the object on the first pass so the second pass the coin would not be found and thus it would return false. This triggers the assert following the function call causing the node to shutdown.



                If the coin was not FRESH, the coin object itself is not deleted, but its contents are cleared. This means that the second time the input is seen, if the coin was not FRESH, SpendCoin would still return true as the object still exists in memory, which means that it passes the assert that follows the SpendCoin (which caused the crash when the coin was not FRESH). Then validation continues as normal, and the output this transaction created is added to the UTXO database, which means that money that shouldn't exist now exists in the UTXO database.



                So now the question is, when are UTXOs marked as FRESH? They are marked FRESH when they are added to the UTXO database. But the UTXO database is still only in memory (as a cache). When it is saved to disk, the entries in memory are then no longer marked as FRESH. This saving to disk happens after every block (as well as at other times, but that is not important).



                Thus, if a miner has an output that was part of a transaction that has already confirmed, and he spends the output twice in the same transaction (so the transaction has two inputs that refer to the same output), and this transaction is not broadcast to the network but instead included in a block that he mines, he is able to create a new output that has twice the value of the output that he spent, thereby creating coins.




                Why can't this be done by a non-miner?




                The reason that this cannot be done by a non-miner is because transactions that are received outside of blocks are still checked for duplicate inputs. The transaction will be rejected as invalid and not added to the node's mempool, so the transaction will never get into a block. It is only transactions with duplicate inputs that get into blocks that trigger this vulnerability, and thus only miners can do this as they must knowingly insert an invalid transaction into their block.




                Also, which forks are/were vulnerable?




                Any fork whose software includes commit eecffe50efc3944d713c701fa375dacbf17fb7cf. This would mean any software forked from or pulled in changes from Bitcoin Core after November 10th, 2016.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 hours ago









                Andrew Chow♦

                28.1k21859




                28.1k21859



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f79481%2fhow-does-the-most-recently-found-critical-vulnerability-cve-2018-17144-work%23new-answer', 'question_page');

                    );

                    Post as a guest
































































                    Comments

                    Post a Comment

                    Popular posts from this blog

                    Long meetings (6-7 hours a day): Being “babysat” by supervisor

                    Image
                    Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
                    Read more

                    Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
                    Read more

                    Confectionery

                    Image
                    Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
                    Read more