BU Phantom Menace Exploits xThin Vulnerability, Nodes Temporarily Destroyed
The Bitcoin community is at risk of bifurcation in all senses of the word. We are now witnessing a contentious political split between “small blockers” and “big blockers” while simultaneously facing the possibility of a hard fork. On the afternoon of March 14, SegWit “small block” supporters aimed, fired, and reloaded round after round of 150 character tweets, aimed at the “big block” proponents behind Bitcoin Unlimited about yet another catastrophic failure of their implementation. We now detail the chain of events that unfolded over the span of twenty-four hours.
At hour 0 in Reddit land, a user by the handle “ciphera” publicly detailed plans of exploiting known vulnerabilities found in Bitcoin Unlimited. Many unsupported allegations have since surfaced that the identity behind the handle is a prominent Bitcoin Core developer, Eric Lombrozo, who is supposedly motivated to commit cyber-offense by what must have been, according to the allegation, political partisanship.
Reddit user “shinobimonkey” later warned the /r/bitcoin community of a “remote crash vulnerability” in Bitcoin Unlimited that would expose any node that made so much as a request on the network. An xThin bug in the overlay client created the vulnerability from a point in any remote attack vector. “If Bitcoin Unlimited was a predominant client,” he emphasized, “this is a vulnerability that would have left the entire network open to being crashed.” Adding to that, “Most versions of Bitcoin Unlimited (and Classic…) have this bug.”
Then, Bitcoin Unlimited nodes started dropping off.
As the zero-day exploit unfolded, Peter Todd, a Bitcoin Core developer and vocal “small blocker,” noted it in a tweet, the tweet from which subsequent tweetstorms followed, drawing first blood.
The vulnerability had been quickly addressed and fixed, but the attempted low-key effort had been foiled by Peter Todd. In what was ostensibly a private slack channel, Peter Tschipper and two other aliased Bitcoin Unlimited contributors, or at least, watchers, contested the viability of continuing to maintain their code out in the open git field.
Meanwhile, over in /r/BTC neverland, Andrew Stone, known by the handle “theZerg,” “responded in kind” to Peter Todd, condemning Todd’s swift action which led to the xThin bug debacle blowing up on social media.
A popular Bitcoin news outlet published a heated, highly-emotional piece making unsupported claims that the attacker was, in fact, a Bitcoin Core developer, also characterized as Bitcoin Unlimited’s hidden “arch nemesis” from the nefarious side of the “Empire.”
Responding to the finger-pointing, Blockstream’s CTO, Gregory Maxwell, pled to the Bitcoin Unlimited team to correct any “defamatory claims” that was made.
To which the response was a No.
Politics, grade-school level drama, and ugly allegations aside, the fact is, none of the wordy firearm detract from the reality that Bitcoin Unlimited simply is not technically sound in its current form.