After Bitcoin Core 0.12.0 and before Bitcoin Core 0.15.0 a node could be spammed with minimum difficulty headers, which could be leveraged to crash it by exhausting its memory (OOM).

This issue is considered Medium severity.

Details

Before the introduction of headers pre-synchronisation, nodes relied exclusively on checkpoints to avoid getting spammed by low-difficulty headers.

In Bitcoin Core 0.12.0 the check that rejects headers forking before the last checkpoint’s height was moved to after the header had already been stored in mapBlockIndex. This allowed an attacker to grow the map without bound by spamming headers whose parent is the genesis block (which only require minimum difficulty, 1, to create), because such headers bypassed the checkpoint logic: each one was rejected, but only after it had been inserted.
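To make the ordering problem concrete, here is a small model of header acceptance added for this write-up; it is not Bitcoin Core code, and the names Node, Header, AcceptHeader and IndexSizeAfterSpam are assumptions. It places the "forks before last checkpoint" check either after the insert (the 0.12.0 to 0.14.x ordering) or before it (the PR #11028 ordering) and measures how the in-memory index grows under genesis-parented headers that are assumed to already satisfy the minimum proof-of-work target.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Constructed model of a node's in-memory header index (stands in for
// mapBlockIndex). Proof-of-work is assumed to have been checked already;
// minimum-difficulty headers pass that check, as the advisory explains.
struct Header {
    std::string hash;
    std::string prev;  // hash of the parent header
};

struct Node {
    std::map<std::string, uint32_t> index;  // hash -> height
    uint32_t lastCheckpointHeight;
    bool vulnerableOrdering;  // true: store first, then check (buggy ordering)

    Node(bool vulnerable, uint32_t checkpointHeight)
        : lastCheckpointHeight(checkpointHeight), vulnerableOrdering(vulnerable) {
        index["genesis"] = 0;  // height 0
    }

    // Returns true if the header is accepted. The checkpoint rule rejects any
    // header that would sit below the last checkpoint's height.
    bool AcceptHeader(const Header& h) {
        auto parent = index.find(h.prev);
        if (parent == index.end()) return false;  // unknown parent: not stored
        uint32_t height = parent->second + 1;
        bool forksBeforeCheckpoint = height < lastCheckpointHeight;
        if (vulnerableOrdering) {
            index[h.hash] = height;                   // inserted first ...
            return !forksBeforeCheckpoint;            // ... rejected, never evicted
        }
        if (forksBeforeCheckpoint) return false;      // fixed: check, then store
        index[h.hash] = height;
        return true;
    }
};

// Feeds n headers that all claim genesis as their parent (height 1, far below
// the checkpoint) and returns how many entries the index holds afterwards.
size_t IndexSizeAfterSpam(bool vulnerable, size_t n) {
    Node node(vulnerable, 100000);
    for (size_t i = 0; i < n; ++i) {
        node.AcceptHeader({"spam" + std::to_string(i), "genesis"});
    }
    return node.index.size();  // vulnerable: n + 1; fixed: 1
}
```

With the buggy ordering every rejected header still costs an index entry, so the map grows linearly with the spam; with the check moved ahead of the insert the index stays at its single genesis entry.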

Attribution

Credits to Cory Fields for finding and responsibly disclosing the bug.

Timeline

  • 2017-08-08 Cory Fields privately reports the bug
  • 2017-08-11 Pieter Wuille opens PR #11028 to fix it
  • 2017-08-14 PR #11028 is merged
  • 2017-09-14 Bitcoin Core version 0.15.0 is released with a fix
  • 2018-10-03 The last vulnerable version of Bitcoin Core (0.14.3) goes end of life
  • 2024-07-03 Public disclosure