Disclosure of the details of an integer overflow bug which causes a crash if a node is spammed with addr messages continuously for a very long time (years). A fix was released on April 14th 2025 in Bitcoin Core v29.0.
This issue is considered Low severity.
Details
The address manager in Bitcoin Core uses a 32-bit identifier for each entry, incremented on every insertion. An earlier security advisory explained how this enabled an attacker to remotely trigger an assertion failure by spamming a node with addr messages until the 32-bit identifier overflowed.
This was partially addressed in Bitcoin Core v22.0 by rate-limiting insertions in the address manager to 1 address per peer every 10 seconds. This made the attack far more expensive, if not impractical: even with 1000 peers attacking continuously, it would still take more than a year to make the 32-bit identifier overflow.
The remaining, more expensive attack vector was addressed in Bitcoin Core version 29.0 by widening the identifier to 64 bits.
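As an added illustration (not Bitcoin Core's code), the following toy model puts the two mitigations side by side: a per-peer token bucket at the advertised rate limit in front of an insertion counter whose width is configurable, plus the back-of-the-envelope time-to-exhaustion under the 1000-peer scenario from the advisory. The bucket capacity, peer and address values are assumptions; the 0.1 address/second rate and the 32-bit and 64-bit widths come from the text above.

```python
ADDR_RATE_PER_SECOND = 0.1   # 1 address per peer every 10 seconds (from the advisory)
BUCKET_CAPACITY = 1.0        # assumption for this model; Core's real bucket is larger
SECONDS_PER_YEAR = 365 * 24 * 3600


class IdOverflow(Exception):
    """Stands in for the assertion failure the earlier advisory described."""


class AddrMan:
    """Toy address manager: per-peer token bucket in front of an `id_bits`-wide counter."""

    def __init__(self, id_bits: int, next_id: int = 0):
        self.id_bits = id_bits
        self.id_limit = 1 << id_bits          # first value the counter cannot hold
        self.next_id = next_id
        self.entries: dict[int, str] = {}
        self.buckets: dict[str, tuple[float, float]] = {}   # peer -> (tokens, last_update)

    def _allow(self, peer: str, now: float) -> bool:
        """Refill the peer's bucket at ADDR_RATE_PER_SECOND and spend one token if available."""
        tokens, last = self.buckets.get(peer, (BUCKET_CAPACITY, now))
        tokens = min(BUCKET_CAPACITY, tokens + (now - last) * ADDR_RATE_PER_SECOND)
        allowed = tokens >= 1.0
        self.buckets[peer] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def add(self, peer: str, addr: str, now: float):
        """Insert `addr` learned from `peer`; return its id, or None if rate-limited."""
        if not self._allow(peer, now):
            return None
        if self.next_id >= self.id_limit:
            raise IdOverflow(f"{self.id_bits}-bit id counter exhausted")
        nid, self.next_id = self.next_id, self.next_id + 1
        self.entries[nid] = addr
        return nid


def years_to_overflow(id_bits: int, peers: int) -> float:
    """Wall-clock years for `peers` senders, each at the rate limit, to exhaust the counter."""
    return (1 << id_bits) / (peers * ADDR_RATE_PER_SECOND) / SECONDS_PER_YEAR


def exhausts_after_32_bit_boundary(id_bits: int) -> bool:
    """Start at the last 32-bit id and insert twice, 10 s apart: does the counter blow up?"""
    am = AddrMan(id_bits, next_id=(1 << 32) - 1)
    am.add("peer", "198.51.100.1:8333", now=0.0)      # constructed sample address
    try:
        am.add("peer", "198.51.100.2:8333", now=10.0)  # constructed sample address
        return False
    except IdOverflow:
        return True
```

With 1000 peers at the rate limit the 32-bit counter lasts about 1.4 years, matching the "more than a year" figure; the 64-bit counter lasts billions of years.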
Attribution
Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, and to Martin Zumsande for changing the identifier to 64-bit.
Timeline
- 2021-06-21 - Initial report sent to security@bitcoincore.org by Eugene Siegel
- 2021-07-19 - Rate limiting is merged in PR #22387
- 2021-09-13 - v22.0 is released with rate-limiting
- 2024-07-31 - Publication of the first security advisory
- 2024-09-20 - Change to 64-bit identifier is merged in PR #30568
- 2025-04-14 - Bitcoin Core v29.0 is released with the 64-bit identifier
- 2025-04-28 - Public Disclosure