The Bitcoin network is today facing a discreet but serious threat. Around 13% of the nodes that maintain and secure the blockchain are vulnerable to a critical flaw that could bring them down. This vulnerability, identified in May 2023, nevertheless persists on several nodes which have not yet been updated with the latest version of the Bitcoin Core software. While Bitcoin security is often touted for its robustness, this issue reveals systemic flaws related to the management of software essential to the proper functioning of the network.
A critical unpatched vulnerability on 13% of Bitcoin nodes
In May 2023, Bitcoin developers discovered a major vulnerability in the Bitcoin Core software. The bug, tracked as CVE-2024-35202, affects nodes running versions earlier than 25.0. More than 13.7% of active nodes globally have not yet installed this important update, putting a significant portion of the network at risk of crashing. According to the developers, the flaw lies in the compact block protocol, a system designed to optimize data transmission by reducing the size of transactions sent between nodes. Such a bug can cause individual nodes to crash, thereby compromising the stability of the network. “Affected nodes may be forced into an invalid state, resulting in a complete shutdown,” the developers explain in an official report.
Although the bug is fixed in version 25.0, the fact that Bitcoin Core does not offer automatic updates leaves many node operators vulnerable. The update requires manual intervention, which seems to be a hurdle for many. According to BitNodes.io, around 2,582 active nodes, out of a total of 18,843, continue to operate without protection against this flaw. The stakes are high: although the flaw does not allow bitcoins to be stolen or double-spent, it could be used by actors seeking to destabilize the network. A large-scale attack could create significant disruption to the Bitcoin network.
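The figures above come from classifying each node's advertised version against the patched release. As an added example (not code from the article, BitNodes.io or the Bitcoin Core project), the following Python script shows how an operator or auditor can do the same classification from a list of Bitcoin Core user-agent strings, which take the form `/Satoshi:MAJOR.MINOR[.PATCH][(comment)]/` and may be stacked with other agents. The sample list is constructed for illustration; the threshold of 25.0 is taken from the article. Agents that are not Bitcoin Core (for example btcd) are reported as unknown rather than guessed at.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Per the article, the fix for CVE-2024-35202 shipped in Bitcoin Core 25.0.
# Older releases used 0.x numbering (e.g. 0.21.1); tuple comparison still
# orders them correctly below 25.0.0.
PATCHED_VERSION: Tuple[int, int, int] = (25, 0, 0)

# Matches the Bitcoin Core user-agent form "/Satoshi:MAJOR.MINOR[.PATCH]..."
# anywhere in the string, so stacked agents such as
# "/Satoshi:25.1.0/Knots:20231020/" are handled too.
_UA_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample of user-agent strings (not real BitNodes data).
SAMPLE_USER_AGENTS: List[str] = [
    "/Satoshi:27.1.0/",
    "/Satoshi:25.0.0/",
    "/Satoshi:24.0.1/",
    "/Satoshi:0.21.1/",
    "/Satoshi:26.0.0(my-node)/",
    "/Satoshi:25.1.0/Knots:20231020/",
    "/btcwire:0.5.0/btcd:0.24.2/",   # not Bitcoin Core: cannot classify
    "/Satoshi:23.0.0/",
    "/Satoshi:22.0.0/",
]


def parse_core_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Bitcoin Core agent, else None."""
    m = _UA_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(user_agent: str) -> Optional[bool]:
    """True if the agent runs Bitcoin Core older than 25.0, False if patched,
    None if the agent is not Bitcoin Core and cannot be classified."""
    version = parse_core_version(user_agent)
    if version is None:
        return None
    return version < PATCHED_VERSION


def summarize(user_agents: List[str]) -> Dict[str, float]:
    """Count vulnerable / patched / unknown agents and compute the share of
    classified nodes that are still on a pre-25.0 release."""
    counts: Counter = Counter()
    for ua in user_agents:
        state = is_vulnerable(ua)
        if state is None:
            counts["unknown"] += 1
        elif state:
            counts["vulnerable"] += 1
        else:
            counts["patched"] += 1
    classified = counts["vulnerable"] + counts["patched"]
    share = counts["vulnerable"] / classified if classified else 0.0
    return {
        "vulnerable": counts["vulnerable"],
        "patched": counts["patched"],
        "unknown": counts["unknown"],
        "vulnerable_share": share,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_USER_AGENTS)
    print(f"vulnerable={result['vulnerable']} patched={result['patched']} "
          f"unknown={result['unknown']} "
          f"share={result['vulnerable_share']:.1%}")
```

The unknown bucket matters: an agent that is not Bitcoin Core is not affected by a Bitcoin Core bug, but it should not be counted as patched either, so it is excluded from the denominator of the share. To run this against live data, an operator would feed in the user-agent field of each node from a BitNodes snapshot or from their own node's `getpeerinfo` output instead of the constructed list.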
Why are so many nodes not updating?
The absence of automatic updates in the Bitcoin Core software raises questions about the management and security of nodes in a network as essential as Bitcoin's. Indeed, each node operator is responsible for maintaining and updating their own software, a choice linked to the decentralized philosophy of Bitcoin. However, this manual management is today the root cause of the exposure of nodes that have not yet adopted the latest version. “Bitcoin Core does not force users to update their software, and leaves some functional nodes with outdated versions vulnerable,” the developers point out. How, then, can the security of the network be guaranteed while respecting its founding principle of decentralization?
The reasons some operators delay updating their nodes often include distrust of new versions or a lack of the technical knowledge needed to understand why these updates matter. A model of automatic or semi-automatic updates could therefore be one way to prevent such risks in the future. If certain actors managed to exploit this flaw on a large scale, the impact on the network would be destabilizing not only at a technical level but also in terms of user confidence in the security of Bitcoin.
This problem reveals a deep dilemma in the management of the Bitcoin network. While decentralization is one of its strengths, it also makes security management more complicated, especially when it comes to critical updates. If no action is taken to incentivize or facilitate node updates, the network could remain exposed to future attacks. The question is therefore open: should the total freedom of node operators be preserved, or should stricter security measures be imposed to guarantee the stability of the network? One thing is certain: the Bitcoin community will have to think quickly about these issues to avoid similar vulnerabilities in the future.