Bitcoin devs calm panic over Core bug false alarm

Erroneous rumors of a possible bug in Bitcoin Core caused widespread panic this weekend as the Bitcoin community jumped to a number of massively off-beam conclusions.

The claims appeared in the weekly Optech newsletter produced by non-profits Brink and Bitcoin Operations Technology Group.

Most weeks, the letter focuses on largely mundane topics like repository changes, pull request details, or mailing list messages. However, on Friday, it included a vague reference to an “upcoming disclosure of vulnerabilities affecting older versions of Bitcoin Core.”

This caused paranoid Bitcoiners to jump to disastrous interpretations, and posts on X (formerly Twitter) warning of “a serious vulnerability with Bitcoin Core v24” earned tens of thousands of impressions.


“It is strongly recommended that all users and administrators upgrade to Bitcoin Core 25.0 or above,” X users warned. If there is a bug, they thought, it could have affected thousands of fully validating nodes running the decentralized Bitcoin network.

For context, Bitcoin Core is by far the dominant software that Bitcoin node operators use. Over 56,000 node operators run it around the world, with over 18,000 online at any given moment.

Not only that, more than 98% of reachable nodes use Bitcoin Core as their software client. The current version is 27, released on April 16. Developers released version 24 last year and deprecated it months ago.

However, unlike conventional software like app store or manufacturer software updates, Bitcoin Core does not auto-update. Yes, that means that node operators must download and upgrade their software manually.

Because some node operators choose not to (or forget to) update their software, old versions of Bitcoin Core validate transactions on the Bitcoin network for months or even years. This can be problematic if hackers discover a bug and exploit nodes running old software.
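Since Bitcoin Core never updates itself, the only way an operator learns they are on a release covered by a disclosure is to check. The following is an added example, not code from the article or from the Bitcoin Core project: it decodes the numeric `version` field that `bitcoin-cli getnetworkinfo` reports and compares it with the versions the article names (0.21.x and older for the first disclosure batch, 25.0 as the minimum the warning posts recommended). The sample JSON is constructed, and the version encoding it relies on (major*10000 + minor*100 + patch, with the pre-22.0 "0.21.x" releases encoding 21 in the same position as later majors) is stated here as an assumption about how the client numbers its releases.

```python
"""Flag Bitcoin Core nodes running releases named in a vulnerability disclosure.

Added example (not from the article or the Bitcoin Core project). Assumes the
`version` integer from `getnetworkinfo` is encoded as
    major * 10000 + minor * 100 + patch
so that 0.21.1 -> 210100 (the leading 0 is dropped), 25.0 -> 250000, 27.0 -> 270000.
"""
import json

# Boundaries taken from the article: first disclosures cover 0.21.x and older,
# and the circulating advice was to run 25.0 or newer.
FIRST_DISCLOSURE_MAX_MAJOR = 21
RECOMMENDED_MIN_MAJOR = 25


def decode_version(version_int: int) -> tuple[int, int, int]:
    """Split the getnetworkinfo `version` integer into (major, minor, patch).

    For pre-22.0 releases the client's own "major" was 0 and the number we
    care about (21) sits in the next field, which this layout already covers.
    """
    if version_int < 0:
        raise ValueError("version must be non-negative")
    return version_int // 10000, (version_int // 100) % 100, version_int % 100


def classify(version_int: int) -> str:
    """Return a short verdict for the given numeric client version."""
    major, _minor, _patch = decode_version(version_int)
    if major <= FIRST_DISCLOSURE_MAX_MAJOR:
        return "disclosure-batch"  # 0.21.x or older: covered by the first disclosures
    if major < RECOMMENDED_MIN_MAJOR:
        return "below-recommended"  # e.g. 24.x: deprecated, below the 25.0 advice
    return "ok"


def check_node(getnetworkinfo_json: str) -> dict:
    """Parse a getnetworkinfo reply and return the decoded version plus verdict."""
    info = json.loads(getnetworkinfo_json)
    major, minor, patch = decode_version(int(info["version"]))
    return {
        "version": f"{major}.{minor}.{patch}",
        "subversion": info.get("subversion", ""),
        "verdict": classify(int(info["version"])),
    }


# Constructed sample replies, shaped like the real RPC output (only the two
# fields this check reads are included).
SAMPLES = [
    '{"version": 210100, "subversion": "/Satoshi:0.21.1/"}',
    '{"version": 240001, "subversion": "/Satoshi:24.0.1/"}',
    '{"version": 270000, "subversion": "/Satoshi:27.0.0/"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_node(sample)
        print(f'{result["subversion"]:>20}  -> {result["version"]:<8} {result["verdict"]}')
```

Run against a live node by piping `bitcoin-cli getnetworkinfo` output into `check_node`; anything other than `ok` means the node is on a release the article's disclosure timeline or the circulating upgrade advice already considers old.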

Senior Bitcoin developer responds to fire alarm

Bitcoin Core developer Ava Chow stepped into the public discourse to turn off this false alarm. She clarified categorically, “Not 24.x. First set of disclosures would be for 0.21.x and older.”

In other words, the imminent vulnerability disclosure discussed in the Optech newsletter relates to Bitcoin Core version 21, not 24.

The confusion arose from two factors. First, Optech correctly summarized a proposal by developers to disclose vulnerabilities in old versions of Bitcoin Core. That proposal might, if and when fully enacted, allow developers to disclose technical vulnerabilities in versions of the software that are 12 months old or older.

Therefore, if this proposal were enacted (and it isn’t yet), it would allow developers to disclose any severe bugs in last year’s version.

However, again, the proposal is still in discussion. Developers haven’t yet agreed what length of time is appropriate for the disclosure of major bugs.

The leading proposal attempts to find a compromise between never disclosing and immediately disclosing. “The proposed policy tries to strike a balance between these two,” wrote Chow. “Waiting for the last vulnerable version to go EOL [end of life] seems like a good middle ground — enough time for the vast majority of nodes to upgrade, but not so long that issues never get disclosed.”

So, as a starting point, developers are going to disclose security bugs in version 21 later this month. Again, that’s version 21, not 24.

https://twitter.com/achow101/status/1799979586127900788


Swift response to a fake bug in Bitcoin Core

As a culturally conservative community, it’s certainly in Bitcoiners’ self-interest to take security threats very seriously. By far the largest and most distributed crypto asset, the Bitcoin node and mining network secures over $1.3 trillion worth of coins held by hundreds of millions of humans.

Although this particular vulnerability regarding Core version 24 was probably a false alarm, the serious response was healthy.

There’s a vanishingly tiny number of nodes operating version 21 or older of Bitcoin Core, so it’s probably appropriate to responsibly disclose the bug that existed in that software. Moreover, it’s usually a good safety protocol to update to the latest version of Core, anyway.

The modern version of Bitcoin Core is 27 so it’s probably fine to disclose the errors that developers made when coding version 21.

Developers haven’t planned to disclose security bugs in version 24 this month. They are, however, discussing a policy to shorten the length of time between private detection of bugs by Bitcoin Core maintainers and public disclosure of those bugs.

In the future, a true fire — and not just a fire drill — might broadcast an all-hands-on-deck call for node operators or miners to respond to a legitimate security vulnerability. For now, however, this was merely a test.
