
Full GitHub Disclosure
Full descriptions and lists of cryptocurrencies affected can be found here.
CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
As an extension to our cryptocurrency research paper, we applied for extensions to existing CVEs, which were accepted by the National Institute of Standards and Technology (NIST) and the MITRE Corporation.
Currently, we have a total of 4 approved CVE extensions.
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. Attackers can also double spend Bitcoin transactions, causing an artificial inflation of Bitcoin.
At the time of our discovery (26/3/2019), we found 6 different cryptocurrencies that also contained this vulnerability including MinexCoin, MktCoin, and PlatinCoin.
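The duplicate-input check whose absence this entry describes can be modelled as follows. This is an added example, not Bitcoin Core's code or code from the research paper; the types, function names and the `check_duplicates` flag are hypothetical simplifications, and the sample transaction is constructed.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified model for illustration; not Bitcoin Core's data structures.
using OutPoint = std::pair<std::string, uint32_t>;  // (txid, output index)
using UtxoSet = std::map<OutPoint, int64_t>;        // unspent output -> value

struct Tx {
    std::vector<OutPoint> inputs;
    std::vector<int64_t> outputs;  // output values
};

enum class Result { Ok, DuplicateInput, MissingInput, Overspend };

// True if the transaction references the same outpoint more than once.
bool HasDuplicateInputs(const Tx& tx) {
    std::set<OutPoint> seen;
    for (const auto& in : tx.inputs)
        if (!seen.insert(in).second) return true;
    return false;
}

// check_duplicates=false models a validator that skips the duplicate check.
Result ValidateTx(const Tx& tx, const UtxoSet& utxos, bool check_duplicates) {
    if (check_duplicates && HasDuplicateInputs(tx)) return Result::DuplicateInput;
    int64_t in_value = 0, out_value = 0;
    for (const auto& in : tx.inputs) {
        auto it = utxos.find(in);
        if (it == utxos.end()) return Result::MissingInput;
        in_value += it->second;  // a repeated outpoint is counted again here
    }
    for (int64_t v : tx.outputs) out_value += v;
    return out_value > in_value ? Result::Overspend : Result::Ok;
}

int main() {
    // Constructed sample: one unspent output worth 50, referenced twice.
    UtxoSet utxos{{OutPoint("aa", 0), 50}};
    Tx dup{{OutPoint("aa", 0), OutPoint("aa", 0)}, {100}};
    std::cout << "accepted without check: "
              << (ValidateTx(dup, utxos, false) == Result::Ok) << "\n";
    std::cout << "rejected with check: "
              << (ValidateTx(dup, utxos, true) == Result::DuplicateInput) << "\n";
}
```

When auditing a fork, the point to verify is that the duplicate check runs on every validation path, including block validation, and not only when a transaction enters the mempool.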
Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability. A key-generation process, during evaluation of polynomials related to a to-be-proven statement, produced certain bypass elements. Availability of these elements allowed a cheating prover to bypass a consistency check, and consequently transform the proof of one statement into an ostensibly valid proof of a different statement, thereby breaking the soundness of the proof system. This misled the original Sprout zk-SNARK verifier into accepting the correctness of a transaction.
At the time of our discovery (27/5/2019), we found 1 other cryptocurrency that also contained this vulnerability - Hush.
These two vulnerabilities are closely related and hence are grouped in the same section.
A remote network alert system originating from Bitcoin allows the denial of service (memory exhaustion) if an attacker can sign a message with a certain private key that had been known by unintended actors. Due to an infinitely sized map, an attacker can send a large number of alerts (or very large alerts, or both) to a node, causing the node to run out of memory and crash. The alert system in itself also creates a centralized source in the cryptocurrency. Bitcoin has since deprecated the alert system entirely.
At the time of our discovery (14/6/2019), we found 377 other cryptocurrencies that also contained this vulnerability including Zcash, Bitcoin Private, and Dogecoin.