CVE-2023-50428: Bitcoin Core Client Vulnerability Exploited by Inscriptions
The United States National Vulnerability Database (NVD) added Bitcoin to its list on December 9th, highlighting a protocol vulnerability that facilitated the development of the Ordinals Protocol in 2022. This flaw has been assigned the identifier CVE-2023-50428. As per the database records, certain versions of Bitcoin Core and Bitcoin Knots can circumvent data volume restrictions by disguising them as code. “As exploited in the wild by Inscriptions in 2022 and 2023,” the document states.
Being added to the NVD list signifies that the CVE-2023-50428 vulnerability has been recognized, cataloged, and acknowledged as important for public awareness. The database is managed by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.
The vulnerability in the Bitcoin network is currently under analysis. One of the potential consequences could be the influx of a significant amount of non-transactional data into the blockchain, potentially increasing the network’s size and negatively impacting performance and fees.
The NVD website features a recent post by Bitcoin Core developer Luke Dashjr on X (formerly Twitter) as an informational resource. Dashjr asserts that inscriptions use the Bitcoin Core vulnerability for network spamming.
PSA: “Inscriptions” are exploiting a vulnerability in #Bitcoin Core to spam the blockchain. Bitcoin Core has, since 2013, allowed users to set a limit on the size of extra data in transactions they relay or mine (`-datacarriersize`). By obfuscating their data as program code,…
— Luke Dashjr (@LukeDashjr) December 6, 2023
Why is this significant for Ordinals? An inscription involves embedding additional data into a specific satoshi (the smallest unit of Bitcoin). These data can be any digital objects, such as images, text, or other media forms. Each time data is added to a satoshi, it becomes a permanent part of the Bitcoin blockchain.
Although data embedding has been part of the Bitcoin protocol for some time, its popularity surged with the emergence of ordinals at the end of 2022 – a protocol that allowed embedding unique digital artworks directly into Bitcoin transactions, similar to how non-fungible tokens (NFTs) operate on the Ethereum network.
The volume of ordinal transactions several times overloaded the Bitcoin network in 2023, leading to increased competition for transaction confirmation, thus resulting in higher fees and slower processing.
If the vulnerability is rectified, it could potentially limit the ability to create ordinals inscriptions on the network. When asked if the existence of ordinals and BRC-20 tokens would cease if the vulnerability is addressed, Dashjr replied, “Correct.” However, existing inscriptions will remain untouched due to the network’s immutability.