CVE-2023-50428: Bitcoin Core Client Vulnerability
According to the United States National Vulnerability Database (NVD), the recently sensationalized Bitcoin inscriptions have been reported as a cybersecurity vulnerability, designated as CVE-2023-50428, and are currently pending analysis. Being added to the NVD list signifies that a specific cybersecurity vulnerability has been identified, cataloged, and recognized as significant for public awareness. This database is managed by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce.
“In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023,” reads a description of the CVE-2023-50428 vulnerability.
A recent tweet by Bitcoin Core client developer Luke Dashjr on X has also been included in the report as an external resource.
PSA: “Inscriptions” are exploiting a vulnerability in #Bitcoin Core to spam the blockchain. Bitcoin Core has, since 2013, allowed users to set a limit on the size of extra data in transactions they relay or mine (`-datacarriersize`). By obfuscating their data as program code,…
— Luke Dashjr (@LukeDashjr) December 6, 2023
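The check a relay policy would need in order to see data carried this way, as an added example that is not code from Bitcoin Core, Bitcoin Knots or the original article: it parses a script, finds `OP_FALSE OP_IF` branches that never execute, and counts the bytes pushed inside them. The function names, the constructed sample scripts and the comparison of payload bytes alone against the 83-byte default `-datacarriersize` are assumptions of this example.

```python
OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_IF, OP_NOTIF, OP_ELSE, OP_ENDIF = 0x63, 0x64, 0x67, 0x68
LENGTH_WIDTH = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}

def parse_script(script: bytes):
    """Return [(opcode, pushed_bytes_or_None), ...]; raise on truncated pushes."""
    ops, i = [], 0
    while i < len(script):
        op, data = script[i], None
        i += 1
        if op <= OP_PUSHDATA4:  # every opcode up to 0x4e is a data push
            n = op  # 0x00-0x4b: the opcode itself is the length
            if op in LENGTH_WIDTH:  # OP_PUSHDATAn: little-endian length follows
                width = LENGTH_WIDTH[op]
                if i + width > len(script):
                    raise ValueError("truncated push length")
                n = int.from_bytes(script[i:i + width], "little")
                i += width
            if i + n > len(script):
                raise ValueError("truncated push data")
            data = script[i:i + n]
            i += n
        ops.append((op, data))
    return ops

def dead_branch_payload(script: bytes) -> int:
    """Count bytes pushed inside OP_FALSE OP_IF ... branches, which never execute."""
    total, depth, prev = 0, 0, None
    for op, data in parse_script(script):
        if depth:
            if op in (OP_IF, OP_NOTIF):
                depth += 1
            elif op == OP_ENDIF or (op == OP_ELSE and depth == 1):
                depth -= 1  # a top-level OP_ELSE starts the branch that does run
            elif data is not None:
                total += len(data)
        elif op == OP_IF and prev == OP_0:
            depth = 1
        prev = op
    return total

def exceeds_datacarrier_limit(script: bytes, limit: int = 83) -> bool:
    # 83 is Bitcoin Core's default -datacarriersize; comparing it to payload
    # bytes alone is a simplification made for this example.
    return dead_branch_payload(script) > limit

# Constructed samples: a key push + OP_CHECKSIG, alone and with a 303-byte dead branch.
PLAIN = bytes([32]) + bytes(32) + b"\xac"
ENVELOPE = PLAIN + b"\x00\x63" + b"\x03tag" + b"\x4d\x2c\x01" + b"A" * 300 + b"\x68"
```

Because the pushes sit in a branch that is skipped at execution time, the script still validates as ordinary code, which is why a size limit applied only to the data-carrier output type does not see them.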
Why is this relevant to the Ordinal protocol?
Inscriptions involve embedding additional data into a specific satoshi (the smallest unit of Bitcoin). This data can be in any digital format, such as images, text, or other media forms. Each time data is added to a satoshi, it becomes a permanent part of the Bitcoin blockchain.
Although data embedding has been a feature of the Bitcoin protocol for some time, its popularity only began to rise with the emergence of the Ordinal protocol at the end of 2022. This protocol allowed the embedding of unique digital art directly into Bitcoin transactions, akin to how Non-Fungible Tokens (NFTs) function on the Ethereum network.
Should this so-called ‘vulnerability’ be rectified, it could potentially impose restrictions on inscriptions on the network. When asked whether Ordinals and BRC-20 tokens would stop being a thing if the vulnerability were fixed, Luke Dashjr responded affirmatively, “Correct.” However, due to the immutable nature of the network, existing inscriptions will continue to exist but will be non-tradable.