bitcoin-dev

Re: A Free-Relay Attack Exploiting RBF Rule #6

Original Post by Peter Todd

Posted on: March 28, 2024 19:16 UTC

The discussion revolves around CVE-2017-12842, which the author does not consider to be a serious vulnerability.

The skepticism stems from the belief that the effort and financial investment required to exploit this vulnerability could be as intensive, if not more so, than creating fake blocks directly. This perspective casts doubt on the practicality and necessity of addressing the issue through a software fork. Furthermore, the mention of Sergio's RSK Bridge contract being susceptible to this vulnerability highlights concerns over what is perceived as reckless design choices within certain projects.

The narrative also delves into the process of disclosure and the interactions—or lack thereof—with the relevant parties prior to publicizing the information. Despite having direct connections with key individuals who were informed about the report on CVE-2017-12842, the decision was made to dismiss the findings. This dismissal and the subsequent lack of engagement from these parties underscore a broader frustration experienced by the author, especially given the personal and professional significance of the research involved. The emphasis on the lack of response, despite the anticipation of such an outcome, illustrates a challenging aspect of dealing with vulnerabilities in high-profile projects.

Moreover, the author reflects on the broader implications of their experience, questioning the value of adhering to a traditional disclosure process for certain types of security issues. The recounting of their experience suggests that bypassing the formal disclosure route and directly publishing information about the vulnerability might have been a more effective approach, considering the political and social dynamics at play. This reflection is framed within the context of the author's current standing with influential members of the Bitcoin Core community, particularly those working on mempool code, indicating a complex web of professional relationships and reputations.

In light of these experiences, the author concludes that engaging in the disclosure process for issues like CVE-2017-12842 may not be worthwhile, given the potential for political drama and distraction from the core technical issues at hand. This stance is articulated against the backdrop of ongoing challenges and disagreements within the cryptocurrency and blockchain development communities. For more insights and updates, the author can be reached through their personal website, Peter Todd's Website.