A so-called vulnerability associated with some versions of the Bitcoin Core and Bitcoin Knots software has been flagged by the National Institute of Standards and Technology (NIST), a U.S. government agency that manages cybersecurity risks.
The “vulnerability” in question, labelled “CVE-2023-50428,” has been added to the NIST’s National Vulnerability Database (NVD), with the agency saying that it impacts Bitcoin Core through version 26.0 and Bitcoin Knots until 25.1.
“datacarrier size limits can be bypassed by obfuscating data as code… as exploited in the wild by Inscriptions in 2022 and 2023,” read the description on the NIST website.
Read more: Bitcoin Core ‘v26.0’ Goes Live, Includes Measures to Reduce Transaction Tampering
Being assigned a CVE or “Common Vulnerabilities and Exposures” by the NIST means that the agency has determined a weakness in the codebase that results in a negative impact on its security or integrity when exploited.
CVE-2023-50428 is currently awaiting analysis from NVD staff after being published on the website on Friday.
Bitcoin Core developer Luke Dashjr first flagged the issue as a “vulnerability” that was being exploited by inscriptions from the Bitcoin Ordinals protocol last week, after a surge in the use of these inscriptions led to record levels of congestion on the Bitcoin blockchain.
The users and proponents of ordinals inscriptions and the related BRC-20 meme coins argue that blockchains are public, uncensorable goods open to anyone for any use for any purpose, and inscriptions are as legitimate a use as any. (They also have brought a boon to the Bitcoin miners who have been the beneficiary of a rise in fees, which has, in turn, improved the security of the Bitcoin blockchain.)
Read more: Luke Dashjr Warns Users About Bitcoin Knots Expiry After Losing $3.6M in Hack
Dashjr, who has been a longtime critic of the Ordinals protocol, claimed that the inscriptions had obfuscated their data as program code, and bypassed the limit of the extra data in transactions that they mine. Speaking to CoinDesk in January, he even went so far as to call the Ordinals protocol an “attack” on Bitcoin.
He has called for “patching the vulnerability,” which would in effect, no longer allow new Ordinals inscriptions on the network – something that has triggered heated debate within the community on whether developers should police how the underlying chain is used.
Update, Monday, December 11, 2023, 3:15pm ET: Added description of viewpoint of ordinal inscriptions proponents.