A Bitcoin Core developer has denied any involvement in adding inscriptions to the National Vulnerability Database (NVD), which could potentially expose Bitcoin users to loss of funds or denial of service attacks.
Inscriptions are a way of embedding arbitrary data into Bitcoin transactions, using a technique called OP_RETURN. This allows users to create digital art, messages, or other forms of expression on the Bitcoin blockchain, without affecting its functionality or security.
However, some critics argue that inscriptions are a form of spam that clogs up the Bitcoin network and increases transaction fees. They also claim that inscriptions violate the original design and vision of Bitcoin, which was intended to be a peer-to-peer electronic cash system, not a platform for data storage.
One of the most vocal opponents of inscriptions is Luke Dashjr, a Bitcoin Core developer and maintainer. He has repeatedly called for the removal of inscriptions from the Bitcoin protocol, and has even proposed a hard fork to achieve this.
How did inscriptions end up on the NVD?
The NVD is a government-sponsored database that tracks and assigns scores to common vulnerabilities and exposures (CVEs) in various software systems. The NVD is widely used by security researchers, developers, and users to assess the risk and impact of potential threats.
On May 12, 2023, the NVD published a CVE entry for Bitcoin Core, the most popular implementation of the Bitcoin protocol. The entry, numbered CVE-2021-31876, stated that Bitcoin Core versions 0.12.0 through 0.21.1 did not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes.
The entry also mentioned that the vulnerability was related to inscriptions, and that they were exploiting a loophole in Bitcoin Core to bypass the limit on the size of extra data in transactions. The entry assigned a medium severity score of 6.5 out of 10 to the vulnerability.
What was Dashjr’s response?
Dashjr, who is also one of the authors of BIP125, was quick to respond to the NVD entry. He posted a message on the Bitcoin development mailing list, claiming that he had nothing to do with adding inscriptions to the NVD, and that they were not a vulnerability, but a bug that would be fixed.
He explained that the replacement policy in BIP125 was intended to allow users to increase the fee of their unconfirmed transactions, in order to speed up their confirmation. However, he said that Bitcoin Core had a flaw in its implementation, which allowed users to replace their transactions with ones that had different outputs, inputs, or scripts. This could enable attackers to double-spend their coins, or to create transactions that were incompatible with the Lightning network.
Dashjr said that the flaw was not caused by inscriptions, but by the lack of enforcement of the nSequence field, which is a parameter that indicates the relative locktime of a transaction. He said that the nSequence field should be used to signal whether a transaction is replaceable or not, and that Bitcoin Core should reject any replacement attempt that does not respect this signal.
He also said that inscriptions were not exploiting the flaw, but were simply using the OP_RETURN opcode, which is a valid part of the Bitcoin script language. He said that inscriptions were not obfuscating their data as program code, but were simply storing it in a way that was compatible with the Bitcoin protocol.
He concluded his message by saying that he was working on a patch to fix the flaw in Bitcoin Core, and that he hoped that the NVD would correct their entry and remove the reference to inscriptions.
What are the implications of the NVD entry and Dashjr’s response?
The NVD entry and Dashjr’s response have reignited the debate over inscriptions and their role in the Bitcoin ecosystem. While some supporters of inscriptions see them as a form of innovation and expression, others view them as a nuisance and a distraction from the main purpose of Bitcoin.
The NVD entry also raises questions about the accuracy and reliability of the NVD as a source of information and guidance for the Bitcoin community. Some users have expressed doubts about the validity and credibility of the NVD entry, and have suggested that it was influenced by political or ideological motives.
The NVD entry and Dashjr’s response also highlight the challenges and trade-offs involved in developing and maintaining a decentralized and open-source software system like Bitcoin. As Bitcoin evolves and adapts to new use cases and demands, it faces the risk of introducing bugs, vulnerabilities, or inconsistencies that could compromise its security, performance, or compatibility. It also faces the challenge of balancing the interests and preferences of different stakeholders, such as developers, miners, users, and regulators.
As Bitcoin continues to grow and mature, it will need to find ways to address these issues and to foster a constructive and collaborative dialogue among its diverse and passionate community.