The U.S. National Vulnerability Database (NVD), a central repository for cybersecurity threats, has hosted a page concerning an alleged bug related to Bitcoin inscriptions as of Dec. 9.
Inscriptions, a fundamental aspect of a Bitcoin feature known as Ordinals, allow for the creation of digital collectibles similar to non-fungible tokens (NFTs), a feature that was not possible on Bitcoin before a key upgrade in January 2023.
The U.S. National Vulnerability Database (NVD) is a pivotal resource for cybersecurity, particularly relevant for crypto-natives concerned about digital asset security. Managed by the National Institute of Standards and Technology, the NVD catalogs software and hardware vulnerabilities, providing detailed information and severity ratings. Its integration with cybersecurity tools aids in real-time threat assessment, a crucial factor for the constantly evolving blockchain and cryptocurrency sector.
The NVD database directly quotes an earlier GitHub advisory. Both pages state that it is possible to bypass Bitcoin’s data carrier size by obfuscating data as code. They also state that the vulnerability was “exploited in the wild by Inscriptions in 2022 and 2023.”
The government database additionally classifies the issue as 5.3 or “medium” risk on its CVSS 3.x Severity and Metrics scale. A link to the official Bitcoin Wiki indicates that the issue is easy to exploit but is a denial-of-service (DoS) risk, which implies that Bitcoin wallet balances are not directly at risk.
The fact that the NVD lists the bug does not mean that the U.S. government recognizes the bug; rather, the site accepts reports from external users. NIST also states that it does not endorse the external links that describe the vulnerability.
Database cites Luke Dashjr’s original complaint
One of the pages cited by the NVD database is a comment from Bitcoin Core developer Luke Dashjr, who warned of Ordinals-related spam on Dec. 6. He said:
“PSA: ‘Inscriptions’ are exploiting a vulnerability in Bitcoin Core to spam the blockchain. Bitcoin Core has, since 2013, allowed users to set a limit on the size of extra data in transactions they relay or mine (`-datacarriersize`). By obfuscating their data as program code, Inscriptions bypass this limit.”
He added that the vulnerability had been labeled CVE-2023-50428, though the relevant GitHub page indicates that the submission is unreviewed as of Dec. 11.
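The mechanism Dashjr describes, as an added illustration that is not code from the article, Bitcoin Core or Bitcoin Knots: a toy Bitcoin Script tokenizer that applies an OP_RETURN size check in the way the `-datacarriersize` policy does (whole-script size of an OP_RETURN output, Bitcoin Core's default being 83 bytes, i.e. 80 bytes of payload plus opcodes), and a second check that measures bytes pushed inside an `OP_FALSE OP_IF ... OP_ENDIF` branch, which never executes but is still stored on chain. The envelope layout is taken from the public ord protocol documentation; the sample scripts, key bytes and payloads are constructed for the demo. The point for a node operator is that the same 200-byte blob trips the limit as an OP_RETURN output and is invisible to it once wrapped as code, so measuring dead-branch pushes is the natural place for a filter or a monitoring metric.

```python
"""Added example: why an OP_RETURN-based data-carrier limit does not see
data wrapped in an unexecuted Script branch, and how to measure that data.
Not from the article or any Bitcoin implementation; envelope layout follows
the public ord docs, the 83-byte default follows Bitcoin Core's policy."""

OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_IF, OP_ENDIF, OP_RETURN, OP_CHECKSIG = 0x63, 0x68, 0x6A, 0xAC
DEFAULT_MAX_DATACARRIER_BYTES = 83  # Bitcoin Core's -datacarriersize default


def tokenize(script: bytes):
    """Yield (opcode, pushed_bytes_or_None) for each element of a script."""
    i, n = 0, len(script)
    while i < n:
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                     # direct push of 1..75 bytes
            size, hdr = op, 0
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            hdr = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
            if i + hdr > n:
                raise ValueError("truncated push length")
            size = int.from_bytes(script[i:i + hdr], "little")
        else:                                   # any non-push opcode (incl. OP_0)
            yield op, None
            continue
        i += hdr
        if i + size > n:
            raise ValueError("truncated push data")
        yield op, script[i:i + size]
        i += size


def push(data: bytes) -> bytes:
    """Encode a minimal data push for the given bytes."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def exceeds_datacarrier_limit(script_pubkey: bytes,
                              limit: int = DEFAULT_MAX_DATACARRIER_BYTES) -> bool:
    """Mimic the policy check: only OP_RETURN outputs are measured, and the
    measure is the whole scriptPubKey length. Anything else passes untouched."""
    return script_pubkey[:1] == bytes([OP_RETURN]) and len(script_pubkey) > limit


def envelope_payload_bytes(script: bytes) -> int:
    """Sum the bytes pushed inside OP_FALSE OP_IF ... OP_ENDIF branches.
    OP_FALSE makes OP_IF skip the branch, so these pushes never execute but
    are still carried in the transaction; this is the "data as code" trick."""
    total, depth, prev = 0, 0, None
    for op, data in tokenize(script):
        if depth == 0:
            if op == OP_IF and prev == OP_0:    # entering a dead branch
                depth = 1
        elif op == OP_IF:                        # nested IF inside the branch
            depth += 1
        elif op == OP_ENDIF:
            depth -= 1
        elif data is not None:
            total += len(data)
        prev = op
    return total


def op_return_script(payload: bytes) -> bytes:
    """Constructed OP_RETURN output script carrying `payload`."""
    return bytes([OP_RETURN]) + push(payload)


def inscription_style_tapscript(pubkey: bytes, content_type: bytes, body: bytes) -> bytes:
    """Constructed stand-in for an inscription reveal script (layout per the
    public ord docs): <pubkey> OP_CHECKSIG OP_FALSE OP_IF "ord" 0x01 <type>
    OP_0 <body chunks of at most 520 bytes> OP_ENDIF."""
    env = bytes([OP_0, OP_IF]) + push(b"ord") + push(b"\x01") + push(content_type) + bytes([OP_0])
    for i in range(0, len(body), 520):           # Script's per-push size cap
        env += push(body[i:i + 520])
    env += bytes([OP_ENDIF])
    return push(pubkey) + bytes([OP_CHECKSIG]) + env


if __name__ == "__main__":
    blob = b"A" * 200                            # constructed 200-byte payload
    ret = op_return_script(blob)
    tap = inscription_style_tapscript(bytes(32), b"text/plain", blob)
    print("OP_RETURN output over datacarrier limit:", exceeds_datacarrier_limit(ret))  # True
    print("tapscript over datacarrier limit:       ", exceeds_datacarrier_limit(tap))  # False
    print("bytes hidden in dead branch:            ", envelope_payload_bytes(tap))     # 214
```

The 214 figure is the 200-byte body plus the `ord` tag, the 1-byte field tag and the 10-byte content type, none of which the OP_RETURN check ever looks at; the 32-byte public key push before the envelope is correctly excluded because it sits outside the dead branch.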
The vulnerability is controversial despite its semi-official status. Dashjr has opposed Ordinals since their introduction, and the latest developments will aid his goals: he has asserted that a fix to the vulnerability could eliminate Ordinals from Bitcoin entirely. Dashjr’s Bitcoin node, Bitcoin Knots, has patched the issue. His recently launched mining pool, Ocean, has allegedly stopped processing transactions related to the issue as well.
Although it is unclear whether Dashjr is solely responsible for submitting the bug to GitHub and the NVD database, his efforts have gained partial community support. One linked item in the NVD post cites a comment from Bitcoin Core developer Sjors Provoost, who claims that the absence of a solution could cause maintainers to be repeatedly pressured to stop spam.
Regardless, many in the Bitcoin community are opposed to Dashjr. Several users have posted a chain letter asserting that “inscriptions will never stop” regardless of whether a fix is introduced to the main Bitcoin client, Bitcoin Core, in the future.