GO-2024-3189
- Source
- https://pkg.go.dev/vuln/GO-2024-3189
- Import Source
- https://vuln.go.dev/ID/GO-2024-3189.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2024-3189
- Aliases
- Published
- 2024-10-15T18:38:57Z
- Modified
- 2024-10-17T14:56:24Z
- Summary
- Consensus failure in github.com/btcsuite/btcd
- Details
-
The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.
- References
- Credits
-
-
- darosior
-
- dergoegge
-
Affected packages
Go / github.com/btcsuite/btcd
Package
- Name
- github.com/btcsuite/btcd
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/btcsuite/btcd
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.24.2-beta.rc1
Ecosystem specific
{
"custom_ranges": [
{
"events": [
{
"introduced": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
],
"imports": [
{
"path": "github.com/btcsuite/btcd/txscript",
"symbols": [
"Engine.Execute",
"Engine.Step",
"VerifyTaprootKeySpend",
"baseSegwitSigVerifier.Verify",
"baseSigVerifier.Verify",
"baseTapscriptSigVerifier.Verify",
"opcodeCheckMultiSig",
"opcodeCheckSig",
"opcodeCheckSigAdd",
"opcodeCodeSeparator",
"removeOpcodeByData",
"taprootSigVerifier.Verify"
]
}
]
}