7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38365

GHSA ID

GHSA-27vh-h6mc-q6g8

EPSS Score

0.1223%

CWE

CWE-670

Published

10/10/2024

Updated

10/17/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-38365

CVE-2024-38365: btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality

Impact

The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality. This logic is consensus-critical: the difference in behavior with the other Bitcoin clients can lead to btcd clients accepting an invalid Bitcoin block (or rejecting a valid one).

This consensus failure can be leveraged to cause a chain split (accepting an invalid Bitcoin block) or be exploited to DoS the btcd nodes (rejecting a valid Bitcoin block). An attacker can create a standard transaction where FindAndDelete doesn't return a match but removeOpCodeByData does making btcd get a different sighash, leading to a chain split. Importantly, this vulnerability can be exploited remotely by any Bitcoin user and does not require any hash power. This is because the difference in behavior can be triggered by a "standard" Bitcoin transaction, that is a transaction which gets relayed through the P2P network before it gets included in a Bitcoin block.

`FindAndDelete` vs. `removeOpcodeByData`

removeOpcodeByData(script []byte, dataToRemove []byte) removes any data pushes from script that contain dataToRemove. However, FindAndDelete only removes exact matches. So for example, with script = "<data> <data||foo>" and dataToRemove = "data" btcd will remove both data pushes but Bitcoin Core's FindAndDelete only removes the first <data> push.

Patches

This has been patched in btcd version v0.24.2-beta.

References

FindAndDelete: https://github.com/btcsuite/btcd/security/advisories/GHSA-27vh-h6mc-q6g8

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-38365

GHSA ID

GHSA-27vh-h6mc-q6g8

EPSS Score

0.1223%

CWE

CWE-670

Published

10/10/2024

Updated

10/17/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/btcsuite/btcd	go	< 0.24.2-beta.rc1	0.24.2-beta.rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from btcd's removeOpcodeByData implementation differing from Bitcoin Core's FindAndDelete. The commit diff shows the critical change from substring matching (bytes.Contains) to exact matching (bytes.Equal) in script.go. This matches the advisory's description of the vulnerability where btcd removed partial matches while Bitcoin Core required exact matches. The function's role in signature validation (modifying scriptCode for sighash) directly impacts consensus-critical behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *t** *it*oin *li*nt (v*rsions *.** to *.**) *i* not *orr**tly r*-impl*m*nt *it*oin *or*'s "*in**n***l*t*()" *un*tion*lity. T*is lo*i* is *ons*nsus-*riti**l: t** *i***r*n** in ****vior wit* t** ot**r *it*oin *li*nts **n l*** to *t** *l

Reasoning

T** vuln*r**ility st*ms *rom *t**'s `r*mov*Op*o***y**t*` impl*m*nt*tion *i***rin* *rom *it*oin *or*'s `*in**n***l*t*`. T** *ommit *i** s*ows t** *riti**l ***n** *rom su*strin* m*t**in* (`*yt*s.*ont*ins`) to *x**t m*t**in* (`*yt*s.*qu*l`) in `s*ript.*

7.4

Basic Information

Concerned about an active attack path?

CVE-2024-38365: btcd did not correctly re-implement Bitcoin Core's "FindAndDelete()" functionality

Impact

FindAndDelete vs. removeOpcodeByData

Patches

References

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

`FindAndDelete` vs. `removeOpcodeByData`

Vulnerability Intelligence
Miggo AI