PT-2023-31544 · Bitcoin+1 · Bitcoin Core+2

Luke Dashjr · Published 2023-12-09 · Updated 2026-03-04 · CVE-2023-50428

CVSS v3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Bitcoin Core versions prior to 26.1
Bitcoin Knots versions prior to 25.1.knots20231115

Description

A flaw exists in Bitcoin Core through version 26.0 and Bitcoin Knots before version 25.1.knots20231115: datacarrier size limits can be circumvented by obfuscating data as code, specifically with the OP_FALSE OP_IF construct. Bypassing the intended data size restrictions can potentially lead to blockchain spam and resource exhaustion. The issue was exploited in the wild by Inscriptions in 2022 and 2023. Some consider this behavior not a bug, while others view it as a security concern. There are no estimates of the number of affected devices.

Recommendations

Upgrade Bitcoin Core to a version later than 26.0. Upgrade Bitcoin Knots to version 25.1.knots20231115 or later.
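A check for the construct named in the description, added here as an example and not taken from Bitcoin Core or Bitcoin Knots: it walks a script's opcodes and totals the bytes pushed between OP_FALSE OP_IF and the matching OP_ENDIF, so that data carried as never-executed code can be measured against a size limit. The function names, the sample script and the 83-byte limit are assumptions made for the demonstration.

```python
OP_FALSE, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_IF, OP_NOTIF, OP_ENDIF = 0x63, 0x64, 0x68
LEN_WIDTH = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}
def parse_script(script: bytes):
    """Yield (opcode, data) pairs; data is None for opcodes that push nothing."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if op > OP_PUSHDATA4:
            yield op, None
            continue
        size = op                       # 0x00-0x4b: the opcode is the push length
        if op in LEN_WIDTH:             # OP_PUSHDATA1/2/4: explicit length field
            width = LEN_WIDTH[op]
            if i + width > len(script):
                raise ValueError("truncated length field")
            size = int.from_bytes(script[i:i + width], "little")
            i += width
        if i + size > len(script):
            raise ValueError("truncated push")
        yield op, script[i:i + size]
        i += size

def envelope_sizes(script: bytes):
    """Bytes pushed between each OP_FALSE OP_IF and its matching OP_ENDIF."""
    sizes, depth, total, prev = [], 0, 0, None
    for op, data in parse_script(script):
        if depth == 0:
            if op == OP_IF and prev == OP_FALSE:
                depth, total = 1, 0     # entering a branch that never executes
        elif op in (OP_IF, OP_NOTIF):
            depth += 1                  # nested conditional inside the envelope
        elif op == OP_ENDIF:
            depth -= 1
            if depth == 0:
                sizes.append(total)
        elif data is not None:
            total += len(data)
        prev = op
    return sizes

def exceeds_limit(script: bytes, limit: int) -> bool:
    return any(size > limit for size in envelope_sizes(script))

# Constructed sample: 32-byte push, OP_CHECKSIG (0xAC), then 175 bytes wrapped as code.
SAMPLE = (bytes([32]) + b"\x02" * 32 + bytes([0xAC, OP_FALSE, OP_IF, 75]) + b"A" * 75
          + bytes([OP_PUSHDATA1, 100]) + b"B" * 100 + bytes([OP_ENDIF]))
LIMIT = 83  # assumed value for this demo, not read from any node configuration
```

Only the literal OP_FALSE OP_IF pair is matched; OP_ELSE inside the block is not treated specially, so the reported size is the total pushed up to the matching OP_ENDIF.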

Fix

Related Identifiers

ALT-PU-2024-15200
ALT-PU-2024-4529
CVE-2023-50428

Affected Products

Alt Linux
Bitcoin Core
Bitcoin Knots