CVE-2024-38365

Name of the Vulnerable Software and Affected Versions btcd versions 0.10 through 0.24

Description The issue arises from the incorrect implementation of the "FindAndDelete()" functionality in the btcd Bitcoin client, leading to discrepancies in the validation of Bitcoin blocks. This can cause a chain split or Denial of Service (DoS) attacks. An attacker can trigger this vulnerability by constructing a standard Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'. The removeOpcodeByData function removes any data pushes from a script that contain specified data, whereas FindAndDelete only removes exact matches. This difference in behavior can be exploited remotely without requiring any hash power, as it can be triggered by a standard Bitcoin transaction relayed through the P2P network.

Recommendations To resolve the issue, upgrade to btcd version v0.24.2 or later. As a temporary workaround, consider restricting the use of the removeOpcodeByData function until a patch is applied. Avoid using transactions that may trigger the difference in behavior between FindAndDelete and removeOpcodeByData until the issue is resolved.