PT-2024-40497 · Bitcoin · Bitcoind
Published: 2024-01-19 · Updated: 2024-01-19
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Bitcoin (affected versions not specified)
Description
The issue allows an attacker to create seemingly valid SPV proofs for fraudulent transactions by publishing specially crafted transactions on the Bitcoin blockchain. This is achieved by creating a 64-byte transaction that the fraudulent transaction treats as a node in its merkle proof. The attacker creates the malicious transaction E and calculates an unusual but valid transaction D, so that the last 32 bytes of D are a part of the merkle proof of E. The estimated number of operations required to calculate a suitable value for E' is between 2^60 and 2^81. The vulnerability does not enable the SPV maintainer to do anything they would not have been able to do otherwise, but it makes abusing the SPV maintainer position significantly cheaper.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, as a mitigation measure, adding the coinbase transaction and its merkle proof into the SPV proofs can prevent this issue by increasing the brute-force required to 2^224. If the length of the coinbase proof matches the length of the transaction proof, and both proofs are valid for the same header, we can trust that the exploit has not been abused for the transaction. Additionally, having a trusted SPV maintainer position can prevent this issue.
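The coinbase-depth check from the recommendation above, as an added Python example (not code from this advisory or from Bitcoin Core). It builds a four-leaf tree from constructed stand-in bytes, shows that a plain merkle fold accepts a proof that is one level too deep, and that comparing against the coinbase proof length rejects it; all function and variable names are hypothetical.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used for txids and merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def fold(leaf_hash: bytes, index: int, branch: list) -> bytes:
    """Hash a leaf up the tree; bit i of index is 1 when the node is a right child."""
    node = leaf_hash
    for sibling in branch:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    return node

def verify_with_coinbase(root, raw_tx, tx_index, tx_branch, raw_coinbase, cb_branch) -> bool:
    """Accept a transaction proof only if it is exactly as deep as the coinbase proof."""
    if len(tx_branch) != len(cb_branch):   # depth mismatch: a leaf was read as a node
        return False
    if tx_index >> len(tx_branch):         # index must fit in a tree of that depth
        return False
    if fold(dsha256(raw_coinbase), 0, cb_branch) != root:  # coinbase is always leaf 0
        return False
    return fold(dsha256(raw_tx), tx_index, tx_branch) == root

def build_branch(leaves: list, index: int):
    """Return (root, branch) for leaves[index]; leaf count must be a power of two."""
    level, branch = [dsha256(leaf) for leaf in leaves], []
    while len(level) > 1:
        branch.append(level[index ^ 1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index >>= 1
    return level[0], branch

# Constructed stand-in bytes, not real Bitcoin transactions.
COINBASE, TX_A, TX_B, FAKE_E = b"coinbase", b"tx-a", b"tx-b", b"fake-tx-E"
# 64-byte leaf D: first half is E's txid, the last 32 bytes become part of E's proof.
D = dsha256(FAKE_E) + dsha256(b"filler")
LEAVES = [COINBASE, TX_A, D, TX_B]
ROOT, CB_BRANCH = build_branch(LEAVES, 0)
A_BRANCH, D_BRANCH = build_branch(LEAVES, 1)[1], build_branch(LEAVES, 2)[1]
FAKE_INDEX, FAKE_BRANCH = 2 * 2, [D[32:]] + D_BRANCH  # one level deeper than the tree

def demo() -> dict:
    return {
        "naive_accepts_fake": fold(dsha256(FAKE_E), FAKE_INDEX, FAKE_BRANCH) == ROOT,
        "checked_accepts_fake": verify_with_coinbase(ROOT, FAKE_E, FAKE_INDEX, FAKE_BRANCH, COINBASE, CB_BRANCH),
        "checked_accepts_honest": verify_with_coinbase(ROOT, TX_A, 1, A_BRANCH, COINBASE, CB_BRANCH),
    }
```

The check depends on the verifier obtaining the block header's merkle root from a source it already trusts; the proof itself cannot vouch for the header.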
Affected Products
Bitcoind