Vulnerability Details CVE-2024-34478
btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.3%
CVSS Severity
CVSS v3 Score 7.5
References
- https://delvingbitcoin.org/t/disclosure-btcd-consensus-bugs-due-to-usage-of-signed-transaction-version/455
- https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/blockchain/chain.go#L383C1-L392C3
- https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/txscript/opcode.go#L1172C1-L1178C3
- https://delvingbitcoin.org/t/disclosure-btcd-consensus-bugs-due-to-usage-of-signed-transaction-version/455
- https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/blockchain/chain.go#L383C1-L392C3
- https://github.com/btcsuite/btcd/blob/e4c88c3a3ecb1813529bf3dddc7a865bd418a6b8/txscript/opcode.go#L1172C1-L1178C3
Products affected by CVE-2024-34478
-
cpe:2.3:a:btcd_project:btcd:0.10.0
-
cpe:2.3:a:btcd_project:btcd:0.11.0
-
cpe:2.3:a:btcd_project:btcd:0.11.1
-
cpe:2.3:a:btcd_project:btcd:0.12.0
-
cpe:2.3:a:btcd_project:btcd:0.13.0
-
cpe:2.3:a:btcd_project:btcd:0.20.0
-
cpe:2.3:a:btcd_project:btcd:0.20.1
-
cpe:2.3:a:btcd_project:btcd:0.21.0
-
cpe:2.3:a:btcd_project:btcd:0.22.0
-
cpe:2.3:a:btcd_project:btcd:0.22.1
-
cpe:2.3:a:btcd_project:btcd:0.22.2
-
cpe:2.3:a:btcd_project:btcd:0.22.3
-
cpe:2.3:a:btcd_project:btcd:0.23.0
-
cpe:2.3:a:btcd_project:btcd:0.23.1
-
cpe:2.3:a:btcd_project:btcd:0.23.2
-
cpe:2.3:a:btcd_project:btcd:0.23.3
-
cpe:2.3:a:btcd_project:btcd:0.23.4
-
cpe:2.3:a:btcd_project:btcd:0.3.0
-
cpe:2.3:a:btcd_project:btcd:0.3.1
-
cpe:2.3:a:btcd_project:btcd:0.3.2
-
cpe:2.3:a:btcd_project:btcd:0.3.3
-
cpe:2.3:a:btcd_project:btcd:0.4.0
-
cpe:2.3:a:btcd_project:btcd:0.5.0
-
cpe:2.3:a:btcd_project:btcd:0.6.0
-
cpe:2.3:a:btcd_project:btcd:0.7.0
-
cpe:2.3:a:btcd_project:btcd:0.8.0
-
cpe:2.3:a:btcd_project:btcd:0.9.0