Hello Bitcoin-Dev,

CVE-2017-9230 (1) (2), or commonly known as ‘ASICBOOST’ is a severe (3) (4) and 
actively exploited (5) security vulnerability.
 
To learn more about this vulnerability please read Jeremy Rubin’s detailed 
report:
http://www.mit.edu/~jlrubin//public/pdfs/Asicboost.pdf
 
Andreas Antonopoulos has an excellent presentation on why asicboost is 
dangerous:
https://www.youtube.com/watch?v=t6jJDD2Aj8k

In decisions on the #bitcoin-core-dev IRC channel; It was proposed, without 
negative feedback, that SegWit be used as a partial-mitigation of CVE-2017-9230.

SegWit partially mitigates asicboost with the common reasonable assumption that 
any block that doesn’t include a witness commit in it's coinbase transaction 
was mined using covert asicboost.  Making the use of covert asicboost far more 
conspicuous.

It was also proposed that this partial mitigation should be quickly 
strengthened via another soft-fork that makes the inclusion of witness commits 
mandatory, without negative feedback.

The security trade-offs of deploying a partial-mitigation to CVE-2017-9230 
quickly vs more slowly but more conservatively is under intense debate.  The 
author of this post has a strong preference to the swiftest viable option.

Cameron.


(1) CVE Entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2017-9230

(2) Announcement of CVE to Mailing List:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014416.html

(3) Discussion of the perverse incentives created by 'ASICBOOST' by Ryan Grant:
 https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014352.html

(4) Discussion of ASICBOOST's non-independent PoW calculation by Tier Nolan:
 https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014351.html

(5) Evidence of Active Exploit by Gregory Maxwell:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-April/013996.html

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Reply via email to