NVD Flags Bitcoin’s Inscriptions As Cybersecurity Risk

Table of Contents

• NVD Flags Bitcoin’s Inscriptions 
• Relevance to Ordinals? 

The United States National Vulnerability Database (NVD) flagged Bitcoin’s inscriptions as a cybersecurity risk on the 9th of December, bringing attention to the security flaw that allowed the development of the Ordinals Protocol in 2022. 

NVD Flags Bitcoin’s Inscriptions 

Database records show that a data carrier limit can be bypassed by masking the data as code in some Bitcoin Core and Bitcoin Knots versions, as exploited in the wild by Inscriptions in 2022 and 2023, according to the NVD document. Being added to the United States National Vulnerability Database means that a specific cybersecurity vulnerability has been documented, recognized, cataloged, and deemed important for public awareness. The NVD database is managed by the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce. 

The network vulnerability is currently under analysis. One potential impact of this vulnerability is that it could lead to large amounts of non-transactional data spamming the blockchain. This could potentially increase network size, adversely impacting performance and fees on the network. 

A post by Bitcoin core developer Luke Dashjr on X (formerly Twitter) is used as an information resource on the National Vulnerability Database website. In the post, Dashjr alleges that inscriptions spam the network by exploiting a Bitcoin core vulnerability.

“PSA: “Inscriptions” are exploiting a vulnerability in #Bitcoin Core to spam the blockchain. Bitcoin Core has, since 2013, allowed users to set a limit on the size of extra data in transactions they relay or mine (`-datacarriersize`). By obfuscating their data as program code, Inscriptions bypass this limit. This bug was recently fixed in Bitcoin Knots v25.1. It took longer than usual due to my workflow being severely disrupted at the end of last year (v24 was skipped entirely). Bitcoin Core is still vulnerable in the upcoming v26 release. I can only hope it will finally get fixed before v27 next year.”

Relevance to Ordinals? 

An inscription comprises additional data embedded in a specific Satoshi (smallest unit of Bitcoin). The data can be anything, such as an image, text, or any other form of media. When data is embedded in a Satoshi, it becomes a permanent part of the Bitcoin blockchain. While data embedding has been a part of the Bitcoin protocol, its popularity skyrocketed after the Ordinals came into the picture in 2022. Ordinals allow unique digital art to be directly embedded into Bitcoin transactions, operating similarly to how NFTs run on Ethereum. 

Ordinal transactions have weighed down the Bitcoin network on several occasions in 2023, significantly increasing competition for block space. This increased competition has resulted in a considerable increase in fees on the network and significantly slower transaction and processing speeds. If the vulnerability is patched, it could substantially restrict Ordinals on the Bitcoin network. In fact, Dashjr has suggested that fixing the vulnerability could end Bitcoin Ordinals and the BRC-20 tokens that cause increased network congestion on Bitcoin. 

When asked by a user if Ordinals and BRC-20 tokens would “stop being a thing” if the vulnerability were to be fixed, Dashjr replied in the affirmative. However, he stated that existing inscriptions would remain after the vulnerability was patched, thanks to the network’s immutability.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.