On December 9, the United States National Vulnerability Database (NVD) raised concerns about Bitcoin’s inscriptions, identifying them as a significant cybersecurity risk. The database highlighted a security flaw that paved the way for the development of the Ordinals Protocol in 2022.
According to NVD records, certain versions of Bitcoin Core and Bitcoin Knots exhibit a datacarrier limit bypass, allowing data to be disguised as code. The document points out that this vulnerability was exploited in the wild by Inscriptions in 2022 and 2023.
Inclusion in the NVD’s list signifies the acknowledgment of a specific cybersecurity threat, emphasizing its importance for public awareness. The NVD is overseen by the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce.
The ongoing analysis of Bitcoin’s network vulnerability suggests potential consequences, such as a surge in non-transactional data flooding the blockchain. This could lead to an increase in network size, negatively impacting performance and fees.
A recent post by Bitcoin Core developer Luke Dashjr on X (formerly Twitter) is highlighted on the NVD’s website as an informative resource. Dashjr claims that inscriptions exploit a vulnerability in Bitcoin Core, likening it to receiving daily junk mail that slows down the user experience.
The relevance of this vulnerability to Ordinals lies in the nature of inscriptions, where additional data is embedded into specific satoshis, the smallest unit of Bitcoin. This digital data, whether an image, text, or other media, becomes a permanent part of the Bitcoin blockchain with each addition to a satoshi.
Although data embedding has been part of the Bitcoin protocol for some time, its popularity surged with the introduction of Ordinals in late 2022. This protocol allowed for the direct embedding of unique digital arts into Bitcoin transactions, akin to nonfungible tokens (NFTs) on the Ethereum network.
The increased volume of Ordinals transactions in 2023 led to network congestion, intensifying competition to confirm transactions and subsequently raising fees while slowing processing times.
If the bug is patched, there is potential for restricting Ordinals inscriptions on the network. When asked about the impact on Ordinals and BRC-20 tokens if the vulnerability is fixed, Dashjr affirmed that they would cease to exist. However, existing inscriptions would remain intact due to the network’s immutability.
