CVE-2012-2459: Duplicate Transaction Merkle Root Collision
This vulnerability allowed two different Bitcoin blocks to produce the same Merkle root, which could cause a node to drop out of consensus.
- Block A
Let’s imagine we have Block A with three transactions: [Tx1, Tx2, Tx3]
The Merkle tree for this block is constructed as follows:
Since we have an odd number of txs (leaves), the last element is duplicated to make an even count.
The Merkle root for this block is calculated as:
Merkle root = H(Node1 || Node2)
where
Node1 = H(H(Tx1) || H(Tx2))
Node2 = H(H(Tx3) || H(Tx3))
- Block B
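Now let’s take another Block B with four transactions: [Tx1, Tx2, Tx3, Tx3]
We calculate its Merkle root. With four leaves no padding is needed, and the pairs (Tx1, Tx2) and (Tx3, Tx3) are exactly the ones hashed for Block A.
The Merkle root for this new block is the same as the previous one.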
That means TWO DIFFERENT BLOCKS produce the same Merkle root.
This can cause a node to drop out of consensus.
Here’s how:
- If a node receives the invalid Block B first, it will reject it and mark the block hash as invalid.
- Bitcoin Core caches invalid blocks by their hash.
Later, if that node receives the valid Block A, it will refuse to accept it, because it already marked that block hash as invalid. The block hash covers only the header, which commits to the transactions through the Merkle root, so Block A and Block B have the same hash.
Bitcoin Core fixed this by:
- Rejecting blocks with duplicate transaction IDs
- Not caching such a block as permanently invalid
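The collision and a check for it, as an added example (not code from the original post or from Bitcoin Core). It assumes H is double SHA-256 and uses constructed placeholder transactions; the `mutated` flag marks identical siblings at any tree level, which goes beyond the three-transaction case above to cover a repeated subtree deeper in the tree.

```python
import hashlib

def H(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(leaves):
    """Return (root, mutated) for a list of leaf hashes.

    mutated is True when two real siblings at any level are identical,
    i.e. the list could be the padded form of a shorter transaction list.
    """
    if not leaves:
        raise ValueError("a block has at least one transaction")
    level, mutated = list(leaves), False
    while len(level) > 1:
        # Compare siblings *before* padding, so the duplicate that the
        # algorithm itself appends to an odd level is never flagged.
        for i in range(0, len(level) - 1, 2):
            if level[i] == level[i + 1]:
                mutated = True
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], mutated

# Constructed sample leaves: H(Tx1) .. H(Tx6) over placeholder bytes.
tx = [H(b"Tx%d" % n) for n in range(1, 7)]

def demo():
    block_a = tx[:3]                    # [Tx1, Tx2, Tx3]
    block_b = tx[:3] + [tx[2]]          # [Tx1, Tx2, Tx3, Tx3]
    six = tx                            # deeper case: padding at level 2
    eight = tx + tx[4:6]                # [Tx1..Tx6, Tx5, Tx6]
    return [merkle_root(b) for b in (block_a, block_b, six, eight)]

if __name__ == "__main__":
    for root, mutated in demo():
        print(root.hex(), "mutated" if mutated else "clean")
```

A block whose transaction list comes back with `mutated` set is rejected, but its hash is not recorded as invalid, so the clean block with the same header can still be accepted later.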