Luke Dashjr, Bitcoin developer and CTO of Mummalin, has registered a method that allows Ordinal inscriptions to be saved on the Bitcoin blockchain as a code vulnerability. The vulnerability, CVE-2023-50428, states that “datacarrier size limits can be bypassed by obfuscating data as code,” as Ordinal inscriptions do to embed images and other kinds of data directly onto the BTC blockchain.

Luke Dashjr Registers Bitcoin Vulnerability CVE-2023-50428

Luke Dashjr, Bitcoin developer and CTO of Mummalin, the company behind the Ocean mining pool, has registered the method that allows Ordinal inscriptions to embed data directly on top of the Bitcoin blockchain as a vulnerability. The vulnerability, registered as CVE-2023-50428, describes how the Ordinals protocol allows this data to be obfuscated and embedded into the chain.

The description of the so-called vulnerability explains:

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVB), which hosts a copy of the Common Exploits and Vulnerabilities (CVE) list, gives this exploit a 5.3 score, identifying it as a “medium” threat.

Dashjr, who has already stated that Ordinal inscriptions are a bug and expects to get the issue fixed in the next release of the Bitcoin Core full node software, is facing enormous criticism from the Bitcoin community.

Other developers have conceptually rejected the fix for this “vulnerability,” already proposed as a patch for Bitcoin Core in September. Peter Todd, a Bitcoin Core developer who opposes this change, explained that:

It is very unlikely that miners will give up that source of revenue. Censoring those transactions would simply encourage the development of private mempools – harmful to small miners – while making fee estimation less reliable.

In the same way, Bitcoin contributor Sjors Provoost stated that the approach taken by Dashjr “does not create an incentive to use a slightly less harmful method to post ‘spam,'” encouraging programmers to find more innovative ideas to avoid the proposed filter.

Ocean, a Bitcoin mining pool, uses a fork of Bitcoin Core developed by Dashjr, called Knots, which has been criticized for censoring Samourai Wallet’s private transactions after applying this fix targeting Ordinal inscriptions.

What do you think about the Bitcoin CVE-2023-50428 vulnerability? Tell us in the comments section below.