Topic: Vulnerability that allowed Ordinals to exist now has its own CVE code (Read 324 times)

legendary
Activity: 2940
Merit: 7892
Everyone is just trying to create some useless JPEG "art" that they can inscribe, hope some sucker appreciates the "value" of such a drawing and then buy it at a huge loss.

Not "everyone," but yes it would appear the majority of it is highly grifty and most people are in it for the grift, as are 99.9% of BRC-20 token makers/minters. Here's one such exception - this is cool AF - a working chess game as an inscription:

https://ordinals.com/inscription/d412d1aa997583ec5c558bee031291bac78f9f9a8acb2edccd2b6e19df64c9bbi0

There's a lot of innovative stuff happening on ordinals but we don't hear about it cuz there's no money in marketing it.

If some centralized digital trading cards company were to launch and make this exact same trading model but without blockchains, it is almost guaranteed that everyone will just go there and the Ordinals hype will dry up. Just like how they ditched NFTs for Ordinals.

They have already... Topps, which was at least at one time the biggest sports card company in the world, started releasing cards on the WAX blockchain. It flopped and they moved to their own private ledger system.

An Ordinal is an NFT, as defined by their common users. Name registrations on Namecoin and fungible tokens with pictures are also NFTs. Sorry, I don't make the rules.

Ordinals users are already blockchain users. They're not moving to a private system. That's for newbs still making the jump from physical to digital.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
I'm starting to question if Taproot was a good deal. Unpopular opinion, but do the pros outweigh the cons?

Yes. Signature aggregation (on certain types of TX) allows a smaller TX size, while Taproot in general lets you reveal only certain parts of the script, which also allows a smaller TX size and somewhat improves your privacy.

As far as I can tell stuff like Ordinals were never possible before taproot

That's not true; Ordinals and others utilize witness data, which has been possible since SegWit. And as a reminder, NFT protocols on BTC already existed before SegWit.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The appeal of ordinals (and inscriptions) is having your data stored in the world's most secure and popular blockchain. Even if it's just used as a marketing ploy, that's where the allure lies. There are already tons of other blockchains in which massive amounts of data can be stored. A few of them, such as Arweave, were created exactly for that purpose. Ordinals people don't want to use other blockchains... Well I mean they are now, but they're not as popular.

Everyone is just trying to create some useless JPEG "art" that they can inscribe, hope some sucker appreciates the "value" of such a drawing and then buy it at a huge loss.

If some centralized digital trading cards company were to launch and make this exact same trading model but without blockchains, it is almost guaranteed that everyone will just go there and the Ordinals hype will dry up. Just like how they ditched NFTs for Ordinals.
legendary
Activity: 3430
Merit: 10505
won't this cause a fork since there are also people who supported ordinals?
It depends on how it will be fixed. If it were through a fork where the exploit becomes invalid, then it would require majority support (like any other fork), and if it reaches that majority, there won't be any chain split.
But so far the proposals and efforts to prevent the abuse have been through policy rules, meaning these spam transactions would become non-standard, not invalid. Meaning nodes would refuse to relay such transactions, but they will verify them if they are already in a block.

I'm starting to question if Taproot was a good deal. Unpopular opinion, but do the pros outweigh the cons?
No, Taproot introduced Schnorr signatures, which is an excellent addition. It not only slightly compresses the signature+public key that we use each time we spend a coin but also adds the option for key aggregation, which decreases the size of multi-sig scripts to be the same size as a single-sig. It also makes using more complex scripts with branches that don't all need to be revealed on chain easier.

The problem is that with the introduction of SegWit, certain rules became looser, opening up the possibility for this type of abuse. All we have to do is reintroduce those strict rules into full nodes again.
sr. member
Activity: 281
Merit: 408
I'm starting to question if Taproot was a good deal. Unpopular opinion, but do the pros outweigh the cons? As far as I can tell stuff like Ordinals was never possible before Taproot, so at this point I'm wondering if it should have passed. I just see BTC as good enough as it is without any more bells and whistles. Transactions must move from A to B, on chain, even if more expensive, at a reasonable rate. But ORDI is just artificially cluttering the blockchain; by artificially I mean anything that isn't moving coins from A to B. Perhaps it's worth it for the LN improvements it delivers. We'll see how it plays out in the long term.
legendary
Activity: 2394
Merit: 1411
Leading Crypto Sports Betting & Casino Platform


- Monero (Mordinals... believe it or not, it's a thing now)
I'm pretty sure if any developer were to move fast preventing on-chain spam, it would be Monero's.
It's pretty easy to patch any decentralized cryptocurrency so that their nodes no longer transmit this type of data. No hard fork needed.
Already I think the hype of Ordinals on Monero died before it actually managed to catch on, but they could be done with it any moment.
legendary
Activity: 2940
Merit: 7892
And as I said previously, people who own ordinals generally don't care how "ownership" works. Few of them even use Ordinals only to store arbitrary data on the Bitcoin blockchain. Although in case the reference software[1] changes how ownership works, people will resort to keep using wallets and websites which use the old "ownership" system.

It's not a decentralized protocol like Bitcoin, and nobody ever claimed that it was. Participants agree to the set of currently-established rules, hoping that they will continue to be enforced and not change (or if they are changed, it's to resolve some kind of recurrent problem). This is how all Bitcoin-based protocols work. And it hasn't been without its hiccups, but to say it flat out "doesn't work" like franknbeans claims is a straight up lie.

Although the Monero community took the Ordinals problem seriously by adding a size limit on TX_EXTRA[2].

I skimmed through the "How It Works" section on the website I linked and it seems like there is potentially some deanonymization of the sender at risk each time a send is performed. But outside of adding to (comparatively mild) blockchain bloat, regular users of Monero remain unaffected. I don't see it catching on.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
This is crazy considering many altcoins have their own NFT protocol and Monero is supposed to offer fungibility.
ordinals doesn't work as a proof of transfer thing so it doesn't matter what type of blockchain they chuck junk on..
the junk data does not ON BLOCKCHAIN assign itself to a particular output. thus it doesn't transfer economically.
the scam/empty promise is how ordinals software makes ASSUMPTIONS not locked to block data but software policy, policy they can change without affecting/editing/breaking the blockchain.. yep they can change ownership to a different output with a couple lines of code and completely change who owns what and they don't need to break the blockchain to do it.. so it's not a solid proof of transfer. it's a scammy lame assumption without a security method of real immutable proof

And as I said previously, people who own ordinals generally don't care how "ownership" works. Few of them even use Ordinals only to store arbitrary data on the Bitcoin blockchain. Although in case the reference software[1] changes how ownership works, people will resort to keep using wallets and websites which use the old "ownership" system.

putting ordinals on monero or bitcoin makes no difference.. both are schemes and scams of putting junk on a blockchain and PRETENDING people get to claim rightful ownership when sold.. even if the proof of transfer does not operate via blockchain proofs, because ordinals does not use/need onchain proof of which output/account owns it.. it's all dodgy editable policy in ordinals software

Although the Monero community took the Ordinals problem seriously by adding a size limit on TX_EXTRA[2].

[1] https://github.com/ordinals/ord
[2] https://github.com/monero-project/monero/pull/8733
legendary
Activity: 4186
Merit: 4385
This is crazy considering many altcoins have their own NFT protocol and Monero is supposed to offer fungibility.

ordinals doesn't work as a proof of transfer thing so it doesn't matter what type of blockchain they chuck junk on..
the junk data does not ON BLOCKCHAIN assign itself to a particular output. thus it doesn't transfer economically.
the scam/empty promise is how ordinals software makes ASSUMPTIONS not locked to block data but software policy, policy they can change without affecting/editing/breaking the blockchain.. yep they can change ownership to a different output with a couple lines of code and completely change who owns what and they don't need to break the blockchain to do it.. so it's not a solid proof of transfer. it's a scammy lame assumption without a security method of real immutable proof

putting ordinals on monero or bitcoin makes no difference.. both are schemes and scams of putting junk on a blockchain and PRETENDING people get to claim rightful ownership when sold.. even if the proof of transfer does not operate via blockchain proofs, because ordinals does not use/need onchain proof of which output/account owns it.. it's all dodgy editable policy in ordinals software
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
I agree that the Ordinals should be placed on an independent blockchain and let them do their thing.

The appeal of ordinals (and inscriptions) is having your data stored in the world's most secure and popular blockchain. Even if it's just used as a marketing ploy, that's where the allure lies. There are already tons of other blockchains in which massive amounts of data can be stored. A few of them, such as Arweave, were created exactly for that purpose. Ordinals people don't want to use other blockchains... Well I mean they are now, but they're not as popular.

As with its status as a cryptocurrency, Bitcoin Ordinals are the gold standard for ordinals projects, and thus they will have higher value than ordinals on other chains, which now include:

- Litecoin
- Dogecoin (Doginals)
- Ethereum (Ethscriptions)
- Avalanche
- Solana
- Polygon

and most recently,

- Monero (Mordinals... believe it or not, it's a thing now)

This is crazy considering many altcoins have their own NFT protocol and Monero is supposed to offer fungibility.
legendary
Activity: 2940
Merit: 7892
I agree that the Ordinals should be placed on an independent blockchain and let them do their thing.

The appeal of ordinals (and inscriptions) is having your data stored in the world's most secure and popular blockchain. Even if it's just used as a marketing ploy, that's where the allure lies. There are already tons of other blockchains in which massive amounts of data can be stored. A few of them, such as Arweave, were created exactly for that purpose. Ordinals people don't want to use other blockchains... Well I mean they are now, but they're not as popular.

As with its status as a cryptocurrency, Bitcoin Ordinals are the gold standard for ordinals projects, and thus they will have higher value than ordinals on other chains, which now include:

- Litecoin
- Dogecoin (Doginals)
- Ethereum (Ethscriptions)
- Avalanche
- Solana
- Polygon

and most recently,

- Monero (Mordinals... believe it or not, it's a thing now)
hero member
Activity: 1540
Merit: 744
Bitcoin Developers should just have a hard fork and put Ordinals on their own chain. It's clear that Ordinals will only cause more problems in the future as interest in Ordinals will only continue to go up. The narrative right now is that Ordinals are the next rated Bitcoin and anyone who missed out on Bitcoin would want to join the bandwagon. In the long run, these $20 fees will only chase people from using Bitcoin. Transaction fees will only go up from here if that vulnerability isn't fixed.

$100 transaction fees incoming.
I agree that the Ordinals should be placed on an independent blockchain and let them do their thing. Waiting for people's interest to die down seems quite helpless and meaningless, as numerous new tokens keep popping up every single day and congest the network, hurting Bitcoin and its users in the process. Most of them, if not all of them, have zero purpose and are simply pump-and-dump schemes, which is the very reason the interest in them isn't just going to disappear tomorrow. This is only the beginning; if no action is taken against them, I'm positive that fees will only increase from now on.

So far, no action against them has been taken; all I've seen are a few disclosures stating that they're indeed a vulnerability and steps will be taken to solve the ongoing issue, but nothing concrete yet.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
--snip--
Interesting that the vulnerability was assigned a "medium" score of 53. Not low, not high, right in the middle. I wonder who assesses these kinds of things -- it's not easy to tell from the article. In any case, I think they got it right. Blockchain bloat is indeed a problem, but as data storage solutions continue to improve, how big of a problem will it actually be in the future?
--snip--

You got me curious, so I did some quick research and here's the short result.
1. https://nvd.nist.gov/vuln/detail/CVE-2023-50428 mentions it uses CVSS Version 3.x to give the score of 5.3.
2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-50428&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1&source=NIST mentions that CVSS Version 3.0 and 3.1 give the same score and details, with only the following detail:

Impact Subscore: 1.4
Exploitability Subscore: 3.9

3. Since the NIST website lacks some detail, I decided to look on a different website and found https://www.opencve.io/cve/CVE-2023-50428 which specifies more detail (see my screenshot below).

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I'll tell you something, I never liked the abuse of Ordinals, but I did not expect it to be classified as a vulnerability

Interesting that the vulnerability was assigned a "medium" score of 53. Not low, not high, right in the middle. I wonder who assesses these kinds of things -- it's not easy to tell from the article. In any case, I think they got it right. Blockchain bloat is indeed a problem, but as data storage solutions continue to improve, how big of a problem will it actually be in the future?

I do understand that, ideally in principle, block space should be reserved for actual transactional data, but I think the point remains.

I wonder *who* submitted the vulnerability then. Because Luke is as anti-Ordinals as you can get around these parts.

My guess it's a security researcher who routinely audits Bitcoin Core for vulnerabilities and is against Ordinals.
legendary
Activity: 2940
Merit: 7892
Luke denied writing the CVE a few hours ago:

https://cointelegraph.com/news/bitcoin-developer-luke-dashjr-denies-adding-inscriptions-nvd-vulnerability-score

Quote
Bitcoin core developer Luke Dashjr has denied playing any part in adding Bitcoin inscriptions as a cybersecurity risk on the United States National Vulnerability Database’s (NVD) Common Vulnerabilities and Exposure (CVE) list.

Dashjr courted controversy in a Dec. 6 post to X (formerly Twitter) claiming that inscriptions — used by the Ordinals protocol and BRC-20 creators to embed data on satoshis — exploit a Bitcoin Core vulnerability to “spam the blockchain.”

Some observers then pointed to Dashjr days later, when Bitcoin inscriptions appeared on the U.S. vulnerability database as part of the CVE list on Dec. 9, which described it as a security flaw that enabled the development of the Ordinals protocol in 2022.

However, despite being an outspoken Bitcoin Ordinals critic, Dashjr told Cointelegraph that he had no role in adding inscriptions to the vulnerability database’s CVE list.

Interesting that the vulnerability was assigned a "medium" score of 53. Not low, not high, right in the middle. I wonder who assesses these kinds of things -- it's not easy to tell from the article. In any case, I think they got it right. Blockchain bloat is indeed a problem, but as data storage solutions continue to improve, how big of a problem will it actually be in the future?

I do understand that, ideally in principle, block space should be reserved for actual transactional data, but I think the point remains.
copper member
Activity: 33
Merit: 152
The solution to this without causing a community rift is simple. Add an OP code which allows verification of a succinct zero knowledge proving system like groth16 (same footprint as a 3 party multisig, ~200-300 bytes) and move forward the proposals for recursive covenants. Then all of the "spam" that some people don't like goes to layer 2 zkVMs, transaction fees come down to normal and everyone is happy.
hero member
Activity: 2030
Merit: 789
Top Crypto Casino
Bitcoin Developers should just have a hard fork and put Ordinals on their own chain. It's clear that Ordinals will only cause more problems in the future as interest in Ordinals will only continue to go up. The narrative right now is that Ordinals are the next rated Bitcoin and anyone who missed out on Bitcoin would want to join the bandwagon. In the long run, these $20 fees will only chase people from using Bitcoin. Transaction fees will only go up from here if that vulnerability isn't fixed.

$100 transaction fees incoming.
sr. member
Activity: 1064
Merit: 437
#SWGT CERTIK Audited
You are right OP, this issue of ordinals is being considered by the Developers and they plan to solve this by the 27th update. I got to know about it in Finally Bitcoin Developers planning to kill Ordinals and Inscription by Gladitorcomeback. This tells us all that they are planning to kill the ordinals and it will solve all the congestion problems; well, I thought they might not consider solving it even after announcing it. But your topic indicates that a step has been taken.

Well, this is really bad for those who invested in Ordinal tokens (BRC-20); even when this news was published the price of the ORDI token was decreasing, but now it is increasing again. Although I never liked Ordinals in the first place, when this issue arose I made a topic about it, and that's when I got to know that these are not good and judged them as a bad use of the BTC blockchain (I am good at judging).
legendary
Activity: 3066
Merit: 1049
Eloncoin.org - Mars, here we come!

won't this cause a fork since there are also people who supported ordinals?

More than $20 for a transaction fee is too much, and you already throw the division on bigger blocks and the non-supporters of it. They would either see it as a feature.
And miners, due to the incentive, will not mind the ordinals. The more it exists, the higher the profits to get.
legendary
Activity: 2394
Merit: 1411
Leading Crypto Sports Betting & Casino Platform
By your definition Gmail limit of 25 MB per attachment is also a vulnerability.
Nice analogy. Let's bring it to the same terms as ordinals function.
So each email has a 25MB limit for attachments.

Yeah, start with the fact that it was 100kb when I got my first computer.
You see, things evolve, things are not forever stuck in the stone age!
Okie dokie then.
Are you for bigger blocks also?

Certainly today's bandwidth capacity and hard disk prices would permit such. And I am saying that in all honesty.
Bigger blocks could very well help with network congestion and still leave some space for stuff like ordinals.
So if we want to allow JPEGs on the Bitcoin Blockchain, might as well make more space for them instead of just allowing them while space is so limited and they cause so many issues.