
CVE-2024-52919 – Remote crash due to addr message spam (part 2)

Disclosure of the details of an integer overflow bug that causes a crash if a node is spammed
with addr messages continuously for a very long time (years). A fix was released on April 14th
2025 in Bitcoin Core v29.0.

This issue is considered Low severity.

Details

The address manager in Bitcoin Core uses a 32-bit identifier for each entry, incremented on every
insertion. An earlier security advisory explained how this enabled an attacker to remotely trigger
an assertion failure by spamming a node with addr messages until the 32-bit identifier overflows.

This was partially addressed in Bitcoin Core v22.0 by rate-limiting insertions in the address
manager to 1 address per peer every 10 seconds. This made the attack a lot more expensive if not
impractical: even with 1000 peers continuously attacking it would still take more than a year to get
the 32-bit identifier to overflow.

The remaining, more expensive attack vector was addressed in Bitcoin Core version 29.0 by making the
identifier a 64-bit identifier.
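
The rate-limit figures and the 64-bit change described above can be checked with a small model. This is an added example, not Bitcoin Core's code: IdCounter and days_to_exhaust are hypothetical names, and the counter uses unsigned types as a simplification.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed model, not Bitcoin Core's code: an identifier incremented on
// every insertion, with its width as a template parameter.
template <typename Id>
class IdCounter {
    Id next_;
public:
    explicit IdCounter(Id start = 0) : next_(start) {}

    // Unchecked: unsigned arithmetic wraps silently at the limit, so
    // identifiers restart from 0.
    Id next_unchecked() { return next_++; }

    // Checked: report exhaustion instead of wrapping.
    bool next_checked(Id& out) {
        if (next_ == std::numeric_limits<Id>::max()) return false;
        out = next_++;
        return true;
    }
};

// Days until a `bits`-wide identifier is exhausted when each of `peers`
// peers gets one insertion accepted every `interval_s` seconds.
long double days_to_exhaust(unsigned bits, long double peers, long double interval_s) {
    long double ids = 1.0L;
    for (unsigned i = 0; i < bits; ++i) ids *= 2.0L;
    return ids / (peers / interval_s) / 86400.0L;
}

int main() {
    // Figures from the advisory: 1000 peers, 1 address per peer per 10 s.
    std::printf("32-bit: %.0Lf days\n", days_to_exhaust(32, 1000, 10));
    std::printf("64-bit: %.3Le years\n", days_to_exhaust(64, 1000, 10) / 365.25L);

    // Start just below the 32-bit limit to show the wrap without
    // performing 2^32 insertions.
    IdCounter<std::uint32_t> narrow(std::numeric_limits<std::uint32_t>::max() - 1);
    narrow.next_unchecked();  // max - 1
    narrow.next_unchecked();  // max
    std::printf("after wrap: %u\n", static_cast<unsigned>(narrow.next_unchecked()));
    return 0;
}
```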

Attribution

Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, and to Martin
Zumsande for changing the identifier to 64-bit.

Timeline

  • 2021-06-21 – Initial report sent to security@bitcoincore.org by Eugene Siegel
  • 2021-07-19 – Rate limiting is merged in PR #22387
  • 2021-09-13 – v22.0 is released with rate-limiting
  • 2024-07-31 – Publication of the first security advisory
  • 2024-09-20 – Change to 64-bit identifier is merged in PR #30568
  • 2025-04-14 – Bitcoin Core v29.0 is released with the 64-bit identifier
  • 2025-04-28 – Public Disclosure
