The National Vulnerability Database (NVD) flagged Bitcoin’s inscriptions as a cybersecurity risk on Dec. 9, calling attention to the security flaw that enabled the development of the Ordinals Protocol in 2022.
According to the database records, a datacarrier limit can be bypassed by masking data as code in some versions of Bitcoin Core and Bitcoin Knots. “As exploited in the wild by Inscriptions in 2022 and 2023,” reads the document.
Being added to the NVD’s list means that a specific cybersecurity vulnerability has been recognized, cataloged, and deemed important for public awareness. The database is managed by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.
Bitcoin’s network vulnerability is currently under analysis. As one potential impact, it could result in large amounts of non-transactional data spamming the blockchain, potentially increasing network size and adversely affecting performance and fees.
On the NVD’s website, a recent post from Bitcoin Core developer Luke Dashjr on X (formerly Twitter) is featured as an information resource. Dashjr alleges that inscriptions exploit a Bitcoin Core vulnerability to spam the network. “I guess it’s like receiving junk mail that you have to sift through every day to find the ones that are your contacts. It slows down the process,” a user wrote in the discussion.
An inscription consists of embedding additional data in a specific satoshi (the smallest unit of Bitcoin). This data can be anything digital, like an image, text, or other forms of media. Each time data is added onto a satoshi, it becomes a permanent part of the Bitcoin blockchain.
Even though data embedding has been part of the Bitcoin protocol for some time, its popularity only increased with the advent of Ordinals in late 2022, a protocol that allowed unique digital art to be directly embedded into Bitcoin transactions, similar to how nonfungible tokens (NFTs) run on the Ethereum network.
The volume of Ordinals transactions clogged Bitcoin’s network several times during 2023, resulting in more competition to confirm transactions, thus increasing fees and slowing processing time.
If the bug is patched, it has the potential to restrict Ordinals inscriptions on the network. Asked if Ordinals and BRC-20 tokens “would stop being a thing” if the vulnerability was fixed, Dashjr replied, “Correct.” However, existing inscriptions would remain intact due to the immutability of the network.
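The bypass the database entry describes, data masked as code, can be checked for by measuring the bytes pushed inside script branches that can never execute. The sketch below is an added example, not code from Bitcoin Core, Bitcoin Knots or the article; the 80-byte limit, the sample scripts and the function names are assumptions, and it recognizes only the `OP_0 OP_IF` form of a dead branch.

```python
# Added illustration; not code from Bitcoin Core, Bitcoin Knots or the Ordinals project.
OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_IF, OP_NOTIF, OP_ELSE, OP_ENDIF, OP_CHECKSIG = 0x63, 0x64, 0x67, 0x68, 0xAC
ASSUMED_LIMIT = 80  # assumption: data bytes a node's policy accepts; real nodes configure this

def parse(script: bytes):
    """Yield (opcode, pushed bytes or None) for every element of a script."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if op > OP_PUSHDATA4:          # not a push: an actual operation
            yield op, None
            continue
        width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}.get(op, 0)
        n = int.from_bytes(script[i:i + width], "little") if width else op
        i += width
        if i + n > len(script):
            raise ValueError("push runs past end of script")
        yield op, script[i:i + n]
        i += n

def dead_branch_bytes(script: bytes) -> int:
    """Bytes pushed inside OP_0 OP_IF ... branches, which can never execute."""
    total, depth, dead, prev = 0, 0, False, None
    for op, data in parse(script):
        if depth == 0:
            if op == OP_IF and prev == OP_0:
                depth, dead = 1, True
        elif op in (OP_IF, OP_NOTIF):
            depth += 1
        elif op == OP_ENDIF:
            depth -= 1
        elif op == OP_ELSE and depth == 1:
            dead = not dead            # the else arm of a false condition does run
        elif data is not None and dead:
            total += len(data)
        prev = op
    return total

def exceeds_limit(script: bytes, limit: int = ASSUMED_LIMIT) -> bool:
    return dead_branch_bytes(script) > limit

def push(data: bytes) -> bytes:  # direct or OP_PUSHDATA1 encoding, enough for the samples
    prefix = bytes([len(data)]) if len(data) < OP_PUSHDATA1 else bytes([OP_PUSHDATA1, len(data)])
    return prefix + data

# Constructed sample scripts: a key check, with and without a never-executed data branch.
PLAIN = push(bytes(32)) + bytes([OP_CHECKSIG])
MASKED = PLAIN + bytes([OP_0, OP_IF]) + push(b"tag") + push(bytes(200)) + bytes([OP_ENDIF])
```

The masked sample carries 203 bytes that no execution path ever touches, which is what lets the payload sit outside a limit that only counts declared data outputs.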