Will the vulnerability CVE being adopted by the US NVD cause the collapse of the inscription ecology? "BTC Ecology"

Original | Odaily

Author | Husband How

Today, Yu Sine, the founder of the security company Slowmist, posted on the X platform that the BTC Inion vulnerability CVE was officially adopted by the National Vulnerability Database (NVD), and the CVSS vulnerability rating is 5.3 medium risk (out of 10).

"The inscription issue has been assigned a CVE number, which is a drain from the bottom of the kettle, and the attitude is clearly qualitatively a loophole. CVE numbers are nothing new, many security teams/individuals can apply for them, and we don’t pay much attention to this thing… But perhaps BTC ecosystem-related actors will value this, after all, CVE numbers are one of the most well-known proofs of vulnerability in the security industry. ”

Although Cosine has repeatedly said that he also plays (researches) inscriptions, “I feel that there will be other ways out of inscriptions, and I hope to see a better solution”, “the inscription vulnerability is officially stamped and certified” still caused discussion in the crypto community. Some did not endorse NVD’s accreditation and said that decentralized BTC should not be defined by a centralized authority.

(Screenshot of Cosine tweet)

Previously, Luke Dashjr, the developer of the BTC core client, Bitcoin Core, said that the inscription was using a vulnerability in the Bitcoin Core client to spam the blockchain, which had been assigned the identifier CVE-2023-50428. However, crypto investors are not buying it, arguing that Luke Dashjr’s successful CVE application was based on his own bias and false reasons, which is “a shameful use of public safety mechanisms.”

(Screenshot of Luke Dashjr’s tweet)

The core question for inscription holders is, does the adoption of NVD certification mean that the vulnerability needs to be fixed, which in turn will affect the inscription market?

An anonymous security source told Odaily that vulnerability authentication does not mean that it needs to be fixed, and whether it is fixed or not depends on how Bitcoin Core thinks and executes; But this does lead to the qualitative “BTC serial inscription is a vulnerability”, after all, CVE/NVD has a long-term influence in the security industry or the technology industry.

"It’s also important to know that while CVE/NVD vulnerability platforms are extremely well-known, not all of the countless vulnerabilities recorded in history have been fixed or fixed in a timely manner. This kind of vulnerability controversy is not a special case encountered by BTC, and it can be treated with a normal heart. ”

In addition, the security source said that although CVSS rated the vulnerability as 5.3 moderate, it does not mean that it threatens the security of the entire blockchain. "CVSS is a very well-known vulnerability scoring standard in the industry, and even the top standard, with a maximum score of 10 and a rating of 5.3 is telling. Medium risk, not high risk, not serious. BTC this medium-risk vulnerability will not have much impact if it is not fixed or will not have much impact in the short term, BTC serial number inscriptions (including those BRC-20) are exploiting this vulnerability as long as they are trading or on-chain activity, which in Luke Dashjr’s eyes is bringing about a spam attack. Spam is garbage, that’s all, but it’s not garbage, and it’s a topic that everyone has to say, so it’s very controversial. ”

Cosine also expressed his opinion on social media, saying: “CVE vulnerabilities do not necessarily mean that they will be fixed or necessary, especially if the vulnerability score is not high, such as the 5.3 medium risk level of the BTC number vulnerability, from the details, there are many indicators that affect the final score, some of which are 0 points, and the “impact” indicator of lmpact is only 1.4 points.” If this is the case, it really depends on the attitude of Bitcoin Core whether it will be fixed or not, and whether it will be implemented after the repair depends on the attitude of the miners. ”

(Inscription Vulnerability Scoring)

At present, the crypto community is still debating the “vulnerability” of the inscription, and the introduction of NVD adoption certification has undoubtedly exacerbated the conflict between the two sides again. From a developer’s perspective, it’s normal for a vulnerability to be created in a system and fixed for it, no matter how important it is. However, for the inscription ecology that exploits this vulnerability, especially for many stakeholders, this is undoubtedly “cutting off people’s money”.

Nowadays, the inscription is bringing a new narrative and vitality to the BTC ecosystem, and it is expected that developers and ecological builders can negotiate and agree as soon as possible to find an optimal solution.