CVE-2023-50428: 
Bitcoin Core vulnerability analysis and mitigation

CVE-2023-50428 affects Bitcoin Core through version 26.0 and Bitcoin Knots before version 25.1.knots20231115. The vulnerability allows datacarrier size limits to be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), which has been exploited in the wild by Inscriptions in 2022 and 2023. This vulnerability is disputed, as some consider it "not a bug" while others, particularly the Bitcoin Knots project, view it as a security issue (NVD).

The vulnerability involves the ability to bypass the datacarrier size limits in Bitcoin transactions by disguising data as program code. This is accomplished using script operations like OP_FALSE OP_IF to obfuscate the data. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability allows users to bypass intended transaction data size restrictions, potentially leading to blockchain bloat and increased resource requirements for node operators. This has been particularly evident with the rise of Inscriptions, which utilize this method to store larger amounts of data on the blockchain than originally intended by the datacarrier size limits (SecurityOnline).

Bitcoin Knots has addressed this issue in version 25.1.knots20231115 by updating the -datacarriersize policy limit to match newer style datacarrier transactions and introducing an additional -datacarriercost option to avoid giving the "segwit discount" to arbitrary data. The fix allows for increased fees for datacarrier transactions (Bitcoin Knots).

The vulnerability has sparked debate in the Bitcoin community, with some viewing it as a legitimate security concern while others consider it "not a bug." Bitcoin Core developer Luke Dashjr has publicly identified this as a vulnerability being exploited to spam the blockchain, while others in the community view it as an innovative feature (SecurityOnline).