
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical consensus vulnerability was discovered in btcd versions prior to 0.24.0. The vulnerability stems from an incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112: the transaction version is treated as a signed integer instead of unsigned, as the BIPs specify (Delving Bitcoin).
The vulnerability arises from btcd's handling of transaction versions in its BIP 68 and BIP 112 implementations. While both Bitcoin Core and btcd store the transaction version as a signed 32-bit integer, the BIPs specify that it should be treated as unsigned in the context of BIP 68 and BIP 112 validation. btcd failed to perform the necessary cast to uint32, resulting in incorrect handling of transactions with negative versions (Delving Bitcoin).
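The signed-versus-unsigned difference described above, as an added Go example that is not btcd's or Bitcoin Core's code: it decodes a version field and applies the "version at least 2" threshold from BIP 68 both ways, reporting where the two readings disagree. All function names and the sample byte strings are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical helper names; this models the comparison, it is not btcd's code.

// decodeVersion reads the 4-byte little-endian version field that starts a
// serialized transaction and returns it as the signed int32 both nodes store.
func decodeVersion(raw []byte) (int32, error) {
	if len(raw) < 4 {
		return 0, errors.New("need at least 4 bytes for the version field")
	}
	return int32(binary.LittleEndian.Uint32(raw[:4])), nil
}

// relativeLocksSigned compares the stored value directly (the flawed form):
// any version with the top bit set is negative, so it never reaches 2.
func relativeLocksSigned(v int32) bool { return v >= 2 }

// relativeLocksUnsigned casts to uint32 first, as BIP 68 and BIP 112 require.
func relativeLocksUnsigned(v int32) bool { return uint32(v) >= 2 }

// diverges reports whether the two readings disagree for this version.
func diverges(v int32) bool {
	return relativeLocksSigned(v) != relativeLocksUnsigned(v)
}

func main() {
	// Constructed sample version fields (little-endian), not real transactions.
	samples := [][]byte{
		{0x01, 0x00, 0x00, 0x00},
		{0x02, 0x00, 0x00, 0x00},
		{0xff, 0xff, 0xff, 0xff},
		{0x00, 0x00, 0x00, 0x80},
	}
	for _, raw := range samples {
		v, err := decodeVersion(raw)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fmt.Printf("bytes=%x int32=%d uint32=%d signed=%t unsigned=%t diverges=%t\n",
			raw, v, uint32(v), relativeLocksSigned(v), relativeLocksUnsigned(v), diverges(v))
	}
}
```

Only versions with the top bit set diverge; versions 1 and 2 are read identically by both comparisons.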
If exploited, this vulnerability can cause btcd nodes to reject blocks that Bitcoin Core nodes would accept (or vice versa), leading to chain splits. Lightning nodes that use btcd as their chain backend could then risk losing funds because they miss updates to the canonical chain. Additionally, attackers could potentially trigger a split and mine on the 'btcd chain' to deceive btcd users into accepting payments that would not be valid on the canonical chain. Miners using btcd could waste resources mining on an invalid chain (Delving Bitcoin).
Users of btcd are strongly advised to upgrade to version v0.24.0 or above, which contains the fix for this vulnerability. The fix was merged into btcd on June 21, 2023 (Delving Bitcoin).
The btcd project acknowledged the severity of the issue by awarding a bug bounty reward of 0.023 BTC to the researcher who discovered the vulnerability (Delving Bitcoin).
Source: This report was generated using AI