Bitcoin inscriptions receive 5.3 severity score on National Vulnerability Database

Bitcoin inscriptions have received a base security score of "5.3 Medium" on the U.S. National Vulnerability Database.

Update (Dec. 13, 12:05am): This article has been changed to reflect clarification from Luke Dashjr, who says he had requested Bitcoin inscriptions be given a CVE number, but did not have a part in it being added to the NVD.

Bitcoin inscriptions have received a 5.3 medium base severity score from the National Vulnerability Database — a repository of cybersecurity risks managed by the United States government.

Bitcoin inscriptions first appeared on the U.S. vulnerability database as part of the Common Vulnerabilities and Exposures (CVE) Assignment list on Dec. 9. The listing claimed inscriptions were a security flaw that enabled the development of the Ordinals protocol in 2022.

On Dec. 11, the NVD updated the listing by assigning inscriptions a base severity score of “5.3 Medium.”

The CVE List has assigned a 5.3 Medium score to the Inscriptions listing. Source: NVD

According to data from software firm Atlassian, a medium score refers to a vulnerability where exploitation provides “very limited” access to a network, or to denial-of-service attacks that are quite difficult to execute.

Speaking to Cointelegraph, Bitcoin core developer Luke Dashjr said that a major factor in the NVD's 5.3 score was the vulnerability's low availability impact on the Bitcoin network. Still, he argued the score could be understating its potential long-term effects.

“I think this [score] may understate the impact, failing to consider the long-term effects of blockchain bloat. If they had classified the availability impact as ‘High,’ the CVSS base score would be 7.5.”

While Dashjr has denied any part in getting Bitcoin inscriptions on the NVD, he admits he had initially requested the CVE number, which saw it added to the CVE list.

Notably, the CVE list is designed so any developer can submit a potential vulnerability. It is typically listed as long as the CVE Assignment Team deems it important for public awareness. Once it receives a score from analysts at the National Institute of Standards and Technology, it is published on the NVD.

Dashjr courted controversy in a Dec. 6 post to X (formerly Twitter) claiming that inscriptions — used by the Ordinals protocol and BRC-20 creators to embed data on satoshis — exploit a Bitcoin Core vulnerability to “spam the blockchain.”


The debate around the nature of Bitcoin inscriptions continues to rage across social media. While many Bitcoiners claim that inscriptions are “spamming the network,” advocates of Ordinals such as Taproot Wizards co-founder Udi Wertheimer say Ordinals are crucial to the next major wave of adoption and revenue generation for the Bitcoin network.

The Bitcoin network has seen increased congestion over the past few months due to a wider craze around Ordinals’ nonfungible token inscriptions and BRC-20 token minting.

According to mempool.space, there are more than 275,000 unconfirmed transactions, and average medium-priority transaction costs have increased to around $14 from roughly $1.50. If the so-called inscriptions bug is patched, it could potentially restrict future Ordinals inscriptions on the network.
