
Bitcoin Ordinals Listed as Vulnerability in U.S. National Database

Labeled as a vulnerability, Ordinals face scrutiny for increasing block sizes and congesting the network. This issue, now officially recognized, raises critical concerns about the future scalability and efficiency of the Bitcoin network.

The discussion around Bitcoin Ordinal Inscriptions has taken a new turn, with Inscriptions now being marked as a vulnerability and included in the U.S. National Vulnerability Database (NVD). The vulnerability has been assigned the identifier CVE-2023-50428 and is currently pending analysis. At present, this is perhaps the most debated vulnerability in the database, yet it is not the first to be related to cryptocurrencies, as there have been many others previously listed.

The U.S. National Vulnerability Database was founded as part of an initiative to help improve cybersecurity. The NVD is maintained by the National Institute of Standards and Technology, which is a part of the U.S. Department of Commerce. Being included in the NVD list indicates that a particular cybersecurity vulnerability has been identified, documented, and acknowledged as important for public awareness. It also encourages the development of updates to fix vulnerabilities and generally promotes a culture of security. 

Many other countries have similar databases, for example those maintained by the European Union Agency for Cybersecurity (ENISA) or the Australian Cyber Security Centre (ACSC).

According to the description on the website, the vulnerability allows the bypassing of data size limits by obfuscating data as code.

“In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.”

At a basic level, it enables users to embed substantial chunks of data within Bitcoin transactions. The data is wrapped in script so that it looks like program code, as in the OP_FALSE OP_IF construction named in the description, which keeps it outside the datacarrier size limit and can result in network spam and higher transaction fees.
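As an added illustration (not code from the article, Bitcoin Core or Bitcoin Knots), the following Python sketch shows how a node-side filter could measure data hidden in the `OP_FALSE OP_IF ... OP_ENDIF` pattern the CVE description names. The 83-byte limit is an assumption (the default `-datacarriersize` value in Bitcoin Core releases named by the CVE), and the sample scripts are constructed.

```python
# Added example: measure data hidden in OP_FALSE OP_IF ... OP_ENDIF branches.
OP_FALSE, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_IF, OP_NOTIF, OP_ENDIF, OP_CHECKSIG = 0x63, 0x64, 0x68, 0xAC
DATACARRIER_LIMIT = 83  # assumption: default -datacarriersize (bytes), not stated on the page

def parse_script(script: bytes):
    """Return [(opcode, pushed_bytes_or_None), ...] for a raw Bitcoin script."""
    ops, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if op > OP_PUSHDATA4:            # not a push opcode
            ops.append((op, None))
            continue
        n = op                           # opcodes 0x00-0x4b push that many bytes
        if op >= OP_PUSHDATA1:           # explicit little-endian length field follows
            width = 1 << (op - OP_PUSHDATA1)   # 1, 2 or 4 bytes
            if i + width > len(script):
                raise ValueError("truncated push length")
            n = int.from_bytes(script[i:i + width], "little")
            i += width
        if i + n > len(script):
            raise ValueError("truncated push data")
        ops.append((op, script[i:i + n]))
        i += n
    return ops

def dead_branch_payloads(script: bytes):
    """Bytes pushed inside each never-executed OP_FALSE OP_IF ... OP_ENDIF region."""
    ops, sizes, i = parse_script(script), [], 0
    while i + 1 < len(ops):
        if ops[i][0] != OP_FALSE or ops[i + 1][0] != OP_IF:
            i += 1
            continue
        total, depth, i = 0, 1, i + 2
        while i < len(ops) and depth:    # track nesting until the matching OP_ENDIF
            op, data = ops[i]
            depth += (op in (OP_IF, OP_NOTIF)) - (op == OP_ENDIF)
            total += len(data) if data is not None else 0
            i += 1
        sizes.append(total)
    return sizes

def over_limit(script: bytes, limit: int = DATACARRIER_LIMIT):
    """Dead-branch payload sizes that exceed the datacarrier limit."""
    return [n for n in dead_branch_payloads(script) if n > limit]

# Constructed sample: key push, OP_CHECKSIG, then 3 + 520 + 520 bytes in a dead branch.
chunk = bytes([OP_PUSHDATA2]) + (520).to_bytes(2, "little") + b"\x00" * 520
SAMPLE = (b"\x20" + b"\x11" * 32 + bytes([OP_CHECKSIG, OP_FALSE, OP_IF])
          + b"\x03tag" + chunk * 2 + bytes([OP_ENDIF]))
PLAIN = b"\x20" + b"\x11" * 32 + bytes([OP_CHECKSIG])
```

The constructed sample carries 1,043 bytes in a branch that never executes, while the same script without the branch reports nothing.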

Using this loophole, Ordinals embed images and text onto individual satoshis, the smallest Bitcoin unit, making each uniquely collectible, akin to a version of non-fungible tokens. This has had a dramatic effect on the Bitcoin network.

The average block size has nearly doubled. Before the introduction of Ordinals, it was approximately 1.1MB, but following their rise in popularity, it surged past 2MB and is now averaging around 1.7MB. Ordinals already consume over 50% of Bitcoin block space. 


Given that Bitcoin block size is capped at 4MB, a further rise in the popularity of Ordinals could create significant issues for the network. If there is a rush into them, the block size could increase even more, possibly hitting the limit. This would lead to an increasing number of pending transactions on the network and skyrocketing transaction fees, resembling the worst traffic day of the year.

As we previously reported, Bitcoin Core developers appear to be firmly opposed to the use of Ordinals. Luke Dashjr, a developer for Bitcoin Core, has said on X (formerly Twitter) that he considers Ordinals to be exploiting a vulnerability. He suggests that this issue should be addressed in the upcoming V27 release of their Bitcoin client, slated for next year. However, he clarified that he had no role in the inclusion of Bitcoin inscriptions in the NVD.

Bitcoin Core, along with several other entities, develops software that is utilized by Bitcoin node operators.

It’s important to note that the Bitcoin Core team only released V26 of the client on December 6, indicating that the delivery of V27 may take some time. In contrast, Bitcoin Knots, another popular Bitcoin node client developer, has already addressed this “vulnerability” in their v25.1 release. 

Considering the dominance of the Bitcoin Core client in the Bitcoin ecosystem, there is a possibility that some node operators may eventually feel compelled to adopt new software that excludes Ordinals from the network.


Meanwhile, certain node operators are already indicating their intention to switch to Bitcoin Knots, specifically to censor Ordinals. Notably, Ocean, a mining operation backed by Jack Dorsey, has announced its deployment of the Bitcoin Knots v25.1 client, in an effort to fix a “long-standing vulnerability”.

“...Among other improvements, this upgrade fixes this long-standing vulnerability exploited by modern spammers. As a result, our blocks will now include many more real transactions and help to bring an end to the DoS attack being performed on the Bitcoin network.”

Despite the backlash against Ordinals in the Bitcoin developer community, the emerging Ordinals ecosystem has at least six months (likely more) to develop a survival plan. Without this, they risk being completely eliminated from the Bitcoin network.