From 01c28073ba2cae5a53124c7dc7123240b98513ce Mon Sep 17 00:00:00 2001
From: Peter Todd
Date: Sat, 20 Sep 2014 12:32:42 -0400
Subject: [PATCH] Add warning about the merkle-tree algorithm duplicate txid flaw

Lots of people read the Bitcoin Core codebase to learn more about crypto; better to warn about flaws explicitly so they don't blindly copy the code for other uses and create broken systems.
---
 src/core.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/core.cpp b/src/core.cpp
index 491e4fa68..e52327ba8 100644
--- a/src/core.cpp
+++ b/src/core.cpp
@@ -226,6 +226,13 @@ uint256 CBlockHeader::GetHash() const
 uint256 CBlock::BuildMerkleTree() const
 {
+ // WARNING! If you're reading this because you're learning about crypto
+ // and/or designing a new system that will use merkle trees, keep in mind
+ // that the following merkle tree algorithm has a serious flaw related to
+ // duplicate txids, resulting in a vulnerability. (CVE-2012-2459) Bitcoin
+ // has since worked around the flaw, but for new applications you should
+ // use something different; don't just copy-and-paste this code without
+ // understanding the problem first.
 vMerkleTree.clear();
 BOOST_FOREACH(const CTransaction& tx, vtx)
 vMerkleTree.push_back(tx.GetHash());