Hard Guarantees #2: Length Extension Attacks

Why Length Extension Attacks Don’t Work on Bitcoin Block Headers

If you’ve ever worked with SHA-256, you’ve probably heard that it is susceptible to a length extension attack. This is a structural property of Merkle–Damgård hash functions rather than a weakness in the compression function: the digest is just the hash’s final internal state, so anyone who knows SHA256(m) and the length of m can compute a valid SHA256(m || padding || suffix) for a suffix of their choosing, without ever learning m itself. That is what breaks naive constructions such as SHA256(secret || message) used as a MAC.

The blockchain is linked together through block headers, and each block helps secure trillions of dollars’ worth of value. Naturally, a question comes up:

“Could this be used to tamper with a Bitcoin block header?”

Short answer: No. Here’s why.

Bitcoin block headers go through a double SHA-256 hash. That means:

block_hash = SHA256(SHA256(block_header))

That second hash breaks the attack chain completely because:

The attacker sees only the outer digest, SHA256(SHA256(block_header)).

A length extension has to resume from the hash of the message being extended. For a block header that is the inner digest, SHA256(block_header), and it is never published; the outer hash hides it.

Extending the outer digest is possible but useless. It produces SHA256(inner_digest || padding || suffix), the plain hash of a string at least 65 bytes long (32 bytes of digest, 32 bytes of padding, then the suffix). For that to be the block hash of some header, the 32-byte value SHA256(header) would have to equal that longer string, which cannot happen. Short of a SHA-256 collision, the result is not the double hash of anything.

Even if Bitcoin used a single SHA-256, the attack would still go nowhere. Suppose someone did extend a block header:

  1. The hash changes, so the block no longer meets the proof-of-work target. You can’t edit your way around that; you’d have to redo the computational work for the new header, and the extra bytes were never part of what the miner hashed in the first place.
  2. Nodes would reject the block anyway. The block header is exactly 80 bytes (version, previous block hash, merkle root, timestamp, bits, nonce), so an extended header is malformed. A node that receives a header of any other length discards it at deserialization, before the hash is ever checked.

Any length extension attempt results in a different hash and fails the mining test. It also violates the block header format and gets rejected at the protocol level. But the elegant part of the Bitcoin protocol design is that Bitcoin doesn’t rely on just one line of defense.
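Here is the argument above run in code, as an added example that is not part of the original post or of Bitcoin Core: a compact pure-Python SHA-256 whose chaining state can be seeded with a known digest (hashlib does not expose this), the extension forgery against a single SHA-256 of a constructed 80-byte stand-in header, the same attempt against the double hash, and the 80-byte length check. The header bytes, the suffix `b"attacker data"` and all function names are constructed for the example.

```python
"""Length extension on SHA-256 versus double SHA-256.
Added example, not Bitcoin Core code. A compact pure-Python SHA-256 is used
because hashlib cannot be seeded with an arbitrary chaining state, which is
what the attack needs. The "header" is a constructed 80-byte stand-in."""
import hashlib
import struct

MASK = 0xFFFFFFFF
HEADER_LEN = 80  # a Bitcoin block header is exactly 80 bytes

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _frac_root32(x, k):
    """floor(frac(x ** (1/k)) * 2**32) in exact integer arithmetic."""
    target, lo, hi = x << (32 * k), 0, 1 << 36
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= target else (lo, mid - 1)
    return lo & MASK

# FIPS 180-4 constants: IV from square roots of the first 8 primes, K from cube roots of the first 64.
IV = [_frac_root32(p, 2) for p in _primes(8)]
K = [_frac_root32(p, 3) for p in _primes(64)]

def _compress(state, block):
    """One SHA-256 compression step: absorb a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_padding(total_len):
    """Merkle-Damgard padding for total_len message bytes: 0x80, zeros, 64-bit bit count."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256_resume(state_bytes, suffix, absorbed_len):
    """Treat a digest as the chaining state after absorbed_len bytes (a multiple
    of 64), absorb suffix, pad for the full length and finalize."""
    state = list(struct.unpack(">8I", state_bytes))
    data = suffix + md_padding(absorbed_len + len(suffix))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">8I", *state)

def sha256(msg):
    return sha256_resume(struct.pack(">8I", *IV), msg, 0)

def matches_hashlib(msg):
    return sha256(msg) == hashlib.sha256(msg).digest()

def extend(known_digest, orig_len, suffix):
    """The attack: from SHA256(m) and len(m) alone, return (glue, digest) with
    digest == SHA256(m + glue + suffix). The bytes of m are never needed."""
    glue = md_padding(orig_len)
    return glue, sha256_resume(known_digest, suffix, orig_len + len(glue))

def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def demo():
    header = bytes(range(HEADER_LEN))  # constructed stand-in, not a real header
    suffix = b"attacker data"
    inner = hashlib.sha256(header).digest()
    # 1. Single SHA-256: digest plus length is enough to forge a longer message.
    glue, forged = extend(inner, HEADER_LEN, suffix)
    extended = header + glue + suffix
    # 2. Double SHA-256: the attacker only sees `outer`, so resuming from it
    #    yields SHA256(inner || glue2 || suffix), a plain hash of a 77-byte string.
    #    No 32-byte SHA256(x) can equal that string, so without a collision
    #    the forgery is the double hash of nothing.
    outer = double_sha256(header)
    glue2, forged_outer = extend(outer, len(outer), suffix)
    return {
        "single_hash_forged": forged == hashlib.sha256(extended).digest(),
        "outer_extension_is_plain_sha256":
            forged_outer == hashlib.sha256(inner + glue2 + suffix).digest(),
        "double_hash_forged": forged_outer == double_sha256(extended),
        "extended_header_accepted": len(extended) == HEADER_LEN,  # 141 != 80
        "extended_header_len": len(extended),
    }
```

Calling demo() gives single_hash_forged True, outer_extension_is_plain_sha256 True, double_hash_forged False and extended_header_accepted False for a 141-byte forgery. Note that the single-hash forgery never needed the original header bytes, only its digest and its length; what stops the attack against the real block hash is that the inner digest is never observable, and the 80-byte check catches the malformed header independently.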

Double SHA-256 closes off length extension at the cryptographic level.

Block format validation stops malformed data.

Proof of work ensures nobody can skip the cost of honesty.

And network consensus ensures only the valid chain with the most accumulated proof of work survives.

It’s not “we hope miners don’t cheat” or “we hope nodes check formats” or “we hope nobody finds a clever way to abuse padding.” It’s all of those together, each one shrinking the attack surface the others have to cover.

It’s a hallway of locked doors. You don’t get in by tricking just one. You’d have to break through all of them, and Bitcoin was designed so each lock reinforces the next.

If you’re into security or distributed systems, understanding how Bitcoin closes off even these edge-case attack paths is a great study in layered protocol design.