How Bad Is Ethereum’s Latest Geth Exploit?

Geth, also known as “Go Ethereum,” the Ethereum blockchain’s most popular software client, was hit by a major exploit yesterday. The bug affects older versions of the Geth client, specifically v1.10.7 and earlier.

The exploit reportedly affected more than 50% of Ethereum clients: older ones that had not been updated to the latest hotfix released by the Go Ethereum developers on August 24. As a result of the exploit, the Ethereum blockchain underwent an unplanned hard fork, splitting the blockchain in two. 74% of clients use Geth, and 73% of those were on the older version, which means a whopping 54% of Ethereum nodes are running with the bug.

The Go Ethereum team discovered the vulnerability on August 18 but did not reveal its nature, to keep others from exploiting the issue. Ethereum team lead Péter Szilágyi had said they would reveal the attack vector at a later date:

“The exact attack vector will be provided at a later date to give node operators and dependent downstream projects time to update their nodes and software,”

PSA: On Tuesday Aug 24th, Geth will issue a hotfix to a high severity security issue. Please make any necessary preparations to upgrade to the upcoming release (v.1.10.8). #ethereum #geth
— Go Ethereum (@go_ethereum) August 18, 2021

Although the Go Ethereum team did not reveal the nature of the vulnerability, it seems the attacker managed to figure it out and went on to attack older clients that had not applied the hotfix. Although the network asked everyone to upgrade to the latest version, the data suggest only 30% of validators did so, which made the attack easier once the vulnerability was found.
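For operators checking their own nodes against the affected range (v1.10.7 and earlier, fixed in v1.10.8), the following added example, which is not code from the article or from the Go Ethereum project, classifies the client strings a node reports via `web3_clientVersion`. The string layout `Geth/[identity/]vX.Y.Z-.../os-arch/goversion` is an assumption, and the sample fleet is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// First patched release per the article; v1.10.7 and earlier are affected.
var patched = [3]int{1, 10, 8}

// Assumed layout: "Geth/v1.10.7-stable-<commit>/linux-amd64/go1.16.7",
// optionally with one identity segment between "Geth/" and the version.
var gethRe = regexp.MustCompile(`^Geth/(?:[^/]+/)?v(\d+)\.(\d+)\.(\d+)`)

// Classify returns "vulnerable", "patched", or "unknown" (non-Geth or unparseable).
func Classify(clientVersion string) string {
	m := gethRe.FindStringSubmatch(clientVersion)
	if m == nil {
		return "unknown" // other clients are not judged by Geth's version numbers
	}
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return "unknown"
		}
		if n < patched[i] {
			return "vulnerable"
		}
		if n > patched[i] {
			return "patched"
		}
	}
	return "patched" // exactly v1.10.8
}

// Audit counts each classification across a fleet of client strings.
func Audit(fleet []string) map[string]int {
	counts := map[string]int{}
	for _, cv := range fleet {
		counts[Classify(cv)]++
	}
	return counts
}

func main() {
	fleet := []string{ // constructed sample strings, not from real nodes
		"Geth/v1.10.7-stable-aaaaaaaa/linux-amd64/go1.16.7",
		"Geth/validator-01/v1.9.25-stable-bbbbbbbb/linux-amd64/go1.15.6",
		"Geth/v1.10.8-stable-cccccccc/linux-amd64/go1.16.7",
		"Nethermind/v1.10.79-0-dddddddd/X64-Linux/5.0.9",
	}
	fmt.Println(Audit(fleet)) // map[patched:1 unknown:1 vulnerable:2]
}
```

Strings that do not start with `Geth/` are reported as unknown rather than compared, so another client's unrelated version number is never mistaken for a vulnerable Geth release.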

What Was the Nature of the Attack and How Does It Impact the Ethereum Blockchain?

The idea of making people aware of the bug in advance failed miserably, as it was only a matter of time before someone managed to identify the problem. The Ethereum developers believe the plan failed miserably, but more so because node validators failed to update to the patched version in time. The attacker managed to commit changes to a precompiled contract by adding a change to the same memory location as a function.

A Twitter user who goes by the name of “Good Guy Biker – Vancouver BC Canada” gave a complete breakdown of the exploit and also explained the nature of the attack. As a result of the vulnerability, the Ethereum network was running two chains simultaneously, and if the bad one had not been discarded in time it could have led to a double-spend or 51% attack, since a majority of validators had not updated their clients.

As promised here is a breakdown on the current ongoing exploit of the gETH network. Attack contract here https://t.co/aDazyM2WaK Using STATICCALL the recompiled contract to execute RunPrecompiledContract function. The contract returns the 0x4 smart contract reference of … pic.twitter.com/lQtST36NqQ
— Good Guy Biker – Vancouver BC Canada (@SpillyGuy) August 28, 2021

This is not the first time the Ethereum network has faced a chain split due to a vulnerability in an older version of the Geth client. In November a similar issue led to another chain split as validators failed to upgrade. Talking about the pre-announcement, an Ethereum developer said,

“Last time we did a hotfix, people were angry that we didn’t announce it. This time we decided to try it differently. Let’s see which works better,”
