How A Security Vulnerability Affected Ethereum And Led To A Chain Split
The Ethereum network is facing a chain split after an exploit forced over 50% of its nodes to upgrade their client to prevent further attacks. This security vulnerability was detected, reported, and fixed by Go Ethereum, developers of the affected client, Geth.
On August 24th, 2021, via their official Twitter handle, Go Ethereum and its Team Lead, Péter Szilágyi, released Geth v1.10.8. Users were encouraged to update to this new version to “avoid attacks on Ethereum and downstream projects”.
Specifically, the vulnerability affects version 1.10.0 or previous versions of the Geth EVM, causing nodes to be unable to process the chain, Go Ethereum revealed on a GitHub repository. The bug was found by Guido Vranken, a member of blockchain security firm Sentnl, while auditing the Telos EVM.
The biggest concern is that the security vulnerability could enable double-spending attacks. In other words, an exploit that would allow a bad actor to disrupt the blockchain and spend the same Ethereum-based asset twice.
Data from Ethernodes.org indicates that Geth is the most used client with 3,958 nodes (74.67% of the Ethereum network), followed by OpenEthereum with 980 (18.49%), Erigon with 249 (4.70%), and others.
Therefore, a large portion of the network was susceptible to this vulnerability, but the majority of the nodes upgraded to the newest version. BTC.com and exchange Binance recently reported that their nodes are running the newest version of the client.
A consensus bug hit #ethereum mainnet today, exploiting the consensus-bug that was fixed in geth v1.10.8. Fortunately, most miners were already updated, and the correct chain is also the longest (canon) PSA: Update to v1.10.8! — M H (((Swende))) (@mhswende) August 27, 2021
Still, researcher Igor Igamberdiev found evidence of bad actors trying to exploit the vulnerability. The bug can affect other blockchains that are EVM-compatible, such as Binance Smart Chain (BSC) and Polygon.
Thus, Igamberdiev reported the address used for the exploit on Ethereum and the BSC. The researcher claimed that there was no exploit on Polygon.
And this is BSC exploit tx https://t.co/dlcw6VYbsR — Igor Igamberdiev (@FrankResearcher) August 27, 2021
Infura, a major Ethereum-based infrastructure provider, reported no issues related to the bug. The company confirmed that its nodes were successfully upgraded:
Earlier today, a security vulnerability was exploited on the Ethereum mainnet affecting geth versions <1.10.8. Infura is unaffected by this exploit. We were in close contact with Ethereum Foundation and our infrastructure was updated upon release of the hotfix on the 24th.
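As an added example (not code from the article, Infura or Go Ethereum), this check classifies a fleet of nodes against the v1.10.8 fix using the strings they report for web3_clientVersion. The node names and version strings are constructed samples, and the handling of "-unstable" builds is an assumption.

```python
import re

FIXED = (1, 10, 8)  # Geth release the article names as the fix
_VERSION = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+))?")

def classify(client_version):
    """Classify one web3_clientVersion string.

    Returns 'patched', 'vulnerable', 'not-geth' or 'unknown'.
    Only meaningful for upstream go-ethereum: downstream forks keep
    their own version numbering and need their own fixed release.
    """
    parts = client_version.strip().split("/")
    if parts[0].lower() != "geth":
        return "not-geth"
    # With a custom node identity, a name sits between "Geth" and the
    # version, so scan the segments instead of trusting a fixed position.
    for segment in parts[1:]:
        m = _VERSION.match(segment)
        if not m:
            continue
        # Compare numerically: as strings, "1.10.10" sorts below "1.10.8".
        version = tuple(int(n) for n in m.group(1, 2, 3))
        if version < FIXED:
            return "vulnerable"
        if version == FIXED and m.group(4) == "unstable":
            # Assumption: "-unstable" marks a development build cut before
            # the tagged release, so it may lack the fix.
            return "unknown"
        return "patched"
    return "unknown"

def audit(nodes):
    """Group node names by status; `nodes` maps name -> clientVersion."""
    report = {}
    for name, client_version in sorted(nodes.items()):
        report.setdefault(classify(client_version), []).append(name)
    return report

# Constructed sample fleet (hypothetical names and build hashes).
SAMPLE = {
    "rpc-1": "Geth/v1.10.8-stable-aaaaaaaa/linux-amd64/go1.16.7",
    "rpc-2": "Geth/v1.10.7-stable-bbbbbbbb/linux-amd64/go1.16.7",
    "archive-1": "Geth/archive-eu/v1.10.6-stable-cccccccc/linux-amd64/go1.16.5",
    "dev-1": "Geth/v1.10.8-unstable-dddddddd/linux-amd64/go1.16.7",
    "oe-1": "OpenEthereum//v3.3.0-stable/x86_64-linux-gnu/rustc1.51.0",
}

if __name__ == "__main__":
    for status, names in audit(SAMPLE).items():
        print(f"{status}: {', '.join(names)}")
```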
Ethereum And Its Security Bugs, The Price To Pay For Its Development?
The incident was used by Ethereum detractors to emphasize the problems that affect the network. Others, like Kevin Sekniqi, COO at Ava Labs, called the event a “nothing burger”:
Before anyone starts FUD-ing this, this is perfectly normal. Miners will upgrade, and this will be resolved quickly. This is frankly a nothingburger, although exchanges and other key ecosystem entry points need to be careful about having upgraded nodes.
A Bitcoin investor claimed that BTC “does soft forks” to prevent these types of bugs. However, Ethereum core developer Tim Beiko claimed that the bug was found “between two versions” of a client’s implementation.
Highlighting the decentralized nature of the network, Beiko said that other nodes were not affected by the vulnerability. He added:
Probably not worth engaging to be honest, but seems like a reasonable price to pay to actually do stuff on ETH. I say this as someone who owns BTC for what is worth.
At the time of writing, ETH trades at $3,240 with a 4.4% profit in the daily chart. The report is yet to negatively impact ETH’s price.