Ethereum network survives malicious attack, but raises serious security concerns
The Ethereum (ETH) blockchain survived what appeared to be an intentional attack on December 31, which reportedly came very close to bringing down the entire network. Liam Aharon, an Australia-based blockchain developer, confirmed that the attack exploited a software glitch in a widely-used Ethereum client, called Parity.
As noted by Sergio Demian Lerner, a cryptocurrency security consultant:
“The attack is simple: you send to a Parity node a block with invalid transactions, but valid header (borrowed from another block). The node will mark the block header as invalid and ban this block header forever but the header is still valid.”
George Pîrlea, a distributed systems expert, further explained:
“The attack consists of sending a block along with a header that doesn’t match the block. Parity verified the block, noticed it did not match the header, and then marked the *header* as bad. This means the real/correct body would never be downloaded.”
Aharon pointed out that the attack exploited a bug in the Parity client by “tricking” the vulnerable nodes into treating a valid block as invalid.
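To make the failure mode concrete, here is an added, simplified model of the import logic described above (constructed for this article, not Parity's or Geth's code): a header commits to its body via a transaction root, a node receives a valid header paired with a body that does not match it, and the only difference between the vulnerable and hardened variants is whether the node blames the header or the body. The toy root and hash functions are assumptions standing in for the real Merkle root and Keccak hash.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model: a header commits to its body through `tx_root`.
#[derive(Clone, Debug, PartialEq)]
pub struct Header { pub number: u64, pub tx_root: u64 }
#[derive(Clone, Debug)]
pub struct Body { pub txs: Vec<u64> }

// Toy commitment (assumption; a real client uses a Merkle root of the txs).
pub fn tx_root(body: &Body) -> u64 {
    body.txs.iter().fold(0xcbf29ce484222325u64, |h, t| (h ^ *t).wrapping_mul(0x100000001b3))
}
// Toy header hash (assumption; a real client uses Keccak-256 of the RLP header).
pub fn header_hash(h: &Header) -> u64 { (h.number << 32) ^ h.tx_root }

#[derive(Debug, PartialEq)]
pub enum Verdict { Imported, BadBody, HeaderBanned }

pub struct Node {
    ban_header_on_bad_body: bool,   // true models the bug the article describes
    bad_headers: HashSet<u64>,
    bad_bodies: HashSet<u64>,
    chain: HashMap<u64, Body>,
}

impl Node {
    pub fn new(vulnerable: bool) -> Self {
        Node { ban_header_on_bad_body: vulnerable, bad_headers: HashSet::new(),
               bad_bodies: HashSet::new(), chain: HashMap::new() }
    }
    pub fn height(&self) -> usize { self.chain.len() }

    pub fn import(&mut self, header: &Header, body: &Body) -> Verdict {
        let hh = header_hash(header);
        if self.bad_headers.contains(&hh) { return Verdict::HeaderBanned; }
        let root = tx_root(body);
        if self.bad_bodies.contains(&root) { return Verdict::BadBody; }
        if root != header.tx_root {
            if self.ban_header_on_bad_body {
                self.bad_headers.insert(hh);   // bug: the valid header is banned forever
            } else {
                self.bad_bodies.insert(root);  // fix: blame the body, keep the header
            }
            return Verdict::BadBody;
        }
        self.chain.insert(header.number, body.clone());
        Verdict::Imported
    }
}

// Scenario: a mismatched body arrives first, then an honest peer sends the real one.
pub fn scenario(vulnerable: bool) -> (Verdict, Verdict, usize) {
    let good = Body { txs: vec![1, 2, 3] };
    let header = Header { number: 9_000_000, tx_root: tx_root(&good) };
    let forged = Body { txs: vec![99] };
    let mut node = Node::new(vulnerable);
    let first = node.import(&header, &forged);
    let second = node.import(&header, &good);
    (first, second, node.height())
}
```

Running `scenario(true)` yields `(BadBody, HeaderBanned, 0)`: the node never accepts the correct body and stalls at that height, whereas `scenario(false)` yields `(BadBody, Imported, 1)`.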
Aharon mentioned that a significant number of Parity Ethereum nodes became unsynced with the Ethereum network. Although a software patch was released about 14 hours after the attack had been reported, there are still several Ethereum nodes that haven’t been updated, Aharon revealed.
This time, Aharon noted, the attack failed to bring down the Ethereum network because there’s another popular ETH client, called Geth, which is reportedly immune to this particular attack.
Aharon argued that if the Ethereum community did not have Geth, then the attack would have been quite serious.
He also said he’s concerned because Parity confirmed this month that they were planning to end support for the client, and were preparing to delegate maintenance to a distributed autonomous organization.
Aharon pointed out that maintaining a client is hard work, and that he’s worried that with fewer resources supporting Parity, the Ethereum community might only have Geth in 2020. He argued that if there was only one Ethereum client, then attacks similar to the one experienced on New Year’s Eve could potentially bring down the entire network, instead of only being inconvenient.
Aharon acknowledged that he doesn’t know what the best solution might be; however, as someone who regularly manages Ethereum infrastructure, he’s aware of the significant risk of relying on only one client.
A Twitter user pointed out that only around 20 percent of Ethereum nodes are currently running Parity, so the attack didn’t actually come close to taking down the network. He added that even if there were more Parity clients, a Geth node could still be created in a few hours.
Responding to the user’s comments, Aharon asked what would happen if the attack affected Geth instead of Parity. Aharon also recommended having multiple Ethereum clients in order to survive such attacks in the future.