Ethereum network survives malicious attack, but raises serious security concerns

The Ethereum (ETH) blockchain survived what appeared to be an intentional attack on December 31, which reportedly came very close to bringing down the entire network. Liam Aharon, an Australia-based blockchain developer, confirmed that the attack exploited a software glitch in a widely-used Ethereum client, called Parity.

As noted by Sergio Demian Lerner, a cryptocurrency security consultant:

“The attack is simple: you send to a Parity node a block with invalid transactions, but valid header (borrowed from another block). The node will mark the block header as invalid and ban this block header forever but the header is still valid.”

George Pîrlea, a distributed systems expert, further explained:

“The attack consists of sending a block along with a header that doesn’t match the block. Parity verified the block, noticed it did not match the header, and then marked the *header* as bad. This means the real/correct body would never be downloaded.”

Aharon pointed out that the attack exploited a bug in the Parity client by “tricking” the vulnerable nodes. This was done by making them think that a valid block was invalid.
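To make the described flaw concrete, here is an added Python sketch (not Parity's code; the node model, the sha256 stand-in for the transactions root and the sample transactions are all constructed) that contrasts a node which bans the header whenever the body does not match with one that discards only the mismatched body and keeps the header importable:

```python
import hashlib
from dataclasses import dataclass, field


def body_root(txs):
    # Constructed stand-in for a block's transactions root: a hash over the tx list.
    return hashlib.sha256("|".join(txs).encode()).hexdigest()


@dataclass(frozen=True)
class Header:
    number: int
    tx_root: str  # commitment to the body; a body is valid for this header only if it matches

    def hash(self):
        return hashlib.sha256(f"{self.number}:{self.tx_root}".encode()).hexdigest()


@dataclass
class Node:
    ban_header_on_body_mismatch: bool  # True models the behaviour the article attributes to Parity
    bad_headers: set = field(default_factory=set)
    chain: dict = field(default_factory=dict)  # block number -> (Header, txs)

    def import_block(self, header, txs):
        if header.hash() in self.bad_headers:
            return "rejected: header previously marked bad"
        if body_root(txs) != header.tx_root:
            if self.ban_header_on_body_mismatch:
                # The flaw: the header was never invalid, yet it is banned for good,
                # so the correct body for it can never be imported afterwards.
                self.bad_headers.add(header.hash())
                return "rejected: header marked bad"
            # Corrected handling: only this body is dropped (and the peer that sent it
            # would be penalised); the header stays valid and the body can be re-requested.
            return "rejected: body does not match header"
        self.chain[header.number] = (header, txs)
        return "imported"


def simulate(buggy):
    good_txs = ["tx-a", "tx-b"]  # constructed sample transactions
    header = Header(number=1, tx_root=body_root(good_txs))
    node = Node(ban_header_on_body_mismatch=buggy)
    first = node.import_block(header, ["tx-invalid"])  # valid header, non-matching body
    second = node.import_block(header, good_txs)       # the real body arrives later
    return first, second, 1 in node.chain
```

Running `simulate(True)` shows the node never importing block 1 even after the correct body arrives, while `simulate(False)` imports it on the second attempt.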

Aharon mentioned that a significant number of Parity Ethereum nodes became unsynced with the Ethereum network. Although a software patch was released about 14 hours after the attack had been reported, there are still several Ethereum nodes that haven’t been updated, Aharon revealed.

This time, Aharon noted, the attack failed to bring down the Ethereum network because there’s another popular ETH client, called Geth, which is reportedly immune to this particular attack.

Aharon argued that if the Ethereum community did not have Geth, then the attack would have been quite serious.

He also said he’s concerned because Parity confirmed this month that they were planning to end support for the client, and were preparing to delegate maintenance to a distributed autonomous organization.

Aharon pointed out that maintaining a client is hard work, and that he’s worried that with fewer resources supporting Parity, the Ethereum community might only have Geth in 2020. He argued that if there was only one Ethereum client, then attacks similar to the one experienced on New Year’s Eve could potentially bring down the entire network, instead of only being inconvenient.

Aharon acknowledged that he doesn’t know what the best solution might be, however, as someone who regularly manages Ethereum infrastructure, he’s aware of the significant risk of relying on only one client.

A Twitter user pointed out that only around 20 percent of Ethereum nodes are currently running Parity, so the attack didn’t actually come close to taking down the network. He added that even if there were more Parity clients, then a Geth node could still be created in a few hours.

Responding to the user’s comments, Aharon asked what would happen if the attack affected Geth instead of Parity. Aharon also recommended running multiple Ethereum clients in order to survive such attacks in the future.

Omar Faridi

Journalist @ CryptoSlate

Omar enjoys writing about all topics related to Bitcoin, blockchain, and cryptocurrency. He is most interested in crypto regulations, quantum resistant blockchains, and Ethereum and Bitcoin Core development. His academic background includes an undergraduate degree in computer science from the University of Nevada and a masters of science in psychology from the University of Phoenix. He works as an application developer for the University of Houston and a data storage specialist for Dell EMC.
