Parity Admits to “Critical” Vulnerability in Testnet That Could Corrupt Ethereum
Alert: Please update your Parity Ethereum clients to 1.11.3-beta or 1.10.6-stable asap. https://t.co/QNxzv74kSF
— Parity Technologies (@ParityTech) June 6, 2018
Reported in a security alert, UK-based Parity Technologies described a “potential consensus-related issue” on its Ropsten testnet:
“In the worst case, submitting a certain malformed transaction (coming from a 0xfff…fff address) to a mining Parity Ethereum node could have caused that node to produce a malformed block, which would still be treated as valid by other affected Parity Ethereum nodes.”
If the error remained unnoticed, users of the Parity Ethereum client would fall out of sync with the wider network — leading to rejected transactions and a chain split. According to the public record of Parity-based Ethereum nodes, this failure would affect nearly a third of the entire Ethereum network.
Now, all users must update to an amended version of the third-party Ethereum client — or they risk corrupting the Ethereum mainnet. Parity appealed to any entity using its software:
“Please update your nodes as soon as possible and then double check that you are running version 1.10.6-stable or 1.11.3-beta.”
Parity Under Fire Once Again
This is not the first time Parity admitted a critical failure. In 2017, the company’s MultiSig Wallet software recorded several multi-million dollar losses.
In the wake of a July 2017 hack for 150,000 ETH, the firm again caused “considerable stress and confusion” when it “accidentally” locked up users’ funds worth over $300 million.
The full statement and update can be found on our website https://t.co/dBfLnrYIMB. If you would like to check if your wallet has been affected pls visit: https://t.co/kmQjKKuZRI pic.twitter.com/NZbAFpcbWj
— Parity Technologies (@ParityTech) November 8, 2017
Although Parity expressed deep remorse for the latter error, the failure seemingly could have been avoided. In a confession titled a “Postmortem,” Parity admitted to neglecting a warning of the vulnerability in August — nearly three months before the “MultiSig Library Self-Destruct”:
“In August, a Github contributor called “3esmit” recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement.”
Parity’s latest blunder is now remedied. However, one may wonder how many misgivings users can tolerate before losing faith. As institutions and individuals are seduced with faster, more robust blockchains, the Ethereum Foundation may begin eliminating the weak links.
Cover Photo by Ricardo Gomez Angel on Unsplash
Disclaimer: Our writers' opinions are solely their own and do not reflect the opinion of CryptoSlate. None of the information you read on CryptoSlate should be taken as investment advice, nor does CryptoSlate endorse any project that may be mentioned or linked to in this article. Buying and trading cryptocurrencies should be considered a high-risk activity. Please do your own due diligence before taking any action related to content within this article. Finally, CryptoSlate takes no responsibility should you lose money trading cryptocurrencies.