
Parity admits to “critical” vulnerability in testnet that could corrupt Ethereum



Users of Parity Ethereum were warned to update after a “critical” consensus issue was discovered — one that could potentially corrupt up to 30% of the world’s second most successful blockchain.

Reported in a security alert, UK-based Parity Technologies described a “potential consensus-related issue” on its Ropsten testnet:

“In the worst case, submitting a certain malformed transaction (coming from a 0xfff…fff address) to a mining Parity Ethereum node could have caused that node to produce a malformed block, which would still be treated as valid by other affected Parity Ethereum nodes.”

If the error remained unnoticed, users of the Parity Ethereum client would fall out of sync with the wider network — leading to rejected transactions and a chain split. According to the public record of Parity-based Ethereum nodes, this failure would affect nearly a third of the entire Ethereum network.

Now, all users must update to an amended version of the third-party Ethereum client — or they risk corrupting the Ethereum mainnet. Parity appealed to any entity using its software:

“Please update your nodes as soon as possible and then double check that you are running version 1.10.6-stable or 1.11.3-beta.”

Parity Under Fire Once Again

This is not the first time Parity has admitted to a critical failure. In 2017, the company’s MultiSig Wallet software recorded several multi-million dollar losses.

In the wake of a July 2017 hack for 150,000 ETH, the firm again caused “considerable stress and confusion” when it “accidentally” locked up users’ funds worth over $300 million.

Although Parity expressed deep remorse for the latter error, the failure seemingly could have been avoided. In a confession it labeled a “Postmortem,” Parity admitted to neglecting a warning of the vulnerability in August, nearly three months before the “MultiSig Library Self-Destruct”:

“In August, a Github contributor called ‘3esmit’ recommended a code change that initWallet should be called when being deployed which at the time was considered a convenience enhancement.”

Parity’s latest blunder is now remedied. However, one may wonder how many missteps users can tolerate before losing faith. As institutions and individuals are seduced by faster, more robust blockchains, the Ethereum Foundation may begin eliminating the weak links.
