Research: Unpatched Ethereum Clients Expose the Whole Network to 51% Attacks

Any publicly available software is naturally exposed to a heightened risk of being hacked. Users of public software are always advised to keep their software up to date with the latest security patches and other updates. The risk is even greater when it comes to cryptocurrencies.

Unlike with normal software, when a cryptocurrency’s blockchain network is hacked, it is not data that is stolen but the virtual currency itself, which holds value. That is why it is deeply concerning to learn that unpatched and out-of-date Ethereum clients are putting the whole network at risk.

This information was revealed in a new report by Security Research Labs (SRLabs). The research used data collected from ethernodes.org and the results have been appalling, to say the least. Just last year, well over a billion dollars were stolen in crypto hacks. Cryptocurrency networks are in dire need of attention, and it seems that the passive approach that has been applied to defending against such attacks has failed.

SRLabs reported back in February that a vulnerability in the Parity client exposed nodes to being remotely crashed. This vulnerability could be used in conjunction with a 51% attack on the network, such as the one on the Ethereum Classic network. The report by SRLabs noted that there was still a significant number of nodes that remained unpatched, exposing the network to the possibility of future attacks. The report states:

“According to our collected data, only two-thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.”

Another patch, released on March 2, had not been applied by 30% of Parity nodes. The extreme case of this neglect is the 7% of Parity nodes that still run a version affected by a critical consensus vulnerability that was patched last July. The Parity client has a somewhat functional auto-update system in place. Things are even worse for the Geth (Go-Ethereum) client.

The research accordingly indicates:

“According to their announced headers, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two months before our measurement.”

The report warns that leaving a large enough number of clients open to attacks will compromise the safety of the whole network. If a hacker can crash a large number of nodes, controlling 51% of the network becomes easier, making software crashes a big safety concern.
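The kind of measurement quoted above, counting Geth nodes whose announced version is below the security-critical 1.8.20 release, can be sketched as follows. This is an added example, not SRLabs' code: the identifier list is constructed sample data with placeholder commit fields, and the function names are hypothetical.

```python
import re

PATCHED = (1, 8, 20)  # security-critical Geth release named in the report

# Constructed sample of announced client identifiers (not measurement data).
SAMPLE_IDS = [
    "Geth/v1.8.20-stable-00000000/linux-amd64/go1.11",
    "Geth/v1.8.19-stable-00000000/linux-amd64/go1.11",
    "Geth/v1.8.3-stable-00000000/windows-amd64/go1.10",
    "Geth/v1.8.23-stable-00000000/linux-amd64/go1.11",
    "Geth/mynode/v1.7.3-stable-00000000/linux-amd64/go1.9",  # custom identity
    "Geth/v1.9.0-unstable-00000000/darwin-amd64/go1.12",
    "Geth/custom-build",                                      # no version field
    "Parity-Ethereum//v2.2.9-stable-0000000/x86_64-linux-gnu/rustc1.31",
]

VERSION_RE = re.compile(r"/v(\d+)\.(\d+)\.(\d+)")

def parse_geth_version(client_id):
    """Return (major, minor, patch) for a Geth identifier, else None."""
    if not client_id.startswith("Geth/"):
        return None
    m = VERSION_RE.search(client_id)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(client_ids, patched=PATCHED):
    """Split Geth nodes into outdated/current/unknown by announced version."""
    outdated, current, unknown = [], [], []
    for cid in client_ids:
        if not cid.startswith("Geth/"):
            continue  # other clients need their own patched-version rule
        ver = parse_geth_version(cid)
        if ver is None:
            unknown.append(cid)    # never count unparsable IDs as patched
        elif ver < patched:        # tuple compare: (1, 8, 3) < (1, 8, 20)
            outdated.append(cid)   # a string compare would get 1.8.3 wrong
        else:
            current.append(cid)
    known = len(outdated) + len(current)
    share = len(outdated) / known if known else 0.0
    return {"outdated": outdated, "current": current,
            "unknown": unknown, "share_outdated": share}

if __name__ == "__main__":
    result = audit(SAMPLE_IDS)
    print(f"{len(result['outdated'])} of "
          f"{len(result['outdated']) + len(result['current'])} Geth nodes "
          f"below v1.8.20 ({result['share_outdated']:.0%}); "
          f"{len(result['unknown'])} unparsable")
```

The identifier is self-reported, so a count like this reflects what nodes announce rather than what they verifiably run.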
