Patched vulnerability could’ve crippled ETH over the past 2 years: Ethereum Foundation

Published at: May 19, 2021

The Ethereum Foundation has published a blog post outlining a potentially catastrophic vulnerability: until the Berlin hard fork last month, an attacker could have brought mainnet down for a few thousand dollars, well under five figures.

A May 18 blog post describes the vulnerability as having posed “a severe threat against the Ethereum platform” until April’s upgrades allowed it to dodge the bullet.

The report describes the threat as having been an “open secret,” noting that it was once publicly disclosed by mistake. Following the implementation of the Berlin hard fork, the foundation estimated the threat is low enough to warrant full disclosure at this time, stating:

“It’s important that the community is given a chance to understand the reasoning behind changes that negatively affect the user experience, such as raising gas costs and limiting refunds.”

The post explains that Ethereum's state is stored in a Merkle Patricia trie, likening each new account on the network to a new leaf on a tree that gets larger, and slower to search, as it grows. As the network has grown, gas-cost increases have been used since October 2016 to defend against denial-of-service attacks, including the controversial Ethereum Improvement Proposal 1884.

#Ethereum's DoS that never came to be. For over a year, mainnet could have been brought down with a few thousand $. As we've left it in the past, it's time to shed some light on those troubled times. https://t.co/xbPgbyWpcp

— Go Ethereum (@go_ethereum) May 18, 2021

In 2019, Ethereum security researchers Hubert Ritzdorf, Matthias Egli and Daniel Perez teamed up to weaponize the attack, which triggers random trie lookups that could "lead to blocktimes in the minute-range." A report published that year states that the delays caused by the attack would grow longer as Ethereum's state grows, "which allows efficient DoS attacks against Ethereum."

After various proposals from developers were rejected throughout 2020, Vitalik Buterin teamed up with Martin Swende to author EIP-2929 and EIP-2930, upgrades that raised gas costs "only for things not already accessed" in order to make the attack uneconomical. The EIPs shipped in the Berlin upgrade on April 15. The blog estimates that Berlin reduced the effectiveness of the attack by about 50 times.
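To make the "only for things not already accessed" idea concrete, here is an added example (not code from the Ethereum Foundation, geth or the EIP authors) that models the per-transaction warm/cold accounting EIP-2929 introduced. The gas constants are the published EIP-1884 and EIP-2929 values; the GasMeter class, the address strings and the two transaction models are assumptions for illustration only. It also shows the general pattern rather than a single case: a transaction that touches many never-before-seen accounts (the random trie lookups behind the DoS) pays the cold price on every touch, while a transaction that re-reads the same storage slot pays the cold price once and the warm price thereafter.

```python
"""EIP-2929 warm/cold access accounting, illustrative model only.

Gas constants are those of EIP-1884 (pre-Berlin) and EIP-2929 (Berlin).
The GasMeter class and the two transaction models below are assumptions
made for this example; they are not geth or Ethereum Foundation code.
"""
from dataclasses import dataclass, field

# Pre-Berlin (EIP-1884) flat per-opcode costs: the same price whether or
# not the account or slot was already touched in this transaction.
PRE_BERLIN_BALANCE = 700
PRE_BERLIN_SLOAD = 800

# Berlin (EIP-2929) costs: expensive the first time an address or storage
# slot is touched in a transaction, cheap on every later access.
COLD_ACCOUNT_ACCESS_COST = 2600
COLD_SLOAD_COST = 2100
WARM_STORAGE_READ_COST = 100


@dataclass
class GasMeter:
    """Tracks the per-transaction accessed sets EIP-2929 requires."""
    berlin: bool
    accessed_addresses: set = field(default_factory=set)
    accessed_slots: set = field(default_factory=set)
    gas_used: int = 0

    @classmethod
    def new_tx(cls, sender, to, berlin):
        m = cls(berlin=berlin)
        # EIP-2929 pre-warms the sender and the callee (the precompiles too,
        # omitted here), so touching them again costs the warm price.
        m.accessed_addresses.update({sender, to})
        return m

    def account_access(self, addr):
        """Cost of a BALANCE / EXTCODEHASH / CALL-style touch of an account."""
        if not self.berlin:
            cost = PRE_BERLIN_BALANCE
        elif addr in self.accessed_addresses:
            cost = WARM_STORAGE_READ_COST
        else:
            self.accessed_addresses.add(addr)
            cost = COLD_ACCOUNT_ACCESS_COST
        self.gas_used += cost
        return cost

    def sload(self, addr, key):
        """Cost of reading storage slot `key` of account `addr`."""
        if not self.berlin:
            cost = PRE_BERLIN_SLOAD
        elif (addr, key) in self.accessed_slots:
            cost = WARM_STORAGE_READ_COST
        else:
            self.accessed_slots.add((addr, key))
            cost = COLD_SLOAD_COST
        self.gas_used += cost
        return cost


def attack_tx_cost(n_random_accounts, berlin):
    """Gas for a transaction touching n distinct, never-seen accounts
    (the random trie lookups behind the DoS). Addresses are made up."""
    m = GasMeter.new_tx(sender="0xattacker", to="0xcontract", berlin=berlin)
    for i in range(n_random_accounts):
        m.account_access(f"0xrandom{i:040x}")
    return m.gas_used


def honest_tx_cost(n_repeats, berlin):
    """Gas for a transaction reading the same slot n times, the pattern
    EIP-2929 deliberately leaves cheap."""
    m = GasMeter.new_tx(sender="0xuser", to="0xcontract", berlin=berlin)
    for _ in range(n_repeats):
        m.sload("0xcontract", 0)
    return m.gas_used


if __name__ == "__main__":
    for berlin in (False, True):
        label = "Berlin (EIP-2929)" if berlin else "pre-Berlin (EIP-1884)"
        print(f"{label}: 10k cold account touches = "
              f"{attack_tx_cost(10_000, berlin):,} gas; "
              f"100 reads of one slot = {honest_tx_cost(100, berlin):,} gas")
```

Run as-is, the model shows the attacker's cold touches going from 700 to 2600 gas each while the honest re-read pattern gets cheaper (one cold SLOAD at 2100, then 100 per repeat instead of 800). The gas schedule alone therefore accounts for only part of the roughly 50x figure quoted above; the example is about the pricing mechanism, not a reproduction of that estimate.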

Ethereum is not the only network to come clean about long-term vulnerabilities after implementing upgrades to protect against said exploits.

In September 2020, crypto researchers Braydon Fuller and Javed Khan published a paper revealing a "high" severity vulnerability affecting layer-two solutions built on top of Bitcoin, such as the Lightning Network. Although the authors estimated that 50% of Bitcoin nodes were exposed to the vector, they did not identify any attempts to exploit the weakness.
