ETH 2.0 Audit Highlights Risks to Block Proposers and P2P Protocol

Published at: March 26, 2020

Technology security firm Least Authority has published an audit of the specifications for ETH 2.0 — the long-awaited overhaul of the Ethereum (ETH) protocol.

Least Authority audited the ETH 2.0 specifications during January at the request of the Ethereum Foundation. The firm worked alongside the Foundation throughout the process and compiled the final version of the report on March 6.

Ethereum Foundation commissions Least Authority to audit ETH 2.0

The security firm reviewed the core ETH 2.0 specs for phase 0, the Beacon Chain specs, and Beacon Chain Fork Choice documents, peer-to-peer (P2P) networking documentation, the Honest Validator specifications, and the documentation for the Go Implementation of ETH 2.0. 

The report notes that while specific aspects of ETH 2.0’s design can be reviewed, “the collective system may not behave as intended.”

Report highlights risks to block proposers

While the report found the ETH 2.0 specs to be “very well thought out and comprehensive,” noting that “security had been a strong consideration during the design phase,” Least Authority highlights concerns regarding the P2P layer and risks to block proposers.

The researchers assert that the network specifications make it a fairly easy task for block validators to establish the IP addresses of other validators. 

With the documentation implying that block proposers are public knowledge, the firm is concerned that an attacker may seek to strategically execute distributed denial-of-service (DDoS) attacks against them.

The report also warns that an attacker could wield a large volume of nodes to launch a targeted attack on block proposers.

Least Authority notes concerns regarding P2P networking protocol

The security firm asserts that the documentation surrounding ETH 2.0’s P2P and Ethereum node records (ENR) systems is lacking, emphasizing that they were “unable to conclude how the P2P system incorporates the ENR system.”

A “spam problem” is also identified in the protocol’s P2P messaging system. The report warns that the absence of a centralized entity overseeing nodes' actions opens up the possibility of a dishonest node attempting to overwhelm the network with an unlimited number of old block messages while incurring little penalty.

“This type of attack would slow down or potentially halt network processing for the duration it was carried out,” the findings conclude.
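The "spam problem" above is a gossip-layer concern: nothing stops a peer from replaying old block messages, and nothing in the specification penalises it for doing so. The following is an added example of the kind of node-side mitigation a practitioner would want; it is not code from the Least Authority report or from any Ethereum client. It assumes a simplified block message of the form `{"peer", "slot", "root"}`, a known current slot, and constructed policy values (`MAX_SLOT_AGE`, `PEER_BAN_SCORE`): block messages that are stale, from the future, or already seen are dropped, and a peer that keeps sending them is ignored once its penalty count crosses the threshold.

```python
from collections import Counter, defaultdict

# Policy values are constructed for this example; a real client would tune them.
MAX_SLOT_AGE = 32     # block messages older than this many slots count as stale
PEER_BAN_SCORE = 5    # a peer is ignored once it has accumulated this many penalties


class GossipBlockFilter:
    """Accepts block gossip only if it is fresh and unseen; penalises peers otherwise."""

    def __init__(self, max_slot_age=MAX_SLOT_AGE, ban_score=PEER_BAN_SCORE):
        self.max_slot_age = max_slot_age
        self.ban_score = ban_score
        self.seen_roots = set()              # block roots already received
        self.penalties = defaultdict(int)    # per-peer penalty counter

    def is_banned(self, peer):
        return self.penalties[peer] >= self.ban_score

    def accept(self, msg, current_slot):
        """Return (accepted, reason) for one block message {"peer", "slot", "root"}."""
        peer = msg["peer"]
        if self.is_banned(peer):
            return False, "peer banned"
        if msg["slot"] > current_slot:
            self.penalties[peer] += 1
            return False, "future slot"
        if current_slot - msg["slot"] > self.max_slot_age:
            self.penalties[peer] += 1
            return False, "stale block"
        if msg["root"] in self.seen_roots:
            self.penalties[peer] += 1
            return False, "duplicate"
        self.seen_roots.add(msg["root"])
        return True, "accepted"


# Constructed sample traffic: one honest peer, one peer replaying old blocks.
CURRENT_SLOT = 100
SAMPLE_MESSAGES = (
    [{"peer": "honest", "slot": 99, "root": "0xaa"},
     {"peer": "honest", "slot": 98, "root": "0xbb"}]
    + [{"peer": "replayer", "slot": s, "root": f"0x{s:02x}"} for s in range(1, 9)]
    + [{"peer": "honest", "slot": 99, "root": "0xaa"}]   # honest re-send of a seen block
)


def run_filter(messages, current_slot):
    """Feed messages through the filter and summarise what happened."""
    flt = GossipBlockFilter()
    outcomes = Counter()
    for msg in messages:
        accepted, reason = flt.accept(msg, current_slot)
        outcomes[reason] += 1
    banned = sorted(p for p in flt.penalties if flt.is_banned(p))
    return {"accepted": outcomes["accepted"],
            "rejected": {k: v for k, v in outcomes.items() if k != "accepted"},
            "banned": banned}


def demo():
    return run_filter(SAMPLE_MESSAGES, CURRENT_SLOT)


if __name__ == "__main__":
    print(demo())
```

In the sample run the honest peer's one duplicate costs it a single penalty point but nothing more, while the replaying peer is cut off after five stale messages and its remaining traffic is discarded without any further work. The point is that the cost of the attack is bounded on the receiving side even though the protocol itself imposes no penalty on the sender.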

The report also highlights concerns regarding “misaligned gossip incentives” and the lack of a “BAR-resilient gossip protocol,” and urges the Ethereum Foundation to seek regular peer reviews of its code.

Of the 10 issues identified in the firm’s final report, two have since been resolved, and one has been determined to have been an invalid issue.

Security vulnerability identified among Ethereum Dapp wallets

On March 23, crypto wallet provider ZenGo announced it had built a testnet to highlight a major security flaw pervading decentralized application (Dapp) wallets — urging wallet providers to make users aware of the vulnerability.

ZenGo’s testnet demonstrates how authorizing a single transaction between a user’s wallet and a Dapp’s smart contract grants the application authorization to access all funds held within that wallet.
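The page does not spell out the mechanism, so the following added example assumes (this is an assumption, not something stated above) that the single authorizing transaction is an ERC-20 `approve(spender, amount)` call, where an unlimited allowance lets the spender move every token the wallet holds. The code is not ZenGo's, not from any wallet product, and uses a constructed dapp address and balance; it decodes the call data a wallet would be asked to sign and rates the allowance so the user can be warned before signing.

```python
# Selector is keccak256("approve(address,uint256)")[:4], a well-known ERC-20 constant.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata (ABI: 4-byte selector + two 32-byte words)."""
    hex_addr = spender[2:] if spender.startswith("0x") else spender
    spender_word = bytes.fromhex(hex_addr).rjust(32, b"\x00")
    return APPROVE_SELECTOR + spender_word + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes):
    """Return {"spender", "amount"} if calldata is an approve() call, else None."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()     # address is right-aligned in its 32-byte word
    amount = int.from_bytes(calldata[36:68], "big")
    return {"spender": spender, "amount": amount}


def classify_approval(calldata: bytes, balance: int) -> str:
    """Rate the risk of an approval for a wallet holding `balance` of the token.

    Returns one of: "not an approval", "unlimited", "exceeds balance", "bounded".
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not an approval"
    if decoded["amount"] == UINT256_MAX:
        return "unlimited"            # spender can drain the wallet's entire token balance
    if decoded["amount"] > balance:
        return "exceeds balance"      # more than the wallet holds today
    return "bounded"


# Constructed sample: a hypothetical dapp contract address and a wallet holding 1,000 tokens.
DAPP_SPENDER = "0x" + "ab" * 20
WALLET_BALANCE = 1_000
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")   # transfer(address,uint256), used as a non-approve call


def demo():
    return {
        "unlimited": classify_approval(encode_approve(DAPP_SPENDER, UINT256_MAX), WALLET_BALANCE),
        "too_much": classify_approval(encode_approve(DAPP_SPENDER, 5_000), WALLET_BALANCE),
        "bounded": classify_approval(encode_approve(DAPP_SPENDER, 100), WALLET_BALANCE),
        "other": classify_approval(TRANSFER_SELECTOR + b"\x00" * 64, WALLET_BALANCE),
    }


if __name__ == "__main__":
    print(demo())
```

A wallet that surfaces the "unlimited" or "exceeds balance" result to the user, rather than showing an opaque hex blob, addresses the awareness gap the announcement describes; a user can then choose to approve only the amount the dapp needs for the current action.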
