Data: Just 2/3 of ETH Nodes Running Parity Have Been Patched Against Critical Security Flaw

Published at: May 17, 2019

Global hacking research collective SRLabs claims that only two thirds of the Ethereum client software that runs on Ethereum nodes has been patched against a critical security flaw discovered earlier this year. The news was reported by business tech website ZDNet on May 17.

An SRLabs report ostensibly shared with ZDNet has reportedly revealed that the critical flaw is a denial of service (DoS) vulnerability in the Ethereum Parity client. As SRLabs has outlined, the flaw could enable a hacker to remotely crash legitimate Parity Ethereum nodes by sending malformed packets.

Should sufficient malicious nodes overwhelm the network and gain a 51% majority, they could potentially commit double-spends and validate unsound transactions, ZDNet notes.

While the issue was addressed with the release of the Parity Ethereum client v2.2.10 in mid-February — just a few days after the flaw was reported by SRLabs — SRLabs researcher Karsten Nohl told ZDNet that:

"According to our collected data, only two thirds of nodes have been patched so far."

One month after the issue was successfully patched in the new Parity release, SRLabs researchers reportedly scanned the Ethereum blockchain to check how many Parity nodes had updated their clients to the new version. The report notes:

"One month after this alert, we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes [...] remained unpatched and thus vulnerable to the mentioned attack."

The data reportedly indicates that unpatched Parity nodes comprise 15% of all scanned nodes — implying that 15% of all Ethereum nodes are vulnerable to a potential 51% attack.

The sluggish pace of patching in response to discovered vulnerabilities was purportedly further demonstrated in SRLabs’ broader analysis, which found that 7% of active Parity Ethereum nodes had not been patched for nine months, leaving them susceptible to other detected flaws.

A similar slow pace was discovered for a different Ethereum node client, Go-Ethereum (Geth), with 44% of Geth nodes reportedly not having applied a critical security update (v1.8.21).
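The patch-status assessment described above (for both Parity and Geth) can be reproduced from a node inventory of client identifier strings. This is an added example, not code from the article, SRLabs or Ethernodes.org; it assumes identifiers in the devp2p Hello "clientId" shape, treats the article's v2.2.10 and v1.8.21 as the minimum fixed releases, and uses a constructed sample inventory.

```python
# Added example (not from the article, SRLabs or Ethernodes): classify Ethereum nodes as
# patched/unpatched from client identifier strings, using the fixed versions the article names.
import re
from collections import Counter

# Minimum versions the article names as carrying the fix; assumes later releases keep it.
MIN_FIXED = {"parity": (2, 2, 10), "geth": (1, 8, 21)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_client(client_id):
    """Return (family, version_tuple); family/version are None when unrecognised."""
    name, _, rest = client_id.partition("/")
    name = name.lower()
    family = "parity" if name.startswith("parity") else "geth" if name == "geth" else None
    if family is None:
        return None, None
    m = VERSION_RE.search(rest)  # first x.y.z after the client name is the client version
    return family, (tuple(int(g) for g in m.groups()) if m else None)

def is_patched(client_id):
    """True/False for a known client with a parseable version, None otherwise."""
    family, version = parse_client(client_id)
    if family is None or version is None:
        return None
    return version >= MIN_FIXED[family]

def patch_summary(client_ids):
    """Per-family counts of patched / unpatched / unknown nodes."""
    summary = {}
    for cid in client_ids:
        family, _ = parse_client(cid)
        state = {True: "patched", False: "unpatched", None: "unknown"}[is_patched(cid)]
        summary.setdefault(family or "other", Counter())[state] += 1
    return summary

def unpatched_share(client_ids, family):
    """Fraction of a family's version-identified nodes still below the fixed release."""
    c = patch_summary(client_ids).get(family, Counter())
    known = c["patched"] + c["unpatched"]
    return c["unpatched"] / known if known else 0.0

# Constructed inventory, not real scan data.
SAMPLE_NODES = [
    "Parity-Ethereum/v2.2.10-stable/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.9-stable/x86_64-linux-gnu/rustc1.31.1",
    "Parity/v1.11.11-stable/x86_64-linux-gnu/rustc1.28.0",
    "Geth/v1.8.21-stable-9dc5d1a9/linux-amd64/go1.11.4",
    "Geth/v1.8.20-stable/linux-amd64/go1.11.2",
    "Nethermind/v1.0.0",
]
```

Nodes whose version cannot be parsed are reported as unknown rather than assumed safe, so an operator's inventory should treat that bucket as needing manual follow-up.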

Nohl noted that Parity’s highly complex automated update process lacks reliability when nodes are not configured correctly, while the Geth client lacks an auto update system altogether.

The unpatched nodes ostensibly pose a risk to the entire network, as they could be crashed to reduce the costs of carrying out a blockchain-wide 51% attack, ZDNet notes.

This March, researchers from major cryptocurrency trading platform BitMEX discovered a potential bug in its Ethereum Parity full node, which they claimed was unlikely to be exploited.
