A critical consensus bug has been uncovered in a testing environment used by one of the two principal softwares crucial to the operation of the world’s second-largest blockchain.
Revealed last night by UK-based Parity Technologies in a blog post, the issue was found to cause those running the software to fall out of sync, meaning others using different software would not recognize their transactions. While the vulnerability was found on a testnet, the worry is that it could be exploited on the mainnet as well.
As such, Parity is now urging all users to update their software to a newly patched version.
Publicly available data suggests the bug could have impacted roughly 30 percent of the ethereum network – those that use software issued by Parity to stay in sync with the wider network. But according to representatives of Parity, the issue was patched before it reached nodes operating the live ethereum blockchain.
Still, companies must update to the new software to remain safe from the vulnerability on the mainnet.
Speaking on Twitter, several companies, including mining pool Bitfly, have come forward to state they’ve updated their software to the newly secured iteration (1.10.6-stable or 1.11.3-beta).
As companies that operate on ethereum begin updating their software to avoid the issue, it has been theorized that it could still impact any blockchains that run Parity software, including users of ethereum classic (ETC).
The news of the vulnerability comes at a time when Parity has been under increased scrutiny for several similar security issues. Most notably, last November, a bug in one of the company’s wallet offerings led 513,774.16 ETH, or $311 million according to current metrics, being frozen and in turn, inaccessible to its owners.
Discussion as to whether the frozen funds should be returned is ongoing, but in the interim, Parity has stated its commitment to a refined security process, writing:
“We would like for our bugs to be a catalyst for more secure ethereum development.”
Speaking to CoinDesk, Wei Tang, a Parity developer who assisted with yesterday’s code patch, said that the bug is linked to a piece of code from ethereum improvement proposal (EIP) 86.
Formerly planned for ethereum’s upgrade last year, EIP 86 aimed to introduce what is called “account abstraction,” allowing for transactions to be sent without a signature from the sender. The full ethereum upgrade to EIP 86 was postponed due to its complexity, however, Wei explained that Parity nevertheless implemented the code, possibly due to its role in ethereum’s upcoming consensus switch.
According to Wei, the team in charge of implementing it within Parity’s software had overlooked three lines of code that led to yesterday’s consensus issue.
“We missed a conditional check in our code that caused full node Parity to accept a block containing invalid transactions,” Wei told CoinDesk.
Several such transactions were discovered on the Ropsten test network yesterday, and due to the transactions incompatibility with the wider ethereum blockchain, the transactions led a fork to occur between Parity and Geth (the largest provider of ethereum software accounting for 60 percent of users) clients.
Speaking in a press release, Kirill Pimenov, head of security at Parity, said that in the “worst case” such transactions would have resulted in corrupted blocks on the ethereum mainnet that “would still be treated as valid by other affected Parity ethereum nodes.”
Given sufficient hashpower, such an exploit would result in a blockchain split, Pimenov continued.
“The response to this situation was proactive, meaning we were able to prepare a fix before anyone was actually able to exploit the bug. As a result, we have managed to avert a mainnet split,” Pimenov stated in the press release.
Wei echoed this, saying the fix, which was released mere hours ago, was simple.
“We add those three lines of the missing conditional check in our code,” Wei told CoinDesk, adding:
“But yeah this three lines have severe effect. We’ve also got many eyes to review the code during the process.”
Red emergency button image via Shutterstock