Unpatched Ethereum Clients Pose 51% Attack Risk, Says Report

Ethereum clients that still haven't patched known vulnerabilities pose a security risk to the entire network, according to new research.

May 17, 2019 at 1:00 p.m. UTC
Updated Aug 18, 2021 at 11:26 p.m. UTC



A report from Security Research Labs (SRLabs), based on ethernodes.org data, indicates that a large number of nodes running the two most popular clients, Parity and Geth, have been left exposed for "extended periods of time" after patches for security flaws were released.

SRLabs says it reported a vulnerability in the Parity client in February that can open nodes up to being crashed remotely.

The report states:

"According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes."

Another patch, released on March 2, was also not picked up by 30 percent of Parity nodes, it says, while 7 percent of Parity nodes still run a version exposed to a critical consensus vulnerability that was patched last July.

While the Parity client does have an automated update process, it "suffers from high complexity" and not all updates are included in it, the report says.


The patch scenario for Geth is even worse, the research indicates.

"According to their announced headers, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two months before our measurement," says the SRLabs team, noting that Geth does not have an auto-update feature, apparently by design.
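The measurement described above for both clients amounts to the same check: read the version each node announces, compare it against the first patched release, and count how many fall below it. The following Python script is an added example that is not part of the SRLabs report or of the CoinDesk article; it parses devp2p client-id strings of the form `Geth/v1.8.20-stable/linux-amd64/go1.11`, as a node operator could collect from their own peers, and reports the outdated fraction per client. The node list is constructed for the example. The Geth threshold v1.8.20 is the release named above; the Parity-Ethereum threshold and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Minimum patched version per client, as (major, minor, patch).
# Geth v1.8.20 is the release the report names as security-critical.
# The Parity-Ethereum value is a PLACEHOLDER assumption for this example:
# set it to the fixed version given in the client's own security advisory.
MIN_PATCHED = {
    "Geth": (1, 8, 20),
    "Parity-Ethereum": (2, 2, 9),  # ASSUMPTION: placeholder, not from the report
}

# A devp2p client id starts with "<name>/v<major>.<minor>.<patch>..."; the rest
# (build tag, OS/arch, compiler) is irrelevant for the version comparison.
CLIENT_ID_RE = re.compile(
    r"^(?P<name>[A-Za-z-]+)/v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
)

# Constructed sample of announced client ids (not real ethernodes.org data).
SAMPLE_CLIENT_IDS = [
    "Geth/v1.8.20-stable/linux-amd64/go1.11",
    "Geth/v1.8.23-stable-c9427004/linux-amd64/go1.11.5",
    "Geth/v1.8.17-stable-8bbe7207/linux-amd64/go1.11.1",
    "Geth/v1.8.19-unstable/darwin-amd64/go1.11",
    "Geth/v1.7.3-stable/linux-amd64/go1.9",
    "Parity-Ethereum/v2.2.9-stable-abcd123-20190101/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.1.3-beta-ef45678-20181101/x86_64-linux-gnu/rustc1.30.0",
    "Parity-Ethereum/v2.3.2-beta-0123abc-20190201/x86_64-linux-gnu/rustc1.32.0",
    "Nethermind/v1.0.0/linux-x64/dotnet2.2",  # client without a threshold configured
    "garbage",                                  # unparsable id
]


def parse_client_id(client_id):
    """Return (client_name, (major, minor, patch)), or None if the id is not recognised."""
    m = CLIENT_ID_RE.match(client_id)
    if not m:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return m.group("name"), version


def is_outdated(client_id):
    """True if the announced version is below the minimum patched version for its client.

    Returns None for unparsable ids and for clients with no configured threshold,
    so that they are counted separately rather than silently treated as patched.
    """
    parsed = parse_client_id(client_id)
    if parsed is None:
        return None
    name, version = parsed
    minimum = MIN_PATCHED.get(name)
    if minimum is None:
        return None
    return version < minimum  # tuple comparison: (1, 8, 17) < (1, 8, 20)


def summarize(client_ids):
    """Bucket nodes per client into patched / outdated / unknown and compute the outdated fraction."""
    counts = {}
    for cid in client_ids:
        parsed = parse_client_id(cid)
        name = parsed[0] if parsed else "unknown"
        bucket = counts.setdefault(name, Counter())
        status = is_outdated(cid)
        if status is None:
            bucket["unknown"] += 1
        elif status:
            bucket["outdated"] += 1
        else:
            bucket["patched"] += 1
    summary = {}
    for name, bucket in counts.items():
        total = sum(bucket.values())
        summary[name] = {
            "total": total,
            "patched": bucket["patched"],
            "outdated": bucket["outdated"],
            "unknown": bucket["unknown"],
            "outdated_fraction": bucket["outdated"] / total,
        }
    return summary


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_CLIENT_IDS).items():
        print(f"{name:16s} total={stats['total']} outdated={stats['outdated']} "
              f"({stats['outdated_fraction']:.0%}) unknown={stats['unknown']}")
```

On the constructed sample this reports three of five Geth nodes and one of three Parity-Ethereum nodes as outdated. Two design points matter in practice: an unparsable id or a client with no configured threshold is reported as "unknown" rather than assumed patched, and the comparison is on the numeric version tuple rather than on the string, so that v1.8.9 correctly sorts below v1.8.20.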

SRLabs goes on to say that by leaving large numbers of clients potentially open to attack, the whole ethereum network, which relies on nodes being highly available, is vulnerable too.

It warns:

"If a hacker can crash a large number of nodes, controlling 51% of the network becomes easier. Hence, software crashes are a serious security concern for blockchain nodes (unlike in other pieces of software where the hacker does not usually benefit from a crash)."

To address the issue, the team suggests that "more reliable" processes for auto-updating clients are required. Further decentralizing the ethereum network by moving hashing power away from concentrations of miners would also help, it adds, though it notes that this looks unlikely to happen and that wide security awareness would be key to such a move's success.
