Amberdata Discovers 'RPC Call' Bug in Parity Ethereum Client

A new code release of the Parity ethereum client was released on Thursday to patch a security vulnerability found by blockchain startup Amberdata.

Aug 29, 2019 at 10:30 p.m. UTC
Updated Aug 18, 2021 at 12:37 p.m. UTC


A code vulnerability that could have forced computer shutdowns was found on Tuesday in the second most popular ethereum client.

Parity connects over 3,000 computer servers around the globe to the ethereum blockchain network.

On Thursday, Parity Technologies, the startup responsible for building and maintaining the ethereum client, released updated code to fix the bug.

Only a small subset of Parity servers were vulnerable to crashing, according to Scott Bigelow, the VP of engineering at blockchain analytics startup Amberdata. Amberdata first discovered the vulnerability and disclosed it to the Parity Technologies team.

“There was a vulnerability that [if exploited] would cause an immediate crash of the Parity client for all its services,” said Bigelow. “There is no possibility to steal funds or do other malicious things but you could shut down some portion of ethereum nodes.”

In a blog post published Thursday, Parity Technologies wrote:

“Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled publicly-facing RPC."

What's RPC?

A remote procedure call, or RPC, is a protocol for requesting data and information from a program running on a third-party computer server. It is used on blockchains to request information about on-chain activities such as account balances, block numbers and other data.

It can be used privately by a user or opened for the broader public to access. Infura, one of the most popular applications on ethereum today, leverages public RPC ports to make data about the blockchain network accessible to users who don’t themselves run ethereum clients.

For the vulnerability found by the Amberdata team to be exploited, the ethereum node running Parity software must have enabled a public RPC port and activated a special module to enable the tracing of transaction history, according to Bigelow.

“It’s really this venn diagram,” said Bigelow. “You need to find people who are running Parity nodes, who have a Parity [RPC] port exposed and who also have the tracing module enabled on their system. If you have those three things, you can say that server is gone.”

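The three-way condition Bigelow describes (a Parity node, an RPC port exposed to the public, and the tracing module enabled) is exactly what an operator running several nodes would want to check across the fleet before deciding which ones to update first. The script below is an added example written for this article; it is not code from the article, from Amberdata or from Parity Technologies. It assumes Parity's `--jsonrpc-interface` accepts `all` and `local`, that `--tracing` takes `on`, `off` or `auto`, and that the trace API shows up as `traces` in the reply to the standard `rpc_modules` JSON-RPC method; all of those are assumptions to verify against your own version's `--help`. The node inventory and the RPC replies are constructed inline so the script runs offline, and because the article does not state the patched version number, it only ranks exposure and does not compare versions.

```python
import json
from dataclasses import dataclass

# --jsonrpc-interface values that bind the RPC listener on every address. "all" is the
# Parity alias as assumed here; the raw addresses are the conventional spellings.
PUBLIC_INTERFACES = {"all", "0.0.0.0", "::"}
# Module name under which Parity's trace API is assumed to appear in an rpc_modules reply.
TRACE_MODULE = "traces"
# --tracing values treated as "tracing active". "auto" reuses whatever value the node was
# last run with (assumed semantics), so it is counted conservatively as enabled.
TRACING_ACTIVE = {"on", "auto"}


def build_rpc_request(method: str, params: list, request_id: int = 1) -> str:
    """Serialise a JSON-RPC 2.0 request body: the shape of every 'RPC call' sent to a node."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": request_id})


def parse_rpc_modules(body: str) -> set:
    """Return the API module names listed in an rpc_modules reply; raise on an error reply."""
    reply = json.loads(body)
    if "error" in reply:
        raise ValueError("rpc_modules failed: %s" % reply["error"])
    return set(reply["result"])


@dataclass(frozen=True)
class NodeExposure:
    name: str
    rpc_public: bool       # listener bound on a public interface
    trace_exposed: bool    # trace API offered over that listener
    tracing_enabled: bool  # node actually records traces

    @property
    def matches_crash_condition(self) -> bool:
        # The article's "venn diagram": all three must hold at once.
        return self.rpc_public and self.trace_exposed and self.tracing_enabled


def assess(name: str, rpc_interface: str, tracing_flag: str, modules_reply: str) -> NodeExposure:
    """Combine a node's launch flags with its rpc_modules reply into an exposure verdict."""
    return NodeExposure(
        name=name,
        rpc_public=rpc_interface.strip().lower() in PUBLIC_INTERFACES,
        trace_exposed=TRACE_MODULE in parse_rpc_modules(modules_reply),
        tracing_enabled=tracing_flag.strip().lower() in TRACING_ACTIVE,
    )


def triage(inventory: list) -> list:
    """Names of the nodes that meet all three conditions and so should be patched first."""
    verdicts = [assess(**record) for record in inventory]
    return [v.name for v in verdicts if v.matches_crash_condition]


# Constructed sample replies and inventory: one node per missing condition, plus one
# node ("archive-1") that meets all three.
SAMPLE_REPLY_WITH_TRACE = '{"jsonrpc":"2.0","id":1,"result":{"web3":"1.0","eth":"1.0","net":"1.0","traces":"1.0"}}'
SAMPLE_REPLY_NO_TRACE = '{"jsonrpc":"2.0","id":1,"result":{"web3":"1.0","eth":"1.0","net":"1.0"}}'
SAMPLE_INVENTORY = [
    {"name": "archive-1", "rpc_interface": "all", "tracing_flag": "on", "modules_reply": SAMPLE_REPLY_WITH_TRACE},
    {"name": "dev-box", "rpc_interface": "local", "tracing_flag": "on", "modules_reply": SAMPLE_REPLY_WITH_TRACE},
    {"name": "gateway", "rpc_interface": "0.0.0.0", "tracing_flag": "off", "modules_reply": SAMPLE_REPLY_WITH_TRACE},
    {"name": "lean-rpc", "rpc_interface": "0.0.0.0", "tracing_flag": "on", "modules_reply": SAMPLE_REPLY_NO_TRACE},
]

if __name__ == "__main__":
    print("request sent to each node:", build_rpc_request("rpc_modules", []))
    print("patch first:", triage(SAMPLE_INVENTORY))
```

Only `archive-1` is reported, because the other three each lack one leg of the condition; a node that is public but has no trace module, or traces privately on `local`, still gets the update, just later. Note that a node bound to `local` behind a reverse proxy is effectively public, so the interface check is a first pass and not a substitute for knowing what actually fronts the port.
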
Parity was susceptible to a similar attack vector back in February. That vulnerability impacted the software's entire user base, not just a specific subset.

Low likelihood of attack

At the same time, this tracing module on Parity is a highly detailed, developer-oriented module which Bigelow suspects only a small fraction of Parity users have actually enabled.

What’s more, while RPC calls do exist on other ethereum clients, such as Geth, it is highly unlikely for the same kind of vulnerability to be exploited on other software, because RPC implementations differ across ethereum software clients.

“The RPC interfaces of ethereum clients are not standardized and each client has additional calls for their specific features,” said a Parity Technologies spokesperson. “So it's unlikely they have a similar bug for their analogous call.”

Whatever the probability of attack, Parity Technologies encourages all its users to upgrade immediately, saying in their blog post:

"By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend everyone running Parity Ethereum nodes to update to this latest version."

[Image: Parity Technologies founder Gavin Wood, via CoinDesk archives]
