Developers Debate Disclosure Protocols After ‘Accidental’ Ethereum Hard Fork

Ethereum’s largest client Geth hard-forked after a bug was tripped Wednesday. Developers are now weighing the merits of security disclosures methods.

AccessTimeIconNov 13, 2020 at 5:52 p.m. UTC
Updated Aug 19, 2021 at 5:37 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Ethereum developers are weighing changes to publicly disclosing critical bugs following the Nov. 11 "accidental hard fork." 

According to a technical write-up published by Geth – the largest Ethereum client written in the Go language – a denial-of-service (DoS) attack vector was intentionally triggered by a downstream user as a test, resulting in a 30-block minority chain.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • Geth had fixed the bug in early October following a disclosure, but it still existed in prior versions of Geth. The bug temporarily caused nodes that had not updated to the correct version of Geth to go down a different path than other clients.

    Now, developers are reordering the disclosure process for security vulnerabilities in the aftermath of what some developers have called the biggest threat against Ethereum since 2016’s attack on The DAO. 

    That question comes with baggage. A common ethos in open-source software (OSS) such as Ethereum is that vendors are tasked “to notify those affected by vulnerabilities in a timely manner,” Summa founder James Prestwich told CoinDesk in a message. In other words, Geth has a responsibility to give dependent users a heads-up on possible complications, he said.

    'Disclosure is a complex topic'

    Yet, blockchains, at their very core, are financial settlement mechanisms. The traditional methods of disclosing bugs in OSS can lead to undesirable outcomes for other players with money on the line.

    In Friday’s All Core Developers’ call, Ethereum developer Micah Zoltu and Geth team leader Peter Szilágyi both disagreed with the issuance of a notification list for critical vulnerabilities. Zoltu claimed such a list would create an uneven playing field for projects, while Szilágyi said that every bug disclosure creates a weak point in Ethereum’s infrastructure. 

    For example, disclosing the bug early to service provider Infura – which most of decentralized finance (DeFi) uses to connect to the Ethereum blockchain – would be an unfair advantage against its competitors. Moreover, the consequences for the larger ecosystem could be severe if privileged information from the list leaked to adversarial parties.

    Given the option again, Szilágyi said he would go about the recent disclosure in the same manner – meaning, keeping the consensus bug under wraps (although he said at one point during the call they should have let users know a past version of Geth held a vulnerability). Geth has done so for other consensus vulnerabilities, he said.

    “Disclosure is a complex topic and user safety is paramount,” Prestwich concluded.

    Update (November 13 21:00 UTC): A prior version of this article incorrectly stated that 80% of the network went down the wrong chain. Only nodes that had not updated to the correct Geth version joined the minority chain.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.