Ethereum developers are weighing changes to publicly disclosing critical bugs following the Nov. 11 "accidental hard fork."
According to a technical write-up published by Geth – the largest Ethereum client written in the Go language – a denial-of-service (DoS) attack vector was intentionally triggered by a downstream user as a test, resulting in a 30-block minority chain.
Geth had fixed the bug in early October following a disclosure, but it still existed in prior versions of Geth. The bug temporarily caused nodes that had not updated to the correct version of Geth to go down a different path than other clients.
Now, developers are reordering the disclosure process for security vulnerabilities in the aftermath of what some developers have called the biggest threat against Ethereum since 2016’s attack on The DAO.
That question comes with baggage. A common ethos in open-source software (OSS) such as Ethereum is that vendors are tasked “to notify those affected by vulnerabilities in a timely manner,” Summa founder James Prestwich told CoinDesk in a message. In other words, Geth has a responsibility to give dependent users a heads-up on possible complications, he said.
'Disclosure is a complex topic'
Yet, blockchains, at their very core, are financial settlement mechanisms. The traditional methods of disclosing bugs in OSS can lead to undesirable outcomes for other players with money on the line.
In Friday’s All Core Developers’ call, Ethereum developer Micah Zoltu and Geth team leader Peter Szilágyi both disagreed with the issuance of a notification list for critical vulnerabilities. Zoltu claimed such a list would create an uneven playing field for projects, while Szilágyi said that every bug disclosure creates a weak point in Ethereum’s infrastructure.
For example, disclosing the bug early to service provider Infura – which most of decentralized finance (DeFi) uses to connect to the Ethereum blockchain – would be an unfair advantage against its competitors. Moreover, the consequences for the larger ecosystem could be severe if privileged information from the list leaked to adversarial parties.
Given the option again, Szilágyi said he would go about the recent disclosure in the same manner – meaning, keeping the consensus bug under wraps (although he said at one point during the call they should have let users know a past version of Geth held a vulnerability). Geth has done so for other consensus vulnerabilities, he said.
“Disclosure is a complex topic and user safety is paramount,” Prestwich concluded.
Update (November 13 21:00 UTC): A prior version of this article incorrectly stated that 80% of the network went down the wrong chain. Only nodes that had not updated to the correct Geth version joined the minority chain.