The whole Ethereum network could be facing the threat of a 51% attack because some clients remain unpatched, according to a recent report from the Berlin-based hacking research collective and consulting think tank Security Research Labs. A full third of Ethereum Parity nodes had still not applied a critical security patch a month after it was published.
Controlling more than half the computational power on a network, also known as a 51% attack, means that a malicious actor can override the decisions made by the other participants of the network, which enables them to double spend funds, among other concerns. Nodes that access the Ethereum network through the Parity software client and have not yet updated can be remotely crashed due to a bug in the client, the think tank claims. According to Security Research Labs, since a patch was released for this bug, only two thirds of all Parity nodes have been updated.
“One month after this alert [made in February 2019], we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes, making up 15% of all scanned nodes, remained unpatched and thus vulnerable to the mentioned attack. Another patch that was released on Mar 2, 2019 reached around 70% of Parity Ethereum nodes, still leaving another 30% outdated,” they report.
The report goes on to add that “more reliable update mechanisms are needed,” for which they propose an automated update feature - something Parity does have, but “it suffers from high complexity and some updates are left out.” With Parity's default settings, the client only downloads patches that it considers critical, and the threshold for what counts as critical appears to be set too low.
Parity is not the only client with this problem. Geth, another popular choice of Ethereum client, has no such automated update mechanism by design, which brings problems for its users too: “According to their announced headers, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two months before our measurement.”
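The measurement the report describes, classifying nodes by the client version they announce against a known security-critical minimum, can be reproduced on a list of announced headers. The following is an added example, not code from the report or from either client; the Geth minimum v1.8.20 comes from the report, while the Parity minimum and the sample headers are constructed placeholders.

```python
import re

# Client identifier as announced in the Ethereum p2p handshake, e.g.
# "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.4".
CLIENT_RE = re.compile(r"^(?P<client>[A-Za-z-]+)/v(?P<ver>\d+\.\d+\.\d+)")

# Minimum versions treated as patched. Geth v1.8.20 is the security-critical
# release named in the report; the Parity-Ethereum value is an ASSUMED placeholder.
MIN_PATCHED = {
    "Geth": (1, 8, 20),
    "Parity-Ethereum": (2, 2, 10),  # assumed placeholder, not from the report
}

def parse_client(header):
    """Return (client_name, version_tuple), or None if the header is unparseable."""
    m = CLIENT_RE.match(header)
    if not m:
        return None
    return m.group("client"), tuple(int(x) for x in m.group("ver").split("."))

def is_patched(header):
    """True if the announced version meets the minimum for its client.
    Unknown clients and unparseable headers count as unpatched (conservative).
    Versions compare as integer tuples, so 1.10.0 correctly ranks above 1.8.20."""
    parsed = parse_client(header)
    if parsed is None:
        return False
    client, ver = parsed
    minimum = MIN_PATCHED.get(client)
    return minimum is not None and ver >= minimum

def patch_status(headers):
    """Tally patched and unpatched nodes per client name ("unknown" if unparseable)."""
    stats = {}
    for h in headers:
        parsed = parse_client(h)
        client = parsed[0] if parsed else "unknown"
        bucket = stats.setdefault(client, {"patched": 0, "unpatched": 0})
        bucket["patched" if is_patched(h) else "unpatched"] += 1
    return stats

# Constructed sample of announced headers (not real measurement data).
SAMPLE_HEADERS = [
    "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.4",
    "Geth/v1.8.19-stable-dae82f09/linux-amd64/go1.11.2",
    "Geth/v1.8.21-stable/windows-amd64/go1.11.4",
    "Parity-Ethereum/v2.2.11-stable-abcdef0-20190210/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.9-stable-0123456-20190115/x86_64-linux-gnu/rustc1.31.1",
    "garbage-header",
]

if __name__ == "__main__":
    for client, counts in patch_status(SAMPLE_HEADERS).items():
        print(client, counts)
```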
Still, the report adds that not all nodes contribute the same amount of computing power, so the risks may be diminished, as “the computing power appears highly concentrated among a small number of nodes.” If these nodes are well-maintained, other participants have very little to worry about - but the risk is very much present and should not be underestimated.
This is not the first time the Ethereum network has faced serious risks. In December 2018, a number of Ethereum mining rigs were attacked through a port that was exposed when it shouldn’t have been, likely because miners had tinkered with it without being aware of the risks.
Also, ISE, a security consulting firm headquartered in Baltimore, Maryland, said recently that they discovered 732 private keys as well as their corresponding public keys that committed 49,060 transactions to the Ethereum blockchain.