Cryptonews Ethereum News

Disclosed: Ethereum ‘Lived’ With a Major Threat for 18 Months

Community

Ethereum Ethereum Classic Security Transparency

Journalist

Sead Fadilpašić

Journalist

Sead Fadilpašić

About Author

Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served...

Author Profile

Last updated:

June 26, 2023

Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

Here’s what we knew: Ethereum (ETH) executed the Berlin hardfork last month. Here’s what we didn’t know: it came with a solution that lowered the risk of a major DoS attack, looming over the network for more than a year and a half.

According to the May 18 post written by Ethereum developer Péter Szilágyi and the Security Lead at the Ethereum Foundation Martin Holst Swende, the Foundation “officially disclose[d] a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.”

This vulnerability has been an “open secret” for a long time, they said, publicly disclosed by mistake at least once. As the Berlin upgrade is done, and Geth nodes are using snapshots by default, “we estimate that the threat is low enough that transparency trumps, and it’s time to make a full disclosure about the works behind the scenes,” said the report.

They added that it’s “important that the community is given a chance to understand the reasoning behind changes that negatively affect the user experience, such as raising gas costs and limiting refunds.”

The report shortly went into technical details, explaining that the Ethereum state consists of a patricia-merkle trie, and as new accounts are added to the network, new “leaves” form, so to say, with the trie becoming denser.

Furthermore, as the network grew, new Ethereum Improvement Proposals (EIPs) were introduced to increase the gas prices for operations that access the trie, and to protect against DoS attacks. One of these was EIP-1884, activated in December 2019, during the Istanbul upgrade.

But in October 2019, an exploit was ‘weaponized’ by Ethereum security researchers Hubert Ritzdorf, Matthias Egli, and Daniel Perez, and submitted to the Ethereum bug bounty program. It was then discovered that “the changes in EIP 1884 were definitely making an impact at reducing the effects of the attack, but it was nowhere near sufficient.”

Developers from Geth, Parity, and Aleth were informed about the submission that same day on a channel dedicated to cross-client security, said the report, adding that Ethereum Classic (ETC) developers also received the report. But Parity Ethereum soon left, and a new client coordination channel was created with Geth, Nethermind, OpenEthereum, and Besu.

“As 2019 were drawing to a close, we knew that we had larger problems than we had previously anticipated, where malicious transactions could lead to blocktimes in the minute-range.”

Additionally, developers were already unhappy about EIP-1884 which had made a certain contract-flows break, and “users and miners alike were sorely itching for raised block gas limits.”

There were two approaches to a solution:

trying to solve the problem at the protocol layer, preferably without breaking contracts and without penalizing ‘good’ behavior, but managing to prevent attacks;
solving it through software engineering, by changing the data models and structures within the clients.

On April 15 this year, after several rejected proposals, EIP-2929 and its companion EIP-2930 went live with the Berlin upgrade – which do not break any contract flows and which raised gas prices “only for things not already accessed” to prevent the attack.

It’s relevant to note that this isn’t the first time we’re seeing a threat disclosed a couple of years after it had been discovered, and developers argue it’s for a very good reason.

As reported, in September 2020, a research paper revealed that Bitcoin (BTC) had harbored a severe denial-of-service vulnerability – which was discovered and patched back in June 2018, without the public knowing for two years.

Per developers speaking to Cryptonews.com at the time, keeping software bugs a closely guarded secret – swiftly notifying only a few essential developers/code owners or maintainers via encrypted messages – at least until a fix is rolled out, is in the best interests of the network and its users.

At 11:47 UTC, ETH is trading at USD 2,683. It dropped 24% in 24 hours, 36% in a week, and 39% from its all-time high of USD 4,357 (per Coingecko).
____
Learn more:
– Why Ethereum is Far From ‘Ultrasound Money’
– Ethereum Won’t Hide From Quantum Computers Behind PoS Shield
– Proof-of-Disagreement: Bitcoin’s Work vs. Ethereum’s Planned Staking