Unpatched nodes pose security risk to Ethereum network, according to study

A new research has found that Ethereum’s most popular clients pose a security risk to the whole Ethereum network, because of known vulnerabilities that haven’t been patched, ZDNet has reported.

Patch Gap

The study, released by Security Research Labs, indicates that a significant amount of nodes using the Parity and Geth clients have yet to upgrade the software to versions that address vulnerabilities found months ago.

“In February 2019, we reported a vulnerability in the Parity Ethereum client that could be used to remotely crash any Parity Ethereum node prior to version 2.2.10,” Security Research Labs wrote, adding that according to data it had collected, only two thirds of Parity nodes had been patched.

“Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes,” Security Research Labs also said.

Using data from ethernodes.org, the security research firm found that one month after the alert, around 40% of all scanned Parity nodes were not patched at the time. Another patch released on March 2 reached 70% of nodes, SRLabs said. This data also showed that “7% of the Parity Ethereum nodes announce a version, which is vulnerable to a critical consensus vulnerability that was patched on July 5, 2018”.

Meanwhile, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two months before SRLabs made its measurement. The percentage of unpatched Geth nodes is higher, because the client lacks, seemingly by design, an auto update feature. However, while Parity has such a feature, it “suffers from high complexity and some updates are left out”.

Like other public blockchains, Ethereum relies on “high availability” to prevent double spending. However, if hackers take control over 51% or more of the computational power in the network, they can double spend crypto coins. Crashing a large number of nodes makes taking control over the network easier, SRLabs explains.

Centralisation

Another security issue stems from the fact that the vast amount of computational power is controlled by large mining pools, which “often share one node to communicate with the Ethereum network”. While “we can safely assume that those mining pools are very security aware and keep their nodes up-to-date”, this level of centralisation means that attackers would only need to crash a handful of nodes to break “the backbone of the Ethereum network”, SRLabs notes.

Featured image: kkssr / Shutterstock.com

More Resources

Dimitar Bogdanov: