The Ethereum blockchain, a decentralized peer-to-peer smart contract network, is reported to be less secure than assumed and vulnerable to a potential 51% attack, according to information shared by a security researcher. The network's decentralization rests on a group of miner-operated systems, called nodes, that verify and confirm transactions. A majority of these nodes run one of two popular Ethereum clients – Parity Ethereum (Parity) and Go-Ethereum (Geth).
Global hacking research collective Security Research Labs (SRLabs) has recently released a report claiming that as much as a third of the nodes running Parity and more than 40% of those running Geth are on outdated versions of their client. This means that these nodes have not installed security patches recently released by the respective client developers.
In the report, SRLabs cites a security vulnerability in the Parity client that it identified and reported earlier this year, in February. This particular vulnerability allowed a remote attacker to crash and take control of affected nodes, effectively taking them offline. “Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes,” the report details. However, not all miners have heeded the call several months after the release of the patch.
“According to our collected data, only two-thirds of nodes have been patched so far.”
Furthermore, Parity Technologies released a patch for another vulnerability on March 2nd this year, which SRLabs reports as many as 30% of the nodes have not installed. A further 7% of the nodes are still exposed to a vulnerability that was patched back in July 2018. SRLabs notes that Parity has an auto-update feature that should aid the upgrade process, but it “suffers from high complexity”, which largely leaves miners to update the software manually. Sadly, many do not.
In the case of Geth, the problem is more prevalent, since Geth does not offer an auto-update feature at all. According to the report,
“Around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update released two months before our measurement.”
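The measurement SRLabs describes amounts to comparing each node's advertised client version against the first patched release. The following is an added example, not code from the report or from either client project: it parses Geth-style client identifier strings (the "Geth/v1.8.19-stable-.../linux-amd64/go1.11.2" format) and counts how many fall below a minimum patched version. The sample identifiers are constructed, and only the Geth threshold (v1.8.20) comes from the page; no Parity threshold is assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Client identifiers look like "Geth/v1.8.19-stable-dae82f09/linux-amd64/go1.11.2";
# keep the client name and the numeric version, drop build tag and platform.
_CLIENT_RE = re.compile(r"^(?P<client>[^/]+)/v?(?P<ver>\d+\.\d+\.\d+)")

# Minimum patched version per client. Geth v1.8.20 is the release the report names;
# Parity is deliberately absent because the page gives no Parity version number.
MIN_PATCHED: Dict[str, Version] = {"Geth": (1, 8, 20)}

# Constructed sample of advertised client strings (not SRLabs' data).
SAMPLE_NODES: List[str] = [
    "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.2",
    "Geth/v1.8.23-stable-c9427004/linux-amd64/go1.11.5",
    "Geth/v1.8.19-stable-dae82f09/linux-amd64/go1.11.2",
    "Geth/v1.8.12-stable-37685930/windows-amd64/go1.10.3",
    "Geth/v1.9.0-unstable-a1b2c3d4/linux-amd64/go1.12",
    "Parity-Ethereum/v2.4.5-beta-01234567/x86_64-linux-gnu/rustc1.34.1",
    "not-a-client-id",
]


def parse_client_id(client_id: str) -> Optional[Tuple[str, Version]]:
    """Return (client name, (major, minor, patch)), or None if unparseable."""
    m = _CLIENT_RE.match(client_id)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group("ver").split("."))
    return m.group("client"), (major, minor, patch)


def outdated_counts(client_ids: List[str],
                    thresholds: Dict[str, Version]) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Per client with a known threshold: (nodes below threshold, nodes seen).
    Second value is the number of identifiers that could not be parsed."""
    counts: Dict[str, Tuple[int, int]] = {}
    unparsed = 0
    for cid in client_ids:
        parsed = parse_client_id(cid)
        if parsed is None:
            unparsed += 1
            continue
        name, ver = parsed
        if name not in thresholds:      # no known patched version: skip, don't guess
            continue
        below, seen = counts.get(name, (0, 0))
        # Tuple comparison gives numeric ordering, so (1, 9, 0) > (1, 8, 20).
        counts[name] = (below + (1 if ver < thresholds[name] else 0), seen + 1)
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = outdated_counts(SAMPLE_NODES, MIN_PATCHED)
    for name, (below, seen) in counts.items():
        print(f"{name}: {below}/{seen} nodes below {MIN_PATCHED[name]} ({100 * below / seen:.0f}%)")
    print(f"unparsed identifiers: {unparsed}")
```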
The report does not reveal how much hash power these vulnerable nodes contribute to the network. It is nonetheless reasonable to assume that at least 40% of Ethereum nodes could be vulnerable to an attack. If (and when) those nodes are attacked, it becomes easier for the attackers to commandeer at least 51% of the network hash rate, effectively taking over the network.
“Hence, software crashes are a serious security concern for blockchain nodes (unlike in other pieces of software where the hacker does not usually benefit from a crash),” the report advises.