The Ethreum project has released a hotfix to address a high-severity chain-split flaw in the “Geth” implementation of Ethereum protocol. This issue can cause corruption in blockchain applications, leading to network outages.
Developers of Go are being asked by Ethereum project maintainers to update their code to version 1.10.8, which fixes the chain-split vulnerability. The vulnerability (CVE-2021-39137) in the Geth open-source project can cause a “chain-split,” which would result in vulnerable instances rejecting accepting canonical chains.
The flaw in the Ethereum software was discovered by Guido Vranken, a security expert of blockchain security firm Sentnl. Until most developers have had the opportunity to update to the fixed version, the details on how to exploit the flaw have been withheld.
“The exact attack vector will be provided at a later date to give node operators and dependent downstream projects time to update their nodes and software,” said Péter Szilágyi, Ethereum’s team lead. “All Geth versions supporting the London hard fork are vulnerable (the bug is older than London), so all users should update.”
There are a number of known blockchain “chain-split” vulnerabilities, and they can cause server crashes and prevent cryptocurrency transactions.
Last year, services that rely on Ethereum’s network experienced an outage and withdrawal errors, which were caused by a vulnerable go-ethereum client.
Chain splits happen when two or more clients disagree whether a transaction is valid. This issue can result in the original blockchain being forked. If a chain-split occurs, the various blockchain services would suddenly show mismatched records, which could affect the integrity of the network.
“The probability after all that time for someone to accidentally trigger it is tiny,” explains R3 software engineer Dimos Raptis, who is involved in Corda blockchain development and who had analyzed Ethereum’s outage of last year.
However, the engineer does not rule out the possibility of malicious actors exploiting chain-split flaws.
“Opposed to that, the probability of someone maliciously triggering it if highlighted as a security issue is not insignificant,” warns the expert in his article.