Bitcoin Forum
Author Topic: The blockchain ecosystem has a patch problem  (Read 87 times)
vit05 (OP)
May 21, 2019, 02:36:39 AM
 #1


Security Research Labs:   
 
Many Ethereum nodes running popular clients like Parity and Geth take months to apply security patches, which may leave the network vulnerable to 51% attacks

https://srlabs.de/bites/blockchain_patch_gap/

SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.

Crypto currencies provide a popular alternative to centralized payment systems, and promise transactions between mutually anonymous parties, often called “trustless” transactions. More specifically, blockchain participants rely on a majority of participants taking rational actions, rather than having to rely on a single banking institution or government. However, the required rational actions seem to extend beyond what many blockchain users are willing to do. In particular, we found early evidence that blockchain participants do not sufficiently patch and hence carry known vulnerabilities.

A month after its release, a critical security patch has not reached a third of Parity Ethereum nodes.

Ethereum is a cryptocurrency realized through a peer-to-peer network. With a market capitalization in excess of USD 19 billion, Ethereum is a highly attractive target for hackers.

Each participant needs a software client to access the Ethereum network: The most common choices are Parity-Ethereum (Parity) and Go-Ethereum (Geth).

Ethereum relies on high availability to prevent double spending. A hacker who controls more than 51% of the computational power in the network can double spend coins, enriching the hacker and undermining the trust in the ecosystem. If a hacker can crash a large number of nodes, controlling 51% of the network becomes easier. Hence, software crashes are a serious security concern for blockchain nodes (unlike in other pieces of software where the hacker does not usually benefit from a crash).

For that reason, denial of service vulnerabilities have a particularly high severity in cryptocurrency networks; they can be used to massively reduce the amount of computational power needed to perform a 51% attack and double-spend. Ethereum has to rely on the node software to be very hard to crash remotely. However, creating perfect software is near impossible and bugs that allow for remote crashes appear from time to time in blockchain clients.

Unpatched Parity Ethereum nodes can be remotely crashed. In February 2019, we reported a vulnerability in the Parity Ethereum client that could be used to remotely crash any Parity Ethereum node prior to version 2.2.10. The crash is caused by an integer overflow during chain synchronization between two nodes, which can be remotely triggered. Since every node accepts such connection requests to stay synchronized with the main network, the vulnerability allows an attacker to crash any unpatched Parity node active in the Ethereum network.


This is quite serious. In early versions of Bitcoin there was a kind of alert, which could be emitted by Satoshi. Today, all blockchains are extremely dependent on scattered information. And many do not download the latest updated version.
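Added example, not part of the original post or the SRLabs article: one way a node operator could measure their own patch gap from recorded client ID strings, using the 2.2.10 threshold named above. The sample strings, the function names and the optional node-name segment in the ID format are assumptions made for illustration, and other Parity release tracks are not modelled.

```python
import re
from collections import Counter

# First fixed Parity release, as named in the post above.
PARITY_FIXED = (2, 2, 10)

# Constructed inventory of client ID strings (not data from the post).
SAMPLE_CLIENT_IDS = [
    "Parity-Ethereum//v2.2.9-stable-0000000-20190101/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum//v2.2.10-stable-0000000-20190101/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum//v2.1.3-stable-0000000-20181001/x86_64-linux-gnu/rustc1.29.0",
    "Parity-Ethereum/node-a/v2.2.11-stable-0000000-20190101/x86_64-linux-gnu/rustc1.31.1",
    "Geth/v1.8.23-stable-00000000/linux-amd64/go1.11.5",
    "unparseable-client-string",
]

# <client>/[optional operator-chosen name/]v<major>.<minor>.<patch>...
# The optional name segment is an assumed format.
VERSION_RE = re.compile(r"^(?P<client>[^/]+)/(?:[^/]*/)*?v(?P<ver>\d+\.\d+\.\d+)")


def parse_client_id(client_id):
    """Return (client_name_lowercase, (major, minor, patch)) or None."""
    m = VERSION_RE.match(client_id.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("client").lower(), version


def patch_gap(client_ids, client="parity-ethereum", fixed=PARITY_FIXED):
    """Classify each ID and return (counts, unpatched share of that client)."""
    counts = Counter()
    for cid in client_ids:
        parsed = parse_client_id(cid)
        if parsed is None:
            counts["unknown"] += 1       # cannot judge: review manually
        elif parsed[0] != client:
            counts["other_client"] += 1  # not affected by this advisory
        elif parsed[1] < fixed:          # numeric tuples: 2.2.9 < 2.2.10
            counts["unpatched"] += 1
        else:
            counts["patched"] += 1
    total = counts["unpatched"] + counts["patched"]
    share = counts["unpatched"] / total if total else 0.0
    return dict(counts), share


if __name__ == "__main__":
    print(patch_gap(SAMPLE_CLIENT_IDS))
```

Versions are compared as integer tuples because a plain string comparison would rank "2.2.9" above "2.2.10" and report a vulnerable node as patched.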
lyks15
May 21, 2019, 04:30:21 AM
 #2

I hope this will be fixed very soon because many of us are all affected. I think this is part of their maintenance fixing and I hope additional security features will be added to this site. Because according to the blog that I had read there is a 50% hacker who controls different accounts. Hope you have something to do about that problem.

rijaljun
May 21, 2019, 05:42:51 AM
 #3

Instead of just discovering this issue, is there any solution proposed to be implemented on the Ethereum system? I think Ethereum developers or researchers should not stay silent and do nothing; they must think about what the best option is to help this issue out. This is absolutely something serious to discuss and resolve.
