The purse for Ethereum Parity again discovered the vulnerability

Critical consensus bug was discovered in the test environment used Parity — one of the two most common purses for the second capitalization of the blockchain in the world.

In a blog entry published by the British company Parity Technologies, it is reported that an issue has been identified that is able to sync with devices that run the purse Parity. This could lead to devices that are running other software will not recognize transactions that have not been synchronized. Although the vulnerability was discovered in the test network, attackers can use it and in the core network.

So now Parity encourages all users to update their software and download a version with the patch. Public data show that the bug could affect about 30% of the network Ethereum — those who use software Parity. In particular, the ability to sync with the main network. But, according to the Parity, the problem was fixed before it reached the nodes in the core network Ethereum.

Nevertheless, users must be update wallets to eliminate the possibility of the spread of this vulnerability on the main network. On Twitter several companies, including mining pool Bitfly, stated that it had updated their clients to the new version (1.10.6-stable or 1.11.3-beta).

Later came the assumption that the vulnerability can affect any blackany that use software Parity, including users Ethereum Classic (ETC).

Information about the vulnerability has appeared at a time when Parity is already under scrutiny because of several similar security issues. In particular, in November last year error
in one of the wallets of the company led to the fact that 513 774 16 ETH or $311 million, in accordance with the current rate, were frozen and ceased to be available for their owners. Discussion on whether to return frozen funds continues
and to this day.

While Parity said
their commitment to improving the security process, writing: «We would like to let our mistakes become a catalyst for improving safety in Ethereum».

Three little lines of code

Wei Tang (Tang Wei), developed by Parity, which participated in the creation of the patch, said that the error is part of the code from the proposal EIP 86.

The main objective of the proposal EIP 86 was the addition of so-called «abstract of account» function that allows you to send transactions without the signature of the sender. A full update of the Ethereum to EIP 86 has been delayed due to its complexity, however, Wei explained that Parity is still implemented code, perhaps in connection with her role in the upcoming transition Ethereum on a new algorithm for consensus.

According to Wei, the team responsible for implementing updates to Parity, lost sight of three lines of code that led to the emergence of vulnerability.

«We missed the test conditions in our code, and it made full node Parity make the block containing an invalid transaction,» said Wei.

The test network Ropsten was discovered a few such transactions, and because of the incompatibility of transactions bloccano Ethereum, there was a fork between Parity and Geth.

In a press release, the head of security Parity Kirill Pimenov said that in the «worst case» of such a transaction would result in appearance of corrupted blocks in the network Ethereum, which «is still considered to be valid for the other affected nodes Parity». And with the support of a sufficient capacity of the hash, this vulnerability would lead to a fork in the blockchain.

«The reaction to this situation was proactive, we were able to prepare a fix before someone actually was able to use the error for their own purposes. As a result, we managed to prevent a fork of the network,» — said Pimenov in a press release.

Wei confirmed this and noted that the hotfix that was released just a few hours ago, it was simple. «We just added these three lines to our code,» said Wei. «But Yes, their lack could lead to serious problems. We will continue to test the code».

Добавить комментарий