Another critical bug surfaces for Ethereum client Parity

The team clarifies that the issue has been resolved and that users should upgrade to the patched versions.

Last night, Ethereum client Parity disclosed in a security alert that they have discovered another critical bug, this time in their consensus contract.

“Examining the issues with our nodes on Ropsten, we have found out that there is a potential consensus-related issue between Parity Ethereum (up to versions 1.10.4-stable and 1.11.1-beta) and all other Ethereum clients,” they wrote.

“In the worst case, submitting a certain malformed transaction (coming from a 0xfff…fff address) to a mining Parity Ethereum node could have caused that node to produce a malformed block, which would still be treated as valid by other affected Parity Ethereum nodes.”

They add that it could lead to a chain split if the affected nodes held a majority of the hashpower, but the split chain would dissolve otherwise.

“In case of such affected nodes providing a majority of hashpower on the net, this could have led to chain split. (If the majority of the hashpower wouldn’t be controlled by the affected nodes, the “correct” chain would still be longer at all times, and the bad block would just be discarded.)”

According to Coindesk, roughly 30% of the Ethereum network uses Parity, and that would have been the magnitude of the damage. But according to Parity’s post, the issue was fixed before any exploits could have been made, and they urge everyone to upgrade to their patched versions, 1.10.6-stable and 1.11.3-beta.

Parity has been the subject of conversation for quite some time now, and not for good reasons. Late last year, an accidental kill code caused some multi-signature wallets, mostly from corporate accounts, to be wiped of their code, leaving 513,000 ETH locked and inaccessible to their owners. Two months ago, Parity made it clear that they will not be instigating a fork to undo the mistake, and there is currently no definite solution for recovering the funds. Researchers classified this vulnerability as a greedy contract, and it is only one of 34,200 at-risk contracts they found on Ethereum early this year.

Last month, they announced that they are issuing newly developed smart contract procedures and maintenance guidelines, and that they have hired Kirill Pimenov as their head of security. The announcement came with a statement:

“We founded Parity Technologies with the aspiration to write the best and safest software we can. We’ve learned a lot from our past mistakes,” they wrote. “Having users affected by software bugs is an experience we would not wish on anyone. We would like for our bugs to be a catalyst for more secure Ethereum development.”
