Tech 5 March 2018

Cecille de Jesus

Ethereum fixes yet another vulnerability—eclipse attacks

Users are urged to upgrade to the patched version, Geth v1.8.1.

A team of researchers from Boston University and the University of Pittsburgh quietly disclosed a vulnerability they found on the Ethereum network during a bug bounty program launched by the network in January. In what is referred to as an eclipse attack, an attacker can “eclipse” a node’s view of the blockchain by monopolizing the target’s connections, and can then use the victim’s mining power to compromise the network’s consensus algorithm.

According to the research, the vulnerability stems from Ethereum’s deployment of the Kademlia peer-to-peer protocol.

“Our eclipse attacker monopolizes all of the victim’s incoming and outgoing connections, thus isolating the victim from the rest of its peers in the network. The attacker can then filter the victim’s view of the blockchain, or co-opt the victim’s computing power as part of more sophisticated attacks. We argue that these eclipse-attack vulnerabilities result from Ethereum’s adoption of the Kademlia peer-to-peer protocol, and present countermeasures that both harden the network against eclipse attacks and cause it to behave differently from the traditional Kademlia protocol,” the research stated.

Ethereum Foundation security lead Martin Holst Swende says, however, that users shouldn’t worry, since “an eclipse-attack is a targeted attack against a specific victim,” but that they should upgrade to the patched version as recommended by the researchers. “Upgrade to geth 1.8.1. Geth versions prior to 1.8 are vulnerable,” the researchers urged.

Eclipse attacks are not unique to Ethereum. Bitcoin itself is vulnerable to eclipse attacks, but mounting one there is far more difficult and far more expensive, as the same researchers showed in a study in 2015. In the Bitcoin network, attackers need a large number of IP addresses, whereas for Ethereum, they only need two hosts with a single IP address each. “That part surprised me a little bit,” says Sharon Goldberg, the Ph.D. candidate at Boston University who did the eclipse attack study on both Ethereum and Bitcoin.

Additionally, Bitcoin turned out to be more resilient to the attack because it employs an unpredictable mechanism in which nodes connect to each other at random. Ethereum, on the other hand, uses Kademlia, supposedly to make connections more efficient, but this also allowed attackers to generate an unlimited number of nodes even with a single IP address, and to get victims to connect to the attackers’ node IDs instead of legitimate ones.
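As an added illustration (not code from the article, the researchers or the Geth project), the sketch below audits a node's peer list for the pattern described above, several node IDs behind one IP address, and checks a version string against the patched release. The peer records are constructed in the shape of geth's admin_peers output, and the two thresholds are assumptions to tune per deployment.

```python
import json
from collections import defaultdict

PATCHED = (1, 8, 1)  # the article's advice: upgrade to Geth v1.8.1

# Constructed sample in the shape of geth's admin_peers result; the node IDs
# are shortened placeholders and the addresses are documentation ranges.
SAMPLE_PEERS = json.loads("""[
 {"id": "a1a1", "network": {"remoteAddress": "203.0.113.7:30303"}},
 {"id": "b2b2", "network": {"remoteAddress": "203.0.113.7:41002"}},
 {"id": "c3c3", "network": {"remoteAddress": "203.0.113.7:41977"}},
 {"id": "d4d4", "network": {"remoteAddress": "198.51.100.20:30303"}},
 {"id": "e5e5", "network": {"remoteAddress": "[2001:db8::5]:30303"}}
]""")

def is_patched(version):
    """True if a 'major.minor.patch[-suffix]' string is at least 1.8.1."""
    core = version.lstrip("v").split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts)) >= PATCHED

def remote_ip(address):
    """Drop the port from 'ip:port' or '[ipv6]:port'."""
    return address.rsplit(":", 1)[0].strip("[]")

def ids_per_ip(peers):
    """Map each remote IP to the set of node IDs connected from it."""
    groups = defaultdict(set)
    for peer in peers:
        groups[remote_ip(peer["network"]["remoteAddress"])].add(peer["id"])
    return groups

def eclipse_warnings(peers, max_ids_per_ip=1, max_share=0.5):
    """Return (ip, id_count, share) for IPs that present more node IDs than
    allowed or hold more than max_share of the peer slots (assumed limits)."""
    groups = ids_per_ip(peers)
    total = sum(len(ids) for ids in groups.values())
    warnings = []
    for ip, ids in sorted(groups.items()):
        share = len(ids) / total
        if len(ids) > max_ids_per_ip or share > max_share:
            warnings.append((ip, len(ids), round(share, 2)))
    return warnings

if __name__ == "__main__":
    print(is_patched("1.7.3-stable"), eclipse_warnings(SAMPLE_PEERS))
```

A warning here is a prompt to investigate rather than proof of an attack, since peers behind a shared NAT can legitimately appear under one address.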
