Tech | 9 months ago | Admin
Ethereum fixes yet another vulnerability—eclipse attacks
Users are urged to upgrade to the patched version, Geth v1.8.1.
A team of researchers from Boston University and the University of Pittsburgh quietly disclosed a vulnerability they found on the Ethereum network during a bug bounty program launched by the network in January. In what is referred to as an eclipse attack, an attacker can “eclipse” a node’s view of the blockchain by monopolizing a target’s connections, and using the victim’s mining power to compromise the network’s consensus algorithm.
According to the research, the vulnerability stems from Ethereum’s deployment of the Kademlia peer-to-peer protocol.
“Our eclipse attacker monopolizes all of the victim’s incoming and outgoing connections, thus isolating the victim from the rest of its peers in the network. The attacker can then filter the victim’s view of the blockchain, or co-opt the victim’s computing power as part of more sophisticated attacks. We argue that these eclipse-attack vulnerabilities result from Ethereum’s adoption of the Kademlia peer-to-peer protocol, and present countermeasures that both harden the network against eclipse attacks and cause it to behave differently from the traditional Kademlia protocol,” the research stated.
Ethereum Foundation security lead Martin Holst Swende says, however, that users shouldn’t worry, since “an eclipse-attack is a targeted attack against a specific victim,” but that users should upgrade to the patched version as recommended by the researchers. “Upgrade to geth 1.8.1. Geth versions prior to 1.8 are vulnerable,” the researchers urged.
Eclipse attacks are not unique to Ethereum. Bitcoin itself is vulnerable to eclipse attacks, but they are far more difficult and far more expensive to mount there, as the same researchers found in a 2015 study of the Bitcoin network. In the Bitcoin network, attackers need a large number of IP addresses, whereas for Ethereum they only need two hosts with a single IP address each. “That part surprised me a little bit,” says Sharon Goldberg, the Ph.D. candidate at Boston University who did the eclipse attack study on both Ethereum and Bitcoin.
Additionally, Bitcoin turned out to be more resilient to the attack because it employs an unpredictable mechanism in which nodes connect with each other at random. Ethereum, on the other hand, uses Kademlia, supposedly to make connections more efficient. Because Kademlia node IDs are not tied to IP addresses, this also allowed attackers to generate an unlimited number of node IDs from a single IP address and get victims to connect to those IDs instead of legitimate ones.
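As an added illustration, and not code from this article or from the geth project, the following toy Go model shows why a cap on table entries per /24 subnet is the kind of countermeasure that matters here: node IDs are free to generate, so without such a cap a single address can fill every slot of a peer table, while a cap (the value 2, the 16-slot table and the IP addresses are constructed for the demonstration) leaves the remaining slots for peers at distinct addresses.

```go
package main

import (
	"fmt"
	"net"
)

// PeerTable is a toy model of a discovery table: a fixed number of slots filled
// by node IDs learned from the network (geth's real table is bucketed by XOR
// distance; this illustration keeps one flat set and only counts entries).
type PeerTable struct {
	capacity, size, subnetLimit int            // subnetLimit 0 disables the /24 check
	perSubnet                   map[string]int // /24 prefix -> entries from it
}

func NewPeerTable(capacity, subnetLimit int) *PeerTable {
	return &PeerTable{capacity: capacity, subnetLimit: subnetLimit, perSubnet: map[string]int{}}
}

// subnetKey reduces an IPv4 address to its /24 prefix.
func subnetKey(ip net.IP) string { return ip.Mask(net.CIDRMask(24, 32)).String() }

// Add admits one more node ID unless the table is full or its /24 already holds
// subnetLimit entries. Node IDs cost nothing to mint, so only the IP-based cap
// bounds how much of the table a single host can occupy.
func (t *PeerTable) Add(ip net.IP) bool {
	key := subnetKey(ip)
	if t.size >= t.capacity || (t.subnetLimit > 0 && t.perSubnet[key] >= t.subnetLimit) {
		return false
	}
	t.size++
	t.perSubnet[key]++
	return true
}

// Simulate offers a 16-slot table 64 IDs from one constructed IP, then 16 IDs
// from distinct constructed IPs, and returns how many slots the single IP holds.
func Simulate(subnetLimit int) int {
	t := NewPeerTable(16, subnetLimit)
	single := net.ParseIP("203.0.113.7") // constructed TEST-NET-3 address
	for i := 0; i < 64; i++ {
		t.Add(single) // each call stands for a fresh node ID announced by the same host
	}
	for i := 0; i < 16; i++ {
		t.Add(net.IPv4(198, 51, 100, byte(i+1))) // constructed peers at distinct addresses
	}
	return t.perSubnet[subnetKey(single)]
}

func main() {
	fmt.Println("no cap:", Simulate(0), "of 16 slots") // 16
	fmt.Println("cap 2: ", Simulate(2), "of 16 slots") // 2
}
```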