杏吧原创

Ethereum closed a big security hole with its energy-saving update

At least one cryptocurrency based on the old version of Ethereum is still vulnerable to a software flaw that enables attackers to steal funds
Ethereum is the world鈥檚 second-largest cryptocurrency
Steve Heap/Shutterstock

Ethereum, the world鈥檚 second-largest cryptocurrency, slashed its energy use with a major change to how it works last year. Security experts say the update also unknowingly sidestepped a serious security flaw that could have allowed hackers to steal funds. However, at least one cryptocurrency that 鈥渇orked鈥 from Ethereum by copying its code is still at risk.

Ethereum used to rely on 鈥減roof of work鈥 to secure its network, as bitcoin still does, meaning that computers performed huge numbers of calculations to 鈥渕ine鈥 new currency and verify transactions. This process uses聽vast amounts of electricity. But in September 2022, Ethereum switched to a new technique called proof of stake. That switch 鈥 known as the Merge 鈥 reduced energy consumption by 99.99 per cent.

Massimiliano Taverna and at ETH Zurich in Switzerland and developed a working demonstration of an attack around the same time as the Merge. It concerns software called Go Ethereum, the most popular tool used to run Ethereum nodes. Running an Ethereum node allows a user to create transactions and broadcast them across the network without relying on a third party. Versions of the Go Ethereum tool have been adapted by Ethereum Classic and EthereumPoW, two cryptocurrencies based on the old Ethereum code that are still based on proof of work.

When a node first comes online, it must synchronise with the rest of the network, which involves downloading an up-to-date version of the blockchain. This is the record of who owns what and which transactions have been made.

The attack described by Taverna and Paterson has several parts. One involves tricking a node into downloading a fake version of the blockchain. Another part uses flaws in a random number generator to predict which parts of the chain will be verified by the node, which makes a fake chain look real with minimal investment. A final part allows a real blockchain to be rejected as fake.

Individually, each of these attacks would require massive amounts of hardware 鈥 tens of thousands of graphics processing units (GPUs), which would cost tens of millions of dollars. But if they are combined, the computing resources are greatly reduced, says Taverna. 鈥淭hese [combined] attacks bring down the complexity by four or five orders of magnitude, so you could have launched this combined attack against a node in Ethereum with just five GPUs, which you can buy for $1000,鈥 he says.

Developers at Ethereum Classic patched the vulnerability after Taverna and Paterson warned them of the problem, but the two experts say EthereumPoW, which has a total value of around $226 million, hasn鈥檛 been updated and is still vulnerable 鈥 something Taverna puts down to a lack of developer activity on the project. 鈥淲e tried to contact them multiple times, but they unfortunately didn鈥檛 reply to us,鈥 says Taverna. New 杏吧原创 was also unable to contact any EthereumPoW developers.

Developers at Go Ethereum didn鈥檛 respond to a request for interview, but ETC Cooperative, which oversees development of Ethereum Classic, that the research represented a 鈥渓egitimate vulnerability鈥 and confirmed that it had now been patched.

Zhong Yang Chan at CoinGecko, a cryptocurrency data provider, says any attack would need to be focused on individual users and couldn鈥檛 be used to indiscriminately hoover up cryptocurrency from the wider network, but that it would be cost-effective for attackers to target Ethereum forks that are still vulnerable.

Topics: cryptocurrency / security