The developers of Parity have fixed a critical vulnerability discovered in one of the most popular clients for the Ethereum blockchain, according to a post on the Parity Technologies blog.
“Please update your nodes as soon as possible and double check that you are using version 1.10.6-stable or 1.11.3-beta,” reads the blog.
According to the report, the bug caused the client to fall out of sync with the other members of the network and, as a consequence, users running other software were unable to receive transactions from those who had installed the Parity client. The vulnerability was found on a test network, but the fact that it could have been exploited on the main network is a cause for concern, especially considering that about 30% of Ethereum users run Parity.
However, according to Parity, the vulnerability was fixed before it could surface on the Ethereum “live blockchain”.
Several companies, including the mining pool Bitfly, have already announced that they have updated their client; however, it is believed that other blockchains whose nodes run Parity may still be affected, namely Ethereum Classic (ETC).
“It could destroy $ETC. My opinion — it takes less than 24 hours,” tweeted Cosmos developer Adrian Brink.
It is worth noting that Parity has for some time been under scrutiny over several similar incidents that raised security concerns. The most resonant was the situation in November of last year, when a bug in one of the company's wallets led to 513,774.16 ETH, or $313 million at the current exchange rate, being frozen and becoming inaccessible to their owners. While the debate over how to return the frozen funds to their owners continues, Parity declares its intention to focus on security issues.
“We will be glad if our bugs become the catalyst for the development of a safer Ethereum,” wrote representatives of the company.
As for the new vulnerability, according to Parity developer Wei Tang, who worked on the fix, it is related to code for Ethereum Improvement Proposal (EIP) 86.
EIP 86 was originally developed as part of a network upgrade, specifically to create so-called account “abstraction”, which allows transactions to be sent without the sender's signature. The full upgrade of Ethereum with EIP 86 was subsequently postponed due to its complexity, although, as the developer explained, the code had already been integrated by Parity, perhaps because of its relevance to the upcoming changes to the consensus mechanism.
As Wei Tang noted, the team responsible for implementing the solution in Parity overlooked three lines of code, which led to the bug.
“We missed a condition check in our code that resulted in the ability of full Parity nodes to accept a block containing invalid transactions,” the developer explained.
Several such transactions were discovered on the Ropsten test network, and because the transactions were incompatible with the main Ethereum client, they caused a fork between Parity and Geth, the most widely used Ethereum client, preferred by 60% of users.
According to Parity's head of security Kirill Pimenov, in the “worst case” such transactions could have resulted in invalid blocks on the main Ethereum network being treated as “valid” by nodes running affected Parity clients. Given “enough hash power”, Pimenov suggests, this could have led to a network split.
“The reaction to this situation was active, so we could prepare accordingly before anybody could really use the bug. As a result, we managed to prevent a split of the main network,” said Pimenov.
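The failure mode described above, a feature-gated consensus rule that one client applies without its gate while another client applies it correctly, is easy to reproduce in miniature. The following Rust example is added here for illustration; it is not Parity's code, and the page does not say what the missing condition actually was, so it assumes the condition is an activation-height check on an EIP-86-style rule that lets a block carry a transaction without a sender signature. The types `Tx`, `Block`, `ChainParams` and `Verdict`, the activation height and the sample block are all constructed for the example.

```rust
/// Constructed illustration, not Parity's code: a consensus rule whose
/// activation check is missing in one client and present in another.
/// The "unsigned transaction" rule stands in for the EIP-86-style account
/// abstraction the article describes; the real condition Parity missed is
/// not on the page, so an activation-height gate is assumed here.

#[derive(Debug, Clone)]
pub struct Tx {
    pub nonce: u64,
    /// Whether the transaction carries a valid sender signature
    /// (signature verification itself is assumed done elsewhere).
    pub signed: bool,
}

#[derive(Debug, Clone)]
pub struct Block {
    pub number: u64,
    pub txs: Vec<Tx>,
}

/// Hypothetical chain parameters: height at which signature-less
/// transactions become legal, or None if the feature is not scheduled.
#[derive(Debug, Clone, Copy)]
pub struct ChainParams {
    pub unsigned_tx_activation: Option<u64>,
}

impl ChainParams {
    pub fn unsigned_txs_allowed(&self, block_number: u64) -> bool {
        self.unsigned_tx_activation
            .map_or(false, |height| block_number >= height)
    }
}

/// Structural checks on a signature-less transaction under the assumed
/// rule (kept trivial; stands in for the feature's own validity rules).
fn unsigned_tx_well_formed(tx: &Tx) -> bool {
    tx.nonce == 0
}

/// Client A: the feature code path exists, but nothing consults the
/// activation height, so an unsigned transaction passes at any height.
pub fn block_valid_missing_check(_params: &ChainParams, block: &Block) -> bool {
    block.txs.iter().all(|tx| tx.signed || unsigned_tx_well_formed(tx))
}

/// Client B: the same path, gated by the condition that is missing above.
pub fn block_valid_with_check(params: &ChainParams, block: &Block) -> bool {
    block.txs.iter().all(|tx| {
        if tx.signed {
            return true;
        }
        // The added condition: unsigned transactions are only valid once
        // the rule is active at this block height.
        if !params.unsigned_txs_allowed(block.number) {
            return false;
        }
        unsigned_tx_well_formed(tx)
    })
}

/// Outcome of two clients judging the same block. A disagreement means
/// the clients build on different chains from here: a network split.
#[derive(Debug, PartialEq, Eq)]
pub struct Verdict {
    pub client_missing_check: bool,
    pub client_with_check: bool,
}

impl Verdict {
    pub fn splits_network(&self) -> bool {
        self.client_missing_check != self.client_with_check
    }
}

pub fn judge(params: &ChainParams, block: &Block) -> Verdict {
    Verdict {
        client_missing_check: block_valid_missing_check(params, block),
        client_with_check: block_valid_with_check(params, block),
    }
}

/// Constructed sample: one signed and one unsigned transaction in a block
/// on a chain where the feature is not scheduled at all.
pub fn sample_block_with_unsigned_tx() -> Block {
    Block {
        number: 100,
        txs: vec![Tx { nonce: 7, signed: true }, Tx { nonce: 0, signed: false }],
    }
}

pub fn mainnet_like_params() -> ChainParams {
    ChainParams { unsigned_tx_activation: None }
}

fn main() {
    let verdict = judge(&mainnet_like_params(), &sample_block_with_unsigned_tx());
    println!("{:?} -> splits network: {}", verdict, verdict.splits_network());
}
```

The point a defender takes from this is that the dangerous state is not the unsigned transaction itself but two validators disagreeing about it: the block is the same, the rule code is the same, and a single absent condition is enough to put the clients on different chains. A cross-client test that feeds one constructed block to both validators and asserts they agree is the kind of check that catches the missing gate before a block like that ever reaches a live network.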
Wei Tang agreed, noting that fixing the bug did not require much effort.
“We added these three lines with the missing condition check to our code. But yes, these three lines have serious consequences,” said Tang, adding that the code has been thoroughly tested by many developers.