London-based Parity Technologies has released updated software after patching a bug affecting the Ethereum client's consensus mechanics.
The Ethereum Parity client up to versions 1.10.5-stable and 1.11.2-beta were affected, resulting in a consensus mechanism vulnerability between Parity and other Ethereum clients, of which Geth is most prominent.
An official notice published today by Parity states that, under the right circumstances, the bug could have facilitated a culmination of hash power that might have "led to a chain split" of Ethereum. However, the issue was discovered while testing the 1.10.5-stable and 1.11.2-beta versions prior to their public release, and the latest updates eliminate the bug.
According to sources, when Parity introduced the special handling for Ethereum Improvement Proposal (EIP) 86, it missed a conditional check in one of the branches of a decision tree designed to validate transactions. This resulted in unsigned, nonvalid transactions made from certain addresses being regarded as valid transactions.
Consequently, when applicable transactions were submitted on the Ropsten testnet – most likely by accident while other system functionality was being tested – Ethereum Parity nodes treated those invalid transactions as legitimate and included their data in successive blocks.
Other Ethereum nodes, mostly running Geth, did not accept the blocks containing the invalid transaction data, effectively splitting Ethereum on Ropsten in two: one with invalid blocks maintained by Parity, and another maintained by the rest of Ethereum's clients. Apparently, the resulting bug went unnoticed in spite of several rounds of code review from testers both in and outside Parity.
While Parity noted the severity of this vulnerability as "critical," commonly accessible information suggests that it is unlikely that the client's nodes would have been able to corrupt the Ethereum network: To split Ethereum, 51 percent of nodes need to validate an invalid block, but Parity only operates on roughly one-third of Ethereum nodes.
A patch for the vulnerability was created and the ecosystem was notified of upgraded software, versions 1.10.6-stable and 1.11.3-beta, before most had even become aware of the vulnerability. (Parity's three-line patch can be found here.)
Parity head of security, Kirill Pimenov, told ETHNews:
"We are thankful to have noticed the issue on Ropsten quickly and [to] get back to the root problem in short order. Reacting this swiftly would not have been possible without support from the wider community of security researchers in Ethereum that we are constantly communicating with – they were of incredible help all the way through."