Author: Sophia Brown
Mist leaks some low level APIs, which Dapps could use to gain access to the computer’s file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks. Affected configurations: All versions of Mist from 0.8.6 and lower. This vulnerability doesn’t affect the Ethereum Wallet since it can’t load external DApps. Likelihood: Medium Severity: High Summary Some Mist API methods were exposed, making it possible for malicious webpages to gain access to a privileged interface that could delete…
One of the important indicators of how much load the Ethereum blockchain can safely handle is how the uncle rate responds to the gas usage of a transaction. In all blockchains of the Satoshian proof-of-work variety, any block that is published has the risk of howbecoming a “stale”, ie. not being part of the main chain, because another miner published a competing block before the recently published block reached them, leading to a situation where there is a “race” between two blocks and so one of the two will necessarily be left behind. One important fact is that the more…
Summary: In some situations, variables can overwrite other variables in storage. Affected Solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-release versions) Detailed description: Storage variables that are smaller than 256 bits are packed together into the same 256 bit slot if they can fit. If a value larger than what is allowed by the type is assigned to the first variable, that value will overwrite the second variable. This means if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is…
This blog post provides an update on our findings following the discovery of the storage corruption bug last week. In summary, the bug was much less severe than we initially thought. The small number of affected contracts we found is either only exploitable by the owner, or the exploit can only cause a disruption in the user interface and not in the actual contract logic. All exploitable contracts/dapps we reviewed can be fixed without having to upgrade the contract itself. Of course, please still check your contracts to be safe. Following the discovery of the storage corruption bug in the Solidity compiler and the realization…
The Go Ethereum team is very proud to finally release Geth 1.5, which can almost be called a complete internal rewrite of the Go Ethereum (go-ethereum) codebase. We’ve packed a huge number of changes into this release, and simply listing them wouldn’t do them justice. Instead, we’ve decided to write them up in a more informal way, explaining not only what’s new, but also why it’s needed, and why it’s awesome! Go Ethereum website The go-ethereum project never really had a website. There was something auto-generated a long time ago by GitHub, but it couldn’t really be called a decent website as it…
The Ethereum network will be undergoing a hard fork at block number 2,675,000, which will likely occur between 15:00 and 16:00 UTC on Tuesday, November 22, 2016. A countdown timer can be seen at https://fork.codetract.io/. The Morden test network will be undergoing a hard fork at block number 1,885,000. As a user, what do I need to do? Download the latest version of your Ethereum client: What happens if I do not update my client? If you are using an Ethereum client that is not updated for the upcoming hard fork, your client will sync to the pre-fork blockchain once…
Testing a fork The Spurious Dragon hardfork is scheduled for the coming week; block 2675000 is likely to occur Tuesday evening (CET). The block number for the testnet “Morden” was scheduled at block 1885000. Performing the fork in the test network prior to performing it in the main network was an important measure taken in the testing process to ensure a smooth rollover into the post-fork state. The Morden fork occurred on Nov-20-2016, 06:12:20 +UTC, at block 1885000 as planned. A bit later, at block 1885074, there was a consensus issue between Geth and Parity. Morden replay protection The Morden…
Security Alert Affected configurations: Geth Severity: High Summary: An issue has been identified with Geth’s journaling mechanism. This caused a network fork at block #2686351 (Nov-24-2016 14:12:07 UTC). The new Geth release 1.5.3 fixes the journaling issue and repairs the fork. Details: Geth was failing to revert empty account deletions when the transaction causing the deletions of empty accounts ended with an an out-of-gas exception. An additional issue was found in Parity, where the Parity client incorrectly failed to revert empty account deletions in a more limited set of contexts involving out-of-gas calls to precompiled contracts; the new Geth behavior…
This week marks the completion of our fourth hard fork, Spurious Dragon, and the subsequent state clearing process, the final steps in the two-hard-fork solution to the recent Ethereum denial of service attacks that slowed down the network in September and October. Gas limits are in the process of being increased to 4 million as the network returns to normal, and will be increased further as additional optimizations to clients are finished to allow quicker reading of state data. In the midst of these events, we have seen great progress from the C++ and Go development teams, including improvements to Solidity tools and the…
The possibilities of zkSNARKs are impressive, you can verify the correctness of computations without having to execute them and you will not even learn what was executed – just that it was done correctly. Unfortunately, most explanations of zkSNARKs resort to hand-waving at some point and thus they remain something “magical”, suggesting that only the most enlightened actually understand how and why (and if?) they work. The reality is that zkSNARKs can be reduced to four simple techniques and this blog post aims to explain them. Anyone who can understand how the RSA cryptosystem works, should also get a pretty…