Ethereum Security Alert Issued, Ethereum Foundation Responds with “From Shanghai, With Love”

by Kent Weare, Sep 19, 2016

On September 18th, hours before the Ethereum Foundation's devcon 2 conference was due to start, a denial-of-service (DoS) security alert was posted on the Ethereum blog. The alert concerned a vulnerability in the Ethereum client that was triggered on the Ethereum blockchain in block 2283416, and it was rated as high in both likelihood and severity.

Ethereum is an open blockchain platform that lets people build decentralized applications, also known as DAPPs, on top of a distributed ledger. In a distributed ledger system, transactions are recorded on every node in the network, giving greater transparency than a closed system.

The bug caused version 1.4.11 of the Go-based Ethereum client, known as Geth, to fail with an out-of-memory error, so affected nodes stopped mining further blocks. Parity, an Ethereum client written in Rust, was not affected, and while Geth was down ether miners were encouraged to switch to the Parity client.

The offending smart contract transaction, which exposed the vulnerability, carried a payload containing the German message “Fahrt nach Hause”, roughly “go home”. Some reddit contributors felt the message was aimed at devcon 2 attendees. The following screenshot illustrates the behavior of the vulnerability: the client times out and then reports “fatal error: out of memory.”

Image source: http://pastebin.com/Q77E74G2 via https://www.reddit.com/user/DeviateFish_

Alex Van de Sande, a UX designer at the Ethereum Foundation and lead of the Mist Wallet team, tweeted the following image showing the devcon 2 media room being transformed into a “war room” where Ethereum Developers worked on fixing the bug.

The patch, called “From Shanghai, with love (1.4.12)”, was built, tested and made available on GitHub within hours. The timely response drew applause from many in the Ethereum community, including reddit user actuallymentor: “I think most non-devs don't get how extraordinary it is to have such a fast and committed response from devs. This is what sets Ethereum apart in my mind. Yes, it is open source, but it also has professional and committed visionaries behind it. Thanks for the love from Shanghai, we love you back.”

Once the issue was publicly announced, some exchanges, including Kraken, suspended ether funding, but service quickly resumed after the patch was issued. The price of ether dropped to $12.36 USD on September 18th but had recovered to more than $13 USD by September 19th. Once the bug had been fixed, Van de Sande proclaimed that “the total damage of the vulnerability was that devcon 2 presentations are running 30 min late.”

Devcon is the Ethereum Foundation's annual conference, which brings together its development team and community to discuss research, current issues and future plans. Key topics in this year's edition include scaling, state channels, storage and security.
