Developers of Ethereum, the world’s No. 2 digital currency by market cap, have finally put out a patch ending the nightmare that was the “Eclipse Attack”. This attack, described in a paper published on Thursday, allowed “any kid with a machine and a script” to exploit a security flaw that plagued the Ethereum platform and manipulate users’ access to the network.
In a new paper titled “Low-Resource Eclipse Attacks on Ethereum’s Peer-to-Peer Network,” Sharon Goldberg, an associate professor at Boston University; Ethan Heilman, a Ph.D. candidate at Boston University; and Yuval Marcus, a researcher at the University of Pittsburgh, describe two separate methods of attack.
Many researchers believed that the resources necessary for a successful eclipse attack against Ethereum would be considerably higher than for the Bitcoin attacks. The new eclipse attacks make Ethereum’s peer-to-peer network significantly less secure than that of Bitcoin, the researchers explained. The security flaws have luckily now been patched.
Like most cryptocurrencies, Ethereum uses a peer-to-peer mechanism that compiles input from individual users into an authoritative blockchain. These exploits work by preventing a cryptocurrency user from connecting to honest peers.
Attacker-controlled peers then feed the target a manipulated version of the blockchain the entire currency community relies on to reconcile transactions and enforce contractual obligations. Targets can thus be tricked into paying for a good or service more than once, and their computing power can be co-opted to manipulate algorithms that establish crucial user consensus. Because Ethereum supports “smart contracts” that automatically execute transactions when certain conditions in the blockchain are present, Ethereum eclipse attacks can also be used to interfere with those self-enforcing agreements.
“Given the increasing importance of Ethereum to the global blockchain ecosystem, we think it’s imperative that countermeasures preventing them be adopted as soon as possible,” the researchers wrote. “Ethereum node operators should immediately upgrade to geth v1.8.”
“Goldberg et al. have responsibly shared the paper with us prior to public release and have graciously been of assistance evaluating the patches to Geth,” Ethereum Foundation’s Holst Swende confirmed.