Ethereum Software Parity to Update After Critical Bug Detected

A critical bug was found in Parity's software within a testing environment and users are hurrying to update so it doesn't affect the mainnet.

Jun 6, 2018 at 2:03 p.m. UTC
Updated Sep 13, 2021 at 8:01 a.m. UTC

A critical consensus bug has been uncovered, on a test network, in one of the two principal client implementations that keep the world's second-largest blockchain running.

Revealed last night by UK-based Parity Technologies in a blog post, the issue caused nodes running the affected software to fall out of sync, meaning nodes running other client software would not recognize their transactions. While the vulnerability was found on a testnet, the worry is that it could be exploited on the mainnet as well.

As such, Parity is now urging all users to update their software to a newly patched version.

By one estimate, the bug could have impacted roughly 30 percent of the ethereum network, the share of nodes that use software issued by Parity to stay in sync with the wider network. But according to representatives of Parity, the issue was patched before it reached nodes operating the live ethereum blockchain.

Still, companies must update to the new software to remain safe from the vulnerability on the mainnet.

Speaking on Twitter, several companies, including mining pool Bitfly, have come forward to state they've updated their software to the newly secured iteration (1.10.6-stable or 1.11.3-beta).

As companies that operate on ethereum update their software to avoid the issue, it has also been suggested that the bug could affect other blockchains that run Parity software, including ethereum classic (ETC).

The news of the vulnerability comes at a time when Parity has been under increased scrutiny for several other security issues. Most notably, last November, a bug in one of the company's wallet offerings led to 513,774.16 ETH, or $311 million at current prices, being frozen and, in turn, inaccessible to its owners.

Discussion as to whether the frozen funds should be returned is ongoing, but in the interim, Parity has stated its commitment to a refined security process, writing:

"We would like for our bugs to be a catalyst for more secure ethereum development."

Three lines of code

Speaking to CoinDesk, Wei Tang, a Parity developer who assisted with yesterday's code patch, said that the bug is linked to a piece of code from ethereum improvement proposal (EIP) 86.

Originally planned for ethereum's upgrade last year, EIP 86 aimed to introduce what is called "account abstraction," which would allow transactions to be sent without a signature from the sender. The full ethereum upgrade to EIP 86 was postponed due to its complexity; however, Wei explained that Parity nevertheless implemented the code, possibly because of its role in ethereum's upcoming consensus switch.

According to Wei, the team in charge of implementing it within Parity's software had overlooked three lines of code that led to yesterday's consensus issue.

"We missed a conditional check in our code that caused full node Parity to accept a block containing invalid transactions," Wei told CoinDesk.

Several such transactions were discovered on the Ropsten test network yesterday, and because they were incompatible with the rules enforced by the rest of the ethereum network, they caused a fork between Parity clients and Geth clients (Geth being the largest ethereum client, accounting for 60 percent of users).
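To make the failure mode concrete, here is an added illustration written in Rust, Parity's implementation language; it is not Parity's code and does not reproduce the actual patch. It models the bug, as an assumption, as a feature gate around signatureless transactions that one of two otherwise identical nodes omits, and shows that the first block exercising the gap is accepted by one node and rejected by the other, so their chain heads diverge. The toy signature check, the FNV block hash, and the `ChainSpec` / `eip86_transition` names are constructs of this example, not client code.

```rust
// Added illustration, not Parity code: two simplified nodes apply the same
// transaction rules except that one omits a conditional check. The first
// block exercising that gap is accepted by one and rejected by the other,
// so their chain heads diverge: a consensus fork.

struct Tx {
    sender: u8,
    // None models a transaction with no sender signature, which the article
    // says EIP 86 would permit. Modelling the bug as a missing activation
    // check around such transactions is an assumption of this example.
    signature: Option<u8>,
}

struct Block {
    number: u64,
    parent: u64,
    txs: Vec<Tx>,
}

/// Toy chain spec: block number at which the hypothetical signatureless-tx
/// rule activates on this chain (None = never).
#[derive(Clone, Copy)]
struct ChainSpec {
    eip86_transition: Option<u64>,
}

/// Transaction rules. `gated` keeps the conditional check; `!gated` reproduces
/// the omission: a signatureless tx passes regardless of activation.
fn tx_valid(gated: bool, spec: &ChainSpec, block_number: u64, tx: &Tx) -> bool {
    match tx.signature {
        // Toy signature check; real clients recover the sender via ECDSA.
        Some(sig) => sig == tx.sender,
        None if gated => spec.eip86_transition.map_or(false, |t| block_number >= t),
        None => true, // the missing conditional check
    }
}

/// Deterministic toy block hash (FNV-1a over the block's fields).
fn block_hash(b: &Block) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    let mut feed = |byte: u8| {
        h ^= byte as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    };
    let (num, par) = (b.number.to_le_bytes(), b.parent.to_le_bytes());
    num.iter().chain(par.iter()).for_each(|byte| feed(*byte));
    for tx in &b.txs {
        feed(tx.sender);
        feed(tx.signature.is_some() as u8);
        feed(tx.signature.unwrap_or(0));
    }
    h
}

/// A node: whether it keeps the check, its chain spec, and imported hashes.
struct Node {
    gated: bool,
    spec: ChainSpec,
    chain: Vec<u64>, // genesis hash 0 first
}

impl Node {
    fn new(gated: bool, spec: ChainSpec) -> Self {
        Node { gated, spec, chain: vec![0] }
    }
    fn head(&self) -> u64 {
        *self.chain.last().expect("chain always has genesis")
    }
    /// Import a block extending our head; every tx must pass our rules.
    fn import(&mut self, block: &Block) -> bool {
        if block.parent != self.head() || block.number as usize != self.chain.len() {
            return false;
        }
        if !block.txs.iter().all(|tx| tx_valid(self.gated, &self.spec, block.number, tx)) {
            return false;
        }
        self.chain.push(block_hash(block));
        true
    }
}

/// Feed identical blocks to a gated and an ungated node. Returns whether each
/// accepted the block carrying a signatureless tx, and whether heads agree.
fn simulate(spec: ChainSpec) -> (bool, bool, bool) {
    let mut gated = Node::new(true, spec);
    let mut ungated = Node::new(false, spec);
    // Constructed sample blocks: block 1 is fully signed, block 2 is not.
    let b1 = Block { number: 1, parent: 0, txs: vec![Tx { sender: 7, signature: Some(7) }] };
    assert!(gated.import(&b1) && ungated.import(&b1));
    let b2 = Block { number: 2, parent: gated.head(), txs: vec![Tx { sender: 9, signature: None }] };
    let gated_ok = gated.import(&b2);
    let ungated_ok = ungated.import(&b2);
    (gated_ok, ungated_ok, gated.head() == ungated.head())
}

fn main() {
    let (g, u, agree) = simulate(ChainSpec { eip86_transition: None });
    println!("feature inactive: gated={} ungated={} heads agree={}", g, u, agree);
    let (g, u, agree) = simulate(ChainSpec { eip86_transition: Some(2) });
    println!("active from block 2: gated={} ungated={} heads agree={}", g, u, agree);
}
```

With the feature inactive, the ungated node imports block 2 while the gated node rejects it, and the two no longer share a head; with the activation block set to 2, both accept it and stay in sync. The single guard on the `None` arm is the distinction a missing conditional check erases, and on a live network the split only becomes visible once a block containing such a transaction is mined.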

Speaking in a press release, Kirill Pimenov, head of security at Parity, said that in the "worst case" such transactions would have resulted in corrupted blocks on the ethereum mainnet that "would still be treated as valid by other affected Parity ethereum nodes."

Given sufficient hashpower, such an exploit would result in a blockchain split, Pimenov continued.

"The response to this situation was proactive, meaning we were able to prepare a fix before anyone was actually able to exploit the bug. As a result, we have managed to avert a mainnet split," Pimenov stated in the press release.

Wei echoed this, saying the fix, which was released mere hours ago, was simple.

"We added those three lines of the missing conditional check in our code," Wei told CoinDesk, adding:

"But yeah, these three lines have a severe effect. We've also got many eyes to review the code during the process."

Red emergency button image via Shutterstock
