Developers Debate Disclosure Protocols After ‘Accidental’ Ethereum Hard Fork

Ethereum’s largest client Geth hard-forked after a bug was tripped Wednesday. Developers are now weighing the merits of security disclosures methods.

AccessTimeIconNov 13, 2020 at 5:52 p.m. UTC
Updated Sep 14, 2021 at 10:30 a.m. UTC

Ethereum developers are weighing changes to publicly disclosing critical bugs following the Nov. 11 "accidental hard fork." 

According to a technical write-up published by Geth – the largest Ethereum client written in the Go language – a denial-of-service (DoS) attack vector was intentionally triggered by a downstream user as a test, resulting in a 30-block minority chain.

Geth had fixed the bug in early October following a disclosure, but it still existed in prior versions of Geth. The bug temporarily caused nodes that had not updated to the correct version of Geth to go down a different path than other clients.

Now, developers are reordering the disclosure process for security vulnerabilities in the aftermath of what some developers have called the biggest threat against Ethereum since 2016’s attack on The DAO. 

That question comes with baggage. A common ethos in open-source software (OSS) such as Ethereum is that vendors are tasked “to notify those affected by vulnerabilities in a timely manner,” Summa founder James Prestwich told CoinDesk in a message. In other words, Geth has a responsibility to give dependent users a heads-up on possible complications, he said.

'Disclosure is a complex topic'

Yet, blockchains, at their very core, are financial settlement mechanisms. The traditional methods of disclosing bugs in OSS can lead to undesirable outcomes for other players with money on the line.

In Friday’s All Core Developers’ call, Ethereum developer Micah Zoltu and Geth team leader Peter Szilágyi both disagreed with the issuance of a notification list for critical vulnerabilities. Zoltu claimed such a list would create an uneven playing field for projects, while Szilágyi said that every bug disclosure creates a weak point in Ethereum’s infrastructure. 

For example, disclosing the bug early to service provider Infura – which most of decentralized finance (DeFi) uses to connect to the Ethereum blockchain – would be an unfair advantage against its competitors. Moreover, the consequences for the larger ecosystem could be severe if privileged information from the list leaked to adversarial parties.

Given the option again, Szilágyi said he would go about the recent disclosure in the same manner – meaning, keeping the consensus bug under wraps (although he said at one point during the call they should have let users know a past version of Geth held a vulnerability). Geth has done so for other consensus vulnerabilities, he said.

“Disclosure is a complex topic and user safety is paramount,” Prestwich concluded.

Update (November 13 21:00 UTC): A prior version of this article incorrectly stated that 80% of the network went down the wrong chain. Only nodes that had not updated to the correct Geth version joined the minority chain.

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.


Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.