Maintainers of the Ethereum network have issued an update for the network’s underlying codebase that fixes flaws described in a research paper released this week.
The researcher paper —authored by researchers from Boston University and University of Pittsburgh— describes a vulnerability named an “eclipse attack.”
Eclipse attacks are network-level attacks carried out by other nodes by hoarding and monopolizing the victim’s peer-to-peer connection slots, keeping the node in an isolated network.
These type of attacks are meant to isolate nodes by keeping up-to-date blockchain information from reaching the eclipsed node. The Bitcoin network was, too, vulnerable to eclipse attacks.
Two bad nodes are enough for an eclipse attack on Ethereum
Now, academics have discovered that Ethereum, the network of nodes that’s the backbone of the Ether cryptocurrency and the myriad of smart contracts that support many other digital currencies and ICOs, is also vulnerable to eclipse attacks.
But while carrying an eclipse attack against nodes of the Bitcoin network requires thousands of malicious nodes just to take out one victim’s node, an attacker only needs two malicious Ethereum nodes to isolate and affect another.
What can an eclipse attack do
A successful eclipse attack allows a malevolent party to “co-opt a victim’s mining power and use it to attack the blockchain’s consensus algorithm” or for “double spending and selfish mining.”
Furthermore, researchers explain that an eclipse attack can fool victims into viewing incorrect Ether transaction details and fool a seller into releasing products to an attacker for a transaction that has not yet completed.
Last but not least, an eclipse attack can also be aimed at Ethereum contracts by obscuring the eclipsed node’s view of the blockchain, hence delaying the node’s view of various parameters that may be used by the smart contract’s internal computations, resulting in an incorrect smart contract output that the attacker could take advantage of.
Fixed available for Ethereum nodes
The research team behind this paper didn’t just publish their findings out of the blue. They say they worked with the Ethereum Foundation to silently patch these issues.
Researchers say they recommended various countermeasures, and developers applied them in geth 1.8.0, the software that runs on Ethereum nodes, released two weeks ago.
The countermeasures don’t fully prevent eclipse attacks, but merely raise the number of malicious nodes needed to carry out such an attack from two to thousands.
More fine-grained details are available in “Low-Resource Eclipse Attacks on Ethereum’s Peer-to-Peer Network” by Marcus et al.