Ethereum just released an update for their Geth client, fixing a potentially disastrous and easy-to-exploit attack vector. The exploit was called Eclipse, and it was so easy to execute that even a relatively inexperienced hacker, a so-called “script kiddie,” could have pulled it off.
What is it?
Most cryptocurrencies, like Bitcoin and Ethereum, immediately connect a user to a number of other computers, “peers” in computing parlance, as they launch their wallet software. The user then downloads from these peers every new block that’s been added to the Blockchain since the last time they started their wallet.
Eclipse is an exploit that allows an attacker to substitute his own nodes for the nodes of peers. In other words, the user would immediately connect not to random peers on the network, but to the attacker’s own computers.
From the attacker’s nodes, the user’s software would download an inaccurate version of the Blockchain. Eclipse can be used to trick users into sending their funds to the attacker or to double pay for something. It can also be used to interfere with the operation of smart contracts.
In two instances, in 2015 and 2016, Bitcoin was found to be vulnerable to the Eclipse attack. However, because of the design of Bitcoin’s software, in both cases it would have taken a massive army of bots to execute the attack.
The scary thing about Ethereum’s vulnerability is that it could be executed by somebody with only a couple of computers. This suddenly put it within reach of anybody, even the kid in his parents’ basement.
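To make the resource argument concrete, here is an added example, written for this article and not taken from Geth or from the researchers' paper: a deliberately simplified peer table with a hypothetical admission rule that caps how many peers may share one IPv4 /24. It is not a description of what Geth v1.8.0 actually changed; it only illustrates the defender's point that, without a diversity rule, a handful of addresses from one network block is enough to occupy every peer slot, while a per-subnet cap forces an attacker to control many distinct network blocks. The `PeerTable` type, the `AttackerSlots` scenario and all addresses in it (the 192.0.2.0/24 documentation range for the attacker, 10.N.N.1 for honest peers) are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// PeerTable is a hypothetical, simplified peer table (not Geth's discovery
// code): at most MaxPeers entries, and at most MaxPerSubnet entries sharing
// one IPv4 /24. MaxPerSubnet == 0 disables the subnet cap entirely.
type PeerTable struct {
	MaxPeers     int
	MaxPerSubnet int
	peers        []string
	perSubnet    map[string]int
}

// NewPeerTable returns an empty table with the given limits.
func NewPeerTable(maxPeers, maxPerSubnet int) *PeerTable {
	return &PeerTable{MaxPeers: maxPeers, MaxPerSubnet: maxPerSubnet, perSubnet: map[string]int{}}
}

// SubnetKey maps an IPv4 address to its /24 prefix, e.g. "192.0.2.0/24".
func SubnetKey(ip string) (string, error) {
	parsed := net.ParseIP(ip).To4()
	if parsed == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return parsed.Mask(net.CIDRMask(24, 32)).String() + "/24", nil
}

// Admit applies the admission rule to one discovered peer address and
// reports whether the address was added to the table.
func (t *PeerTable) Admit(ip string) bool {
	if len(t.peers) >= t.MaxPeers {
		return false // table is full
	}
	key, err := SubnetKey(ip)
	if err != nil {
		return false // malformed address, never admitted
	}
	if t.MaxPerSubnet > 0 && t.perSubnet[key] >= t.MaxPerSubnet {
		return false // this /24 already holds its share of slots
	}
	t.peers = append(t.peers, ip)
	t.perSubnet[key]++
	return true
}

// CountInSubnet returns how many admitted peers fall into the given /24.
func (t *PeerTable) CountInSubnet(key string) int { return t.perSubnet[key] }

// Len returns the number of admitted peers.
func (t *PeerTable) Len() int { return len(t.peers) }

// AttackerSlots runs a constructed scenario: a low-resource attacker
// advertises 30 addresses from a single /24 (192.0.2.0/24, the TEST-NET-1
// documentation range) and, answering discovery first, is offered before
// 30 honest peers that each sit in a different /24 (constructed addresses
// 10.N.N.1). It returns how many slots of the table the attacker holds.
func AttackerSlots(maxPeers, maxPerSubnet int) int {
	var candidates []string
	for i := 1; i <= 30; i++ {
		candidates = append(candidates, fmt.Sprintf("192.0.2.%d", i))
	}
	for i := 1; i <= 30; i++ {
		candidates = append(candidates, fmt.Sprintf("10.%d.%d.1", i, i))
	}
	table := NewPeerTable(maxPeers, maxPerSubnet)
	for _, ip := range candidates {
		table.Admit(ip)
	}
	return table.CountInSubnet("192.0.2.0/24")
}

func main() {
	for _, limit := range []int{0, 2} {
		fmt.Printf("max peers per /24 = %d: attacker holds %d of 25 peer slots\n",
			limit, AttackerSlots(25, limit))
	}
}
```

With the cap disabled the attacker's single network block fills all 25 slots, which is the "couple of computers" situation; with a cap of two per /24 the same attacker is held to two slots and the honest, diverse peers fill the rest. The cap is only one of several diversity rules a real client would combine (for example, separate limits for inbound and outbound peers), but it shows why the cost of the attack rises from a few addresses to many independently routed ones.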
Researchers presented their findings to the Ethereum team in January, and the developers immediately began working on a fix. Ethereum developer Felix Lange wrote:
“We have done our best to mitigate the attacks within the limits of the protocol. The paper is concerned with 'low-resource' eclipse attacks. As far as we know, the bar has been raised high enough that eclipse attacks are not feasible without more substantial resources, with the patches that have been implemented in Geth v1.8.0.”