Ethereum Network Fixes Eclipse, Disastrous and Easy to Exploit Bug

Mon, 03/05/2018 - 06:36
David Dinkins
Eclipse would have allowed anybody to hack smart contracts or cause double spends, with very few resources required
Ethereum Network Fixes Eclipse, Disastrous and Easy to Exploit Bug
Cover image via U.Today

Ethereum just released an update for their Geth client, fixing a potentially disastrous and easy-to-exploit attack vector. The exploit was called Eclipse, and it was so easy to execute that even a relatively inexperienced hacker, a so-called “script kiddie, ” could have pulled it off.

What is it?

Most cryptocurrencies, like Bitcoin and Ethereum, immediately connect a user to a number of other computers, “peers” in computing parlance, as they launch their wallet software. The user then downloads from these peers every new block that’s been added to the Blockchain since the last time they started their wallet.

Eclipse is an exploit that allows an attacker to substitute his own nodes for the nodes of peers. In other words, the user would immediately connect not to random peers on the network, but to the attacker’s own computers.

From the attacker’s nodes, the user’s software would download an inaccurate version of the Blockchain. Eclipse can be used to trick users into sending their funds to the attacker or to double pay for something. It can also be used to interfere with the operation of smart contracts.

Bitcoin too?

In two instances, in 2015 and 2016, Bitcoin has been vulnerable to the Eclipse attack. However, because of the design of Bitcoin’s software, in both cases, it would have taken a massive army of bots to execute the attack.

The scary thing about Ethereum’s vulnerability is that it could be executed by somebody with only a couple of computers. This suddenly put it in range of anybody, even the kid in his parent’s basement.

The fix

Researchers presented their findings to the Ethereum team in January, and the developers immediately began working on a fix. Ethereum developer Felix Lange wrote:

"We have done our best to mitigate the attacks within the limits of the protocol. The paper is concerned with 'low-resource' eclipse attacks. As far as we know, the bar has been raised high enough that eclipse attacks are not feasible without more substantial resources, with the patches that have been implemented in Geth v1.8.0.”

About the author

David Dinkins is a freelance writer who holds a Master of Arts in history from Louisiana Tech University and has extensive teaching experience both at LSU – Shreveport and University of Phoenix. He got involved with cryptocurrency in early 2014 working as part of the Dash Core Team and have served in the role of writer/editor (mostly editor) during that time. He has edited a huge number of documents for the Core Team, including the Evolution whitepaper, the PrivateSend whitepaper, and many of Evan Duffield’s communications with the Dash Community.