According to Ethereum security experts Martin Holst Swende and Péter Szilágyi, the leading smart contract platform fixed a major security problem with the recent network upgrade, dubbed Berlin.
#Ethereum's DoS that never came to be.
For over a year, mainnet could have been brought down with a few thousand $. As we've left it in the past, it's time to shed some light on those troubled times. https://t.co/xbPgbyWpcp
— Go Ethereum (@go_ethereum) May 18, 2021
Berlin Hard Fork fixed a major Security Problem
In a blog post published by the Ethereum Foundation last week, the two seasoned developers disclosed a security flaw that had been discussed among Ethereum devs since March 2019.
According to the researchers, the problem was due to a specialized form of the Merkle tree data structure that describes a blockchain’s state. As the number of Ethereum accounts was steadily on the rise, lookups on the patricia-merkle trie [sic], as it is called on the Ethereum network, have become more computationally expensive.
This forced Ethereum to increase the gas price of operations that require these lookups with the Tangerine Whistle upgrade in October 2016, and once more with the Istanbul upgrade in December 2019. Despite the increase in gas prices, this problem could have made DoS attacks on the Ethereum network possible that would have increased the block time from its current average of 13 seconds into the minute range, at only minuscule cost to the attacker.
Open Secret finally disclosed after two Years
Despite being known since at least March 2019, this security problem has only been disclosed now for the sake of transparency. As the blog post concludes:
It’s important that the community is given a chance to understand the reasoning behind changes that negatively affect the user experience, such as raising gas costs and limiting refunds.
Although it is not unusual to keep security flaws out of public discussion while they still exist, the question arises why the Ethereum Foundation waited so long to go public with this issue. Even the two authors of the article acknowledged that this problem was an open secret within the Ethereum dev community and was mentioned in several ACD calls between developers and other Ethereum stakeholders.
According to the blog post, the issue has now been fixed with the Ethereum Berlin upgrade, since the network now relies on snapshots to prove that a user owns the funds necessary to issue a transaction, with a fixed complexity, rather than Merkle proofs, whose complexity increases logarithmically with the number of accounts. This makes the attack mentioned by Swende and Szilágyi economically inefficient. The caveat of this solution is that it doubles the storage space needed to run an Ethereum node from 25 GB to 50 GB.
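To make the complexity difference concrete, the following added example (not code from the blog post or from go-ethereum) counts node reads per account lookup in a simplified 16-ary trie and compares them with a flat key-to-value map standing in for a snapshot. The names `HexTrie`, `account_key` and `average_reads` are hypothetical, the accounts are constructed sample data, and the trie omits node hashing and path compression.

```python
import hashlib

def account_key(i):
    # Constructed sample data: hex SHA-256 of a counter, standing in for a hashed address.
    return hashlib.sha256(str(i).encode()).hexdigest()

class HexTrie:
    """Plain 16-ary trie; a simplified stand-in for the state trie (no node hashing)."""
    def __init__(self):
        self.root = {}

    def insert(self, key, value):
        node, depth = self.root, 0
        while True:
            child = node.get(key[depth])
            if child is None or (isinstance(child, tuple) and child[0] == key):
                node[key[depth]] = (key, value)      # new or updated leaf
                return
            if isinstance(child, tuple):             # collision: push old leaf one level down
                branch = {child[0][depth + 1]: child}
                node[key[depth]] = branch
                child = branch
            node, depth = child, depth + 1

    def lookup(self, key):
        """Return (value, node_reads); every branch or leaf touched counts as one read."""
        node, reads = self.root, 1                   # the root itself
        for nibble in key:
            child = node.get(nibble)
            if child is None:
                return None, reads
            reads += 1
            if isinstance(child, tuple):
                return (child[1] if child[0] == key else None), reads
            node = child
        return None, reads

def average_reads(n):
    """Build n accounts; return (avg trie reads per lookup, flat snapshot reads per lookup)."""
    trie, snapshot = HexTrie(), {}
    for i in range(n):
        trie.insert(account_key(i), i)
        snapshot[account_key(i)] = i                 # flat key -> value map
    total = 0
    for i in range(n):
        value, reads = trie.lookup(account_key(i))
        assert value == snapshot[account_key(i)]     # both structures agree on the data
        total += reads
    return total / n, 1                              # flat map: one read regardless of n

if __name__ == "__main__":
    for n in (100, 10_000, 100_000):
        print(n, average_reads(n))
```

In this model the average trie read count grows by roughly one for every 16-fold increase in accounts, while the flat map stays at a single read; on a real node each trie read can be a separate database access, which is what makes the per-lookup cost matter for gas pricing.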