The Go Ethereum (Geth) development team has fixed a high-severity security vulnerability in the most popular Ethereum software client.
Geth v1.10.8 is out, fixing a security vulnerability in all live versions of Geth. All Geth users need to update.
— Go Ethereum (@go_ethereum) August 24, 2021
Attack Vector to be disclosed at a later Date
According to Ethernodes.com, 75% of all nodes use Geth, making the Ethereum blockchain highly vulnerable to an attack. Geth users are encouraged to update their clients immediately to the new version 1.10.8, dubbed Hades Gamma.
According to an early security advisory post on GitHub, the security flaw could lead to a node outage. So far, Geth has not disclosed any details about the exploit that the update patches, underscoring the severity of the vulnerability. To cite the release notes of the patched version:
The exact attack vector will be provided at a later date to give node operators and dependent downstream projects time to update their nodes and software. All Geth versions supporting the London hard fork are vulnerable (the bug is older than London), so all users should update.
Geth credits Sentnl auditor Guido Vranken with finding the bug and forwarding it to the [email protected] email address.
Another Chain Split to be avoided
The Geth developer team has seemingly learned from the last time a bugfix was released in November 2020. Back then, the fix was applied silently, without notifying users to update their nodes.
Since nodes did not update their software client simultaneously, the update unintentionally led to a chain split, which caused several Ethereum infrastructure services to become desynchronized or unusable. Ironically, the fix was deliberately applied in silence to avoid such a chain split. Via Twitter, Geth developer Péter Szilágyi commented on the more transparent update procedure:
Last time we did a hotfix, people were angry that we didn’t announce it. This time we decided to try it differently. Let's see which works better.