The research subsidiary of BitMEX Crypto Exchange has announced the discovery of what it believes may be a vulnerability in the popular Ethereum client, Parity.
According to a statement by BitMEX Research on Wednesday, March 13th, the team made the discovery while analysing data sourced from Nodestats.org, a web-based tool it developed to monitor, aggregate and compare the statistics of Geth and Parity, two very popular Ethereum clients.
The team believes this potential bug in Parity could be exploited to launch a double-spend attack.
BitMEX Research, which developed Nodestats.org in conjunction with one of its partners, TokenAnalyst, said the tool was designed to harvest data every five seconds from the five Ethereum nodes it connects to, with the aim of providing “metrics related to the computational resources each Ethereum node requires.”
Design and Operation of Nodestats.org
Nodestats.org was designed with three objectives: to derive data sets from different Ethereum implementations so that their computational efficiency can be compared; to assess the resources required to run Ethereum node software and contrast the findings with those for other cryptocurrencies such as Bitcoin; and to analyse how quickly and efficiently nodes process blocks and, from that information, determine the transaction processing speed and strength of the Ethereum peer-to-peer network.
The tool analyses the performance of Geth and Parity in three different nodal configurations: archive node, fast node, and full node.
Every five seconds, Nodestats.org queries the five Ethereum nodes it is connected to, obtains its required data, and saves the data to a database.
BitMEX Research’s Report
In their analysis of the tool's operation at the time they filed their report, the BitMEX Research team observed that the Parity full-node machine had not yet synced with the Ethereum blockchain, despite having been started on March 1st. They found that the machine was lagging by about 450,000 blocks, and expected it to catch up in a few days.
They did not consider the slow initial sync much of a problem, since the node's sync speed is faster than the rate of growth of the Ethereum blockchain and it should therefore catch up. What worried them more is what they termed “data integrity issues”, which they explained thus:
“The Parity full node also sometimes reports that it is in sync… The highest block number seen on the network figure, sometimes falls in value as time progresses and has remained consistently well behind the actual chain tip… On occasion this potentially buggy figure fell towards the height of the verified chain… and our website incorrectly reports the node as in sync. This may be of concern to some Ethereum users, since the Parity full node has many connections to the network, therefore this may be a bug.”
The implication, they said, is that this could compromise the integrity of their website and of other nodes, leading to possible inaccuracies in their figures. More significantly, the discrepancy in sync status could give an attacker an opening.
In a possible scenario, an incoming smart contract execution may be accepted as verified, while the user’s node claims to be at the tip of the network chain. At this time, the Parity client may not be at the chain tip. An intruder may take advantage of this to trick the recipient into delivering a good or service: “The attacker would need to double spend at a height the vulnerable node wrongly thought was the chain tip, which could have a lower proof of work requirement than the main chain tip”.
This type of attack is unlikely to succeed, because it is not plausible that users would rely on the highest-seen-block figure. Nevertheless, the potential is there.
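A monitor can catch the data integrity issue described in the report by refusing to trust a node's own highest-seen figure and comparing it with independent nodes. The following is an added example, not code from BitMEX Research or Nodestats.org; the field names, the two-block tolerance and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int              # seconds since the capture started (5 s polling)
    verified: int       # height of the chain the node has verified
    highest_seen: int   # node's own "highest block seen on the network"
    reference_tip: int  # chain tip reported by independent, synced nodes

TOLERANCE = 2  # assumed: blocks of lag still counted as "in sync"

def naive_in_sync(s: Sample) -> bool:
    """Trusts the node's own highest-seen figure (the failure mode)."""
    return s.highest_seen - s.verified <= TOLERANCE

def checked_in_sync(s: Sample) -> bool:
    """Measures lag against the best tip known from any source."""
    return max(s.highest_seen, s.reference_tip) - s.verified <= TOLERANCE

def audit(samples):
    """Return (time, finding, size_in_blocks) for each integrity problem."""
    findings, peak = [], None
    for s in samples:
        # A network-wide highest block should never move backwards.
        if peak is not None and s.highest_seen < peak:
            findings.append((s.t, "highest_seen_regressed", peak - s.highest_seen))
        peak = s.highest_seen if peak is None else max(peak, s.highest_seen)
        # The node looks synced only because its own figure is too low.
        if naive_in_sync(s) and not checked_in_sync(s):
            findings.append((s.t, "false_in_sync", s.reference_tip - s.verified))
    return findings

# Constructed samples: a node about 450,000 blocks behind whose
# highest-seen figure falls towards its verified height.
SAMPLES = [
    Sample(0,  6_900_000, 7_100_000, 7_350_000),
    Sample(5,  6_900_040, 7_100_001, 7_350_000),
    Sample(10, 6_900_080, 6_950_000, 7_350_001),
    Sample(15, 6_900_120, 6_900_121, 7_350_001),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

A service that accepts payments would gate confirmation on `checked_in_sync` and alert on any `highest_seen_regressed` finding.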