Security Research Labs Report Shows Large Number of Parity and Geth Nodes on ETH are Poorly Updated
Security is one of the defining features of blockchain technology. Its many prospects and uses, coupled with the fact that the technology is difficult to alter, are driving factors for its increased adoption.
However, as with anything else, attackers will almost always find a way to circumvent security measures or exploit loopholes. To counter this, security checks are carried out constantly, with threats forecast and fixes released to prevent breaches.
Despite the known possibility of a threat, a recent report by Security Research Labs (SRLabs) has shown that as many as a third of Ethereum nodes running Parity have still not been patched, even though a security update has been released.
Specifically, SRLabs noted that the problem was a serious denial of service (DoS) vulnerability affecting the Ethereum Parity client. The flaw is grave enough that attackers able to remotely control 51% of the network could easily overpower it and cause many fatal errors.
Sometime in February, Parity released an official update and asked everyone running its software to download and install it quickly. However, the report states that “only two thirds of nodes have been patched so far.”
The report also shows further negligence: at least 30% of Parity nodes still have not applied another patch, released on 2 March. Furthermore, at least 7% of Parity nodes currently run a version of the software that is vulnerable to a flaw identified and patched in July 2018.
Sometime in March, BitMEX also found that its Ethereum Parity full node had a bug, although it noted that the chance of a serious breach through the bug was considerably low.
The report also shows negligence with Geth. It says that:
“According to their announced headers, around 44% of the Geth nodes visible at ethernodes.org were below version v.1.8.20, a security-critical update, released two months before our measurement.”
The report notes that these numbers are too large and could potentially be exploited, eventually breaching the entire network, because “breaking the backbone of the Ethereum network requires crashing only a handful of nodes.”
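The measurement quoted above works by reading each node's announced client identifier and comparing its version against a security-critical floor. The following Python script is an added example, not code from the SRLabs report or from the Geth or Parity projects: it parses constructed client identifier strings (the `Client/vX.Y.Z-tag/platform/toolchain` shape is assumed from public node listings), compares versions numerically against a minimum, and reports how many nodes of each client family fall below it. The Geth floor is the v1.8.20 threshold quoted from the report; the Parity floor is a placeholder for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample of announced client identifiers. The
# "<client>/v<major>.<minor>.<patch>-<tag>/<platform>/<toolchain>" shape is
# assumed from public node listings; the values are made up for this example.
SAMPLE_NODES: List[str] = [
    "Geth/v1.8.23-stable-c9427004/linux-amd64/go1.11.5",
    "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.2",
    "Geth/v1.8.17-stable-8bbe7207/linux-amd64/go1.11",
    "Geth/v1.8.2-stable/linux-amd64/go1.10",
    "Parity-Ethereum/v2.2.11-stable-e5e64e6-20190320/x86_64-linux-gnu/rustc1.33.0",
    "Parity-Ethereum/v2.3.8-beta-9a43a4c-20190320/x86_64-linux-gnu/rustc1.33.0",
    "Parity/v1.11.8-stable-c754a02-20180725/x86_64-linux-gnu/rustc1.27.2",
    "Nethermind/v1.0.0/linux/dotnet",
    "unknown",
]

# Older Parity releases announce themselves as "Parity", newer ones as
# "Parity-Ethereum"; both are treated as one client family here.
FAMILY_ALIASES = {"Parity-Ethereum": "Parity"}

# Minimum versions considered patched. The Geth floor is the v1.8.20
# threshold quoted from the report; the Parity floor is a placeholder
# chosen for this example, not a value from the page.
MINIMUM_VERSIONS: Dict[str, Version] = {
    "Geth": (1, 8, 20),
    "Parity": (2, 2, 0),  # placeholder
}

_CLIENT_RE = re.compile(
    r"^(?P<name>[^/]+)/v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
)


def parse_client(header: str) -> Optional[Tuple[str, Version]]:
    """Return (family, (major, minor, patch)) or None if the header is unparseable."""
    m = _CLIENT_RE.match(header)
    if not m:
        return None
    family = FAMILY_ALIASES.get(m.group("name"), m.group("name"))
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return family, version


def classify(header: str, minimums: Dict[str, Version] = MINIMUM_VERSIONS) -> str:
    """Classify a node as patched, outdated, not-assessed (no floor known) or unparsed.

    Versions are compared as integer tuples, so 1.8.2 correctly sorts below
    1.8.20; a naive string comparison would get that wrong.
    """
    parsed = parse_client(header)
    if parsed is None:
        return "unparsed"
    family, version = parsed
    floor = minimums.get(family)
    if floor is None:
        return "not-assessed"
    return "patched" if version >= floor else "outdated"


def summarize(headers: List[str], minimums: Dict[str, Version] = MINIMUM_VERSIONS) -> Dict[str, int]:
    """Count nodes per classification across a node list."""
    counts: Dict[str, int] = {}
    for h in headers:
        label = classify(h, minimums)
        counts[label] = counts.get(label, 0) + 1
    return counts


def outdated_share(headers: List[str], family: str,
                   minimums: Dict[str, Version] = MINIMUM_VERSIONS) -> float:
    """Fraction of one client family's nodes below its floor (0.0 if none seen)."""
    total = outdated = 0
    for h in headers:
        parsed = parse_client(h)
        if parsed is None or parsed[0] != family:
            continue
        total += 1
        if classify(h, minimums) == "outdated":
            outdated += 1
    return outdated / total if total else 0.0


if __name__ == "__main__":
    print(summarize(SAMPLE_NODES))
    for fam in MINIMUM_VERSIONS:
        print(f"{fam}: {outdated_share(SAMPLE_NODES, fam):.0%} of nodes below floor")
```

Running this over a real node list (for example a saved export of the identifiers a node listing site shows) gives the same kind of "share below floor" figure the report cites; the numeric tuple comparison matters because version strings such as 1.8.2 and 1.8.20 would otherwise compare incorrectly.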
According to the report, there is a certain unreliability to the update procedure on Parity. Even though it runs automatically, it is a highly complex process that’s almost entirely dependent on smart contracts on the blockchain.
Here, the data in the contracts must always be updated and all the data the contracts point to must be available at all times from all nodes. The specifics of configuration involved make this process very susceptible to errors and may ultimately be the reason why a large number of nodes aren’t being updated.
Geth, on the other hand, does not use an automatic update system, and this might also be a direct reason for the low number of properly updated nodes.
SRLabs notes that the best way to fix this problem is to improve the update processes, identifying the drawbacks and challenges faced by the nodes that may prevent the timely and proper installation of updates.