Posted on September 10th, 2015.
Summary: Implementation bug in the go client may lead to invalid state
Affected client versions: Latest (unpatched) versions of Go client; v1.1.2, v1.0.4 tags and develop, master branches before September 9.
Likelihood: Low
Severity: High
Impact: High
Details: Go ethereum client does not correctly restore state of execution environment when a transaction goes out-of-gas […]
Posted on September 3rd, 2015.
Implementation bug in the go client leads to steady increase of difficulty independent of hashing power. Affected configurations: All Go client versions v1.0.x, v1.1.x, release and develop branches. The bug was introduced in a recent update and release through commit https://github.com/ethereum/go-ethereum/commit/7324176f702a77fc331bf16a968d2eb4bccce021 which went into the affected client versions. All miners running earlier mentioned versions are […]
Posted on September 2nd, 2015.
State transition and consensus issue in geth client causes panic (crash) when processing a (valid) block with a specific combination of transactions, which may cause overall network instability if block is accepted and relayed by unaffected clients thus causing a DoS. This may happen in a block that contains transactions which suicide to the block […]
Posted on August 29th, 2015.
Insecurely configured Ethereum clients with no firewall and unlocked accounts can lead to funds being accessed remotely by attackers. Affected configurations: Issue reported for Geth, though all implementations incl. C++ and Python can in principle display this behavior if used insecurely; only for nodes which leave the JSON-RPC port open to an attacker (this precludes […]
Posted on August 20th, 2015.
This alert is related to a consensus issue that occurred on the Frontier network at block 116,522, mined on 2015-08-20 at 14:59:16+02:00 – Issue has been fixed, see “Fix” below.
Impact: High
Issue description: State database consensus issue in geth with deletion of account data, which could happen during SUICIDE instructions.
Affected implementations: All geth implementations […]
Posted on August 7th, 2015.
This affects users of the Alethzero GUI client on Windows. Users of the eth CLI client, or users not on the Windows platform, are unlikely to be affected but should take the action detailed below. Users of the Frontier command line interface geth are unaffected. Issue description: While setting privacy permissions on the keys directory, insufficient error handling can cause the […]
Posted on July 7th, 2015.
As I’m writing this, I’m sitting in the London office and pondering how to give you a good overview about the work we’ve been doing to secure Ethereum’s protocols, clients and p2p-network. As you might remember, I joined the Ethereum team at the end of last year to manage the security audit. As spring has […]
Posted on March 20th, 2015.
Hi, Jutta writing again – I initially introduced myself when we started the bounty program earlier this year and I’m happy to provide you with an update on what’s happening on the security side prior to and throughout launch. We have had some high quality submissions by bounty hunters – kudos for the creative exploits sent […]
Posted on December 18th, 2014.
Hi, I’m Jutta! As some of you might have read in earlier posts, I’ve recently been busy setting up a security audit prior to the Ethereum genesis block release. Ethereum will launch following a world-class review by experts in IT security, cryptography and blockchain technology. Prior to the launch, we will also complete a bug bounty […]