EF Blog

ETH top background starting image
ETH bottom background ending image
Skip to content


Security updates related to the Ethereum protocol, tooling infrastructure and applications.

March 21, 2024


Sepolia Incident
Sepolia Incident

by Marius van der Wijden, Toni Wahrstätter, Parithosh Jayanthi

This blog post discloses a threat against the Ethereum network that was present from the Merge up until the Dencun hard fork.

May 18, 2021


Dodging a bullet: Ethereum State Problems

by Martin Holst Swende & Peter Szilagyi

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.

November 12, 2020


Geth security release

January 15, 2019


Security Alert: Ethereum Constantinople Postponement

by Hudson Jameson

The Ethereum Core Developers and the Ethereum Security Community were made aware of the potential Constantinople-related issues identified by ChainSecurity on January 15, 2019. We are investigating any potential vulnerabilities and will follow with updates in this blog post and across social media channels. Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc...) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately

December 15, 2017


Security alert — Chromium vulnerability affecting Mist Browser Beta

by Everton Fraga

Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of "Ethereum Wallet" desktop app are not affected. Affected configurations: Mist Browser Beta v0.9.3 and below Likelihood: Medium Severity: High Malicious websites can potentially steal your private keys. As Ethereum Wallet desktop app does not qualify as a browser — it accesses only the local Wallet Dapp — it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead. Mist Browser's vision is to be a complete user-facing bridge to the ethereum blockchain

December 19, 2016


Security alert [12/19/2016]: Ethereum.org Forums Database Compromised

by Hudson Jameson

On December 16, we were made aware that someone had recently gained unauthorized access to a database from forum.ethereum.org. We immediately launched a thorough investigation to determine the origin, nature, and scope of this incident. Here is what we know: The information that was recently accessed is a database backup from April 2016 and contained information about 16.5k forum users. The leaked information includes Messages, both public and private IP-addresses Username and email addresses Profile information Hashed passwords ~13k bcrypt hashes (salted) ~1.5k Wordpress-hashes (salted) ~2k accounts without passwords (used federated login) The attacker self-disclosed that they are the same person/persons who recently hacked Bo Shen. The attacker used social engineering to gain access to a mobile phone number that allowed them

November 25, 2016


Security alert [11/24/2016]: Consensus bug in geth v1.4.19 and v1.5.2

by Vitalik Buterin

Security Alert Affected configurations: Geth Severity: High Summary:  An issue has been identified with Geth's journaling mechanism. This caused a network fork at block #2686351 (Nov-24-2016 14:12:07 UTC). The new Geth release 1.5.3 fixes the journaling issue and repairs the fork. Details: Geth was failing to revert empty account deletions when the transaction causing the deletions of empty accounts ended with an an out-of-gas exception. An additional issue was found in Parity, where the Parity client incorrectly failed to revert empty account deletions in a more limited set of contexts involving out-of-gas calls to precompiled contracts; the new Geth behavior matches Parity's, and empty accounts will cease to be a source of concern

November 1, 2016


Security Alert - Solidity - Variables can be overwritten in storage

by Christian Reitwiessner

Summary: In some situations, variables can overwrite other variables in storage. Affected Solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-release versions) Detailed description: Storage variables that are smaller than 256 bits are packed together into the same 256 bit slot if they can fit. If a value larger than what is allowed by the type is assigned to the first variable, that value will overwrite the second variable. This means if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is possible using arithmetics or by directly passing in a value from the call data (values in call data are aligned to 32 bytes, and padding is neither verified nor

Newer posts

Older posts

Subscribe to Protocol Announcements

Sign up to receive email notifications for protocol-related announcements, such as network upgrades, FAQs or security issues. You can opt-out of these at any time.