Security

With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.

The Ethereum Core Developers and the Ethereum Security Community were made aware of the potential Constantinople-related issues identified by ChainSecurity on January 15, 2019. We are investigating any potential vulnerabilities and will follow with updates in this blog post and across social media channels. Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc...) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately

Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta at this time. Users of "Ethereum Wallet" desktop app are not affected. Affected configurations: Mist Browser Beta v0.9.3 and below Likelihood: Medium Severity: High Malicious websites can potentially steal your private keys. As Ethereum Wallet desktop app does not qualify as a browser — it accesses only the local Wallet Dapp — it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet to manage funds and interact with smart contracts instead. Mist Browser's vision is to be a complete user-facing bridge to the ethereum blockchain

On December 16, we were made aware that someone had recently gained unauthorized access to a database from forum.ethereum.org. We immediately launched a thorough investigation to determine the origin, nature, and scope of this incident. Here is what we know: The information that was recently accessed is a database backup from April 2016 and contained information about 16.5k forum users. The leaked information includes Messages, both public and private IP-addresses Username and email addresses Profile information Hashed passwords ~13k bcrypt hashes (salted) ~1.5k Wordpress-hashes (salted) ~2k accounts without passwords (used federated login) The attacker self-disclosed that they are the same person/persons who recently hacked Bo Shen. The attacker used social engineering to gain access to a mobile phone number that allowed them

Security Alert Affected configurations: Geth Severity: High Summary:  An issue has been identified with Geth's journaling mechanism. This caused a network fork at block #2686351 (Nov-24-2016 14:12:07 UTC). The new Geth release 1.5.3 fixes the journaling issue and repairs the fork. Details: Geth was failing to revert empty account deletions when the transaction causing the deletions of empty accounts ended with an an out-of-gas exception. An additional issue was found in Parity, where the Parity client incorrectly failed to revert empty account deletions in a more limited set of contexts involving out-of-gas calls to precompiled contracts; the new Geth behavior matches Parity's, and empty accounts will cease to be a source of concern

Summary: In some situations, variables can overwrite other variables in storage. Affected Solidity compiler versions: 0.1.6 to 0.4.3 (including 0.4.4 pre-release versions) Detailed description: Storage variables that are smaller than 256 bits are packed together into the same 256 bit slot if they can fit. If a value larger than what is allowed by the type is assigned to the first variable, that value will overwrite the second variable. This means if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is possible using arithmetics or by directly passing in a value from the call data (values in call data are aligned to 32 bytes, and padding is neither verified nor

Mist leaks some low level APIs, which Dapps could use to gain access to the computer's file system and read/delete files. This would only affect you if you navigate to an untrusted Dapp that knows about these vulnerabilities and specifically tries to attack users. Upgrading Mist is highly recommended to prevent exposure to attacks. Affected configurations: All versions of Mist from 0.8.6 and lower. This vulnerability doesn't affect the Ethereum Wallet since it can’t load external DApps. Likelihood: Medium Severity: High