
Lazy Updates Could Endanger Ethereum’s Network

(Image credit: Alexander Uhrin / Shutterstock)

Cryptocurrency is like a financial trust exercise. Because most of them are decentralized, their users rely on the underlying network to make sure everything is on the up-and-up. Security Research Labs revealed last week that Ethereum’s network could be vulnerable to attack because node operators are terrible at installing updates. This apparent disregard for the network's integrity could lead to serious problems for Ethereum owners.

Many enthusiasts are probably familiar with Ethereum because its boom and bust had significant impacts on the graphics market. During the boom it was all but impossible to find a graphics card, and the ones that could be found were outrageously priced. The bust then left companies like AMD and Nvidia scrambling to deal with excess GPUs. A market that usually belongs to gamers and large businesses was basically subject to a crypto-drive-by.

But the cryptocurrency relies on more than just graphics cards and spite. Its network relies on nodes running various clients, two of the more popular being Parity and Geth. Security Research Labs found that many of these nodes are vulnerable to attack because they’re running old versions of their respective client software. These vulnerabilities shouldn't be a problem anymore, but they are because node operators didn't update their clients.

Security Research Labs discovered a vulnerability in February that let attackers crash nodes running Parity. That could be disastrous because if someone manages to gain control over 51% of nodes, the firm said they would be able to double-spend the cryptocurrency. Their victims could be left penniless--or at least Ether-less depending on the transaction--and it would be significantly more difficult for the network to regain any trust.

The firm said that 30% of Parity nodes hadn't installed the update addressing this vulnerability one month after Parity released it. Some 7% hadn't been updated in 18 months, and another 44% of examined Geth nodes were running old versions of the client. That's a lot of nodes left vulnerable to known attacks because their operators hadn't updated them. Altogether, this failure to install vital updates led Security Research Labs to write:

“Lack of basic patch hygiene undermines the security of the Ethereum ecosystem. The lack of patch hygiene among Ethereum users suggests that more serious vulnerabilities might also survive for days, weeks, or months among a significant number of Ethereum users, putting their own security and the integrity of the Ethereum ecosystem at risk. The consequences of the patch gap would be most severe if a remote code execution were found in a popular client software.”
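The percentages above come from looking at the version string each node advertises on the peer-to-peer network and comparing it with the first release that carried the fix. The script below is an added illustration of that check, not code from Security Research Labs or from either client project. The client identifiers, commit hashes and the "minimum patched" versions in it are constructed placeholders for the example: a node operator or researcher would substitute the fixed version named in the client's release notes and feed in identifiers collected from their own node's peer list.

```python
import re
from collections import defaultdict

# Oldest release that carries the fix, per client. Constructed placeholders for
# illustration, NOT the versions from the actual advisory: replace them with the
# fixed version named in each client's release notes.
MIN_PATCHED = {
    "Geth": (1, 8, 22),
    "Parity-Ethereum": (2, 2, 9),
}

# Assumption: older Parity builds announced themselves as "Parity/..." rather
# than "Parity-Ethereum/...", so both names are treated as the same client.
ALIASES = {"Parity": "Parity-Ethereum"}

# A client identifier has the shape "<Client>/v<semver>-<tag>-<commit>/<os>/<toolchain>";
# only the leading client name and the semantic version matter for this check.
CLIENT_RE = re.compile(r"^(?P<client>[A-Za-z][A-Za-z0-9\-]*)/v(?P<ver>\d+\.\d+\.\d+)")


def parse_client_id(client_id):
    """Return (client_name, (major, minor, patch)) or None if unrecognised."""
    m = CLIENT_RE.match(client_id)
    if not m:
        return None
    name = ALIASES.get(m.group("client"), m.group("client"))
    version = tuple(int(part) for part in m.group("ver").split("."))
    return name, version


def classify(client_id):
    """'patched', 'outdated' or 'unknown' relative to the MIN_PATCHED floor."""
    parsed = parse_client_id(client_id)
    if parsed is None:
        return "unknown"
    name, version = parsed
    floor = MIN_PATCHED.get(name)
    if floor is None:
        return "unknown"  # a client we have no patch baseline for
    return "patched" if version >= floor else "outdated"


def patch_gap(client_ids):
    """Per-client counts plus the share of nodes still below the patched floor."""
    counts = defaultdict(lambda: {"total": 0, "patched": 0, "outdated": 0})
    unknown = 0
    for cid in client_ids:
        verdict = classify(cid)
        if verdict == "unknown":
            unknown += 1
            continue
        name, _ = parse_client_id(cid)
        counts[name]["total"] += 1
        counts[name][verdict] += 1
    report = {}
    for name, c in counts.items():
        report[name] = dict(c, outdated_share=round(c["outdated"] / c["total"], 3))
    report["unknown"] = unknown
    return report


# Constructed sample of identifiers as a crawl of the peer-to-peer network might
# collect them; the commit hashes and dates are made up for the example.
SAMPLE_CRAWL = [
    "Geth/v1.8.23-stable-c9427004/linux-amd64/go1.11.5",
    "Geth/v1.8.22-stable-7fa3509e/linux-amd64/go1.11.5",
    "Geth/v1.8.10-stable-eae63c51/linux-amd64/go1.10.2",
    "Geth/v1.7.3-stable-4bb3c89d/linux-amd64/go1.9",
    "Parity-Ethereum/v2.2.9-stable-7bd4d6b-20190111/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum/v2.1.3-beta-e1e3ab7-20181005/x86_64-linux-gnu/rustc1.29.0",
    "Parity/v1.11.1-beta-8860181-20180517/x86_64-linux-gnu/rustc1.26.0",
    "Nethermind/v1.0.0/linux-x64/dotnet",
    "not a client id",
]

if __name__ == "__main__":
    for client, stats in patch_gap(SAMPLE_CRAWL).items():
        print(client, stats)
```

Versions are compared as integer tuples rather than strings so that 1.8.10 sorts below 1.8.22, a mistake that string comparison gets wrong. Identifiers for clients without a known baseline are counted separately instead of being silently treated as patched, which keeps the reported share honest about what the check actually covers.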

Part of the blame lies with the clients: Parity's automatic updates are said to be confusing, which is the opposite of what people want from an automatic update, and Geth doesn't offer automatic updates at all. Many people can't be bothered to update the operating systems on their PCs, smartphones, and tablets, so it's hardly a surprise that nodes would receive the same treatment. The difference here is that an entire cryptocurrency could be at stake.

Are things really that dire right now? It doesn't seem like it. But that's what makes Security Research Labs' findings important--the company is giving Ethereum node operators the chance to defend the network's integrity before a more serious problem is found. The point of a popular trust exercise, the trust fall, is to be ready to catch someone before they even start to fall. Promptly installing security updates is the best way to do that for Ethereum.