The exploit makes older versions of Go Ethereum Code vulnerable to 51% attacks; DeFi’s Yearn.Finance creator Andre Cronje warns against making any Ethereum blockchain transactions.
A major bug exploit affecting more than half of all Ethereum nodes has caused a fork in the No. 2 blockchain, leading top developers to recommend holding off on any transactions.
The exploited bug in the Go Ethereum node software’s Geth client has caused older versions — those running Geth 1.10.7 or earlier — to split off from the main Ethereum blockchain, opening the older Geth’s chain to 51% attacks. That would allow double spending of Ether (ETH).
While the bug had already been fixed in the latest version of Geth — 1.10.8 — a top DeFi developer warned users to delay Ethereum transactions until the issue is resolved.
Decentralized finance (DeFi) luminary and Yearn.finance creator Andre Cronje tweeted: “Fork between latest geth and older geth on mainnet. Stay away from doing txs for awhile till confirmed, unless you are sure you are submitting to latest geth,” at 6:15 a.m. UTC.
A few minutes later, Ethereum security expert and Geth coder Martin Swende said that the consensus bug had already been fixed in a recent hot patch. “Most miners were already updated, and the correct chain is also the longest,” he tweeted.
The bug was deep enough in the Ethereum Virtual Machine (EVM) code that other DeFi- focused blockchains based on it are vulnerable, including Binance Smart Chain and Polygon.
EVM is the environment in which Ethereum and Ethereum-compatible smart contracts are executed. The vast majority of all DeFi projects run on Ethereum, although a growing number of “Ethereum killer” protocols are gaining traction.
A Known Ethereum Vulnerability
The vulnerability had been found and reported by code auditing firm Sentnl's Guido Vranken while auditing Telos' new Ethereum Virtual Machine code.
Calling it a “a high severity security issue in Ethereum’s core code,” Telos noted that a hot patch — Geth 1.10.8 — was released on Aug. 24.
Urging nodes to update quickly, Ethereum developer Marius Van Der Wijden, who works on Go Ethereum, said on Twitter, “I'll release a writeup of what happened over the weekend.”
Swende added “I guess that concludes [Go Ethereum’s] experiment with public announcements for hotfixes.”
The Block Research said it had identified the address that exploited the bug “as funded by a Tornado Cash client.” It pointed out that about 73% of all Geth Ethereum nodes were running older, still-vulnerable versions of Geth, according to Ethernodes.com.
Last fall, an outage due to infrastructure provider Infura using outdated client software also caused Ethereum to undergo a chain split.
Check out our deep dive into Ethereum’s previous unexpected hard fork in November 2020.
