Ethereum Fixes ‘Eclipse’ Security Flaw That Allowed Ledger Manipulation

Mar 06 2018

Ethereum is the second largest cryptocurrency in the world by market cap. The Ethereum platform is being used by millions of people around the world and has attracted a number of developers and entrepreneurs alike. Recently, a major flaw was discovered in the Ethereum network which allowed practically anyone to manipulate the ledger of any user. These attacks can also interfere with the functioning of Smart Contracts. 

The real danger of the Eclipse attack can be seen when you look at how it can be used to manipulate the markets. Basically, by altering the ledger transactions - the Eclipse bug can make a buyer pay more than once for the same service or product. The bug can also be used to trigger smart contracts. Smart contracts are self-executing contracts which run when a set of rules is met with. By manipulating the ledger transactions, these smart contracts can be triggered and executed without actually satisfying the conditions.

In the past, such an eclipse flaw was also discovered on the Bitcoin network. Many in the cryptocurrency community believe that setting off an eclipse attack for the Bitcoin network would be considerably easier than one for the Ethereum network because Ethereum’s network is perceived to be more robust and secure. However, a team of researchers who discovered the Bitcoin Eclipse flaw have commented, saying:

We demonstrate that the conventional wisdom is false. We present new eclipse attacks showing that, prior to the disclosure of this work in January 2018, Ethereum's peer-to-peer network was significantly less secure than that of Bitcoin. Our eclipse attackers need only control two machines, each with only a single IP address. The attacks are off-path-the attacker controls endhosts only and does not occupy a privileged position between the victim and the rest of the Ethereum network. 

By contrast, the best known off-path eclipse attacks on Bitcoin require the attacker to control hundreds of host machines, each with a distinct IP address. For most Internet users, it is far from trivial to obtain hundreds (or thousands) of IP addresses. This is why the Bitcoin eclipse attacker envisioned [in the 2015 research] was a full-fledged botnet or Internet Service Provider, while the BGP-hijacker Bitcoin eclipse attacker envisioned [in the 2016 paper] needed access to a BGP-speaking core Internet router. By contrast, our attacks can be run by any kid with a machine and a script.

The research team which came out with these reports didn’t just point out the flaws in the system. They also worked with the Ethereum network to help fix this critical flaw which could possibly have major, damaging impact. Researchers stated that they have implemented a number of countermeasures to ensure that the Ethereum Eclipse flaw is fixed. These security fixes came into action following geth 1.8.0 - the software that powers Ethereum’s Nodes - going live two weeks ago.

Finally, it needs to be kept in mind that even this does not fully prevent the Eclipse attack from happening. However, it raises the difficulty as the number of malicious nodes required to execute this attack are now up to thousands - from just two which were needed in the past. 

Comments