Geth Vulnerability

The Ethereum project is urging node operators to apply a hotfix for a high-severity vulnerability.

The chain-split vulnerability, tracked as CVE-2021-39137, affects Geth, the official Go implementation of the Ethereum protocol. Nearly 75% of the nodes on Ethereum are reported to run Geth, so all of these operators are urged to upgrade immediately to the latest release, Geth v1.10.8.

"The exact attack vector will be provided at a later date to give node operators and dependent downstream projects time to update their nodes and software," said Péter Szilágyi, lead of the Geth team.

"All Geth versions supporting the London hard fork are vulnerable (the bug is older than London), so all users should update," continued Szilágyi.
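The practical question for an operator is whether a given node sits in the affected range, i.e. any Geth release before v1.10.8. The script below is an added example written for this page, not code from the Geth project or from the article. It parses the string returned by the standard `web3_clientVersion` JSON-RPC method (format `Geth/v<major>.<minor>.<patch>-<stable|unstable>-<commit>/<os-arch>/<go>`), flags everything older than v1.10.8 as vulnerable, and conservatively flags `v1.10.8-unstable` dev builds too, since a master build carrying that version string may predate the fix commit. The sample responses are constructed for the example, not captured from real nodes, and `check_node` assumes the operator has enabled the HTTP RPC endpoint (`geth --http`).

```python
import json
import re
import urllib.request
from typing import Optional, Tuple

# First Geth release containing the fix for CVE-2021-39137.
# Every earlier release is affected: the bug predates the London fork.
FIXED_VERSION = (1, 10, 8)

# web3_clientVersion returns strings such as
#   "Geth/v1.10.7-stable-12f0ff40/linux-amd64/go1.16.6"
# Only the semver triple and the stable/unstable tag matter for this check.
_GETH_RE = re.compile(r"^Geth/v(\d+)\.(\d+)\.(\d+)-(\w+)")


def parse_geth_version(client_version: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), tag) for a Geth clientVersion string,
    or None when the string is from another client (Nethermind, Erigon, ...)."""
    m = _GETH_RE.match(client_version)
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch)), tag


def is_vulnerable(client_version: str) -> bool:
    """True if the reported client is a Geth build that may lack the fix."""
    parsed = parse_geth_version(client_version)
    if parsed is None:
        return False  # not Geth: CVE-2021-39137 does not apply
    version, tag = parsed
    if version < FIXED_VERSION:
        return True
    # A "v1.10.8-unstable" build comes from master between the 1.10.7 tag and
    # the 1.10.8 release; it may have been compiled before the fix landed.
    # Treat it as vulnerable unless the operator can confirm the commit.
    if version == FIXED_VERSION and tag != "stable":
        return True
    return False


def check_node(rpc_url: str, timeout: float = 5.0) -> Tuple[str, bool]:
    """Ask a node for its clientVersion and return (version, vulnerable).
    rpc_url is assumed to be the operator's own HTTP JSON-RPC endpoint."""
    payload = json.dumps({"jsonrpc": "2.0", "id": 1,
                          "method": "web3_clientVersion", "params": []}).encode()
    req = urllib.request.Request(rpc_url, data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    if "error" in body:
        raise RuntimeError(f"RPC error: {body['error']}")
    version = body["result"]
    return version, is_vulnerable(version)


# Constructed sample responses (not captured from real nodes) covering the
# cases an operator meets: pre-London build, London-era build, fixed release,
# a dev build of the fixed version, a later release, and a non-Geth client.
SAMPLE_RESPONSES = [
    "Geth/v1.9.25-stable-e7872729/linux-amd64/go1.15.6",
    "Geth/v1.10.7-stable-12f0ff40/linux-amd64/go1.16.6",
    "Geth/v1.10.8-stable-26675454/linux-amd64/go1.16.4",
    "Geth/v1.10.8-unstable-deadbeef/linux-amd64/go1.16.4",
    "Geth/v1.10.9-unstable-1e9de5f8/darwin-arm64/go1.17",
    "Nethermind/v1.10.79-0-8ff8abd9f-20210819/X64-Linux/5.0.9",
]

if __name__ == "__main__":
    for cv in SAMPLE_RESPONSES:
        state = "VULNERABLE: upgrade to v1.10.8 or later" if is_vulnerable(cv) else "ok"
        print(f"{cv:60s} {state}")
```

To check a live node, call `check_node("http://127.0.0.1:8545")` against the node's own RPC port; a locally built binary can be checked the same way by reading the `Version:` line of `geth version`, which carries the same semver and tag.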

A bug in older versions of the Ethereum client Geth has caused nodes running those versions to split from the main network, so that they follow a different chain from nodes running the fixed release.

**The concern is that this could lead to double-spending attacks, in which cryptocurrency is spent on one chain and the transaction is then overwritten by the alternative chain.**

**The bug also affects other EVM-compatible chains whose clients are derived from Geth, such as Binance Smart Chain and Polygon.**


Stats from Beau's ETH node, which was running a vulnerable Geth version at the time [chart]:

Exploit contract creation time matches up with odd Geth behavior; the stats above are on a 3-hour time scale [chart]: