A bug found in the Parity node/wallet software threatened a considerable proportion of the Ethereum infrastructure. Fortunately, the company has already issued a patch to fix the vulnerability.
The issue was discovered on February 3rd when Parity received several reports that attackers were able to send a specially-crafted RPC request to public Parity Ethereum nodes.
“On February 3rd, we received several reports that an attacker can send a specially-crafted RPC request to a public Parity Ethereum node (any version pre 2.2.9-stable and pre 2.3.2-beta) and that node will crash,” the announcement read.
The bug had opened up an attack vector to allow nodes to be forced offline by potential attackers. If undiscovered, the attack could have threatened a sizeable portion of the Ethereum infrastructure.
It would appear that the only affected nodes were those exposing JSON-RPC as a public service, such as Infura, MyEtherWallet, and MyCrypto; nevertheless, all Parity node operators are encouraged to update to the latest release.
The fix is out—please update your nodes ASAP. https://t.co/t2bJLNuyZV
While the vulnerability only directly affects Parity Ethereum nodes that serve JSONRPC as a public service (e.g., Infura, MEW, MyCrypto, etc), we recommend everyone to update their nodes immediately.
— Parity Technologies (@ParityTech) February 3, 2019
According to Etherscan, Parity clients serve more than a quarter of Ethereum nodes, including those behind public JSON-RPC Ethereum services that operate some very important Ethereum apps, such as Infura, MyEtherWallet, and MyCrypto.
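A node operator's first question after reading the advisory is simply whether a given node is still on a release older than 2.2.9-stable or 2.3.2-beta. The script below is an added example, not code from Parity or from the article: it builds the standard `web3_clientVersion` JSON-RPC request, parses the version and release track out of the client string, and compares it against the fixed versions quoted above. The exact layout of Parity's client string (`Parity-Ethereum//v<major>.<minor>.<patch>-<track>-...`) and the sample responses are assumptions constructed for this example.

```python
import json
import re
import urllib.request

# Fixed releases quoted in Parity's announcement: anything earlier on the
# same track is affected.
FIXED = {"stable": (2, 2, 9), "beta": (2, 3, 2)}

# Constructed sample web3_clientVersion responses (assumed layout, not taken
# from the article). The last one is a non-Parity client for contrast.
SAMPLES = [
    "Parity-Ethereum//v2.2.8-stable-0000000-20190201/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.2.9-stable-0000000-20190203/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.3.1-beta-0000000-20190201/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.3.2-beta-0000000-20190203/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.1.10-stable-0000000-20181201/x86_64-linux-gnu/rustc1.30.0",
    "Geth/v1.8.22-stable-7fa3509e/linux-amd64/go1.11.5",
]

VERSION_RE = re.compile(r"Parity-Ethereum//v(\d+)\.(\d+)\.(\d+)-(stable|beta)")


def build_client_version_request(request_id=1):
    """Standard JSON-RPC 2.0 body for web3_clientVersion (a real method)."""
    return {"jsonrpc": "2.0", "method": "web3_clientVersion",
            "params": [], "id": request_id}


def parse_parity_version(client_version):
    """Return ((major, minor, patch), track) or None for non-Parity clients."""
    m = VERSION_RE.search(client_version)
    if not m:
        return None
    major, minor, patch, track = m.groups()
    return (int(major), int(minor), int(patch)), track


def is_vulnerable(client_version):
    """True if the reported Parity version predates the fixed release on its
    track, False if it is fixed, None if the client is not Parity."""
    parsed = parse_parity_version(client_version)
    if parsed is None:
        return None
    version, track = parsed
    return version < FIXED[track]


def check_node(rpc_url, timeout=5):
    """Query a live node you operate (hypothetical URL) and classify it."""
    body = json.dumps(build_client_version_request()).encode()
    req = urllib.request.Request(rpc_url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        client_version = json.load(resp)["result"]
    return client_version, is_vulnerable(client_version)


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for s in SAMPLES:
        print(f"{s.split('/')[0]:20} -> {is_vulnerable(s)}")
    # Against a real node you run: check_node("http://127.0.0.1:8545")
```

`check_node` is only meant for nodes you administer; the offline classification in `is_vulnerable` is what the inventory script in a fleet would loop over, and a `None` result should be treated as "not Parity, out of scope" rather than "safe".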
Described as “the secret weapon of Ethereum infrastructure,” Infura alone provides connectivity to the Ethereum network for a number of key products and projects, such as Metamask, CryptoKitties, the 0x Protocol, and many others.
Much of the attention lately has been on the delay of Constantinople, Ethereum’s major update, caused by potential security issues. The vulnerability, identified by security audit company ChainSecurity on January 15, could potentially make some smart contracts on Ethereum vulnerable to a so-called “re-entrancy attack,” enabling an attacker to steal other people’s ETH.
There was confusion following the delay, as many Ethereum nodes that had already upgraded were forced to downgrade back to the stable build. What’s more, Parity developer Afri Schoedon noticed that Ethereum’s “difficulty bomb” had been activated, which might cause problems before the Constantinople upgrade (scheduled for February 27) is finally activated.