
A team of developers from Parity Technologies has patched a consensus bug and released updated software.

London-based Parity Technologies has released updated software after patching a bug affecting the Ethereum client's consensus mechanics.

Versions of the Ethereum Parity client up to 1.10.5-stable and 1.11.2-beta were affected, resulting in a consensus mechanism vulnerability between Parity and other Ethereum clients[1], of which Geth[2] is the most prominent.

An official notice published today by Parity states[3] that, under the right circumstances, the bug could have facilitated a culmination of hash power that might have "led to a chain split" of Ethereum. However, the issue was discovered while testing the 1.10.5-stable and 1.11.2-beta versions prior to their public release, and the latest updates eliminate the bug.

According to sources, when Parity introduced the special handling for Ethereum Improvement Proposal (EIP) 86[4], it missed a conditional check in one of the branches of a decision tree designed to validate transactions. This resulted in unsigned, invalid transactions made from certain addresses being regarded as valid transactions.

Consequently, when applicable transactions were submitted on the Ropsten testnet – most likely by accident while other system functionality was being tested – Ethereum Parity nodes treated those invalid transactions as legitimate and included their data in successive blocks.

Other Ethereum nodes, mostly running Geth, did not accept the blocks containing the invalid transaction data, effectively splitting Ethereum on Ropsten in two: one with invalid blocks maintained by Parity, and another maintained by the rest of Ethereum's clients. Apparently, the resulting bug went unnoticed in spite of several rounds of code review from testers both inside and outside Parity.
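The failure mode described above can be shown with a simplified model. This is an added example, not Parity's or Geth's code: the `Tx` and `ChainRules` types, the `eip86_active` flag standing in for the missed condition, and all function names are assumptions made for illustration. It places a validation tree with the check missing from the unsigned branch beside the corrected tree, then runs a differential check of the kind that exposes a cross-client disagreement before it reaches a live network.

```rust
// Simplified model for illustration only; every name here is hypothetical.
#[derive(Clone, Copy)]
struct Tx {
    signed: bool,    // false = transaction carries no signature
    sig_valid: bool, // outcome of signature verification, used only when `signed`
}

#[derive(Clone, Copy)]
struct ChainRules {
    eip86_active: bool, // assumed stand-in for the condition the branch failed to test
}

type Validator = fn(Tx, ChainRules) -> bool;

// Decision tree with the conditional missing from the unsigned branch.
fn validate_buggy(tx: Tx, _rules: ChainRules) -> bool {
    if tx.signed { tx.sig_valid } else { true }
}

// Same tree with the conditional restored.
fn validate_fixed(tx: Tx, rules: ChainRules) -> bool {
    if tx.signed { tx.sig_valid } else { rules.eip86_active }
}

// A client accepts a block only if every transaction in it validates.
fn accepts_block(v: Validator, block: &[Tx], rules: ChainRules) -> bool {
    block.iter().all(|tx| v(*tx, rules))
}

// Differential check: indices of transactions on which two validators disagree.
fn divergences(a: Validator, b: Validator, txs: &[Tx], rules: ChainRules) -> Vec<usize> {
    txs.iter()
        .enumerate()
        .filter(|(_, tx)| a(**tx, rules) != b(**tx, rules))
        .map(|(i, _)| i)
        .collect()
}

// Constructed sample block: two ordinary signed transactions and one unsigned one.
fn sample_block() -> Vec<Tx> {
    let signed = Tx { signed: true, sig_valid: true };
    vec![signed, signed, Tx { signed: false, sig_valid: false }]
}

fn main() {
    let (rules, block) = (ChainRules { eip86_active: false }, sample_block());
    println!("client A accepts block: {}", accepts_block(validate_buggy, &block, rules));
    println!("client B accepts block: {}", accepts_block(validate_fixed, &block, rules));
    println!("diverging tx indices: {:?}", divergences(validate_buggy, validate_fixed, &block, rules));
}
```

Any index returned by `divergences` marks a transaction that one client would include in a block the other rejects, which is the condition for a split.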

While Parity noted the severity of this vulnerability as "critical," commonly accessible information suggests that it is unlikely that

Read more from our friends at ETH News: