Ethereum's Shanghai Attacks
It all began during the second Ethereum Developer’s Conference, held in Shanghai. A blackhat hacker or group started probing the Ethereum blockchain. We’ll use the term blackhat because it’s a reasonable one, as opposed to whitehat hackers who are more collaborative, for example participating in bug bounties like the Ethereum Bounty Program.
One of the exploits that the blackhat took advantage of was mispriced opcodes, or their inefficient implementation. Some opcodes in the EVM (Ethereum Virtual Machine) consumed little gas in relation to the amount of computation that would be necessary in real life. Gas economics was discussed in an audit of Ethereum by Least Authority conducted in the first quarter of 2015. (It’s also worth noting that the same audit was aware of “reentrancy hazards”, which was The DAO’s downfall.) The blackhats exploited mispriced opcodes to make Ethereum nodes perform useless computations as well as to bloat the size of the blockchain.
In their exploits, the blackhat found a cheap way to create empty accounts on the blockchain. It’s unclear why empty accounts were allowed on the blockchain in the first place, because the “difference between zero-balance and nonexistent” accounts was a known issue. The mitigation that already existed was that a fee was associated with creating an account. However, the blackhat discovered a method to create empty accounts in a cheap manner by leveraging the selfdestruct opcode.
The EIP 150 hard fork fixed virtually all of the mispriced opcodes. It was released on October 18th, 2016 and provided substantial relief to Ethereum nodes and miners. It was important to test EIP 150 thoroughly and release it at that time; however, it was already known that another hard fork would be needed to reduce blockchain bloat (and to correct the price of a remaining mispriced opcode).
As a step towards deleting the empty accounts from the blockchain, the Spurious Dragon hard fork containing EIP 161 took place on November 22nd, 2016. This hard fork did not delete the empty accounts itself. It did, however, introduce a consensus rule that any empty account that was touched would be removed from the blockchain. Soon after, transactions touching empty accounts began to appear on the blockchain. The blackhat had created about 19 million accounts, and around 4 million of them had been cleared by November 24th, 2016, when a blockchain fork was observed.
Geth and Parity began producing different blocks at block #2686351. The developers investigated and discovered that when a transaction touching an empty account ended with an Out of Gas exception, Geth did not revert and restore the empty accounts. Prior to EIP 161, the rules for what happens when a transaction runs Out of Gas were relatively clear: changes to the state would be reverted. In EIP 158, an earlier proposal to EIP 161, a community member asked the ominous question of whether, if “… empty accounts are deleted even in the case of an EVM exception, … would that not break the guarantee that EVM exceptions revert the state back as if the transaction was never made?”
Was this a conscientious member of the community foreshadowing the thorniness of the issue? A fix was made to Geth to bring consensus back on a single chain, but it’s worth pointing out how intricate the issues are because Parity was not perfect either and Geth 1.5.3 had to add a special case for a Parity bug. (In a world without the Geth bug, the Parity bug would have caused its own fork at block #2675119.)
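To make the EIP 161 divergence concrete, here is an added toy model of the rule (constructed for this article, not Geth or Parity code): touched empty accounts are deleted at the end of a transaction, and an Out of Gas exception must also revert the "touched" bookkeeping. The `buggy_revert` flag reproduces the behaviour described above, where the touches survive the exception and the empty accounts are deleted anyway; the account names and gas costs are constructed.

```python
from dataclasses import dataclass

# Toy EIP-161 model (added example). Accounts, ops and gas costs are constructed.

@dataclass
class Account:
    nonce: int = 0
    balance: int = 0
    code: bytes = b""

    def is_empty(self) -> bool:
        # EIP-161 definition of an empty account: zero nonce, zero balance, no code
        return self.nonce == 0 and self.balance == 0 and self.code == b""

class OutOfGas(Exception):
    pass

def make_state(addrs) -> dict:
    """Pre-state containing only empty accounts (like the blackhat-created ones)."""
    return {a: Account() for a in addrs}

def run_tx(state: dict, ops: list, gas: int, buggy_revert: bool) -> set:
    """Apply a toy transaction and return the set of addresses left in state.
    ops are ('touch', addr) or ('send', addr, amount); each op costs 1 gas.
    Running out of gas raises OutOfGas, which must revert every state change."""
    snapshot = {a: Account(acc.nonce, acc.balance, acc.code) for a, acc in state.items()}
    touched: set = set()
    try:
        for op in ops:
            if gas <= 0:
                raise OutOfGas()
            gas -= 1
            addr = op[1]
            state.setdefault(addr, Account())   # touching a nonexistent account creates an empty one
            touched.add(addr)
            if op[0] == "send":
                state[addr].balance += op[2]
    except OutOfGas:
        state.clear()
        state.update(snapshot)                  # revert balances, nonces and created accounts
        if not buggy_revert:
            touched.clear()                     # correct: the touches are reverted as well
        # buggy: the touched set survives, so the cleanup below still deletes accounts
    # EIP-161 post-transaction cleanup: delete every touched account that is empty
    for addr in touched:
        if addr in state and state[addr].is_empty():
            del state[addr]
    return set(state)
```

With two clients applying different revert rules to the same transaction, the post-state (and therefore the state root) differs, which is exactly the kind of split that produces a chain fork.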
The experiences of the past two months described above suggest that blackhat activities have made Ethereum more resilient than any bug bounty could. They also suggest that there is strength in the community and opportunities for its talent to be whitehats or kibitzers. We’d like the community, especially new members, to have a reading list if there is interest in a very deep dive on Ethereum.
Some of the above news may have overshadowed other developments, like light clients and Swarm, and in the past week alone, we’ve seen the releases of ENS (Ethereum Name Service), Quorum (Ethereum permissioned chain for privacy) and Raiden PoC1 (Ethereum’s lightning network). The community has received priceless lessons and is poised for continuous innovation.
Special thanks to the reviewers; your feedback and improvements are highly appreciated.
Original title was “From Shanghai to the Spurious Dragon”.