
Ethereum Network Survives Unexpected Fork as Hacker Exploits “High Severity” Bug


An unknown hacker exploited a bug in older versions of a popular Ethereum network client, Go Ethereum (Geth for short). Roughly 75% of Ethereum nodes run the Geth client, and as a result of the exploit a majority of them are still finding themselves on a different chain from the main network.

The patch for the bug was included in a recent update to the Geth client, v1.10.8, released on August 24, meaning that the danger can be averted by simply upgrading to the patched version. However, around 72.3% of Geth node operators are still running v1.10.7 or lower and need to update their client.

On a positive note, the fact that roughly 27% of Geth nodes have already installed the update means that a majority of clients (including non-Geth clients) are already on the longest chain. Other node operators still need to upgrade their clients to return the network to maximum security levels.
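For operators who want to confirm which side of the v1.10.7/v1.10.8 line a node sits on, the standard `web3_clientVersion` JSON-RPC method returns the client's self-reported version string. The script below is an added example, not code from the article or from the Geth project: it builds that request, parses a Geth-style reply, and compares the version against the 1.10.8 threshold named above. The sample replies are constructed (commit hashes and platforms are placeholders), and the `query_node` helper and its endpoint URL are assumptions; the only real values are the method name and the version threshold.

```python
"""Check a Geth node's reported version against the patched release (v1.10.8).

Added example, not code from the article or the Geth project. Parses the string
Geth returns for the standard `web3_clientVersion` JSON-RPC method and decides
whether the node still needs the upgrade. Sample replies below are constructed.
"""
import json
import re
from typing import Optional, Tuple

# Version that carries the fix, per the article.
PATCHED_VERSION: Tuple[int, int, int] = (1, 10, 8)

# Geth reports itself as "Geth/v<major>.<minor>.<patch>-<stability>-<commit>/<platform>/<go>".
_GETH_VERSION_RE = re.compile(r"^Geth/v(\d+)\.(\d+)\.(\d+)")

# Constructed sample responses; "00000000" stands in for a real commit hash.
SAMPLE_UNPATCHED = '{"jsonrpc":"2.0","id":1,"result":"Geth/v1.10.7-stable-00000000/linux-amd64/go1.16.7"}'
SAMPLE_PATCHED = '{"jsonrpc":"2.0","id":1,"result":"Geth/v1.10.8-stable-00000000/linux-amd64/go1.16.7"}'
SAMPLE_OTHER_CLIENT = '{"jsonrpc":"2.0","id":1,"result":"OpenEthereum/v3.3.0-rc.4/x86_64-linux-gnu/rustc1.52.1"}'


def client_version_request() -> str:
    """Return the JSON-RPC request body for web3_clientVersion (a standard method)."""
    return json.dumps({"jsonrpc": "2.0", "method": "web3_clientVersion", "params": [], "id": 1})


def parse_geth_version(rpc_response: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a web3_clientVersion reply.

    Returns None when the reply is malformed, lacks a result field, or comes
    from a client other than Geth (this check only covers Geth nodes).
    """
    try:
        result = json.loads(rpc_response).get("result", "")
    except (json.JSONDecodeError, AttributeError):
        return None
    m = _GETH_VERSION_RE.match(str(result))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def needs_upgrade(rpc_response: str) -> Optional[bool]:
    """True if a Geth node is below the patched version, False if at or above it,
    None if the reply is not from Geth (so this check does not apply)."""
    version = parse_geth_version(rpc_response)
    if version is None:
        return None
    # Tuple comparison orders (1, 10, 7) < (1, 10, 8) < (1, 11, 0) as expected.
    return version < PATCHED_VERSION


def query_node(url: str) -> str:
    """Send the request to a node's HTTP JSON-RPC endpoint (assumed to be enabled)
    and return the raw reply. Not called below so the example runs offline."""
    import urllib.request
    req = urllib.request.Request(
        url,
        data=client_version_request().encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    samples = [
        ("unpatched", SAMPLE_UNPATCHED),
        ("patched", SAMPLE_PATCHED),
        ("other client", SAMPLE_OTHER_CLIENT),
    ]
    for label, sample in samples:
        print(f"{label}: needs_upgrade={needs_upgrade(sample)}")
```

Pointed at a live node, `needs_upgrade(query_node("http://127.0.0.1:8545"))` gives the same three-way answer; a `None` result means the node is not Geth and the article's version threshold does not apply to it.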

“High Severity Security Issue”

The Geth client bug was publicly disclosed this week in a press release by Telos. Telos is a different blockchain that recently launched an Ethereum Virtual Machine (EVM) to make it possible for developers to run Solidity-based applications on Telos. It was during an audit of the Telos EVM that security researchers discovered the bug, termed it a “high severity security issue,” and coordinated with the Geth team to release a fix.

The particular issue was not disclosed. However, the release of an updated client meant that hackers could study the difference between the old and new code to discover what the bug was and try to exploit it before people upgrade their clients.

A report by TheBlockCrypto identified the Ethereum address that had exploited the bug and revealed it was funded by ETH from the privacy-focused wallet, Tornado Cash.

The bug affects other blockchain networks such as Binance Smart Chain (BSC), Polygon, xDai, and many others that run an EVM. Following the announcement on August 24, the BSC team announced the release of a fix and urged node operators to upgrade.