Only weeks after the execution of a hard fork to mitigate various DoS (denial-of-service) attacks, the Ethereum network and its developers are struggling to deal with yet another major flaw. This time, major issues in regards to smart contracts have emerged, which have rendered the efforts of decentralized applications in the Ethereum network purposeless.
On November 1, the Ethereum development team and the founder of Solidity warned users and developers against a bug that allowed variables to be overwritten in storage.
Variables in a smart contract are agreements made between two or more parties. Thus, if an attacker can gain access to the storage and alters the variables, crucial agreements in decentralized applications can be affected and funds may be extracted, which may pressure developers to discard previous smart contract-based projects to recompile contracts.
Christian Reitwiessner of Ethereum stated:
This means if an attacker can cause an overflow in the value of the first variable, then the second variable can be modified. Creating an overflow in the first variable is possible using arithmetics or by directly passing in a value from the call data (values in call data are aligned to 32 bytes, and padding is neither verified nor enforced).
Ethereum developers including Ansel Lindner stated that the development of an Ethereum application is failing to operate because of this bug.
“Imagine spending a year building an app for eth, just to find out the thing doesn’t work,” wrote Lindner.
He further noted that much like the memory bugs in Geth that continued to negatively affect the network for weeks, the recent smart contract bug will most likely lead to a series of other potentially fatal bugs.
“I could agree that it’s a molehill on the side of a big mountain of other similar potentially fatal bugs,” Lindner added.
Reitwiessner explains that luckily, Ethereum multi-signature wallet contracts are not affected. However, contracts containing two or more contracts will high likely be affected.
“The following contracts may be affected: Contracts containing two or more contiguous state variables where the sum of their sizes is less than 256 bits and the first state variable is not a signed integer and not of bytesNN type,” Reitwiessner wrote.
Reitwiesnner recommended developers to deactivate and remove funds from already deployed smart contracts and compile new agreements using the Solidity release 0.4.4. Failure to do so may result in the loss of funds and may hugely impact decentralized applications that rely on these contracts.
To date, the Ethereum development team has discovered 10 vulnerable Ethereum smart contracts, 7 of which were exploitable.
“It turns out that only ten contracts were vulnerable, so we were able to contact most of the contract owners/developers. Seven out of ten of those contracts are only exploitable by the owner in that they are allowed to change certain parameters outside their permitted range, or allowed to unlock a previously locked contract,” Reitwiesnner added.
Image from Shutterstock.