Gavin Wood, founder of Ethcore, the maintainer of Parity, Ethereum’s second most used client, has called for a hardfork, stating that it would instantly fix “the underlying flaws that the attacker is exploiting.”
For more than two weeks Ethereum has been undergoing a number of DoS attacks which exploit an underlying flaw: “EVM operations are grossly underpriced compared to the rest,” says Wood. The attacker has exploited this “with an inventive array of DoS contracts, all revolving around making clients do more work or consume more memory than the gas the transactions spent pays for,” according to Nick Johnson, a developer of Ethereum Go, the client currently used by most of the network. There have been a number of releases, with the latest today. Johnson states:
“Our approach to fixing the issues has been to reduce the amount of work we do until it’s in line with what the gas actually pays for – optimisations, effectively. The upcoming release has more or less the ultimate in that series of optimisations, by actually journalling all the state changes, so we can play back the journal if we need to revert, rather than having to copy anything at all.”
Wood, however, states that the DoS attacks will “most certainly continue for months” until Metropolis, when the network is to undergo an upgrade. Wood states:
“The attacker seems happy testing the protocol thoroughly, so they’ll probably continue. A hard fork will fix many of the most grievous problems we know of, though others may be lurking.
I have been calling for a fast hard fork since day 1. It would be around 4 minor changes to the yellow paper and each implementation, yet there has been little movement on it. I just hope the foundation doesn’t hope to bundle these hotfixes in with all the most substantial metropolis feature additions. If they do, then these attacks will almost certainly continue for months.”
Some in the public blockchain space are averse to hardforks, but as this is to fix the protocol, it is unlikely to be controversial with the general public if an overall understanding is reached that a quick hardfork is the best solution. However, it isn’t clear whether there is such understanding. One of the Ethereum developers who replied in time for publication, Jeffrey Wilcke, an Ethereum Go developer, stated that there were no plans for a hardfork:
“We need to revise our gas costs, surely. Doing it quickly isn’t an option.”
It isn’t clear who is launching the attacks which, according to Johnson, have cost the attackers $5,000 to $10,000. The very first was just hours before Devcon2’s opening, suggesting malicious intentions, but their continuation thereafter has had little effect on the market save for taking up devs’ time and strengthening the network in what some are calling playing whack-a-mole. Emin Gün Sirer, Cornell professor, who has recently been traveling and has not looked at specific proposals to address the DoS, stated:
“My guess is that they are sponsored attacks. There’s nothing to gain by launching [those] attacks, yet some people are spending substantial amounts of time on them.”
Bitcoin Core developers have previously stated that bitcoin’s network is very vulnerable to DDoS with few defenses available, but in this DoS case for Ethereum, Wood states the flaw being exploited by the attacker would “instantly vanish” with a quick hardfork which would:
“[I]ncrease the gas price of certain EVM operations; EXTCODESIZE, EXTCODECOPY, BALANCE and *CALL* according to the amount of work that’s actually happening, in particular regarding database i/o.”
If there is general agreement, a fork could be a non-event, as was the case back in March due to its non-controversial nature, but with many moving to Parity, which has an implementation that minimizes the DoS effects on node operation, Go Ethereum developers might use the same implementation approach and make do until Metropolis.
Parity, however, is also affected and has launched a number of client updates to address the DoS, so it is not very clear whether waiting or a quick network upgrade is the best option.
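
The journalling approach Johnson describes, where a revert plays back a log of state changes instead of restoring a copy, can be shown in Go. This is an added example, not code from Go Ethereum: the `State` type and its methods are hypothetical names, and a plain map stands in for the account state.

```go
package main

import "fmt"

// entry records what a key held before a write, so the write can be undone.
type entry struct {
	key     string
	prev    uint64
	existed bool
}

// State is a hypothetical balance map with an undo journal (illustrative names).
type State struct {
	data    map[string]uint64
	journal []entry
}

func NewState() *State { return &State{data: map[string]uint64{}} }

// Set writes a value and journals the value it overwrote.
func (s *State) Set(k string, v uint64) {
	prev, ok := s.data[k]
	s.journal = append(s.journal, entry{k, prev, ok})
	s.data[k] = v
}

// Snapshot is O(1): it returns the journal length and copies no state.
func (s *State) Snapshot() int { return len(s.journal) }

// Revert plays the journal backwards to snap; cost tracks writes since snap, not state size.
func (s *State) Revert(snap int) {
	for i := len(s.journal) - 1; i >= snap; i-- {
		if e := s.journal[i]; e.existed {
			s.data[e.key] = e.prev
		} else {
			delete(s.data, e.key)
		}
	}
	s.journal = s.journal[:snap]
}

func main() {
	s := NewState()
	s.Set("alice", 100)
	snap := s.Snapshot() // entering a nested call
	s.Set("alice", 40)
	s.Set("bob", 60)
	s.Revert(snap) // the call failed: undo only its two writes
	fmt.Println(s.data["alice"], s.data["bob"], len(s.data))
}
```

A copy-on-snapshot design pays for the whole state on every nested call, which is the kind of work the gas charged does not cover; here a snapshot costs nothing and a revert costs only what the reverted call itself wrote.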