Ethereum’s Most Popular Software Client Issues Hotfix to High Severity Bug

Ethereum’s most popular software client, Geth, has issued a hotfix to a high-severity security issue in its code. 

The release, titled Hades Gamma (v1.10.8), was posted to the Go Ethereum GitHub at 07:08 UTC Tuesday. Details of the attack vectors and their fixes weren’t disclosed “to give node operators and dependent downstream projects time to update their nodes and software,” according to a posting on the release page.

Ethernodes.org reports that nearly 75% of nodes on Ethereum run Geth. All these users are encouraged to upgrade immediately to the latest version of Geth, v1.10.8.

Guido Vranken, a software developer who specializes in finding code vulnerabilities in open-source software, announced he discovered the bug on Aug. 18. 

As stated in an early GitHub security advisory post, the vulnerability in Geth could cause a node to no longer be able to process blocks on Ethereum.

The last time a fix for a bug in Geth code was released, it caused a temporary chain split on Ethereum. Due to a deliberate lack of communication from Geth developers about the bug, several computers, also called “nodes,” did not upgrade their Geth client to the fixed implementation, which resulted in a blockchain consensus failure in November 2020.

The Geth developer team said in a post-mortem blog post at the time that not speaking publicly about the security vulnerability was aimed at delaying any potential attacks on node operators who needed more time to upgrade to the latest version.

This time around, Geth developers emphasized in advance the urgent need for all users of their software to upgrade to the latest version, but the initial announcement on Aug. 18 did not explicitly describe the nature of the vulnerability.

“Last time we did a hotfix, people were angry that we didn’t announce it. This time we decided to try it differently. Let’s see which works better,” tweeted Geth developer Péter Szilágyi about Tuesday’s code release. 

Major Ethereum-based wallets and services such as Infura have publicly announced on Twitter their support for this new Geth release.