Cisco found many vulnerabilities in Ethereum's clients

According to Cisco's security experts, the Ethereum network could face the risk of a simultaneous attack on all nodes immediately after the hard fork is implemented
11 January 2018

A division of the technology conglomerate Cisco Systems Inc. that specializes in cyberthreats has detected a number of vulnerabilities in the software of the Ethereum clients Parity and Ethereum C++ (CPP).

As Cisco's experts concluded, incorrect handling of smart contracts that use the create2 opcode can trigger a DoS attack: an attacker can make the SHA1 function process a huge amount of data.

Activation of create2 on the Ethereum main network is planned for Constantinople, the second phase of the Metropolis hard fork.

This vulnerability currently threatens only those nodes that already use the create2 opcode. However, once the hard fork is implemented and create2 becomes enabled by default, the Ethereum network could potentially face a simultaneous attack on all of its nodes.

In addition, according to Cisco, a data leak in the Ethereum Virtual Machine (EVM) can let an attacker obtain confidential information such as a smart contract address.

The Parity Ethereum client is written in the Rust programming language and by default exposes a JSON-RPC interface with a fairly "liberal" cross-domain request policy. If the interface's daemon thread is misconfigured, simply visiting a malicious website can lead to the leakage of confidential information. In addition, an attacker can reach Parity's settings and network configuration.

Security specialists also note that many APIs in the CPP client's JSON-RPC implementation are exposed to malicious JSON requests, which can let an attacker gain administrative access to the restricted functionality of those APIs while bypassing the authorization process.

Notably, even the IP-address conversion function is left unprotected against CSRF and SSRF attacks.

A vulnerability in the server-side JSON-RPC implementation can also open the door to a DoS attack: because of errors in the handling of some APIs, an attacker can send a malformed JSON packet and thereby disrupt the normal operation of the node.
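As an added, illustrative example (not code from Cisco's report, Parity or CPP), the Python below sketches how a JSON-RPC endpoint can close the two weaknesses described above: it refuses cross-origin browser requests from any origin outside an allowlist, and it turns malformed or oversized JSON into a structured JSON-RPC error instead of an uncaught exception. The allowed origin, the size cap, the method table and its stand-in results are assumptions.

```python
"""Defensive JSON-RPC gate: strict Origin allowlist plus robust request parsing."""
import json

MAX_BODY = 64 * 1024                        # assumed cap; bounds parser work per request
ALLOWED_ORIGINS = {"http://localhost:8180"} # assumed: only the operator's own UI origin
PUBLIC_METHODS = {                          # assumed allowlist with stand-in results
    "net_version": lambda params: "1",
    "eth_blockNumber": lambda params: "0x4d2",
}
PARSE_ERROR, INVALID_REQUEST, METHOD_NOT_FOUND = -32700, -32600, -32601  # JSON-RPC 2.0 codes
ORIGIN_DENIED = -32001                      # server-defined code (assumed)


def error(code, message, req_id=None):
    return {"jsonrpc": "2.0", "error": {"code": code, "message": message}, "id": req_id}


def handle(origin, body):
    """Return the JSON-RPC 2.0 response dict for one raw request.

    origin: value of the HTTP Origin header ("" or None for non-browser clients).
    body:   raw request body as str or bytes.
    """
    # 1. Cross-origin policy: a browser request from an unlisted origin is refused
    #    before the body is touched. A "liberal" policy would accept any origin here.
    if origin and origin not in ALLOWED_ORIGINS:
        return error(ORIGIN_DENIED, "origin not allowed")
    # 2. Size bound before parsing, so an oversized payload cannot tie up the worker.
    if body is None or len(body) > MAX_BODY:
        return error(INVALID_REQUEST, "request missing or too large")
    # 3. Malformed (or absurdly nested) JSON becomes a structured error, never a crash.
    try:
        req = json.loads(body)
    except (ValueError, RecursionError):
        return error(PARSE_ERROR, "parse error")
    req_id = req.get("id") if isinstance(req, dict) else None
    # 4. Shape check: a JSON-RPC 2.0 Request object with a string method name.
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" \
            or not isinstance(req.get("method"), str):
        return error(INVALID_REQUEST, "invalid request", req_id)
    handler = PUBLIC_METHODS.get(req["method"])
    if handler is None:                     # privileged methods are simply not reachable
        return error(METHOD_NOT_FOUND, "method not found", req_id)
    params = req.get("params", [])
    if not isinstance(params, (list, dict)):
        return error(INVALID_REQUEST, "params must be array or object", req_id)
    return {"jsonrpc": "2.0", "result": handler(params), "id": req_id}


if __name__ == "__main__":
    # Constructed samples: a page from an unlisted origin calling the API, and a truncated body.
    print(handle("http://unlisted.example", '{"jsonrpc":"2.0","method":"net_version","id":1}'))
    print(handle("", '{"jsonrpc":"2.0","method":"net_version",'))
```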

Crypto Market Recovers $7 Billion as Augur and EOS grow

During the last 24 hours the cryptocurrency market has rebounded by $7 billion, despite opposing moves by bitcoin, ethereum, and other major cryptos
17 May 2018

Today, May 17, the Augur team announced that after years of development, Augur's smart contracts will go live on the Ethereum mainnet on July 9, 2018. The official announcement caused the market to react, pushing the price of REP (the native token of Augur) up by about 10 percent.

Most of the best-performing tokens of early May, including EOS, 0x (ZRX), and WanChain (WAN), fell by large margins over the last three days, which makes the 10 percent gain of REP all the more noteworthy. Augur was founded in 2014 by Joey Krug as a decentralized prediction platform. Krug pointed out that the original Augur smart contracts on Ethereum were written before Solidity, the most widely used Ethereum programming language, existed.

He underlined that Augur is undoubtedly the most complex project on the Ethereum network, about 10 times more complicated than MakerDAO, which he called the second most complex project on Ethereum. Krug affirmed that developing a way to reach consensus on real-world events, which Augur users can place bets on, has been as difficult as solving a proof-of-stake consensus algorithm, due to scalability flaws.

Solving consensus on real world events was initially a research problem, we thought some previous literature had solved it, but it turns out it really hadn't and had severe scalability and incentive flaws the more we audited it. It's imo about as difficult as solving PoS. Augur's about 10x more complex than the second most complicated ethereum project, makerdao, which has about 10 contracts vs augur's 100 [complexity isn't a good thing, and the augur team has tried to make it as simple as possible, it's just a really complicated endeavor].
Joey Krug
Augur Core Developer

The 10 percent increase in the price of REP stands out in a market that has been in continuous decline since early May.