Cisco found many vulnerabilities in Ethereum's clients

According to Cisco's security experts, the Ethereum network could face the risk of a simultaneous attack on all nodes immediately after the hardfork is implemented
11 January 2018

A division of the technology conglomerate Cisco Systems Inc. that specializes in cyberthreats has detected a number of vulnerabilities in the software of the Ethereum clients Parity and Ethereum C++ (CPP).

As Cisco's experts concluded, incorrect processing of smart contracts that use the create2 opcode can trigger a DoS condition: an attacker can force the node to run the SHA1 function over a huge amount of data.

The implementation of create2 on the Ethereum main network is planned for the second phase of the Metropolis hardfork, called Constantinople.

At present this vulnerability threatens only those nodes that already use the create2 opcode. Potentially, however, the Ethereum network could face a simultaneous attack on all nodes immediately after the hardfork is implemented, when create2 becomes enabled by default.

In addition, according to Cisco, an attacker can obtain confidential information in the form of a smart contract address as a result of a data leak in the Ethereum Virtual Machine (EVM).

The Parity Ethereum client is written in the Rust programming language and by default exposes a JSON-RPC interface with a fairly "liberal" cross-domain request policy. A misconfiguration of the interface's daemon thread can leak confidential information when the user visits a malicious website; in addition, an attacker can gain access to Parity's settings and network configuration.

Security specialists also note that many APIs in the CPP client's JSON-RPC implementation are exposed to malicious JSON requests, which can let an attacker obtain administrative rights over the restricted functionality of those APIs while bypassing the authorization process.

Notably, even the IP address converter in this case remains unprotected against CSRF and SSRF attacks.

A vulnerability in the JSON-RPC server implementation can also serve as a loophole for a potential DoS attack. Because of errors in the handling of some APIs, an attacker can send a malformed JSON package and thereby block the normal operation of the node.
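The three JSON-RPC weaknesses described above (a permissive cross-origin policy that lets a malicious website reach the local node, crafted requests that reach restricted APIs without authorization, and malformed JSON that disrupts the node) share the same defensive pattern: validate the request at the edge before any handler runs. The following Python snippet is an added example, not code from Parity, cpp-ethereum, or Cisco; the origin allowlist, method names, body-size limit and admin token are constructed for illustration.

```python
import json

# Constructed example of a hardened front end for a JSON-RPC endpoint.
# All limits, method names and tokens below are assumptions for illustration,
# not the real configuration of Parity or cpp-ethereum.
MAX_BODY_BYTES = 64 * 1024                      # assumed cap on a request body
ALLOWED_ORIGINS = {"http://localhost:8180"}     # assumed allowlist of dapp origins
PUBLIC_METHODS = {"eth_blockNumber", "eth_getBalance"}
ADMIN_METHODS = {"admin_addPeer", "personal_unlockAccount"}
ADMIN_TOKEN = "constructed-admin-token"         # constructed secret for the demo


def jsonrpc_error(code, message, req_id=None):
    """Build a JSON-RPC 2.0 error object instead of raising inside the server."""
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}


def check_origin(headers, allowed=ALLOWED_ORIGINS):
    """Block browser-originated cross-site calls unless the Origin is allowlisted.

    A request without an Origin header is treated as non-browser (e.g. a local
    CLI tool) and is still subject to the per-method authorization check.
    """
    origin = headers.get("Origin")
    if origin is None:
        return True
    return origin in allowed


def parse_body(raw, max_bytes=MAX_BODY_BYTES):
    """Parse a request body so that oversized or malformed input yields an error
    object rather than an exception that could stall the node."""
    if len(raw) > max_bytes:
        return None, jsonrpc_error(-32600, "request too large")
    try:
        req = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None, jsonrpc_error(-32700, "parse error")
    if (not isinstance(req, dict) or req.get("jsonrpc") != "2.0"
            or not isinstance(req.get("method"), str)):
        req_id = req.get("id") if isinstance(req, dict) else None
        return None, jsonrpc_error(-32600, "invalid request", req_id)
    return req, None


def handle(raw, headers, auth_token=None):
    """Run the edge checks in order: origin, then body, then method authorization.

    The handlers themselves are simulated; only the gating logic is real.
    """
    if not check_origin(headers):
        return jsonrpc_error(-32001, "origin not allowed")
    req, err = parse_body(raw)
    if err is not None:
        return err
    method, req_id = req["method"], req.get("id")
    if method in ADMIN_METHODS:
        # Restricted functionality must not be reachable just by naming the method.
        if auth_token != ADMIN_TOKEN:
            return jsonrpc_error(-32002, "unauthorized", req_id)
        return {"jsonrpc": "2.0", "id": req_id, "result": "admin call accepted (simulated)"}
    if method in PUBLIC_METHODS:
        return {"jsonrpc": "2.0", "id": req_id, "result": "public call accepted (simulated)"}
    return jsonrpc_error(-32601, "method not found", req_id)


if __name__ == "__main__":
    # Constructed sample requests exercising each check.
    print(handle('{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber"}', {}))
    print(handle('{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber"}',
                 {"Origin": "https://attacker.invalid"}))
    print(handle('{"jsonrpc":"2.0","id":', {}))
    print(handle('{"jsonrpc":"2.0","id":2,"method":"admin_addPeer"}', {}))
```

The ordering matters: the origin check runs before the body is even parsed, so a cross-site page cannot use a large or malformed body to tie up the parser, and the per-method token check means that a request which passes the origin gate still cannot reach restricted functionality merely by naming an admin method.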

UN's World Food Programme Can Use ETH Blockchain

The Ethereum blockchain can help to fight world hunger
20 February 2018

The head of the World Food Programme (WFP), Robert Opp, said that his department is developing a financial infrastructure for more efficient use of distributed ledger technology. With the help of the Ethereum blockchain, the organization has already saved millions of dollars in bank commissions.

We felt we could replace the services offered by banks with blockchain. Blockchain helps promote collaboration by providing enormous amounts of data. We’re putting in place a financial infrastructure.

Robert Opp

Director, UN WFP

It is worth noting that the WFP did not discuss specific plans for the further implementation of Ethereum technology.

Earlier, the UN launched a pilot program, Building Blocks, to assist refugees in Jordan. As part of the program, cryptographically unique coupons representing a certain number of local dinars were distributed among several dozen stores in five refugee camps.