Cisco found many vulnerabilities in Ethereum's clients

According to Cisco's security experts, Ethereum network can face the risk of a simultaneous attack on all nodes immediately after the hardfork implementation
11 January 2018   1252

Specializing in cyberthreats, a division of the technological conglomerate Cisco Systems Inc. has detected a number of vulnerabilities in the software of Ethereum-client Parity and Ethereum C ++ (CPP).

As Cisco experts concluded, incorrect processing of smart contracts with the operational code create2 can trigger a DoS attack. An attacker can use the SHA1 function to handle a huge amount of data.

The implementation of create2 in the main network of Ethereum is planned within the second phase of the Metropolis' hardfork called Constantinople.

This vulnerability currently threatens only those nodes that already use the create2 opcode. However, in potential, the Ethereum network can run the risk of concurrently attacking all nodes immediately after the implementation of the hardware, when create2 will enter the default settings list.

In addition, according to Cisco, an attacker can obtain confidential information in the form of a smart contract address as a result of data leakage in the virtual machine Ethereum (EVM).

The Parity Ethereum client software is written in the Rust programming language and by default provides a JSON-RPC interface that supports a fairly "liberal" cross-domain query policy. When visiting malicious sites, an incorrect configuration of the daemon stream of the interface can lead to the leakage of confidential information. In addition, an attacker can access Parity settings and network configurations.

Security specialists also note that many APIs in CPP in JSON-RPC interface implementation are subject to the risk of malicious JSON-requests, which can help an attacker gain administrative rights to the limited functionality of such APIs bypassing the authorization process.

It is noteworthy that even the converter of IP-addresses in this case remains unprotected from CSRF- and SSRF-attacks.

Vulnerability in server implementation of JSON-RPC can also become a loophole for a potential DoS attack. Due to errors in the handling of some APIs, an attacker can send an incorrectly compiled JSON package and thereby block the normal operation of the node.

Fidelity Investments to Launch BTC & ETH Platform

New platform is designed for institutional investors
16 October 2018   121

One of the world's largest asset managers, Fidelity Investments, announced the launch of a unit focused on providing institutional investors with Bitcoin and Ethereum services. The Forbes reports.

The new division received the name Fidelity Digital Assets and, possessing a staff of 100 employees, will provide a platform for trading cryptocurrencies and consulting services 24/7.

The platform already has first customers, but its launch for a wider range of investors is scheduled for the beginning of 2019.

This is a recognition that there is institutional demand for these assets as a class. Family offices, hedge funds, other sophisticated investors are starting to think seriously about this space.

Tom Jessop

Founding head, Fidelity Digital Assets

In particular, Fidelity Digital Assets will offer a transaction service that, using internal cross-connect and order routers, will trade through third-party liquidity providers.

One of the most popular offers by the company can also be a service for storing Bitcoin and other cryptocurrencies. It is physical storage, distributed in different geographical locations and offering the so-called "cold" storage of digital assets. This way of storing cryptocurrencies without access to the Internet and with a multi-level control system is considered to be one of the safest and most resistant to hacking today.

As the CEO of Fidelity Investments, Abigail Johnson, said, the goal of the new platform is to make digital assets like Bitcoin more accessible to investors.

Fidelity Investments is considered the fifth largest asset manager in the world, offering investment and custody services to 13,000 consulting firms and brokers. In total, the company manages assets worth $ 7.2 trillion.