The developers of the Ethereum client Geth are urging all users to update immediately to the patched version v1.10.8, called “Hades Gamma”, because of a security vulnerability. The flaw is a serious vulnerability in Geth’s Ethereum Virtual Machine (CVE-2021-39137). If exploited, it could leave a node running Geth unable to process the Ethereum blockchain.
Further details about the vulnerability will not be disclosed until a later date, according to the statement on Tuesday. This is meant to give node operators and projects that depend on the software enough time to update. All Geth versions that support the “London” hard fork, which was implemented at the beginning of August and, among other things, changed the transaction fees on Ethereum, are vulnerable. The bug is much older, however, and ultimately all Geth users should update. The security researcher Guido Vranken discovered the vulnerability.
Chain split after the last hotfix
Geth, or Go-Ethereum, is a client implementation for the Ethereum network, written in Go. As a command-line tool, the application is aimed primarily at advanced users and developers, and is very popular among them. According to the analysis service Ethernodes.org, around 75 percent of all nodes in the Ethereum network run Geth. It is therefore important for the integrity of the Ethereum blockchain that Geth users run the same software version.
In November 2020, such an update campaign for Geth went wrong: the Geth developers had released a new version with a patch for a bug without announcing it or issuing a warning. Since not all node operators switched to the new version, there was a brief split in the Ethereum blockchain, which separated the old Geth versions from the rest. Among those affected was the infrastructure service provider Infura, which operates Ethereum nodes as a service for numerous other projects, for example from the decentralized finance (DeFi) ecosystem.
“With our last hotfix, people were upset that we didn’t announce it. This time we’re doing it differently,” explained Ethereum developer Péter Szilágyi via Twitter. “Let’s see what works better.”