Rise of Replay Attacks Intensifies Ethereum Divide

in #crypto-news8 years ago

 The unintended consequences of the ethereum hard fork continued to  mount this week as new problems became apparent due to the ongoing  popularity of two competing networks. A week ago, there was one ethereum,  a decentralized computing platform that’s drawn outside attention for  applying the cryptocurrency concept to develop new Internet  applications. But due to a schism in how people think the platform  should work, there are now two ethereum networks (ethereum and ethereum classic), both of which use an almost identical history. The thinking was one blockchain 'winner' would quickly emerge and  that the other would eventually fall to the wayside. However, both have  continued to exist despite these predictions. At issue is that, by having two separate networks with two separate  blockchains, anyone who held funds in the first iteration (ethereum) is  now the owner of funds on the second (ethereum classic). Complicating  matters is that, for users, both their ETH funds on ethereum and ETC  funds on ethereum classic have the same address and private keys. The present conditions have set the stage for "replay attacks". In computer science terms, this simply means a network action that is  repeated that isn’t supposed to be. In digital currency terms, when  someone broadcasts a transaction using one of the networks, there is a  risk that that transaction gets included in both blockchains. This means users who try to buy ETH today won’t be affected, but  anyone who had funds in any contract prior to the fork was essentially  duplicated on the other fork. Ethereum developer Zsolt Felföldi, who works on the platform’s Go  implementation, explained that this shouldn’t happen if both networks  were taking proper precautions. "Separating these two networks was never really planned," he said. Given the attention paid to ethereum by major banks and financial  professionals, the incident has caught the interest of even those  outside the open-source blockchain community. To these observers, the  situation appears to be a crossroads of indecision. IBM blockchain leader of the Latin American division Martin Hagelstrom told CoinDesk: 

"The problem is that changing these rules imply making a  new hard fork. So ethereum is saying [ethereum classic] should do it.  And the classic guys are saying that [ethereum creator] Vitalik  [Buterin] should have considered it on their hard fork, so they should  do it."

Neither ethereum nor ethereum classic seemed to prepare for the  attacks, but the resulting gap in communications means that neither side  is really pursuing action. "They are acting like kids if you ask me," Hagelstrom added. 

'Attack' semantics

Users on both the ETC and ETH networks are vulnerable to the  “attack,” though there is even disagreement about whether this is an  accurate way to describe what’s going on. For one, it's unclear whether users could fall into one category or  the other, unless they opted out of one network for ideological reasons  and chose to sell their ETH or ETC. Felföldi described it as a necessary inconvenience: 

"I wouldn’t say the replay problem is quite an ‘attack’  because this is just something that happens always. No one does this  maliciously, I think. This is just some inconvenience. The network  wasn’t designed for this situation."

The biggest risk may be that users "lose" funds by intending to  execute a contract with ETH, and by virtue of the address and private  key similarities, end up sending ETC as well. Should this account not be accessible to the user, this could mean additional value is lost in a manner that wasn’t intended. 

Exchange impact

At present, it appears that exchanges have been most affected by the vulnerability. For example, at one time, traders seemed to be using Coinbase’s  exchange as a vehicle to get "free" ETC. The steps required to do game  the exchange are public, and people appear to be using them. Whether this particular attack vector might have been resolved is unclear, but signs on social media suggest that users have been able to withdraw both currencies today. Coinbase was unavailable for comment at press time. In a blog post, Coinbase CEO Brian Armstrong claims that the exchange  anticipated the replay attacks, but didn’t expect ethereum classic to  be so popular. He claims that they then "began work to nullify the replay attacks." Earlier this week, Coinbase announced that it doesn't plan to support ethereum classic, whether on its wallet service or its new exchange GDAX. It’s unclear whether this is ongoing, and if it is, who's paying for it, because it might not even be the exchange. Coinbase doesn’t appear to be guarding against it, although it’s hard to tell. Coinbase’s Charlie Lee said via Slack that the Ethereum Foundation advised the payment processor not to guard against the replay attacks. Coinbase, however, isn't the only exchange impacted. In a message posted to the  exchange’s website this week, BTC-e staff indicated that its ETC  holdings had been drained when users transferred their funds to  Poloniex, and went as far as declaring that “ethereum classic in the  current circumstances is a scam”. China-based exchange Yunbi said in blog post  earlier this week that it had lost 40,000 ETC due to the replay  vulnerability. The exchange said that it would effectively eat the  losses and pay out ETC balances corresponding to user ETH balances. 

Future fix unclear

So how do ethereum users and exchanges guard against it? One way to get around the risk is to run a transaction through an open-source "splitter contract",  effectively moving ETC to a new account. But this is pretty burdensome  as it’s dependent on each exchange or each individual to do for every  account that they have. Poloniex automatically generates new addresses for users so that they  can avoid unintentionally sending their ETH or ETC in the mirrored  process. Kraken did the same, claiming  that if users don’t "split" their ETH and ETC, they can still deposit  ETH at the exchange and receive ETH and ETC in their account. It’s possible to stop this across the network wholesale, rather than  trusting exchanges to pull through. If either network incorporated the  fix by hard forking their network to update the transaction formats,  they could resolve this problem, but neither has expressed plans to do  so. On the other hand, Felföldi mentioned that ethereum does eventually  want to update the network to resolve the problem by incorporating the  necessary change to the transaction formats in Metropolis, the next  version of ethereum, which is due in fall 2016. The worry is that changing it earlier than that would require yet  another hard fork, or moving to a new blockchain, but people are afraid  it will be one fork too many. "We just did one fork. We don’t want to do any more rash updates  because it’s dangerous," he said. "It will probably be here for quite  some time." Classic project manager Arvicco said that, in his view,  the responsibility for resolving the relay vulnerability falls on those  who executed the split in the first place. "The facts are clear, ethereum classic is still keeping a consensus  of original legacy network, while those following forked ethereum left  this consensus," he told CoinDesk, going on to argue: 

"For the ones forking off (leaving consensus), it stands  to reason that they are liable to institute a clean split, and not  expect to push the burden to the ones still in consensus."

Others see the situation persisting because of these entrenched positions. Peter Vessenes, security expert and Bitcoin Foundation founder, said: 

"Creating chaos is clearly a goal for some participants."

Souce : Coindeks

Sort:  

desantis Andrew T. DeSantis tweeted @ 27 Jul 2016 - 00:57 UTC

1/ Earlier today I theorized a mechanism for doubling one's $XBT balance in light of the #Ethereum fork. Here's how: https://t.co/zW88ZheyyL

Disclaimer: I am just a bot trying to be helpful.

Coin Marketplace

STEEM 0.26
TRX 0.20
JST 0.038
BTC 96485.07
ETH 3625.95
USDT 1.00
SBD 3.91