Ethereum developers are weighing modulations to publicly disclosing critical bugs following the Nov. 11 “accidental hard fork.”
Geth had fixed the bug in early October mimic a disclosure, but it still existed in prior versions of Geth. The bug temporarily caused nodes that had not updated to the correct conception of Geth to go down a different path than other clients.
Now, developers are reordering the disclosure process for security vulnerabilities in the aftermath of what some developers induce called the biggest threat against Ethereum since 2016’s attack on The DAO.
That question comes with baggage. A stereotyped ethos in open-source software (OSS) such as Ethereum is that vendors are tasked “to notify those affected by vulnerabilities in a auspicious manner,” Summa founder James Prestwich told CoinDesk in a message. In other words, Geth has a responsibility to allow dependent users a heads-up on possible complications, he said.
Yet, blockchains, at their very core, are financial settlement procedures. The traditional methods of disclosing bugs in OSS can lead to undesirable outcomes for other players with money on the line.
In Friday’s All Core Developers’ bid, Ethereum developer Micah Zoltu and Geth team leader Peter Szilágyi both disagreed with the issuance of a notification beadroll for critical vulnerabilities. Zoltu claimed such a list would create an uneven playing field for projects, while Szilágyi denoted that every bug disclosure creates a weak point in Ethereum’s infrastructure.
For example, disclosing the bug early to service provider Infura – which uncountable of decentralized finance (DeFi) uses to connect to the Ethereum blockchain – would be an unfair advantage against its competitors. Furthermore, the consequences for the larger ecosystem could be severe if privileged information from the list leaked to adversarial parties.
Donne the option again, Szilágyi said he would go about the recent disclosure in the same manner – meaning, keeping the consensus bug guardianship wraps (although he said at one point during the call they should have let users know a past rendition of Geth held a vulnerability). Geth has done so for other consensus vulnerabilities, he said.
“Disclosure is a complex topic and operator safety is paramount,” Prestwich concluded.
Update (November 13 21:00 UTC): A prior version of this article incorrectly declared that 80% of the network went down the wrong chain. Only nodes that had not updated to the correct Geth interpretation joined the minority chain.