Last week, a team of security researchers from Boston University and the University of Pittsburgh published a report detailing an attack that would allow anyone to double-spend ether, the in-house cryptocurrency on the Ethereum network, with relative ease. Double-spending uses the same cryptocurrency token for two different transactions—an analogy with the physical world is difficult, but imagine it as being able to spend the same bill twice thanks to some glitch in the laws of physics.

Preventing double-spends is arguably one of the main functions of any blockchain technology, so an attack that enables double-spending is a critical threat to any cryptocurrency. The vulnerability was revealed to Ethereum developers in January and patched on February 14.

According to the researchers, however, “prior to the disclosure of this work in January, Ethereum’s peer-to-peer network was significantly less secure than that of Bitcoin.” The Ethereum “eclipse attack,” as it’s known, was developed by Boston University computer scientist Sharon Goldberg, University of Pittsburgh researcher Yuval Marcus, and Boston University PhD candidate Ethan Heilman, who co-authored the 2015 paper that first demonstrated an eclipse attack on the Bitcoin network and was recently at the center of a controversy over the security of the cryptography used by IOTA, a cryptocurrency optimized for the Internet of Things.

Although there are different ways of pulling off an eclipse attack, the effect is always the same: it isolates a targeted Ethereum node from the legitimate nodes on the network, so that every peer it talks to is controlled by the attacker. The security of the Ethereum blockchain ultimately depends on nodes being able to communicate with one another to reach consensus on what the blockchain looks like at any given time. In other words, nodes are constantly exchanging blocks and transactions, and that shared history is what determines who owns which ether.

If a node has no connection to the honest part of the network, it can be fed a view of the ledger that the rest of the network will never accept, which is what makes it a target for double-spends, or, if it mines, it can be made to waste its computing power on an obsolete version of the blockchain. The Ethereum eclipse attack is notable for its low cost to the attacker. Read more from motherboard.vice.com…
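The two effects described above, peer isolation and the double-spend it enables, can be illustrated with a small simulation. This is an added example written for this summary, not code from the researchers or from any Ethereum client, and it deliberately simplifies: the victim's peer table is modelled as a fixed number of slots filled from a candidate pool, the attacker is assumed to have only two IP addresses but to mint many node identities, the mitigation shown is a generic per-address cap on peer slots rather than the specific fix the developers shipped, and the ledger is a constructed account/nonce model with made-up balances rather than a real chain.

```python
"""Toy model of an eclipse attack on a peer table and the resulting double-spend.

Added example. Names, addresses, balances and the per-IP cap are assumptions
made for illustration; nothing here is taken from a real client.
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    node_id: str   # opaque identity: cheap for an attacker to mint in bulk
    ip: str        # scarce resource: each distinct address costs the attacker


def fill_peer_table(candidates, slots, max_per_ip=None, seed=0):
    """Fill a victim's outbound peer slots from the candidates it has learned about.

    Candidates are tried in a seeded random order. With max_per_ip=None nothing
    stops one address from supplying every slot; with a cap, an attacker with
    few addresses cannot crowd out honest peers however many node IDs it mints.
    """
    pool = list(candidates)
    random.Random(seed).shuffle(pool)
    table, per_ip = [], Counter()
    for peer in pool:
        if len(table) >= slots:
            break
        if max_per_ip is not None and per_ip[peer.ip] >= max_per_ip:
            continue
        table.append(peer)
        per_ip[peer.ip] += 1
    return table


def attacker_share(table, attacker_ips):
    """Fraction of the victim's peer slots held by attacker-controlled addresses."""
    return sum(p.ip in attacker_ips for p in table) / len(table)


def build_candidates(n_honest=100, attacker_ips=("203.0.113.5", "203.0.113.6"),
                     ids_per_ip=10_000):
    """Constructed population: honest peers on distinct addresses, attacker reusing two."""
    honest = [Peer(f"h{i}", f"10.0.{i // 256}.{i % 256}") for i in range(n_honest)]
    evil = [Peer(f"a-{ip}-{j}", ip) for ip in attacker_ips for j in range(ids_per_ip)]
    return honest + evil, set(attacker_ips)


@dataclass(frozen=True)
class Tx:
    sender: str
    nonce: int
    to: str
    value: int


class Ledger:
    """Account/nonce ledger: a tx is valid only if its nonce is the sender's next one
    and the sender can cover the value. Two txs with the same sender and nonce conflict."""

    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.nonces = defaultdict(int)

    def apply(self, tx):
        if tx.nonce != self.nonces[tx.sender] or self.balances[tx.sender] < tx.value:
            return False
        self.balances[tx.sender] -= tx.value
        self.balances[tx.to] += tx.value
        self.nonces[tx.sender] += 1
        return True


def double_spend_against_eclipsed_merchant():
    """The attacker relays one history to the eclipsed merchant and another to everyone else.

    Returns (merchant saw payment, payment valid on honest chain, merchant's honest balance).
    """
    genesis = {"attacker": 10}            # assumed starting balance
    merchant_view = Ledger(genesis)       # only sees what attacker-controlled peers relay
    honest_view = Ledger(genesis)         # the rest of the network
    pay_merchant = Tx("attacker", 0, "merchant", 10)
    pay_self = Tx("attacker", 0, "attacker_2", 10)   # same nonce: conflicts with pay_merchant
    merchant_saw_payment = merchant_view.apply(pay_merchant)   # merchant ships the goods
    honest_view.apply(pay_self)                                # honest chain consumes nonce 0
    valid_on_honest_chain = honest_view.apply(pay_merchant)    # rejected: nonce already used
    # Once the merchant regains honest peers it adopts the honest ledger; the ether is gone.
    return merchant_saw_payment, valid_on_honest_chain, honest_view.balances["merchant"]


if __name__ == "__main__":
    candidates, attacker_ips = build_candidates()
    print("no per-IP cap :", attacker_share(fill_peer_table(candidates, 25), attacker_ips))
    print("cap of 1 per IP:", attacker_share(fill_peer_table(candidates, 25, max_per_ip=1), attacker_ips))
    print("double-spend   :", double_spend_against_eclipsed_merchant())
```

Without the cap the attacker's 20,000 identities behind two addresses take essentially every slot; with a cap of one slot per address, the same attacker is limited to two of the 25 slots and the victim keeps honest peers. The second function shows why isolation matters: the eclipsed merchant accepts a payment that the honest network, having already seen a conflicting transaction with the same nonce, will never honour.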
