Ethereum operated for two years with a DoS exploit that could take the network offline

Ethereum Foundation developers disclosed information about a vulnerability that could enable a DoS attack on the blockchain of the second-largest cryptocurrency by market capitalization.

A disclosure about the #Ethereum state problems, which we’ve been working on fixing for the past two years: https://t.co/GQBh0rFYKf

— M H (((Swende))) (@mhswende) May 18, 2021

The vulnerability was discovered as early as March 2019, but it could be fixed only with the activation of hard fork Berlin in April 2021.

According to the developers, the vulnerability was ‘an open secret’ — it had previously been publicly disclosed by mistake. After the April update, the threat level had fallen enough to discuss it in detail.

«It is important that the community can understand the reasons for changes that adversely affect user experience, such as higher gas costs,» the statement says.

The state of Ethereum is described using a Merkle Patricia Tree. Each ‘leaf’ of this tree is an account in the network, so as the blockchain grows the structure becomes denser. Merkle Patricia Tree.

Between the root hash and user accounts there are several ‘intermediate’ nodes. To access a particular address the system must perform 8-9 operations.

Low transaction costs and network growth created DoS-attack risks. To execute it, one only needs to search for non-existent addresses.

To address this problem developers changed the gas-cost calculation algorithm and integrated into the Geth client a dynamic state snapshots mechanism. Such snapshots are a secondary data structure for storing network state in the format flat files.

With the Berlin activation, the attack’s effectiveness fell by a factor of 50.

In September 2020, Storj developer Braden Fuller described a serious vulnerability in Bitcoin Core software. The exploit allowed steal funds and delay payments.