The Ethereum Parity client exposes RPC security vulnerabilities and users need to upgrade as soon as possible.

According to foreign media, a code leak that could cause the computer to shut down appeared in the popular Ethereum Parity client. The Ethereum client Parity connects more than 3,000 computer servers worldwide to the Ethereum blockchain network.


Image source:

On Thursday, Parity Technologies released updated code to fix the bug. The company is a startup that is responsible for building and maintaining the Ethereum client.

According to Scott Bigelow, vice president of engineering at blockchain analysis startup Amberdata, only a small percentage of Parity servers are prone to crash. Amberdata first discovered the vulnerability and disclosed it to the Parity Technologies team.

Bigelow said:

"Having a vulnerability (if exploited) will cause all services on the Parity client to crash immediately. It is impossible to steal funds or do other malicious things, but you can turn off some Ethereum nodes."

Parity wrote in a blog post on Thursday:

"Please update your node to the latest version as soon as possible, especially if the node you are running has tracing enabled or enabled for public-facing RPC nodes."

What is RPC?

A remote procedure call (RPC) is a protocol for requesting data and information from a program running on a third-party computer server. It is used on the blockchain to request information about activities on the chain, such as account balances, block numbers, and other data.

It can be used privately by users or open to the wider public. Infura is one of the most popular applications on Ethereum, using public RPC ports to allow users who do not run Ethereum clients to access data about the blockchain network.

Bigelow said that for the vulnerability discovered by the Amberdata team, the Ethereum node running the Parity software must enable a public RPC port and activate a special module to enable transaction history tracking.

Bigelow said:

"This is Venn diagram. You need to find the person who is running the Parity node, they expose the Parity (RPC) port, and the tracking module is enabled on their system. If you have these three things, you can say that the server is not It is."

In February of this year, Parity was vulnerable to similar attack vectors. This vulnerability affects the entire user base of the software, not just a specific part.

Low attack probability

At the same time, this Parity-based tracking module is a very detailed module for developers. Bigelow suspects that only a small number of Parity users actually enable this module.

More importantly, although the RPC call does exist on other Ethereum clients, such as Geth, the RPC implementation between different Ethereum software clients is very different, so it is unlikely to be used on other software. The same type of vulnerability.

A spokesperson for Parity Technologies said:

"The RPC interface of the Ethereum client is not standardized, and each client has additional calls for its specific functionality. So they are unlikely to have similar bugs for similar calls."

Regardless of the likelihood of an attack, Parity Technologies encourages all users to upgrade immediately, and they write in their blog:

"By default, the Parity Ethereum client does not support tracking or public-facing RPC, so most nodes should not be affected. In any case, we recommend that all users running the Parity Ethereum node update to the latest version."