Amberdata Discovers 'RPC Call' Bug in Parity Ethereum Client
A new version of the Parity ethereum client was released on Thursday to patch a security vulnerability found by blockchain startup Amberdata.

A code vulnerability that could have forced computer shutdowns was found on Tuesday in the second most popular ethereum client.
Parity connects over 3,000 computer servers around the globe to the ethereum blockchain network.
On Thursday, Parity Technologies, the startup responsible for building and maintaining the ethereum client, released updated code to fix the bug.
Only a small subset of Parity servers were vulnerable to crashing, according to Scott Bigelow, the VP of engineering at blockchain analytics startup Amberdata. Amberdata first discovered the vulnerability and disclosed it to the Parity Technologies team.
“There was a vulnerability that [if exploited] would cause an immediate crash of the Parity client for all its services,” said Bigelow. “There is no possibility to steal funds or do other malicious things but you could shut down some portion of ethereum nodes.”
In a blog post published Thursday, Parity Technologies wrote:
“Please update your nodes to the newest version ASAP, especially if you’re running a node that has enabled tracing or a node that has enabled publicly-facing RPC.”
What's RPC?
A remote procedure call, or RPC, is a protocol for requesting data and information from a program running on a third-party computer server. It is used on blockchains to request information about on-chain activities such as account balances, block numbers and other data.
It can be used privately by a user or opened for the broader public to access. Infura, one of the most popular applications on ethereum today, leverages public RPC ports to make data about the blockchain network accessible to users who don’t themselves run ethereum clients.
For the vulnerability found by the Amberdata team to be exploited, the ethereum node running Parity software must have enabled a public RPC port and activated a special module to enable the tracing of transaction history, according to Bigelow.
“It’s really this venn diagram,” said Bigelow. “You need to find people who are running Parity nodes, who have a Parity [RPC] port exposed and who also have the tracing module enabled on their system. If you have those three things, you can say that server is gone.”
Parity was susceptible to a similar attack vector back in February. That vulnerability impacted the software's entire user base, not just a specific subset.
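The conditions Bigelow describes can be checked from how a node is launched. The following is an added example, not code from Parity Technologies or Amberdata: it classifies a Parity command line by whether JSON-RPC is bound beyond loopback and whether tracing is on. It assumes the node is configured through the `--jsonrpc-interface`, `--no-jsonrpc`, `--unsafe-expose` and `--tracing` flags only (a config file is not read), and the function names and sample command lines are constructed for illustration.

```python
import shlex

# Interface values that keep JSON-RPC reachable only from the node itself.
LOOPBACK = {"local", "127.0.0.1", "localhost", "::1"}

def parse_flags(cmdline):
    """Return {flag: value} for a command line; bare flags map to True."""
    tokens = shlex.split(cmdline)
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:                      # --flag=value
                name, value = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                name, value = tok, tokens[i + 1]  # --flag value
                i += 1
            else:                               # bare switch
                name, value = tok, True
            flags[name] = value
        i += 1
    return flags

def audit(cmdline):
    """Classify a node against the two conditions named in the article."""
    flags = parse_flags(cmdline)
    rpc_on = "--no-jsonrpc" not in flags
    iface = flags.get("--jsonrpc-interface", "local")   # default: local only
    exposed = rpc_on and ("--unsafe-expose" in flags or iface not in LOOPBACK)
    tracing = flags.get("--tracing", "auto")  # auto reuses the database's last setting
    if not exposed or tracing == "off":
        return "outside-subset"
    return "affected-subset" if tracing == "on" else "tracing-unknown"

# Constructed sample command lines, not taken from real deployments.
SAMPLES = [
    "parity --chain mainnet",
    "parity --jsonrpc-interface all --tracing on",
    "parity --jsonrpc-interface=0.0.0.0 --jsonrpc-port 8545",
    "parity --unsafe-expose --tracing off",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{audit(cmd):16} {cmd}")
```

A `tracing-unknown` result means the flag alone does not settle the question, because `auto` follows whatever the existing database was created with.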
Low likelihood of attack
At the same time, this tracing module on Parity is a highly detailed and developer-oriented module that Bigelow suspects only a small fraction of Parity users have actually enabled.
What’s more, while RPC calls do exist on other ethereum clients, such as Geth, it is highly unlikely for the same kind of vulnerability to be exploited on other software – due to how RPC implementations differ across ethereum software clients.
“The RPC interfaces of ethereum clients are not standardized and each client has additional calls for their specific features,” said a Parity Technologies spokesperson. “So it's unlikely they have a similar bug for their analogous call.”
Whatever the probability for attack, Parity Technologies encourages all its users to upgrade immediately, saying in their blog post:
"By default, Parity Ethereum does not enable tracing or public-facing RPC, so the majority of nodes should not be affected. Regardless, we recommend everyone running Parity Ethereum nodes to update to this latest version."










