In brief

  • Jelurida co-founder Lior Yaffe claims he has found a potential vulnerability in the Ethereum testnet.
  • The potential vulnerability focuses on the level of participation rates in the network.
  • Raul Jordan, an Ethereum developer, says the proposed attack would be more expensive than Yaffe says.

Lior Yaffe, co-founder of Jelurida and lead core developer of Ardor and Nxt blockchains, has discovered what he claims is a vulnerability in the way Ethereum 2.0 works. Currently the blockchain is in testing mode, on the Medalla Testnet (and others) to check for any issues.

Yaffe considered a situation where the network participation rate is low and some whales are quietly running multiple accounts. Since the chain needs a participation rate of at least 66% to keep finalizing, a whale that drops out suddenly, knocking participation below this threshold, could stall it. And if there is not much money being staked, this could be surprisingly feasible.

“Let’s assume that 10% of the ETH is now staking and that network participation is 75% (which is pretty much what we see on testnet now). In this case to drop the participation rate by 9% to halt the chain only requires control of 0.9% of the ETH in circulation. Certainly achievable by a large whale or a mid-size exchange,” Yaffe told Decrypt.

“So all you need in order to stop the network maliciously, is to hold the difference between the current participation level [and] 66%,” he added.

How will the Ethereum 2.0 network fare when it goes to mainnet? Image: Shutterstock.

On the blockchain, a single validator account cannot stake more than 32 ETH. But, according to Yaffe, nothing prevents one user from splitting a large holding into 32 ETH chunks across many accounts. This lets a single entity participate through many validators, something Yaffe says he has already observed among the Medalla Testnet block producers.

So, if the participation rate is low, then whales could have a much bigger impact. “Entities that currently hold more than 0.16% of Ethereum tokens, Binance, Coinbase, Vitalik, each one of them now have the right to shut down the network whenever they like,” he added.

Matthew Tan, CEO and founder of Ethereum block explorer Etherscan, acknowledged that there could be an issue. “I haven't done calculations to verify the above, but yes if participation drops below 66% the chain becomes unhealthy and there will be finality issues as seen in the previous Medalla testnet rough-time incident we witnessed,” he said.

The attack would be much more expensive

However, the assumption that the network will have a low participation rate may be unfounded.

Raul Jordan, a Go developer working on the Ethereum blockchain protocol, told Decrypt that the network will have “more than 16,384 validators at mainnet, my bet is likely around 25,000 at genesis, so the amount needed would be higher.”

As a result, it would be much more expensive to carry out the attack. Jordan said the participation rate should hover around 99%, meaning “an attacker would need around 33% of the stake, of maybe 25,000 validators, which is around $100 million to carry out an attack that will lose everyone, including the attacker, a lot of money.”

Jordan added that “the attacker must be willing to burn a lot of money and bleed funds to halt finality, which is not in their best interest unless they are willing to lose a lot of cash.”
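The disagreement between Yaffe and Jordan comes down to the same arithmetic evaluated with different inputs: the share of stake that must go offline is the gap between current participation and the finality threshold. The small model below, an added example rather than code from either party, reproduces both sets of figures (Yaffe's 10% staked at 75% participation, Jordan's 25,000 validators at 99%) using the article's rounded 66% threshold, so a reader can see how quickly the required stake grows as participation rises.

```python
"""Reproduce the stall-finality arithmetic quoted in the article.

Finality needs at least `threshold` of the active stake attesting.
Validators that stop attesting lower participation; once it falls
below the threshold, the chain stops finalizing. All inputs below are
the article's scenarios or labelled assumptions, not live network data.
"""
import math

ETH_PER_VALIDATOR = 32  # maximum effective stake per validator account


def supply_share_to_stall(staking_ratio: float, participation: float,
                          threshold: float = 0.66) -> float:
    """Fraction of circulating ETH whose validators must go offline.

    Pushing participation from p down to the threshold removes
    (p - threshold) of the staked ETH, i.e. staking_ratio * (p - threshold)
    of total supply. Returns 0.0 when finality is already stalled.
    """
    return max(0.0, staking_ratio * (participation - threshold))


def validators_to_stall(total_validators: int, participation: float,
                        threshold: float = 0.66) -> int:
    """Whole validators (32 ETH each) that must stop attesting."""
    raw = total_validators * (participation - threshold)
    # round() first so float noise like 8249.999999999999 does not ceil to 8251
    return max(0, math.ceil(round(raw, 9)))


def eth_to_stall(total_validators: int, participation: float,
                 threshold: float = 0.66) -> int:
    """Same requirement expressed in ETH that must be held by the attacker."""
    return validators_to_stall(total_validators, participation, threshold) * ETH_PER_VALIDATOR


if __name__ == "__main__":
    # Yaffe's testnet-like case: 10% of supply staked, 75% participating.
    print(f"Yaffe scenario: {supply_share_to_stall(0.10, 0.75):.2%} of supply")
    # Jordan's mainnet estimate: 25,000 validators, ~99% participation.
    print(f"Jordan scenario: {validators_to_stall(25_000, 0.99)} validators, "
          f"{eth_to_stall(25_000, 0.99):,} ETH")
    # Sensitivity: how the requirement scales with participation (assumed values).
    for p in (0.70, 0.80, 0.90, 0.99):
        print(f"  participation {p:.0%}: {eth_to_stall(25_000, p):,} ETH")
```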