ethereum / go-ethereum

Go implementation of the Ethereum protocol
https://geth.ethereum.org
GNU Lesser General Public License v3.0

CVE-2022-37450 Mitigation #27765

Closed sartimo closed 1 year ago

sartimo commented 1 year ago

Hi guys.

Do you know how to mitigate CVE-2022-37450 in geth version <=1.10.21? (Severity rated 5.9/10.) Here is the official description:

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

System information

Geth version: 1.10.21
CL client & version: e.g. geth@<=1.10.21
OS & Version: Ubuntu 20.04

MariusVanDerWijden commented 1 year ago

I don't think we can help you maintain a fork of go-ethereum. There are some issues with PoW and the only real solution is to move to PoS. IIRC the issue here was that mining pools would manipulate timestamps to increase the difficulty of their block in order to win over other miners. The solution was to prioritize the existing block in a reorg, AFAIR.
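As an added illustration (not code from this thread or from go-ethereum), a simplified Go model of why a block timestamp set close to the parent's raises that block's difficulty under the EIP-100 formula, and of how a fork-choice rule that keeps the already-adopted block at the same height, as the reply above describes the mitigation, leaves such a block with nothing to gain. The `Block` type, the omission of the difficulty bomb and minimum-difficulty clamp, and both reorg rules are assumptions made for this example, not geth's own header or fork-choice code.

```go
package main

// Block is a minimal PoW header model, constructed for this example (not geth's types).
type Block struct {
	Number    uint64
	Time      uint64 // timestamp, seconds
	Diff      uint64 // block difficulty
	TotalDiff uint64 // cumulative difficulty including this block
	Uncles    int    // uncles included in this block
}

// calcDifficulty is the EIP-100 (Byzantium) adjustment without the difficulty bomb
// or minimum clamp. A child stamped less than 9 s after its parent gains parent/2048,
// 9..17 s keeps the parent's difficulty, each further 9 s loses parent/2048: the
// timestamp the miner chooses directly sets the difficulty. Callers pass
// childTime > parent.Time, as PoW header validation requires.
func calcDifficulty(parent Block, childTime uint64) uint64 {
	adj := int64(1)
	if parent.Uncles > 0 {
		adj = 2
	}
	adj -= int64(childTime-parent.Time) / 9
	if adj < -99 {
		adj = -99
	}
	return uint64(int64(parent.Diff) + int64(parent.Diff/2048)*adj)
}

// mineChild builds the child of parent at the given timestamp.
func mineChild(parent Block, childTime uint64) Block {
	d := calcDifficulty(parent, childTime)
	return Block{Number: parent.Number + 1, Time: childTime, Diff: d, TotalDiff: parent.TotalDiff + d}
}

// reorgByTotalDifficulty models the pre-mitigation rule: any competing block with
// higher total difficulty replaces the current head, so a block whose timestamp
// sits 1 s after the parent outranks an honest sibling by parent/2048.
func reorgByTotalDifficulty(current, incoming Block) bool {
	return incoming.TotalDiff > current.TotalDiff
}

// reorgPreferExisting models the mitigation as the reply describes it: a competitor
// at the same height never displaces the block already adopted, whatever its
// difficulty; only a heavier chain that is also longer triggers a reorg.
func reorgPreferExisting(current, incoming Block) bool {
	if incoming.Number <= current.Number {
		return false
	}
	return incoming.TotalDiff > current.TotalDiff
}
```

With a parent of difficulty 2^20, a child stamped 13 s later keeps difficulty 1048576 while one stamped 1 s later gets 1049088; the first rule switches to the latter, the second keeps whichever block was adopted first.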

sartimo commented 1 year ago

All right. Thanks. Seems that geth <=1.10.21 is an external dependency. I will upgrade it to PoS. Thanks for your help!