
Report Highlights Ethereum’s Potentially Dangerous Back-End

The Liquid Collective and Obol report says these correlation risks may impact the effectiveness of a major upcoming upgrade called Pectra, which is set to be implemented in 2025. The report says that for Ethereum to remain stable, cloud, operator, and client diversity need to be improved.

The report, “Ethereum’s Correlation Risks: Poorly Understood, but Always Present”, explores risks such as Ethereum’s correlated slashing penalties. Ethereum, like other Proof-of-Stake networks, disincentivizes bad validator behavior through slashing. If a validator messes with the network by, for example, double-signing a transaction, they lose their stake.

What makes Ethereum different is its correlated slashing model, where if more validators are slashed at the same time, each validator loses more stake than if they had been slashed separately. This model becomes ineffective and dangerous if a single operator in the network controls several nodes. The report states that multiple nodes deployed by the same operator are likely to have similar staking practices.
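The scaling described above, as an added example that is not from the report or the article: it follows the proportional penalty rule in Ethereum's public consensus specification. The multiplier of 3 and the 1 ETH increment are assumed from that specification, and the 32 ETH stake and 1,000,000-validator network are constructed values. The fixed initial slashing penalty is left out and total stake is treated as constant.

```python
# Added illustration; constants are assumptions taken from the public
# consensus specification, not from the article or the report.
GWEI = 10**9
EFFECTIVE_BALANCE_INCREMENT = GWEI    # penalties are computed per 1 ETH of stake
PROPORTIONAL_SLASHING_MULTIPLIER = 3  # slashed share is tripled, capped at 100%
STAKE = 32 * GWEI                     # constructed: every validator holds 32 ETH


def correlation_penalty(effective_balance, slashed_in_window, total_active):
    """Per-validator correlation penalty in Gwei (initial penalty excluded)."""
    adjusted = min(slashed_in_window * PROPORTIONAL_SLASHING_MULTIPLIER,
                   total_active)
    per_increment = adjusted // (total_active // EFFECTIVE_BALANCE_INCREMENT)
    return per_increment * (effective_balance // EFFECTIVE_BALANCE_INCREMENT)


def operator_loss(validators_per_event, events, total_validators):
    """Total Gwei lost when `events` slashing events, far enough apart not to
    share a penalty window, each hit `validators_per_event` validators."""
    total_active = total_validators * STAKE
    slashed = validators_per_event * STAKE
    per_validator = correlation_penalty(STAKE, slashed, total_active)
    return per_validator * validators_per_event * events


if __name__ == "__main__":
    NETWORK = 1_000_000  # constructed validator count
    scenarios = [
        ("1 validator, isolated fault", 1, 1),
        ("100k validators, ten separate faults", 10_000, 10),
        ("100k validators, one shared fault", 100_000, 1),
        ("340k validators, one shared fault", 340_000, 1),
    ]
    for label, per_event, events in scenarios:
        loss = operator_loss(per_event, events, NETWORK)
        print(f"{label:40s} {loss / GWEI:>14,.3f} ETH")
```

The same 100,000 validators lose ten times more when one shared fault slashes them together than when the faults are spread out, and once roughly a third of the stake is slashed in one window each validator loses its entire balance.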

The report says there are several non-malicious reasons for nodes to be slashed, including geographical cloud outages, bugs in client software, or unintentionally long downtimes. If an operator were to get large enough, an accidental slashing event could implode the network.

The report says this risk is further compounded by issues such as:

  • The popular client Geth is used by 84% of the network. If it were to crash or have a bug, the consequences would be severe. Diverse client usage would mitigate this risk.
  • Potential for regional AWS outages or policies affecting large chunks of the validator set. A greater geographical distribution of servers and operators using more cloud providers would mitigate this risk. As the image from the report shows, the Ethereum validator set is concentrated in Western Europe and the continental United States.

The report notes these concerns alongside the limited adoption of Distributed Validator Technology (DVT). DVT is a form of validator security that spreads key management and signing responsibilities across multiple parties to reduce single points of failure and increase validator resilience.

The report also encourages future Ethereum Improvement Proposals (EIPs) to refine language around correlation penalties to mitigate risks further.

Questions About Solidity

Further to the validator and correlation issues raised in the Liquid Collective and Obol report, in a recent episode of The Crypto Conversation, Sui founder Evan Cheng also pointed to Ethereum’s programming language Solidity as questionable from a security perspective. “People talk about security, but they still use, for example, Solidity. Well, let’s just be frank, from somebody with my background I can tell you Solidity will never, ever, ever be safe. It’s like, it hurts me. The first time I saw Solidity, I was like, no way, this is wrong. The software is written in a programming language that allows dynamic behavior which is not analyzable. So, you know, all these problems we’re seeing with reentrancy [reentrancy refers to a vulnerability that can occur when a smart contract function makes an external call to another untrusted contract], you know, it’s too fundamentally broken on that front. That this is what I mean by Solidity will never be safe. And this is why we are seeing and will continue to see these hacks happen, right? Because it’s the dominant smart contract language and it’s really, really bad.”

Conclusion

Critics say that, to secure Ethereum’s future, it is essential to address these correlation risks by enhancing cloud, operator, and client diversity, while also continuously refining security protocols and adopting innovative solutions like Distributed Validator Technology. Only then can Ethereum ensure its resilience against potential threats.
