There Are Vulnerabilities In The Ethereum Virtual Machine
On November 9, Netta Lab reported on Twitter a vulnerability in the Ethereum virtual machine that allows users to execute smart contracts endlessly without paying for gas. The researchers also contacted the operator of the American database of vulnerabilities, where they registered the corresponding discovery.
A Google search for Netta Lab returns the netto.io project website, which specializes in auditing smart contracts under the Netta Lab brand. At the same time, the Twitter accounts of the projects do not match. Note that the profile that reported the vulnerability was registered in November.
Netta Labs discovered an Ethereum EVM vulnerability, which could be exploited by hackers. The vulnerability can cause smart contracts to be executed indefinitely without gas being paid.
— Netta Lab (@NettaLab) November 9, 2018
Many users expressed doubts about the authenticity of the information that had been posted, but then the creator of the NEO project, Da Hongfei, said that he had spoken with the CEO of Netta Labs and asked the researchers to audit the NEO virtual machine.
Briefly talked with the CEO regarding the security issue. It seems quite serious. I am asking the team to check NeoVM also. https://t.co/2Vk9gUZn1S
— Da Hongfei (@dahongfei) November 9, 2018
Nevertheless, Vitalik Buterin wrote on Reddit that there is a vulnerability in the Python implementation of the virtual machine, which was described on GitHub 9 days ago. This means that the main clients (go-ethereum, parity and cpp-ethereum) are not affected by the problem.
On Friday, Bitcoin developer Matt Odell also reported a potential vulnerability in the Ethereum protocol, which threatens funds on cryptocurrency exchanges.
Potential ethereum vulnerability. No details publicly released yet. https://t.co/M6DtfJC0mt
— Matt Odell (@matt_odell) November 9, 2018
The dApp developer Level K was the first to announce the risks to the infrastructure of some platforms, but details have not yet been disclosed.
We will shortly disclose a security issue that could potentially cause exchanges a loss of funds. In order to receive advance notice prior to disclosure, please add your name to the following list via pull request, or by DM’ing @trailofbits or @levelk_io: https://t.co/2Y5niurffl
— Level K (@levelk_io) November 9, 2018