Security alert [Implementation of BLOCKHASH instruction in C++ and Go clients can potentially cause consensus issue – Fixed. Please update.]

Summary: Erroneous implementation of BLOCKHASH can trigger a chain reorganisation leading to consensus problems

Affected configurations: All geth versions up to 1.1.3 and 1.2.2. All eth versions prior to 1.0.0.

Likelihood: Low

Severity: Medium

Impact: Medium

Details: Both C++ (eth) and Go (geth) clients have an erroneous implementation of an edge case in the Ethereum virtual machine, specifically which chain the BLOCKHASH instruction uses for retrieving a block hash. This edge case is very unlikely to happen on a live network as it would only be triggered in certain types of chain reorganisations (a contract executing BLOCKHASH(N – 1) where N is the head of a non-canonical subchain that is not-yet reorganised to become the canonical (best/longest) chain but will be after the block is processed).

pyethereum is unaffected.

Effects on expected chain reorganisation depth: none

Remedial action taken by Ethereum: Provision of hotfixes as below.

Geth:

PPA: sudo apt-get update then sudo apt-get upgrade

Brew: brew update then brew reinstall ethereum

Windows: download the updated binary from https://github.com/ethereum/go-ethereum/releases/tag/v1.2.3

Building from source:

git fetch origin && git checkout origin/master

Eth:

PPA: https://gavofyork.gitbooks.io/turboethereum/content/chapter1.html