CVE-2020-26240

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24

Weakness

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Affected Software

Potential Mitigations

• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
• Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
• Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/128.html
• https://cwe.mitre.org/data/definitions/129.html

References

• https://blog.ethereum.org/2020/11/12/geth_security_release/
• https://github.com/ethereum/go-ethereum/commit/d990df909d7839640143344e79356754384dcdd0
• https://github.com/ethereum/go-ethereum/pull/21793
• https://github.com/ethereum/go-ethereum/security/advisories/GHSA-v592-xf75-856p