Crypto Confronts Own Y2K Moment With Ethereum Network Upgrade

Olga Kharif | August 24, 2022

(Bloomberg) -- Airplanes wouldn’t be able to land. Power plants would shut down. Those were just some of the dire predictions faced by computer programmers and users worldwide as the year 2000 approached. In the end, the millennium bug that was widely expected to create computer chaos turned out to be more of a punch line to jokes than an actual problem. 

Two decades later, the crypto world could be facing its own Y2K moment, when the Ethereum network undergoes a major software upgrade in September. The revamp, known as the Merge, is being billed as a seamless transition that shouldn’t be noticeable to users of the most commercially important blockchain. Not everyone is convinced, especially when it comes to the more than 3,400 active distributed applications that are built on the platform.  

“You know there will be those edge cases that will be interesting and exploitable,” said Toby Lewis, chief executive officer of Novum Insights, a crypto analytics provider. “One thing I can guarantee, it’s going to be a very bumpy ride.”

Observers just need to look back to Ethereum’s 2016 upgrade, when the network was besieged for weeks by so-called replay attacks, where hackers replayed users’ transactions to steal tokens. The Yunbi exchange reportedly lost 40,000 Ethereum Classic coins. Developers have since implemented network-based protection measures. Even so, attacks could still take place if any of the self-executing software programs called smart contracts that run the myriad of apps on the network haven’t been built correctly, according to Josselin Feist, engineering director for blockchain assurance at Trail of Bits, a security firm that audits the self-executing contracts.  

Industry participants are already announcing safeguards. Coinbase Global Inc., the largest US crypto exchange, said it will pause withdrawals and deposits of all Ethereum-based tokens “briefly” around the time of the Merge. Most other crypto exchanges, and even many decentralized-finance apps, which let users trade, borrow and lend tokens, are expected to follow suit.

Ethereum is transitioning from a proof-of-work system, in which networks of computers known as miners pluck transactions out of a data pool and arrange them into blocks that are added to the blockchain. The miners are being eliminated as part of a plan to reduce energy consumption. After the upgrade, a newly created participant in the new proof-of-stake system, known as a builder, will gather transactions into blocks, which it will then send to validators. The validators will sign off on the order of the blocks that will form the upgraded blockchain.

The protective measures by the likes of Coinbase are being taken after some glitches took place during the final test of the upgrade. Some of the validators got out of sync with others, resulting in some changes to block ordering. That sort of issue can result in the need for the network to be paused, said Pedro Herrera, head of research at DappRadar. In such a scenario, a user facing liquidation, for instance, may be powerless to stop it in time.

The most disruptive issues could actually come from the emergence, around the time of the Merge, of offshoots of Ethereum. A fork in the chain would generate an almost exact replica of the Ethereum ecosystem, with copies of all its coins, nonfungible tokens and apps. People who hold an Ether token on the Ethereum blockchain will receive an additional EtherPOW token representing a forked blockchain. Some users may then try to offload POW coins -- and that’s where scammers can come in and execute replay attacks.

“Replaying attacks are possible during the Merge as the network becomes less secure and more vulnerable to attacks when forks happen,” Justin Sun, who is an investor in the Poloniex crypto exchange and the founder of Tron blockchain, said in a message.

Crypto investors who want to do transactions around the time of the upgrade may want to consider using alternative blockchains and other safeguards. 

“If you want to play with your POW assets, move them to another wallet, so there’s no way for an attacker to replay the transaction,” said Pedro Herrera, head of research at DappRadar.

For their part, Ethereum core developers are downplaying the risk, in contrast to the many pundits who warned back in the 1990s of dire circumstances that could result from the inability of many computers to interpret the date change at the millennium correctly.

“I don’t expect replay attacks to be a significant problem, if they occur at all,” said Ben Edgington, lead product manager at ConsenSys.      

©2022 Bloomberg L.P.