Critical LES Vulnerability

If you’re a validator or node operator for Celo, this forum post goes over an LES (light server/client) vulnerability. Last Friday, the Geth team disclosed a denial-of-service vulnerability in the LES server: malicious GetProofsV2 calls can crash any node serving light clients, as reported here.

Because celo-blockchain is a fork of Geth, the vulnerability also existed in the celo-blockchain code base, affecting any nodes serving light clients. We recently updated the “running a validator” docs to include the flag --light.serve 0 (in this pull request), and if you’re using that flag then your nodes are not vulnerable.

We have released a new patch version, 1.1.2, which includes the fix for this vulnerability, available here: https://github.com/celo-org/celo-blockchain/releases/tag/v1.1.2

Here are the steps that you must take with your nodes to mitigate the issue:

If you want to serve light clients:

  • Please update your node to the latest celo-blockchain 1.1 version (version 1.1.2, linked above). This version has the fix for the LES vulnerability, so if you run this new release, you can then safely serve light clients as usual.

If you do not want to serve light clients:

  • Check whether you’re using --light.serve 0 in your celo-blockchain command. If not, add it and restart your node. If you wish, you can upgrade to version 1.1.2, but it is not necessary as the vulnerability only affects the LES server, which is not running if you use --light.serve 0.
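The two checks above (is the LES server disabled with --light.serve 0, and if not, is the node on 1.1.2 or later?) can be scripted. The following POSIX shell script is an added example written for this post, not code from the celo-blockchain project. It assumes the flag appears on the command line as either `--light.serve 0` or `--light.serve=0`, and that you can obtain the node's version as a dotted string such as `1.1.2` (an optional `-suffix` is ignored); the command lines it runs against are constructed samples, not real configurations.

```shell
#!/bin/sh
# Added example, not from the original post or the celo-blockchain project.
# Checks whether a node's launch command disables the LES server and whether
# its version is at or above the patched release 1.1.2.

PATCHED_VERSION="1.1.2"

# les_disabled CMDLINE -> returns 0 when the command line contains
# "--light.serve 0" or "--light.serve=0", 1 otherwise (absent flag counts
# as "not explicitly disabled", so the node is treated as serving light clients).
les_disabled() {
    cmdline="$1"
    # Normalise "--light.serve=0" to "--light.serve 0" so one pattern covers both spellings
    normalised=$(printf '%s' "$cmdline" | sed 's/--light\.serve=/--light.serve /g')
    case " $normalised " in
        *" --light.serve 0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# version_ge A B -> returns 0 when dotted version A >= B, comparing each
# numeric component; a "-suffix" (e.g. "1.1.2-stable") is stripped first.
version_ge() {
    a="${1%%-*}"; b="${2%%-*}"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# node_status CMDLINE VERSION -> prints one of:
#   safe-les-disabled : LES server off, so the version does not matter
#   safe-patched      : LES server on, but running 1.1.2 or later
#   VULNERABLE        : LES server on and version older than the fix
node_status() {
    if les_disabled "$1"; then
        echo "safe-les-disabled"
    elif version_ge "$2" "$PATCHED_VERSION"; then
        echo "safe-patched"
    else
        echo "VULNERABLE"
    fi
}

# Constructed sample command lines (not real node configurations)
node_status "geth --verbosity 3 --syncmode full --light.serve 0" "1.1.1"
node_status "geth --syncmode full --light.serve=90 --light.maxpeers 1000" "1.1.2"
node_status "geth --syncmode full --light.serve 90" "1.1.1"
```

To use it against a live node, pass the node's actual launch command (for example, copied from your systemd unit or container entrypoint) and the version string your binary reports; only a node that prints `VULNERABLE` needs action, and either mitigation from the steps above (adding `--light.serve 0` or upgrading to 1.1.2) moves it to a safe state.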

Thank you for keeping our network secure!