Statement on Geth 1.10.8 Vulnerability

Hello Validators and Node Operators,

As you might be aware, the go-ethereum team released v1.10.8 yesterday to address a security vulnerability in their Ethereum client. The celo-blockchain client is a fork of go-ethereum.

cLabs developers analyzed the changes in order to determine the vulnerability’s implications and whether Celo was vulnerable. We determined that the bug fixed in go-ethereum v1.10.8 is present in Celo’s blockchain client, but that fixing it safely would have to be done as a hard fork.

We also determined that the bug only manifests itself in an extreme edge case, so that it can result only in specifically crafted smart contracts executing incorrectly. Therefore, there’s no possibility of loss of funds with this bug. Since Celo only has a single client implementation, it cannot lead to a consensus failure and the network stalling. We therefore decided that the fix is not urgent and does not warrant its own hard fork. Instead, we will include the fix in the upcoming regularly-scheduled “E” hard fork. We believe that neither network availability or safety of funds are at risk.

We will be covering this briefly in tomorrow’s Celo’s All-Core Dev Call as part of the E-Hardfork agenda and other topics.

We look forward to seeing you there.

The cLabs Team