The Existential Threat to ETH Stakers: The Client Majority Risk

NEFTURE SECURITY I Blockchain Security
Coinmonks
Apr 24, 2024


ETH stakers could face an existential threat, with the potential for up to 90% of staked ETH to be wiped out.

At the core of this threat lies the lack of client software diversity within Ethereum.

Ethereum Execution Layer, Client Software and the Overreliance on Geth

In the Ethereum network, the execution layer executes smart contracts and processes transactions according to the protocol rules. An execution client is the node software that implements that layer; it is the program a node operator actually runs, and the interface through which users and applications interact with the chain.

Source: Gnosis Chain

Since the Merge, every validating node runs an execution client paired with a consensus client. The consensus client drives the execution client through the Engine API, and the execution client validates the transactions and resulting state of every block before the node attests to it. The execution layer and the client software that implements it are therefore inseparable in the day-to-day operation of Ethereum.

Hence, execution clients play a crucial role in the Ethereum ecosystem. They perform transaction validation, block validation and execution, state maintenance, integration with the consensus layer, and they serve the JSON-RPC interface that wallets and decentralized applications (DApps) depend on.

Because of this crucial role, the Ethereum Foundation, in its documentation on “Nodes and Clients,” strongly emphasizes that the network must have multiple client implementations. The aim is to reduce the risk that a single client, should it suffer a critical bug or security breach, compromises the entire protocol:

“Multiple client implementations can make the network stronger by reducing its dependency on a single codebase. The Ethereum community maintains multiple open-source execution clients… developed by different teams using different programming languages.

This makes the network stronger and more diverse.

The ideal goal is to achieve diversity without any client dominating to reduce any single points of failure.” — The Ethereum Foundation

The problem is that Ethereum has a supermajority client.

A client reaches supermajority status when it is run by more than 2/3 of all active validators, measured by stake. Ethereum’s supermajority execution client is Geth.

Data Date — January 25, 2024 — Source: Ethereum Foundation

Geth is so popular and trusted that staking operators have been willing to accept the considerable risk of relying on it almost exclusively. Several factors explain this:

Early Adoption and Ethereum Foundation’s Stamp of Approval — Geth (go-ethereum) is one of the original Ethereum clients and has been available since the network launched in 2015. Being there from the start allowed it to establish itself as the default choice among Ethereum node operators and developers.

Performance and Efficiency — Geth is written in Go (also known as Golang), a compiled language known for its performance and straightforward concurrency. Geth is fast and comparatively light on resources, which appeals to operators who prioritize speed and efficient hardware use.

Portability — Geth runs on Windows, macOS, and Linux, making it accessible to a wide range of operators. Because every client implements the same protocol specification, Geth interoperates with nodes running other clients; note, however, that it is the mix of independently written clients, not Geth’s compatibility by itself, that gives the network resilience against a bug in any one of them.

Active Development and Security — Geth is open source and actively developed and maintained by a dedicated team. The Ethereum Foundation, among other contributors, has provided ongoing support for the project, keeping it current with protocol upgrades and security patches.

Over the years, Geth has earned a reputation for reliability, security, and stability, further solidifying its position as the trusted and preferred choice among Ethereum node operators and developers. Its production track record is strong, and the most visible recent incidents have hit its rivals, but Geth has not been bug-free either: like every client, it has shipped consensus-affecting bugs in its history, which is precisely why no single codebase should carry a supermajority of the stake.

For all those reasons, Geth is perceived as the most robust option.

However, its outsized market share could prove to be nightmarish, leading to scenarios such as wiping out a colossal amount of staked ETH or triggering an Ethereum fork.

The Nightmare Scenarios

Since the Shanghai upgrade enabled withdrawals, and with the rise of liquid staking and restaking, the Ethereum staking scene has been nothing short of electrifying, with almost 27% of the ETH supply now staked.

Source: Dune

In January 2024, Geth accounted for 83.7% of network execution clients and was heavily relied upon by top entities for Ethereum staking, such as Lido Finance and Coinbase.

Source: Dune

In January 2024, two incidents took place almost back to back and triggered a much-needed debate on Geth.

On January 6th, 2024, the Besu execution client started producing invalid blocks due to a critical flaw.

On January 21st, 2024, the Nethermind execution client experienced an issue in which around 8% of Ethereum proof-of-stake (PoS) validators suddenly began producing invalid blocks following the release of Nethermind’s v1.23.0 update.

Source: Twitter

At the time, each of these clients ran only a small minority of validators (roughly 8% for Nethermind and 5% for Besu), so the chain kept finalizing. But what would happen if anything were to befall Geth?

According to Ethereum experts, Geth’s supermajority puts the network at risk of two main threats:

I — Staked ETH Being Wiped Out

Lachlan Feeney, founder and CEO of Ethereum infrastructure firm Labrys, argued in his report “Yes, you really can lose all your ETH if you stake with Geth” that a failure of Ethereum’s supermajority execution client could lead to the loss of most of the 32 million ETH staked.

To understand why, we first need to look at how Ethereum runs its validator network: a mix of rewards (3–5% APR on staked ETH) and penalties, namely slashing, penalties for missed duties while offline, and the inactivity leak.

If a minority client like Besu or Nethermind fails and its validators go offline or follow invalid blocks, as happened in January 2024, the chain keeps finalizing because the remaining validators still hold more than 2/3 of the stake. The penalty for the affected validators is mild: they miss their rewards and lose ETH at roughly the rate they would otherwise have earned it.

In the case of the supermajority client Geth, the penalty regime is completely different. Finality requires attestations from more than 2/3 of the stake, so if Geth, run by more than 2/3 of validators, hits a critical bug, the entire Ethereum chain stops finalizing. Preventing the chain from finalizing is met with a much harsher penalty, “the inactivity leak.”

The inactivity leak is triggered when the chain has gone more than 4 epochs (about 25 minutes) without finalizing. From then on, validators who are not attesting correctly are penalized every epoch, and the per-epoch penalty grows the longer they stay absent, so the loss accelerates; validators who keep attesting correctly are not penalized. Offline validators would then see their staked ETH melt away at an alarming speed.

According to Feeney, two months’ worth of staking rewards would evaporate in two days, an entire year’s worth in five days, 50% of the stake would be lost within approximately 20 days, and 90% within approximately 40 days.

Source: Labrys

A six-week outage may seem impossible, but when taking risks, one must assume that anything can happen.

Feeney hypothesizes that validators would not simply sit by as their stake disappears; instead, they would quit altogether, all rushing to the exit simultaneously. Unfortunately, because validator exits are rate-limited by the protocol, only one in twelve validators would be able to salvage more than 50% of their stake, while the others would suffer colossal losses.

Despite the bugs and downtime that minority clients have suffered, they are, counterintuitively, less risky for an Ethereum staker than Geth for as long as Geth remains the supermajority client.

II — An Ethereum Fork

A Geth fault could have even more dire consequences.

According to Feeney, if Geth produced an invalid block, its supermajority status means that block would be accepted by more than 2/3 of the stake, built upon, and could even be finalized by the Geth validators.

It may not sound very dramatic at first sight, but this single invalid block would split Ethereum into two chains, with the forked, Geth-only chain becoming the dominant one.

The repercussions for Geth validators would be of epic proportion: they would find themselves trapped on the forked chain and registered as offline on the ‘true’ Ethereum chain, where the inactivity leak would apply to them.

For Feeney, Geth Ethereum validators will simply and purely “be bled out until their stake represents <⅓ of the network, allowing the non-Geth chain to finalize.”
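To make the two mechanisms described above concrete, the inactivity leak and the bleeding-out of a faulty supermajority until the rest of the network can finalize, here is a small Python simulation. It is an added example for this article, not code from Feeney, Labrys, the Ethereum Foundation or any client team. It applies the mainnet inactivity-leak rules from the consensus specification (Altair/Bellatrix) to a single 32 ETH validator that attests nothing, and then asks at what point a faulty client holding a given share of the stake has shrunk to one third or less, so that the healthy validators hold the 2/3 needed to finalize. Assumptions not taken from the specification: 32,000,000 ETH of active stake (the article’s figure), healthy validators’ balances staying flat (the spec pays no attestation rewards during a leak, so this is close), and proposer, sync-committee and slashing effects being ignored.

```python
"""Inactivity-leak simulation for an offline validator (added example).

Constants are the Ethereum mainnet consensus-spec values (Altair/Bellatrix
rules). Assumed, not from the spec: 32,000,000 ETH of active stake, one
32 ETH validator, healthy validators' balances staying flat, and no
proposer, sync-committee or slashing effects.
"""
from math import isqrt

GWEI = 10**9
SECONDS_PER_SLOT = 12
SLOTS_PER_EPOCH = 32
EPOCHS_PER_DAY = 86_400 // (SECONDS_PER_SLOT * SLOTS_PER_EPOCH)  # 225

# Mainnet consensus constants
BASE_REWARD_FACTOR = 64
EFFECTIVE_BALANCE_INCREMENT = 1 * GWEI
MAX_EFFECTIVE_BALANCE = 32 * GWEI
HYSTERESIS_QUOTIENT = 4
HYSTERESIS_DOWNWARD_MULTIPLIER = 1
HYSTERESIS_UPWARD_MULTIPLIER = 5
TIMELY_SOURCE_WEIGHT = 14
TIMELY_TARGET_WEIGHT = 26
WEIGHT_DENOMINATOR = 64
INACTIVITY_SCORE_BIAS = 4
INACTIVITY_PENALTY_QUOTIENT_BELLATRIX = 2**24
MIN_EPOCHS_TO_INACTIVITY_PENALTY = 4  # the leak starts once finality lags by more than this


def effective_balance_update(balance, effective):
    """process_effective_balance_updates: effective balance moves in 1 ETH steps with hysteresis."""
    hysteresis_increment = EFFECTIVE_BALANCE_INCREMENT // HYSTERESIS_QUOTIENT
    downward = hysteresis_increment * HYSTERESIS_DOWNWARD_MULTIPLIER
    upward = hysteresis_increment * HYSTERESIS_UPWARD_MULTIPLIER
    if balance + downward < effective or effective + upward < balance:
        return min(balance - balance % EFFECTIVE_BALANCE_INCREMENT, MAX_EFFECTIVE_BALANCE)
    return effective


def simulate_offline_validator(in_leak, initial_eth=32, total_stake_eth=32_000_000, days=60):
    """Per-epoch balances (gwei) of a validator that attests nothing.

    in_leak=False: a minority-client outage; the chain still finalizes, so only the
    ordinary missed source/target penalties apply.
    in_leak=True: finality has stalled for more than MIN_EPOCHS_TO_INACTIVITY_PENALTY
    epochs (the supermajority-failure case); the inactivity penalty is added on top.
    """
    sqrt_total = isqrt(total_stake_eth * GWEI)
    base_reward_per_increment = EFFECTIVE_BALANCE_INCREMENT * BASE_REWARD_FACTOR // sqrt_total
    balance = int(initial_eth * GWEI)
    effective = min(balance - balance % EFFECTIVE_BALANCE_INCREMENT, MAX_EFFECTIVE_BALANCE)
    inactivity_score = 0
    balances = [balance]
    for _ in range(days * EPOCHS_PER_DAY):
        base_reward = (effective // EFFECTIVE_BALANCE_INCREMENT) * base_reward_per_increment
        # Missed source and target flags are penalised; a missed head flag is not.
        penalty = base_reward * (TIMELY_SOURCE_WEIGHT + TIMELY_TARGET_WEIGHT) // WEIGHT_DENOMINATOR
        if in_leak:
            # process_inactivity_updates: the score grows by the bias every epoch the
            # validator misses the target and does not decay while the leak lasts, so
            # the per-epoch penalty below grows linearly and the cumulative loss quadratically.
            inactivity_score += INACTIVITY_SCORE_BIAS
            penalty += (effective * inactivity_score) // (
                INACTIVITY_SCORE_BIAS * INACTIVITY_PENALTY_QUOTIENT_BELLATRIX)
        balance = max(0, balance - penalty)
        effective = effective_balance_update(balance, effective)
        balances.append(balance)
    return balances


def days_until_loss(balances, fraction):
    """First day at which the balance has fallen by `fraction` of its start value, or None."""
    threshold = balances[0] * (1 - fraction)
    for epoch, b in enumerate(balances):
        if b <= threshold:
            return epoch / EPOCHS_PER_DAY
    return None


def days_until_chain_finalizes(leak_balances, faulty_share):
    """Day on which a faulty client's validators, all bleeding like `leak_balances`,
    hold at most 1/3 of the stake on the healthy chain, so the healthy 2/3 can finalize.
    Approximation: raw balances stand in for effective balances, and healthy validators
    keep their starting balance (no rewards are paid during a leak)."""
    healthy = (1 - faulty_share) * leak_balances[0]
    for epoch, b in enumerate(leak_balances):
        if healthy >= 2 * faulty_share * b:  # healthy >= 2/3 of total stake
            return epoch / EPOCHS_PER_DAY
    return None


if __name__ == "__main__":
    leak = simulate_offline_validator(in_leak=True)
    quiet = simulate_offline_validator(in_leak=False)
    print(f"leak: 2 days cost {(leak[0] - leak[2 * EPOCHS_PER_DAY]) / GWEI:.3f} ETH, "
          f"50% lost after {days_until_loss(leak, 0.5):.1f} days, "
          f"90% after {days_until_loss(leak, 0.9):.1f} days")
    print(f"minority outage, no leak: 60 days cost {(quiet[0] - quiet[-1]) / GWEI:.3f} ETH")
    for share in (0.84, 0.63, 0.30):
        print(f"faulty client at {share:.0%}: healthy chain finalizes again after "
              f"{days_until_chain_finalizes(leak, share)} days")
```

Running it reproduces Feeney’s orders of magnitude: about 0.2 ETH gone after two days of leak (two months of rewards at 4% APR), roughly half the stake after three weeks and 90% after around 40 days, whereas the same validator offline without a leak loses only about 0.1 ETH in two months. The last function shows why the share matters: at 84% the healthy minority only regains finality once Geth validators have lost about 90% of their stake (around 40 days), at 63% after a loss of roughly 70% (under 30 days), and at 30% the rest of the network can finalize immediately.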

Although major staking actors had been slow to diversify their client software and take on the uncertainties of minority clients, the January 2024 incidents triggered heated discussions that exposed how vulnerable they were, ultimately forcing their hands.

Mitigating the Supermajority Threat: A Community Effort

As mentioned above, when the January 2024 incidents took place, Geth accounted for around 84% of network execution clients. Almost three months later, Geth’s share had fallen significantly, to 63%.

On the left, January 23rd, 2024 data — On the right, April 8th, 2024 data — Source: Client Diversity

The January incidents clearly acted as a wake-up call across the board.

Lido Finance announced on January 23rd, 2024, a firm commitment to reducing its reliance on Geth, the supermajority client. From 93% usage in 2022, it has brought Geth down to 67% of its node operators’ execution clients.

This is an ongoing process, as they have committed to further reducing their reliance on Geth and participating in reducing the supermajority client risk for Ethereum.

Lido’s Client Diversity — Source: HEX

On its own reliance on Geth, crypto exchange Coinbase tweeted on January 22nd, 2024, that when it launched its ETH staking service only Geth met its requirements, and that this had not changed since:

“Although we’ve evaluated execution clients since 2020, none have met Coinbase Cloud’s requirements to date.

Many other operators on the network have reached the same conclusion, which is part of the reason why 84% of Ethereum validators run Geth.

However, the tide is turning.”

They promised that they would add another execution client to their infrastructure, and they actually did so in March 2024.

As of now, they rely half on Geth and half on Nethermind.

Source: Super Majority

Coinbase has also announced its intention to add the Erigon execution client in the future.

Kiln, Octant, Ankr, Sigma Prime and Twinstake have reportedly also reduced their reliance on Geth.

Nevertheless, crypto exchanges like Binance, OKX, and Kraken have not come forward with a plan for reducing their own heavy reliance on Geth.

According to the collected data, which does not claim full accuracy because “Researchers use other metrics to make deductions on which client a validator is most likely operating,” Geth now accounts for roughly 63% of network execution clients.

This suggests that Geth has fallen below the 2/3 threshold, or is on its way to doing so, shedding its supermajority status and, with it, the risk that a Geth bug gets finalized into the canonical chain.

Although this deserves to be celebrated, there is still a long way to go before Ethereum stakers face minimal risk. Dropping below 2/3 removes the worst case, but as long as Geth holds more than 1/3 of the stake, a critical Geth fault still stops the chain from finalizing and still puts Geth validators into the inactivity leak; only below 1/3 can the rest of the network finalize without them. The client-share figures are estimates, too, so a reported 63% leaves a thin margin.

As the data shows, Nethermind and Besu were the main beneficiaries of this shift, with Nethermind’s share increasing from 8% to 23% and Besu’s from 5% to 12%, despite their own January bugs.

While some minor clients are becoming more prominent, Ethereum needs a much more diversified pool of client software that is both secure and trustworthy, as Geth has proven to be to this day.

Commenting on the recent developments in the execution client landscape, Feeney stressed that the “real victory” would only be achieved when no single client controls more than a 33% share.

True victory would likely be achieved if Ethereum and Ethereum staking protocols were able to rely equally on a multitude of client software, each with a maximum 10% share.

Protecting the Ethereum network, along with Ethereum staking actors and stakers, demands ongoing effort and commitment from the entire community.

Concerted efforts have already demonstrated their ability to bring about the first fundamental changes to the space.

Let’s hope they will succeed in bringing about the full-blown revolution that Ethereum needs.

About Us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols, and asset managers from significant losses or threats through its monitoring tools.

Nefture’s core services include Real-Time Crypto Transaction Security and a Threat Monitoring Platform that provides accurate exploit detections and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions that mitigate threats and ensure the security of their wallets and transactions.

Book a meeting 🤝 https://calendly.com/wafae-nefture

Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com