A security alert has been issued by the Ethereum team regarding users of the Windows AlethZero and eth client. The bug fails to write the private key of some identities, which could result in lost funds transferred to these “lost identities.” A hot fix update has been published in response.
Ethereum developers were not kidding when they said there might be traps and highway men lurking behind the shadows of this unexplored Ethereum Frontier. One of such traps was discovered earlier this August 7, which could fool some users into thinking they had the private keys of newly generated public addresses on Widows Ethereum clients.
Specifically, the clients affected are AlethZero and eth implementations on Windows. Users of Frontier command line interface geth are unaffected. Jutta Steiner of the ETH team writes:
“While setting privacy permissions on the keys directory, insufficient error handling can cause the key files to not be written; this may be widespread on the Windows platform. As such, current versions of AlethZero and eth may include identities for which there exists no underlying key. Ether Presale Claim functionality of AlethZero may result in funds automatically being transferred to these lost identities.”
As a specific work around, Steiner writes:
“Users of AlethZero version 0.9.39 and earlier should NOT use the “Claim Presale Wallet” function; users of AlethZero and eth versions 0.9.39 and earlier should not attempt to mine or receive funds into their addresses.”
Adding that “Users of eth and AlethZero on all platforms should consider themselves safe once they have confirmed that they do indeed have the underlying key. To check (with your existing setup) run:
You may assume that all listed addresses do indeed have a key behind them and are not suffering from this issue.
According to the official blog post, a hot fix has been published for immediate update of such clients, But a link to the hot fix was not posted. This article will be updated accordingly as soon as the hot fix is published.