The long-awaited Ethereum hard fork upgrade “Constantinople” was delayed yesterday after a sensitive security vulnerability was unearthed during one of the scheduled changes to the platform.
ChainSecurity, a smart contract audit firm, discovered that Ethereum Improvement Proposal (EIP) 1283, if implemented, would open a loophole in the code that could allow attackers to steal funds. During a conference call between ETH devs, client devs and other project leaders running the network, it was decided to delay the anticipated hard fork, at least for now, while the issue is assessed and resolved.
Participants on the call included Ethereum founder Vitalik Buterin, Parity release manager Afri Schoedon, developers Evan Van Ness, Nick Johnson, Hudson Jameson and many others. The new date of the hard fork will be decided during another ETH call this coming Friday.
During the discussion, the core developers of Constantinople concluded that fixing the bug would take too long to make the original date of the hard fork, which was set to take place at 04:00 UTC on Jan. 17.
So just what was the vulnerability that was found? It’s called a reentrancy attack, which, in a nutshell, allows an attacker to “reenter” a specific function multiple times before the contract has updated its state in between. During this attack, a hacker could easily be “withdrawing funds forever,” said Amberdata CTO Joanes Espanol in an interview.
Espanol explained:
“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”
This attack bears a striking resemblance to one of the vulnerabilities found in the infamous DAO attack of 2016.
ChainSecurity’s report explained that before Constantinople, a storage write on the ETH network cost 5,000 gas, more than the 2,300 gas stipend that is forwarded when a contract is paid using the transfer or send functions. A called contract therefore could not afford to modify storage while that call was executing.
Here’s where the network would have been vulnerable. If the upgrade were implemented, “dirty” storage writes (rewriting a slot already touched in the same transaction) would cost only 200 gas. This means that an “attacker contract can use the 2300 gas stipend to manipulate the vulnerable contract’s variable successfully.”
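To make the gas-cost argument concrete, here is a constructed Solidity example (written for this page, not ChainSecurity's published proof of concept and not code from the article). The contract names, the `Pair` struct and the percentage split are assumptions for illustration. `SharedPayoutVulnerable.payout` is safe only while the 2,300-gas stipend given to `transfer` cannot cover a storage write; under EIP-1283 a counterparty's fallback function could afford to call `updateSplit`, and the second transfer would be computed from a changed split, paying the pair out of funds held for other pairs. `SharedPayoutFixed.payout` follows checks-effects-interactions (all amounts are computed and state is updated before any external call) and adds a lock as defence in depth.

```solidity
pragma solidity ^0.5.0;

// Constructed example: a contract holding deposits for many A/B pairs and
// splitting each pair's deposit by a percentage either party may update.
contract SharedPayoutBase {
    struct Pair {
        address payable a;
        address payable b;
        uint256 splitA;     // percentage of the pair's deposit owed to a (0..100)
        uint256 deposited;  // wei held for this pair
    }

    mapping(uint256 => Pair) public pairs;
    uint256 public nextId;
    bool internal locked;   // set while a payout is in progress (used by the fixed version)

    function register(address payable a, address payable b, uint256 splitA)
        external
        returns (uint256 id)
    {
        require(splitA <= 100, "split out of range");
        id = nextId++;
        pairs[id] = Pair(a, b, splitA, 0);
    }

    function deposit(uint256 id) external payable {
        require(id < nextId, "unknown pair");
        pairs[id].deposited += msg.value;
    }

    // Rewriting an already-written slot cost 5,000 gas before Constantinople;
    // under EIP-1283 a "dirty" slot (already touched in this transaction) would
    // be rewritten for 200 gas, i.e. within the 2,300-gas transfer stipend.
    function updateSplit(uint256 id, uint256 splitA) external {
        require(!locked, "payout in progress");
        Pair storage p = pairs[id];
        require(msg.sender == p.a || msg.sender == p.b, "not a party");
        require(splitA <= 100, "split out of range");
        p.splitA = splitA;
    }
}

contract SharedPayoutVulnerable is SharedPayoutBase {
    // BUG: p.splitA is read from storage again after the first external call.
    // p.a's fallback runs inside that transfer with the 2,300-gas stipend; if it
    // can afford updateSplit() in that budget, the second transfer uses a changed
    // split and the pair receives more than it deposited, at the expense of every
    // other pair's funds held by this contract.
    function payout(uint256 id) external {
        Pair storage p = pairs[id];
        uint256 total = p.deposited;
        p.deposited = 0;
        p.a.transfer(total * p.splitA / 100);
        p.b.transfer(total * (100 - p.splitA) / 100);
    }
}

contract SharedPayoutFixed is SharedPayoutBase {
    // Checks-effects-interactions: compute both amounts from one snapshot of
    // storage and clear the deposit before any external call, so nothing a
    // callee does during the transfers can change what is paid out.
    function payout(uint256 id) external {
        require(!locked, "reentrant call");
        locked = true;

        Pair storage p = pairs[id];
        uint256 total = p.deposited;
        uint256 amountA = total * p.splitA / 100;
        uint256 amountB = total - amountA;   // never exceeds what this pair deposited
        p.deposited = 0;

        p.a.transfer(amountA);
        p.b.transfer(amountB);

        locked = false;
    }
}
```

The lock is secondary: even without it, the fixed `payout` cannot be influenced by a reentrant `updateSplit`, because both amounts are already fixed in local variables when the first `transfer` runs. The lesson for auditors is that "the callee only has 2,300 gas" is an assumption about opcode pricing, not a security property of the contract, and a protocol upgrade can invalidate it.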
Hopefully, this will be the last of the woes faced by the ETH network with regards to the upcoming Constantinople hard fork. Only time will tell. Let us know your thoughts on the pending upgrade by leaving a comment below.