Ethereum’s Constantinople Hard Fork Gets Delayed Due to Critical Bug

Updated on Apr 28, 2022 at 11:16 am UTC · 4 min read

ChainSecurity discovered a new bug in the Ethereum Constantinople upgrade that would allow attackers to exploit the hard fork software code and repeatedly withdraw user funds.

It looks like Ethereum supporters and enthusiasts will have to wait some more time for the arrival of the much-awaited Constantinople hard fork. After smart contract auditing firm ChainSecurity reported a critical security vulnerability introduced by the software upgrade, the core developer team decided to postpone the launch.

The official announcement on the Ethereum blog reads:

“Security researchers like ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain. They did not find any cases of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected.”

It further adds:

“Because the risk is non-zero and the amount of time required to determine the risk with confidence is longer than the amount of time available before the planned Constantinople upgrade, a decision was reached to postpone the fork out of an abundance of caution.”

Vulnerability Detected In Ethereum Improvement Proposal (EIP) 1283

ChainSecurity noted that if Ethereum Improvement Proposal (EIP) 1283 is implemented, it would create a loophole for attackers to exploit the software code and steal users’ funds. Referring to it as a reentrancy attack, the firm explained that the vulnerability allows an attacker to “reenter” the same function multiple times before the contract has updated its state. This would allow the attacker to withdraw funds repeatedly.

In its Medium blog post, ChainSecurity explained:

“The upcoming Constantinople Upgrade for the Ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(…) or address.send(…) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”

The post further explains that before the Constantinople hard fork, storage write operations on the network cost 5000 gas. This considerably exceeds the 2300 gas stipend normally forwarded when a contract is called through the “transfer” or “send” functions, so such a call could not modify storage. If the upgrade were implemented, a write to an already-modified (“dirty”) storage slot would cost only 200 gas, which fits within the stipend. ChainSecurity notes that an “attacker contract can use the 2300 gas stipend to manipulate the vulnerable contract’s variable successfully.”

This vulnerability is quite similar to the one found in the DAO attack in 2016.
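To make the gas argument above concrete, the following is an added example (not code from the article or from ChainSecurity) that re-implements the SSTORE pricing rules before Constantinople and under EIP-1283 as written in the EIP, then checks whether a reentrant storage write paid for with only the 2300 gas stipend can succeed. The transaction scenario and slot values are constructed for illustration.

```python
# Added example: SSTORE gas before Constantinople vs. under EIP-1283 net gas
# metering, and why the 2300 gas stipend of transfer()/send() stops acting as
# a reentrancy guard. Refunds are ignored because they never lower the
# up-front cost that must fit in the stipend.

STIPEND = 2300              # gas forwarded by address.transfer() / address.send()
SSTORE_SET = 20000          # write a non-zero value into a zero slot
SSTORE_RESET = 5000         # any other write to a clean slot
SSTORE_CHEAP = 200          # EIP-1283: no-op write, or write to an already dirty slot


def sstore_gas_legacy(current, new):
    """Pre-Constantinople cost of one SSTORE, based only on the current value."""
    if current == 0 and new != 0:
        return SSTORE_SET
    return SSTORE_RESET


def sstore_gas_eip1283(original, current, new):
    """EIP-1283 cost of one SSTORE.

    original: slot value at the start of the transaction
    current:  slot value right before this SSTORE
    new:      value being written
    """
    if current == new:
        return SSTORE_CHEAP          # no-op write
    if original == current:          # slot still clean in this transaction
        return SSTORE_SET if original == 0 else SSTORE_RESET
    return SSTORE_CHEAP              # slot already dirty: cheap rewrite


def reentrant_write_fits_stipend(original, first_write, second_write, eip1283):
    """Constructed scenario: the outer call writes a slot once (dirtying it),
    then a callee reached via transfer()/send() re-enters and writes the same
    slot again with only the 2300 gas stipend.

    Returns (gas charged for the second write, whether it fits in the stipend).
    """
    current = first_write            # state after the outer call's own write
    if eip1283:
        gas = sstore_gas_eip1283(original, current, second_write)
    else:
        gas = sstore_gas_legacy(current, second_write)
    return gas, gas <= STIPEND


if __name__ == "__main__":
    for fork, flag in (("pre-Constantinople", False), ("EIP-1283", True)):
        gas, fits = reentrant_write_fits_stipend(10, 20, 30, flag)
        print(f"{fork}: reentrant SSTORE costs {gas} gas, fits stipend: {fits}")
```

Under the legacy rules the second write costs 5000 gas and the reentrant call runs out of gas; under EIP-1283 the same write costs 200 gas and succeeds, which is exactly the side effect ChainSecurity reported.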

Node Operators Should Upgrade to Emergency Software Clients

Now that the Constantinople hard fork is delayed further, node operators and miners are requested to upgrade to the emergency versions of the Ethereum software clients, or else to downgrade to the earlier pre-fork release. Failing to do so will leave them completely disconnected from the main network, as the fork software is not compatible with the previous versions.

Ethereum users who don’t run full nodes need to take no action at the moment; their wallets are secure in the current state. Currently, the developers have postponed the hard fork for an unspecified time. However, the Ethereum developers are likely to announce the new date during the next core developer meeting on Friday.

Following the delay of Constantinople, popular Ethereum clients like Go-Ethereum (Geth) and Parity have released software updates. In the Ethereum core developers chat, Kirill Pimenov – head of security at Parity Technologies – advised upgrading to Parity’s new beta release 2.3.0 instead of downgrading the software. He wrote:

“I want to restate — downgrading Parity to pre-Constantinople versions is a bad idea, we don’t recommend that to anyone. Theoretically it should even work, but we don’t want to deal with that mess.”

Ethereum Price Drops

The announcement of the Constantinople delay resulted in a drop in the Ethereum price. Ethereum (ETH) dropped by nearly 5% on Tuesday and is currently trading at $124 with a market cap just below $13 billion. Nevertheless, in anticipation of the Constantinople launch, 19 crypto exchanges worldwide have already pledged their support for the hard fork.
