On Tuesday (January 15th), Zurich-based blockchain security firm ChainSecurity announced that it had discovered a critical bug in Ethereum's code changes for the Constantinople upgrade that could leave some smart contracts vulnerable to attacks that could lead to loss of user funds. This means that the Constantinople hard fork, which was expected to be activated around 20:00 PT on January 16th (i.e. 04:00 UTC on January 17th) at block number 7,080,000, has had to be delayed.
ChainSecurity offers three types of services:
- smart contract audits (based on its "proprietary audit platform");
- a secuity audit platform (a set of "automated tools for developers and auditors" -- this takes a smart contract and its formal specification as inputs and produces a security report as the output; and
- security monitoring ("ideal for exchanges and response teams") -- this type of monitoring "inspects smart contracts on-chain to ensure compliance and absence of security exploits".
ChainSecurity's Medium blog post, which was published around 16:00 UTC on January 15th, was titled "Constantinople enables new Reentrancy Attack." Here is the summary of the critical vulnerability that ChainSecurity had discovered:
"The upcoming Constantinople Upgrade for the ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(...) or address.send(...) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer."
So, basically, ChainSecurity was saying that the implementation of one of the Constantinople's five main changes, Ethereum Improvement Proposal (EIP) 1283 contained a critical bug. This discovery led to Ethereum's core developers, as well as other key stakeholders such as Ethereum creator Vitalik Buterin, speaking via Zoom audio call and agreeing to delay the hard fork while they studied this issue, with a further meeting scheduled for this Friday to decide on a new fork date.
This is how the Ethereum Foundation announced (at 21:45 on January 15th) the news about the postponement of the Constantinople hard fork:
[SECURITY ALERT] #Constantinople upgrade is temporarily postponed out of caution following a consensus decision by #Ethereum developers, security professionals and other community members. More information and instructions are below. https://t.co/p2znO8HGxf— Ethereum (@ethereum) January 15, 2019
Ethereum Foundation's blog post had this avice for anyone running a node:
"Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc…) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately January 16, 8:00pm PT / January 16, 11:00pm ET / January 17, 4:00am GMT."
This blog post pointed out that "if you are a person who simply interacts with Ethereum (you do not run a node), you do not need to do anything." This includes smart contract owners (since "the change that would introduce this potential vulnerability will not be enabled").
As for those running an Ethereum node, it advised them to update their "Geth and/or Parity instances when they are released." (These new releases should become available by around 02:00 UTC on January 16th.)
At press time, according to CryptoCompare, ETH is trading at $120.15, down 7.31% in the past 24-hour period.
Featured Image Credit: Photo via Pexels.com