Ethereum’s long-anticipated Constantinople upgrade has been delayed after a crucial vulnerability was discovered in one of the proposed upgrades.
Loophole could lead to loss of funds
Smart contract audit firm ChainSecurity yesterday issued a report on Medium revealing a critical vulnerability in the Constantinople upgrade expected to be implemented tomorrow. According to the firm, the Ethereum Improvement Proposal (EIP) 1283 has a loophole in its code that would allow hackers to steal user funds.
Following this discovery, Ethereum's core developers, together with developers of the client implementations and other projects running on the network, decided to delay the proposed hardfork. The developers will work on fixing the vulnerability, and the hardfork is expected to be implemented afterward.
Vitalik Buterin, developers Hudson Jameson, Nick Johnson, and Evan Van Ness, and Parity release manager Afri Schoedon took part in the meeting. Ethereum developers will converge for another call on Friday, and a new fork date will be decided.
While discussing the vulnerability, the project's core developers agreed that it would take a while to fix the bug. They noted that they would not be able to fix it before the hardfork scheduled for tomorrow, and that it was therefore best to set another date for its implementation.
The loophole, a reentrancy attack, would enable hackers to re-enter the same function multiple times without the user knowing what is happening. Joanes Espanol, CTO of blockchain analytics firm Amberdata, stated that with this loophole an attacker could withdraw funds multiple times without the knowledge of the user.
He stated that “Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”
According to reports, the reentrancy attack is similar to the now-infamous DAO attack that took place in 2016.
ChainSecurity stated in their report that before Constantinople, storage write operations on the Ethereum network would cost 5,000 gas. This is higher than the 2,300 gas stipend usually sent when using the transfer or send functions on the network, so a contract receiving funds through those functions could not modify storage. If the upgrade had gone as planned, "dirty" storage operations (writes to a storage slot already written earlier in the same transaction) would cost only 200 gas. The report explained that an "attacker contract could use the 2300 gas stipend to manipulate the vulnerable contract's variable successfully."
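To make the mechanism concrete, here is an added example in Solidity (it is constructed for this article, not ChainSecurity's published proof of concept or any deployed contract; the contract, variable and function names are hypothetical). The first contract re-reads a storage variable after an external transfer, a pattern that was considered safe only because the 2,300 gas stipend could not pay for a 5,000 gas storage write. The second contract follows the checks-effects-interactions pattern, reads the variable once, and adds a reentrancy guard, so it stays correct regardless of what a storage write costs.

```solidity
pragma solidity ^0.4.24;

// VULNERABLE PATTERN (constructed example). Two parties share funds
// sent to this contract according to shareA (in basis points).
// split() reads shareA, makes an external transfer, then reads shareA
// AGAIN. Before Constantinople the recipient's fallback could not
// afford an SSTORE (5,000 gas) within the 2,300 gas stipend, so shareA
// could not change between the two reads. With the EIP-1283 pricing,
// a slot already written in the same transaction costs 200 gas to
// rewrite, so the assumption no longer holds and payouts can exceed
// the pending amount.
contract SplitterVulnerable {
    address public a;
    address public b;
    uint public shareA = 5000;   // basis points owed to a; the rest goes to b
    uint public pending;         // wei waiting to be split

    constructor(address _a, address _b) public {
        a = _a;
        b = _b;
    }

    function() external payable {
        pending += msg.value;
    }

    // Either party may adjust the split at any time: one storage write.
    function setShare(uint bp) external {
        require(msg.sender == a || msg.sender == b);
        require(bp <= 10000);
        shareA = bp;
    }

    function split() external {
        uint amount = pending;
        a.transfer(amount * shareA / 10000);             // external call, 2,300 gas
        b.transfer(amount * (10000 - shareA) / 10000);   // shareA re-read after the call
        pending = 0;                                     // effect recorded last
    }
}

// HARDENED VERSION (constructed example). State is read once and
// updated before any external call (checks-effects-interactions), and
// a mutex blocks re-entry into setShare() while split() is running.
// Correctness does not depend on gas pricing.
contract SplitterHardened {
    address public a;
    address public b;
    uint public shareA = 5000;
    uint public pending;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address _a, address _b) public {
        a = _a;
        b = _b;
    }

    function() external payable {
        pending += msg.value;
    }

    function setShare(uint bp) external nonReentrant {
        require(msg.sender == a || msg.sender == b);
        require(bp <= 10000);
        shareA = bp;
    }

    function split() external nonReentrant {
        uint amount = pending;
        uint share = shareA;        // single read: a later change cannot affect this call
        pending = 0;                // effect before interaction
        uint toA = amount * share / 10000;
        a.transfer(toA);
        b.transfer(amount - toA);   // derived from the same snapshot, never exceeds amount
    }
}
```

The defensive point is that relying on the gas stipend as a reentrancy barrier ties a contract's safety to an EVM pricing constant that a hardfork can change. Ordering state updates before external calls and guarding state-changing functions with a mutex removes that dependency; when auditing existing contracts, search for storage variables that are read both before and after a transfer, send or call.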
Constantinople was expected to be launched last year. It was however delayed after issues were found when the upgrade was launched on the Ropsten testnet.
ETH price drops following hardfork delay
ETH price dropped following the news of the hardfork delay. The third largest cryptocurrency was trading at 129 USD yesterday but has lost more than 5 percent of its value and now trades at 121 USD.
Ethereum, previously the second largest cryptocurrency by market cap, has had a rough couple of months, losing its second spot to XRP.