The Ethereum development team has delayed the Constantinople hard fork, citing a security vulnerability in the upgrade’s code that would have reintroduced the possibility of a reentry attack. The vulnerability was discovered by the smart contract auditor ChainSecurity, who immediately alerted the proper crypto industry insiders.
What’s A Reentry Attack?
A reentry attack occurs when an attacker simulates a secure treasury sharing service. In a normal treasury sharing service, parties jointly receive funds and then agree on how to split them. An attacker spoofs this function by pretending to be one of the parties involved, then takes advantage of a contract that uses the treasury sharing service. This allows the attacker to steal holdings allocated to another entity via the fake contract.
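An added example, not taken from the article or from ChainSecurity's report: a Python toy model of the shared-treasury scenario described above, showing a payout that re-reads state after an external call beside a hardened version. All class, method and party names and the amounts are assumptions.

```python
# Constructed toy model of a shared-treasury contract; every name is an assumption.
class Treasury:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balance = 0    # all funds held by the contract
        self.deposits = {}  # treasury id -> amount held for that treasury
        self.split = {}     # treasury id -> percent owed to the first party
        self.paid = {}      # party name -> total received

    def deposit(self, tid, amount):
        self.deposits[tid] = self.deposits.get(tid, 0) + amount
        self.balance += amount

    def update_split(self, tid, pct):
        self.split[tid] = pct

    def _pay(self, party, amount):
        # External call: the recipient's code runs before control returns.
        self.balance -= amount
        self.paid[party.name] = self.paid.get(party.name, 0) + amount
        party.on_receive(self)

    def split_funds(self, tid, first, second):
        amount, pct = self.deposits[tid], self.split[tid]
        if self.hardened:
            self.deposits[tid] = 0   # settle state before any recipient code runs
        self._pay(first, amount * pct // 100)
        if not self.hardened:
            pct = self.split[tid]    # vulnerable: split re-read after external call
        self._pay(second, amount * (100 - pct) // 100)
        self.deposits[tid] = 0

class Party:
    def __init__(self, name, reenter_tid=None):
        self.name, self.reenter_tid = name, reenter_tid

    def on_receive(self, treasury):
        # A re-entering recipient rewrites the agreed split mid-payout.
        if self.reenter_tid is not None:
            treasury.update_split(self.reenter_tid, 0)

def run(hardened):
    """Return (total paid out, funds left in the contract) for one payout."""
    t = Treasury(hardened)
    t.deposit("other", 100)   # funds held for an unrelated treasury
    t.deposit("shared", 100)
    t.update_split("shared", 100)
    t.split_funds("shared", Party("a", "shared"), Party("b"))
    return sum(t.paid.values()), t.balance
```

In the vulnerable run the shared treasury pays out twice its deposit and the unrelated treasury's funds cover the difference; in the hardened run the payout equals the deposit.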
While some Twitter users were evidently disconcerted by the emergency delay, others expressed concern about how the bug would affect future smart contracts on Ethereum. One commentator going by the handle of @nicksdjohnson told a critic who claimed the reported vulnerability was a “non-issue” the following:
“How much of other people’s money would you like to bet? For my part, I’ll happily take a bet with you that at least one contract is financially vulnerable as a result of this bug.”
ChainSecurity discovered the vulnerability in the upcoming Constantinople update, stating that data compiled by Eveem.org indicated no reentry attack vulnerabilities in current smart contracts on the popular blockchain.
However, this doesn’t rule out the possibility that the upgrade would affect future smart contracts on Ethereum, especially if Constantinople were rolled out as originally planned. In ChainSecurity’s public report on the issue, the organization pointed out a number of ways that developers could tell whether their contracts were vulnerable to the bug.
Ethereum Team Issues Emergency Update
In response to the reported vulnerability, Ethereum developers quickly created and released Geth Version 1.8.21 to postpone the blockchain upgrade. Developers, including Hudson Jameson, Vitalik Buterin, and Afri Schoedon, are looking to delay the upgrade until developers can procure a permanent fix.
Anyone running Geth should update to the new version as soon as possible. It may, however, take time for exchanges to update accordingly. Some platforms may pause deposits and withdrawals as previously planned, so traders should be cautious when attempting to send ETH to exchanges.
The current version of Ethereum does not appear to be vulnerable to the reentry attack. The discovery did come at an awkward time for Ethereum’s price, as the asset has dropped by upwards of six percent in the past 24 hours. Yet fears may be overblown, as the crypto project’s team was able to pause the upgrade before worse came to worst.