Vulnerability Is Found in Constantinople Hours After ETH Devs Call It ‘Least Eventful’ Hard Fork
Ethereum’s (ETH) Constantinople hard fork faces a delay over a newly discovered security vulnerability allowing a reentrancy attack. The critical issue was detected by smart contract audit firm ChainSecurity and reported in a blog post Jan. 15.
According to the company’s report, the Constantinople upgrade introduces cheaper gas costs (transaction fees) for some operations on the Ethereum network. As an unexpected side effect, this allegedly enables reentrancy attacks via the use of certain commands in ETH smart contracts.
A reentrancy vulnerability allows a potential attacker to steal cryptocurrency from a smart contract on the network by repeatedly requesting funds from it, calling back into the contract before it has updated its record of the malicious actor’s actual ETH balance.
Afri Schoedon, the hard fork coordinator at Ethereum and release manager at blockchain infrastructure provider Parity Technologies, has confirmed on Reddit that the core developers of Ethereum are aware of the vulnerability.
Schoedon explained that an all-core-dev call has been scheduled on Friday, Jan. 18, to decide on further steps in relation to the newly discovered loophole. According to him, the launch of Constantinople has been postponed until at least the next week:
“We will decided (sic) further steps on Friday in the all-core-devs call. For now it will not happen this week. Stay tuned for instructions.”
On the same day that the vulnerability was discovered, Ethereum’s core developers said that they expect the upcoming fork to be the least eventful one in the history of Ethereum. Their remarks were reported in a Bloomberg article published Jan. 15.
Constantinople was first trialed on the Ethereum public testnet Ropsten in mid-October last year, and had been intended to be swiftly activated on the main blockchain by the end of October or November 2018.
After facing technical hurdles, its launch was rescheduled for Ethereum block 7,080,000, expected Jan. 16. Given the fork’s focus on primarily technical improvements, Ethereum core dev Lane Rettig told Bloomberg:
"I really can’t imagine a less contentious hard fork, to be honest. Of all the hard forks in the history of Ethereum, it’s probably the least eventful one."
As reported, in earlier discussions of Constantinople, some devs had proposed changing the term for the transition from “hard fork” to “update,” arguing that it would sound less controversial, or even less political.
The main impact of the fork will be the reduction of mining rewards for each block from the current 3 ETH to 2. The downward adjustment could reportedly help to reduce the inflation and volatility that are allegedly associated with miners selling ETH to cover their costs and boost revenue.
If reduced incentives equate to less support from miners, as Bloomberg notes, this could render the network more susceptible to the possibility of a 51 percent attack — a risk that has been robustly demonstrated in the recent attack on Ethereum Classic (ETC).
Yet, as reported, the reduction is unlikely to be controversial, as it has long been in the works to gradually reduce rewards to zero as the network readies for its planned transition to a Proof-of-Stake (PoS) consensus algorithm.
The high stakes involved in implementing hard forks were thrown into stark relief last November, when the Bitcoin Cash (BCH) community splintered into two warring factions over a scheduled hard fork.
Major United States cryptocurrency exchanges Coinbase and Kraken are the latest to have confirmed their support for Constantinople, joining other top global industry players such as Binance, Huobi and OKEx. Kraken has aligned with the devs in saying it expected the fork would not be controversial.