Ethereum developers faced almost as difficult a Tuesday evening as Theresa May, when blockchain research group ChainSecurity uncovered a “reentrancy attack” exploit within the Constantinople code, forcing them to delay the upgrade that was just days away. According to ChainSecurity, the attack would have allowed a malicious actor to steal funds from someone with whom they engaged in a smart contract on the platform. Constantinople has already been delayed numerous times, with the latest delay coming in October last year.
[SECURITY ALERT] #Constantinople upgrade is temporarily postponed out of caution following a consensus decision by #Ethereum developers, security professionals and other community members. More information and instructions are below. https://t.co/p2znO8HGxf
— Ethereum (@ethereum) January 15, 2019
Reentrancy Attack
ChainSecurity informed Ethereum of their findings earlier on Tuesday, and Ethereum, having reviewed the report and concluded that ChainSecurity's conclusions were correct, requested a public disclosure that evening. ChainSecurity duly posted their findings to Medium, outlining the problems with the code and a scenario in which an attacker could exploit the flaw. A reentrancy attack allows the attacker to ‘re-enter’ a smart contract they have previously engaged in and withdraw the agreed amount of funds over and over again until the execution runs out of ‘gas’ or the wallet is emptied. A variation of the reentrancy attack was what brought down the DAO in 2016 and caused the Ethereum chain to split.
Update Expected Friday
Oddly, the entire market, not just Ethereum, reacted negatively to the news, although Ethereum was among the worst affected, losing 5% of its value and dropping to $122. Responses to the news were supportive, with many congratulating ChainSecurity on the discovery and thanking Ethereum for taking swift action. No word has been given yet on the revised date of the upgrade, but discussions are due to take place on Friday to determine a potential upgrade date.
Thanks to @chain_security for discovering the vulnerability in Constantinople before the upgrade went live.
If you’re running a node, new Parity and Geth clients that contain a hotfix will be released shortly.
Discussions about a new upgrade date will be had on Friday.
— Anthony Sassano (@sassal0x) January 15, 2019