Ethereum Upgrade Delayed Following Security Flaw


Ethereum developers faced almost as difficult a Tuesday evening as Theresa May, when blockchain research group ChainSecurity uncovered a “reentrancy attack” exploit within the Constantinople code, forcing them to delay the upgrade that was just days away. According to ChainSecurity, the attack would have allowed a malicious actor to steal funds from someone with whom they engaged in a smart contract on the platform. Constantinople has already been delayed numerous times, with the latest delay coming in October last year.

Reentrancy Attack

ChainSecurity informed Ethereum of their findings earlier on Tuesday, and Ethereum requested a public disclosure that evening, having looked at the report and concluded that ChainSecurity's findings were correct. ChainSecurity duly posted their findings to Medium, outlining the problems with the code and a scenario where an attacker could exploit the flaw. A reentrancy attack allows the attacker to ‘re-enter’ a smart contract they have previously engaged in and withdraw the agreed amount of funds over and over again until the execution runs out of ‘gas’ or the wallet is emptied. A variation of the reentrancy attack brought down the DAO in 2016 and caused the Ethereum chain to split.
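
The repeated-withdrawal behaviour described above, modelled in Python as an added example (not code from ChainSecurity's report or from Ethereum): a toy vault whose payout hands control to the recipient, with the unsafe ordering of steps beside the corrected one. The `Vault` class, the account names and the amounts are constructed, and `max_depth` is an assumed stand-in for the gas limit.

```python
class Vault:
    """Toy ledger standing in for a contract that holds users' deposits."""

    def __init__(self, safe):
        self.safe = safe      # True: zero the balance before paying out
        self.balances = {}    # per-account credit
        self.total = 0        # funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.total < amount:
            return                      # nothing owed, or vault is empty
        if self.safe:
            self.balances[who] = 0      # effect recorded before the call
        self.total -= amount
        on_receive(amount)              # control passes to the recipient
        if not self.safe:
            self.balances[who] = 0      # too late: recipient already re-entered


def run(safe, max_depth=50):
    """Return (amount paid to mallory, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("alice", 90)          # constructed sample accounts
    vault.deposit("mallory", 10)
    received = []

    def on_receive(amount):
        # The recipient's code runs in the middle of withdraw() and calls
        # straight back in; max_depth models execution running out of gas.
        received.append(amount)
        if len(received) < max_depth:
            vault.withdraw("mallory", on_receive)

    vault.withdraw("mallory", on_receive)
    return sum(received), vault.total


if __name__ == "__main__":
    print("unsafe ordering:", run(safe=False))              # vault emptied
    print("unsafe, low gas:", run(safe=False, max_depth=3)) # stops early
    print("safe ordering:  ", run(safe=True))               # paid once
```

In the unsafe ordering the 10-unit balance is paid out until the vault is empty or the depth limit is hit; recording the zeroed balance before the payout makes the re-entrant call a no-op.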

Update Expected Friday

Oddly, the entire market reacted negatively to the news rather than just Ethereum, although Ethereum was one of the worst affected, losing 5% of its value and dropping to $122. Responses to the news were supportive, with many congratulating ChainSecurity on the discovery and thanking Ethereum for taking swift action. No word has been given yet on the revised date of the upgrade, but discussions are due to take place on Friday to determine a potential upgrade date.