Ethereum’s Constantinople hard fork has been delayed after ChainSecurity, a smart contract auditing firm, found a major vulnerability in one of the objectives of the upgrade.
ChainSecurity said yesterday that EIP 1283, one of the planned changes, is vulnerable to attack because it can give hackers a loophole in smart contract code to take over a user’s funds. As a result, the Ethereum developers, the client developers and all other projects have agreed to delay the Constantinople hard fork for the time being, until the issue is evaluated and resolved.
The next date for the Constantinople hard fork will be decided on the 18th of January during the Ethereum dev call, which will include people such as Vitalik Buterin, Nick Johnson, Hudson Jameson, Evan Van Ness, Afri Schoedon and others.
The Ethereum developers have decided to delay the Constantinople hard fork for now because, according to them, the issue might take longer to resolve. The hard fork had earlier been planned for 17th January at around 04:00 UTC.
According to Joanes Espanol, the CTO of Amberdata, the vulnerability found in EIP 1283 is known as a reentrancy attack. This attack allows the attacker to re-enter the same function multiple times without the user knowing about the state of affairs. Under a reentrancy attack, the attacker could withdraw the user’s funds forever.
According to ChainSecurity, storage operations on the Ethereum network currently cost 5000 gas, which exceeds the 2300 gas sent when calling a contract using the ‘send’ or ‘transfer’ function. After Constantinople is implemented, dirty storage operations will cost 200 gas, and an attacker contract can then use the 2300 gas stipend to control the vulnerable contract’s variable.
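The gas figures above can be checked with a small model. This is an added example, not code from ChainSecurity or the Ethereum clients: it compares the storage-write cost before Constantinople with the EIP-1283 net gas metering rules and tests each against the 2300 gas stipend. The function names and slot values are constructed, the stipend check ignores the gas used by other opcodes, and the `stipend_guard` option models the later EIP-2200 rule, which the article does not mention.

```python
# Added illustration: SSTORE gas cost under the pre-Constantinople rule and
# under EIP-1283 net gas metering, compared against the 2300 gas stipend.
STIPEND = 2300  # gas forwarded by 'send' / 'transfer' (figure from the article)

def sstore_cost_legacy(current, new):
    """Pre-Constantinople: 20000 to set a zero slot to non-zero, else 5000."""
    return 20000 if current == 0 and new != 0 else 5000

def sstore_cost_eip1283(original, current, new):
    """EIP-1283: cost depends on the slot value at transaction start
    (original), its value now (current) and the value being written (new)."""
    if current == new:
        return 200            # no-op write
    if original == current:   # clean slot: first change in this transaction
        return 20000 if original == 0 else 5000
    return 200                # dirty slot: already changed in this transaction

def write_fits_stipend(cost, gas_left=STIPEND, stipend_guard=False):
    """True if a callee holding only `gas_left` can complete the write.
    Simplification: gas spent on other opcodes is ignored.
    stipend_guard models the later EIP-2200 rule (not from the article):
    SSTORE fails whenever the gas left is <= 2300."""
    if stipend_guard and gas_left <= STIPEND:
        return False
    return cost <= gas_left

def report():
    # Constructed slot states: (label, original, current, new)
    cases = [("clean slot, 1 -> 2", 1, 1, 2),
             ("dirty slot, 1 -> 5 -> 2", 1, 5, 2)]
    rows = []
    for label, orig, cur, new in cases:
        legacy = sstore_cost_legacy(cur, new)
        net = sstore_cost_eip1283(orig, cur, new)
        rows.append((label, legacy, write_fits_stipend(legacy),
                     net, write_fits_stipend(net),
                     write_fits_stipend(net, stipend_guard=True)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the dirty-slot write under EIP-1283 fits inside the stipend, which is the change that breaks the assumption that a `send` or `transfer` recipient cannot modify state.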
This is the second time that the Ethereum hard fork Constantinople is being delayed. Previously, it was scheduled to be launched last year but was delayed due to issues with the Ropsten testnet.