Ethereum’s Constantinople Hard Fork Gets Further Delayed Due to Security Vulnerabilities

16. Jan 2019 Posted by Akolkar B on News

The much-awaited Ethereum Constantinople Hard Fork which was earlier scheduled this month, is now delayed for an indefinite time period. Citing a security vulnerability discovered during one of the planned changes, the Ethereum Core Developers arrived at this decision, on Tuesday, January 15.

ChainSecurity, the smart contract audit firm, found a bug that if Ethereum Improvement Proposal (EIP) 1283, it would create a loophole allowing attackers to manipulate the code and steal user funds. Hence while speaking on the call, the Ethereum Core Developers and the Ethereum Security Community collectively took the decision to delay the hard fork until the issue is resolved.

Security researchers like ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain. They did not find any cases of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected,” the statement read.

“Because the risk is non-zero and the amount of time required to determine the risk with confidence is longer the amount of time available before the planned Constantinople upgrade, a decision was reached to postpone the fork out of an abundance of caution.”

The decision-making panel included big names like Parity release manager Afri Schoedon, Ethereum creator Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and others. The team will decide the actual date of the hard fork during a developer call on Friday.

Referred to as the reentrancy attack, the vulnerability will allow the attacker to “reenter” the same function several times without even notifying the users about the state of the matter. In an interview with CoinDesk, Joanes Espanol, CTO of blockchain analytics firm Amberdata, said that under such scenario, the attackers can withdraw funds forever.

He further explains that Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”

The latest vulnerability is similar to the one found in the infamous DAO attack of 2016. The Constantinople hard fork was earlier expected to be released in 2018, however, has been pending yet due to one or the other reason.

Soon as the news broke out yesterday, Ethereum (ETH) lost more than 5% in the last 24-hours and is currently trading at $124 with a market cap of $13 billion.