Ethereum News: While Ethereum’s Constantinople upgrade is expected to substantially improve the workings of the Ethereum (ETH) network, its release date has been pushed back multiple times. This time the delay is due to a critical vulnerability discovered in one of the planned changes.
ChainSecurity, a smart contract audit firm, pointed out on Tuesday that Ethereum Improvement Proposal (EIP) 1283 could give attackers an easier way to exploit contract code and steal user funds. On a call between ETH core developers, client developers and other projects running the network, the participants agreed that the hard fork should be delayed temporarily to assess the issue.
The call participants included ETH creator Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and Parity release manager Afri Schoedon, among others. A new release date will be decided during another Ethereum dev call on Friday.
The release had originally been scheduled for 04:00 UTC on Jan. 17. The project’s core developers decided that fixing the bug would take longer than that, so the delay was unavoidable. The bug is a reentrancy vulnerability: it lets an attacker “reenter” the same function multiple times before the contract has updated its state (for example, the caller’s balance).
As a result, the attacker could essentially be “withdrawing funds forever,” as Joanes Espanol, CTO of blockchain analytics firm Amberdata, explained in an earlier interview with CoinDesk.
“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”
A similar vulnerability was behind the now-infamous DAO attack of 2016. ChainSecurity’s post explained that prior to Constantinople, a storage write on the network costs at least 5,000 gas, more than the 2,300 gas stipend forwarded when a contract is paid via the “transfer” or “send” functions; that gap is what made the stipend safe, since code running on it could not afford to change storage.
Once the upgrade is implemented, a write to a storage slot that has already been modified earlier in the same transaction (a “dirty” slot) would cost only 200 gas. As the post put it, an “attacker contract can use the 2300 gas stipend to manipulate the vulnerable contract’s variable successfully.”
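The following is an added example, not code from ChainSecurity’s post or from any Ethereum client, that replays the scenario above under both pricing rules: a contract writes a storage slot, pays an attacker with the 2,300 gas stipend, and the attacker’s fallback re-enters and writes the same slot. It implements the pre-Constantinople SSTORE pricing and the EIP-1283 net-metering rule as specified, and assumes the 700 gas base cost of the CALL the attacker uses to re-enter; every other opcode the real EVM would charge for is ignored, which only makes the pre-Constantinople case look more forgiving than it really was. The slot values are constructed.

```python
"""Toy model of why EIP-1283 made the 2,300 gas stipend dangerous.

Added example, not code from the ChainSecurity post or the Ethereum clients.
It meters only the SSTORE opcode (legacy rule and EIP-1283 rule) plus the
700-gas base cost of the CALL the attacker uses to reenter; all other opcode
costs are ignored (assumption/simplification).
"""

STIPEND = 2300        # gas forwarded by Solidity's transfer()/send()
CALL_BASE_COST = 700  # base cost of CALL since Tangerine Whistle (EIP-150)


class OutOfGas(Exception):
    """Raised when an SSTORE does not fit in the remaining gas."""


def sstore_gas_legacy(original, current, new):
    """Pre-Constantinople SSTORE pricing. Returns (gas_cost, refund).

    Only the current and new values matter; 'original' is accepted for a
    uniform signature and ignored.
    """
    if current == 0 and new != 0:
        return 20000, 0
    refund = 15000 if (current != 0 and new == 0) else 0
    return 5000, refund


def sstore_gas_eip1283(original, current, new):
    """EIP-1283 net gas metering. Returns (gas_cost, refund_delta).

    original: value of the slot at the start of the transaction
    current:  value now (differs from original once written in this tx)
    new:      value being stored
    """
    if current == new:                      # no-op write
        return 200, 0
    if original == current:                 # clean slot: first write this tx
        if original == 0:
            return 20000, 0
        return 5000, (15000 if new == 0 else 0)
    # dirty slot: already changed earlier in this transaction
    refund = 0
    if original != 0:
        if current == 0:
            refund -= 15000
        if new == 0:
            refund += 15000
    if original == new:                     # slot reset to its original value
        refund += 19800 if original == 0 else 4800
    return 200, refund


class Slot:
    """One storage slot with the per-transaction bookkeeping EIP-1283 needs."""

    def __init__(self, value):
        self.original = value   # snapshot at transaction start
        self.current = value
        self.refund = 0

    def sstore(self, new, gas_available, rule):
        """Apply a write under `rule`; return remaining gas or raise OutOfGas."""
        cost, refund = rule(self.original, self.current, new)
        if cost > gas_available:
            raise OutOfGas(f"SSTORE needs {cost} gas, only {gas_available} left")
        self.current = new
        self.refund += refund
        return gas_available - cost


def reentrant_write_succeeds(rule, start=1, honest_write=2, attacker_write=3):
    """Replay the stipend scenario under a given SSTORE rule.

    1. The vulnerable contract writes a slot with plenty of gas (dirtying it).
    2. It then pays the attacker with transfer(), forwarding a 2,300 stipend.
    3. The attacker's fallback CALLs back into the vulnerable contract, whose
       setter writes the *same* slot again on what is left of the stipend.
    Returns True if step 3 fits within the stipend (i.e. the attack works).
    """
    slot = Slot(start)
    slot.sstore(honest_write, 1_000_000, rule)          # step 1
    gas_in_callee = STIPEND - CALL_BASE_COST             # steps 2 -> 3
    try:
        slot.sstore(attacker_write, gas_in_callee, rule)
    except OutOfGas:
        return False
    return slot.current == attacker_write


if __name__ == "__main__":
    for name, rule in (("pre-Constantinople", sstore_gas_legacy),
                       ("EIP-1283", sstore_gas_eip1283)):
        outcome = "SUCCEEDS" if reentrant_write_succeeds(rule) else "out of gas"
        print(f"{name:18s}: reentrant storage write under stipend -> {outcome}")
```

The model makes the page’s point concrete: the second write to the same slot is a “dirty” write, priced at 200 gas under EIP-1283, so it fits in the 1,600 gas left after the CALL, whereas the legacy 5,000 gas write runs out of gas. The defence that does not depend on gas prices at all is the checks-effects-interactions pattern or an explicit reentrancy guard, so that no state the contract later relies on can be changed by a reentrant call.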
Previously expected to activate last year, Constantinople had already been delayed once after issues were found when the upgrade was launched on the Ropsten testnet.