Core Ethereum ETH developers have delayed the scheduled Constantinople upgrade after a code audit revealed the proposed software updates introduced dangerous security vulnerabilities to Ethereum smart contracts.
“Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019,” wrote software engineer Hudson Jameson.
Put simply, a planned reduction in network fees for storing Ethereum would have inadvertently enabled theft of funds kept in certain smart contracts by interacting with them multiple times.
“Some smart contracts (that are already on chain) may utilize code patterns that would make them vulnerable to a re-entrancy attack after the Constantinople upgrade took place,” continued Jameson.
It should be clear that this vulnerability is specifically at the contract-level. It does not exactly represent a flaw in the current Ethereum blockchain, with researchers noting that only post-Constantinople smart contracts were theoretically at risk.
No re-entrancy vulnerabilities were found in smart contracts currently deployed on the Ethereum blockchain.
Still, in order to maintain the integrity of the Ethereum blockchain, anyone running a node (such as node operators, exchanges, miners, and wallet services) need to update to a new version of Geth or Parity before block 7,080,000 is mined.
In 2016, autonomous blockchain organization The DAO was famously rocked by different kinds of re-entrancy attacks, after hackers exploited its code to steal 3.6 million ETH ($55 million) from its smart contract system.
For developers, here is a handy tool to determine if your smart contract is vulnerable to re-entrancy attacks, as well as guidelines on how best to avoid these kinds of vulnerabilities.
A new block signifying the launch of the Constantinople is yet to be decided.
Published January 16, 2019 — 13:41 UTC