Zurich-based blockchain security firm ChainSecurity has discovered a critical bug in Ethereum’s Constantinople upgrade which could leave smart contracts vulnerable to attacks. The Ethereum Foundation has therefore decided to delay the hard fork, which was expected to be activated around 6am UTC tomorrow.
ChainSecurity’s Medium blog post, published on 15 January, explained the critical vulnerability:
“The upcoming Constantinople Upgrade for the Ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(…) or address.send(…) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”
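To show the pattern the quote describes, here is an added illustration in Solidity 0.5 (constructed for this article; it is not ChainSecurity’s example code or anything from the Ethereum Foundation): a split-payment contract that re-reads storage after an address.transfer(…), beside the same function written so that every storage read and state change happens before any external call. The contract name, the id-keyed mappings and the percentage split layout are assumptions made for the illustration.

```solidity
pragma solidity ^0.5.0;

// Illustrative contract (constructed for this article, not ChainSecurity's code).
// Two parties per `id` share deposits according to `splits[id]` (a percentage).
contract PaymentSharer {
    mapping(uint => uint) public splits;
    mapping(uint => uint) public deposits;
    mapping(uint => address payable) public first;
    mapping(uint => address payable) public second;

    function init(uint id, address payable a, address payable b) public {
        require(first[id] == address(0) && second[id] == address(0));
        first[id] = a;
        second[id] = b;
    }

    function deposit(uint id) public payable {
        deposits[id] += msg.value;
    }

    // Does one SSTORE and little else. Under the Constantinople change (EIP-1283), writing
    // a slot that was already written earlier in the same transaction costs 200 gas, so a
    // call to this function fits inside the 2300-gas stipend that transfer()/send() forward.
    function updateSplit(uint id, uint split) public {
        require(split <= 100);
        splits[id] = split;
    }

    // VULNERABLE PATTERN: splits[id] is read again after the first external call, so a
    // recipient fallback that reenters updateSplit() changes the second share.
    function splitFunds(uint id) public {
        uint depo = deposits[id];
        deposits[id] = 0;
        first[id].transfer(depo * splits[id] / 100);
        second[id].transfer(depo * (100 - splits[id]) / 100);
    }

    // HARDENED: read storage once, finish all state changes, then make the external calls
    // (checks-effects-interactions). Reentering updateSplit() can no longer alter the
    // amounts already computed for this call.
    function splitFundsSafe(uint id) public {
        uint depo = deposits[id];
        uint shareFirst = depo * splits[id] / 100;
        uint shareSecond = depo - shareFirst;
        deposits[id] = 0;
        first[id].transfer(shareFirst);
        second[id].transfer(shareSecond);
    }
}
```

The hardened form does not depend on gas accounting at all, which is why checks-effects-interactions (or an explicit reentrancy guard) is the durable fix rather than relying on the 2300-gas stipend.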
As a result, Ethereum’s core developers and stakeholders, including Ethereum creator Vitalik Buterin, spoke via conference call and agreed to delay the upgrade while they studied this issue. A further meeting is scheduled for this Friday to decide on a new date for the fork.
This is how the Ethereum Foundation announced the news about the postponement of the Constantinople hard fork last night:
[SECURITY ALERT] #Constantinople upgrade is temporarily postponed out of caution following a consensus decision by #Ethereum developers, security professionals and other community members. More information and instructions are below. https://t.co/p2znO8HGxf
— Ethereum (@ethereum) January 15, 2019
Ethereum Foundation’s blog post had this advice for anyone running a node:
“Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019. This will require anyone running a node (node operators, exchanges, miners, wallet services, etc…) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately January 16, 8:00pm PT / January 16, 11:00pm ET / January 17, 4:00am GMT.”
The blog post points out that “if you are a person who simply interacts with Ethereum, you do not need to do anything.” This includes smart contract owners since “the change that would introduce this potential vulnerability will not be enabled”.