Ethereum Postpones Constantinople due to Critical Vulnerability Issues.


In a developer call, Vitalik Buterin and other senior developers postponed the long-anticipated Ethereum hard fork “Constantinople”. An audit firm found a critical vulnerability in Ethereum Improvement Proposal (EIP) 1283 that could give attackers a loophole in the code to steal other users’ funds.

Ethereum faces an audit

ChainSecurity, a smart contract audit firm, audited Ethereum’s hard fork proposal (EIP) 1283 and found critical vulnerabilities, which is why the hard fork has been delayed for an unknown period of time. The vulnerability enables a reentrancy attack, which allows an attacker to “reenter” the same function multiple times without updating the user about the state of affairs. An attacker could essentially be “withdrawing funds forever,” said Joanes Espanol, CTO of blockchain analytics firm Amberdata.

“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds,”

What is wrong with the code?

ChainSecurity explains this in their medium blog post:

“The upcoming Constantinople Upgrade for the ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(…) or address.send(…) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer,” further explaining that “Before Constantinople, every storage operation would cost at least 5000 gas. This far exceeded the gas stipend of 2300 sent along when calling a contract using transfer or send.”
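The gas arithmetic behind ChainSecurity's explanation, as an added Python example that is not from the article or from ChainSecurity: it compares the legacy SSTORE price with the EIP-1283 rules and flags the writes that newly fit inside the 2300-gas stipend. The 20000 and 200 figures and the original/current/new distinction are taken from the EIP-1283 text rather than this page, and the slot values are constructed.

```python
# Added illustration: SSTORE gas cost before and after EIP-1283 (net gas metering).
GAS_STIPEND = 2300           # gas forwarded by transfer()/send(), per the quote above
SSTORE_SET = 20000           # zero -> non-zero write
SSTORE_RESET = 5000          # any other write under the legacy rules
SSTORE_NOOP_OR_DIRTY = 200   # EIP-1283 price for a no-op or an already-dirty slot


def sstore_cost_legacy(current, new):
    """Pre-Constantinople: cost depends only on the current and new value."""
    if current == 0 and new != 0:
        return SSTORE_SET
    return SSTORE_RESET


def sstore_cost_eip1283(original, current, new):
    """EIP-1283: 'original' is the slot value at the start of the transaction."""
    if current == new:
        return SSTORE_NOOP_OR_DIRTY          # no-op write
    if original == current:                  # slot untouched so far in this tx
        return SSTORE_SET if original == 0 else SSTORE_RESET
    return SSTORE_NOOP_OR_DIRTY              # slot already modified in this tx


def fits_in_stipend(cost):
    """Necessary condition: the write alone is payable from the stipend."""
    return cost <= GAS_STIPEND


def audit(cases):
    """Return rows (label, legacy_cost, eip1283_cost, newly_affordable)."""
    rows = []
    for label, original, current, new in cases:
        old = sstore_cost_legacy(current, new)
        net = sstore_cost_eip1283(original, current, new)
        rows.append((label, old, net,
                     fits_in_stipend(net) and not fits_in_stipend(old)))
    return rows


# Constructed sample slot states: (label, original, current, new)
CASES = [
    ("fresh slot, 0 -> 1", 0, 0, 1),
    ("clean slot, 5 -> 7", 5, 5, 7),
    ("dirty slot, 5 -> 6 -> 7", 5, 6, 7),
    ("no-op, 5 -> 5", 5, 5, 5),
]

if __name__ == "__main__":
    for row in audit(CASES):
        print("%-26s legacy=%5d eip1283=%5d newly affordable: %s" % row)
```

Only the dirty-slot and no-op writes drop below the stipend, which is why contracts that relied on `transfer` or `send` as a reentrancy guard needed re-auditing before the fork.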

Constantinople hard fork execution not specified

After this security issue came to light, Vitalik Buterin, Hudson Jameson, Nick Johnson, and Evan Van Ness reached a consensus to delay the hard fork. However, they did not give a specific date for when the upgrade will take place. The timing is unclear at this moment because getting the code right comes first.

Source:

https://www.coindesk.com/ethereums-constantinople-upgrade-faces-delay-due-to-security-vulnerability
https://medium.com/chainsecurity/constantinople-enables-new-reentrancy-attack-ace4088297d9
