Major Ethereum update postponed over vulnerability

The next major update to the Ethereum network has been delayed because smart contract audit firm ChainSecurity detected a critical issue. A vulnerability in the blockchain would allow a so-called reentrancy attack. The weakness in the blockchain was published on Tuesday, and the team behind Ethereum postponed the deployment of the new network immediately.

The Constantinople upgrade is upgrading a variety of features to the Ethereum blockchain. One of them is the introduction of cheaper transaction fees for certain operations. However, a side effect of this upgrade is that certain commands allow a potential attacker to steal currency from a smart contract. This would be possible by repeatedly requesting funds while feeding the contract with false data.

(Image 1) In this example there are two purchases done before the first purchase has been confirmed with the command “updatePurchasingState()”. This is also an example of a reentrancy attack.

According to Ethereum’s hard fork coordinator Afri Shoedon the update has been delayed for at least a week. On Friday the team will have a meeting to discuss the issues with their blockchain.

The weaknesses in the Ethereum blockchain couldn’t pop-up at a more inconvenient time. Bloomberg just reported, from the mouths of several Ethereum developers, that this hard fork would be the smoothest in the history of Ethereum. However, not everybody thought things would be smooth.

Constantinople was tested on the Ropsten testnet in October 2018, and was intended to launch in November. The launch was delayed after several technical hurdles were discovered. For the time being Ethereum is still a Proof-of-Work blockchain, but the Constantinople update would be a first step to start implementing masternodes and staking into the network.

Originally published at NEDEROB.