Ethereum core developers have agreed to put on hold the much-anticipated hard fork of the protocol dubbed “Constantinople.” The upgrade, which was slated to take place this month, has been postponed to a later date after the smart contract audit firm ChainSecurity raised an alarm. The firm uncovered a critical vulnerability that could be exploited to steal user funds. The news, published today in a Medium post, reads in part:
“Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019.
This will require anyone running a node (node operators, exchanges, miners, wallet services, etc…) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately January 16, 8:00 pm PT / January 16, 11:00 pm ET / January 17, 4:00 am GMT.”
What security issues did ChainSecurity discover?
According to ChainSecurity, the issue stems from Ethereum Improvement Proposal (EIP) 1283, which aims to lower gas fees for some operations on the network. However, the company said the upgrade could give bad actors a loophole to steal funds without the victim’s knowledge. Following this discovery, Ethereum developers agreed to postpone the planned hard fork for a while, giving them ample time to assess the issue.
Following the news, Ethereum co-founder Vitalik Buterin said in a Reddit post that his team has been dealing with serious security issues such as quadratic DoS attacks. He said that the planned hard fork should be suspended while he and other developers assess the issue.
While affected smart contracts cannot be exploited at the moment, the proposed upgrade would make them exploitable. It would give an attacker the ability to repeatedly request funds from the network while feeding it false data about the attacker’s actual balance.
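The failure mode described above, a contract that pays out before it records the payment, is the classic reentrancy ordering problem, and the mitigation is independent of any gas-cost change: update the caller’s balance before making the external call. The contract below is an added illustration written for this article, not code from ChainSecurity, the Ethereum Foundation, or the EIP-1283 text; the contract name, function names and the pragma version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
// Added example (not from the original article): a vault with a
// withdrawal function written in the "checks-effects-interactions" order.
// All names and the compiler version below are assumptions.
pragma solidity ^0.8.0;

contract ExampleVault {
    mapping(address => uint256) private balances;

    event Withdrawn(address indexed account, uint256 amount);

    // Accept ether and credit the sender.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function balanceOf(address account) external view returns (uint256) {
        return balances[account];
    }

    // UNSAFE ordering, shown only to contrast with the hardened version:
    // the external call happens while the stored balance is still the old
    // value, so a re-entering receiver would still pass the require check.
    // This function is intentionally unreachable (internal, never called).
    function _withdrawUnsafeOrdering(uint256 amount) internal {
        require(balances[msg.sender] >= amount, "insufficient balance");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount; // effect recorded too late
    }

    // Hardened ordering: check, then record the effect, then interact.
    // Because the balance is reduced before the call, any re-entry into
    // withdraw() sees the already-reduced balance and fails the check.
    function withdraw(uint256 amount) external {
        uint256 current = balances[msg.sender];
        require(current >= amount, "insufficient balance"); // check
        balances[msg.sender] = current - amount;              // effect
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");     // interaction
        require(ok, "transfer failed");
    }
}
```

The hardened `withdraw` does not rely on the receiver having only a small gas stipend; it is safe regardless of what the receiving contract does in its fallback because the stored balance already reflects the payout when control leaves the vault.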