cryptopotato.com
TL;DR
- Ethereum Constantinople upgrade delayed due to ‘reentrancy’ attack vulnerability discovered by ChainSecuity
- This is the second time the Constantinople upgrade is delayed
Another hacking scandal has plagued the Ethereum community, this time on the eve of the highly anticipated Constantinople upgrade.
A smart contract auditing firm named ‘Chain Security’ discovered an “unwanted side effect” to the new Constantinople upgrade; mainly that it opens the door for ‘reentrancy attacks’ when using Solidity smart contracts.
Hackers could exploit the systems ‘secured treasury sharing service’ to continuously send funds to themselves unnoticed. The vulnerability is made possible because the code simulates a secured treasury sharing service, meaning that two parties can jointly receive funds, decide on how to split them, and receive a payout if they agree.
The attacker exploits the treasury sharing code by making one address their contract, and the second address their account. The attacker then deposits some money and calls the attack function on their contract. Next, they use the split function in a way that allows their contract address (the first address) to receive all of the funds.
There are a few other more complicated steps in between, but what ultimately happens, in the end, is that the attacker can steal other people’s ETH by reentering the same split function multiple times without others ever being updated about the unauthorized transfers.
As a result of this discovery, Ethereum co-founder Vitalik Buterin, as well as other core developers decided that they would not execute the hard fork on its scheduled date of January 17th at 4 AM UTC.
Similarities with 2016 DAO Hack
It should also be noted that this vulnerability resembles the one discovered in the DOA hack of 2016, which lead to the Ethereum blockchain hard forking to create Ethereum Classic and Ethereum.
This is not the first time the Constantinople upgrade was delayed. Last year the upgrade was postponed due to issues on the Ropsten Testnet. So far, no new date for the upgrade has been announced.