The system-wide upgrade for Ethereum, Constantinople, has been in the works for a while now. In an announcement on Tuesday, however, the upgrade was delayed, but that did not stop the major Ethereum clients from releasing software updates.
The decision to delay was made during a developer call, after a security vulnerability was discovered in Ethereum Improvement Proposal (EIP) 1283, a change that was already planned for inclusion in Constantinople. The vulnerability was discovered by Chain Security, a blockchain audit firm.
Had the vulnerability made it onto the live network, it would have made “reentrancy attacks” possible, in which a malicious actor repeatedly pulls funds out of an affected contract.
Another call is scheduled for this week to determine a new activation block for the Constantinople upgrade. In the meantime, to hold the fork off, the developers have already recommended publishing new client versions.
The Ethereum software clients acted quickly. Geth, for example, released an emergency hotfix (version 1.8.21) that delays the upgrade; users who do not want to downgrade can keep running their current version, according to developer Péter Szilágyi. Parity users have the option of upgrading to either the stable release or the beta release; otherwise, they will need to downgrade to the 2.2.4 beta release.
Kirill Pimenov, head of security at Parity Technologies, recommended that users install the newly released upgrade rather than move down to an older version. Elaborating, Pimenov said,
“I want to restate – downgrading Parity to pre-Constantinople versions is a bad idea, we don’t recommend that to anyone. Theoretically, it should even work, but we do not want to deal with that mess.”
Afri Schoedon, release manager at Parity, recommends upgrading to 2.2.7, though the other releases should still work.
Core developer Hudson Jameson wrote a blog post suggesting that those who do not take part in the network in some way, such as by running nodes, can skip the update altogether. Smart contract owners can leave things as they are as well, though, in his words,
“you may choose to examine the analysis of the potential vulnerability and check your contracts.”
Meanwhile, the Chain Security researchers who found the bug are analyzing the entire blockchain in collaboration with Trail of Bits. For now, the change that would introduce the problem described above will not be enabled.
As far as live contracts go, no vulnerable ones have been found. However, “there is still a non-zero risk that some contracts could be affected,” according to Jameson. Transfers are protected against reentrancy by forwarding only a small, fixed amount of gas to the recipient, too little to repurpose the call into a theft.
As Hubert Ritzdorf explained, an unfortunate “side effect” of EIP 1283 is that it would let attackers use that small gas allowance for their own malicious ends. He added,
“The difference is, before you couldn’t do something malicious with this little bit of gas; you could do something useful, but not something malicious. And now, because some of the operations became cheaper, now you can do something malicious with this little bit of gas.”
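To make Ritzdorf's point concrete, here is an added example in Python; it is not code from the article, from Chain Security or from any Ethereum client. It models SSTORE gas pricing before Constantinople and under EIP 1283's net gas metering, next to the fixed 2300-gas stipend that Solidity's transfer() and send() forward to the recipient. The gas constants are the ones published in the EIP text and the pre-Constantinople SSTORE rules; the storage simulation, the slot values and the fits-in-stipend helper are constructed for illustration.

```python
# Added example, not from the article: a model of SSTORE gas pricing before and
# after EIP 1283 (net gas metering). Gas constants come from the EIP text and the
# pre-Constantinople SSTORE rules; the storage simulation below is constructed.

CALL_STIPEND = 2300  # gas that Solidity's transfer()/send() forward to the callee


def sstore_cost_legacy(current, new):
    """Pre-Constantinople SSTORE: (gas, refund) depends only on the current value."""
    if current == 0 and new != 0:
        return 20000, 0                      # zero -> non-zero: fresh slot
    refund = 15000 if (current != 0 and new == 0) else 0
    return 5000, refund                      # every other write


def sstore_cost_eip1283(original, current, new):
    """EIP 1283 SSTORE: (gas, refund) from the value at the start of the
    transaction (original), the value now (current) and the value written (new)."""
    if current == new:
        return 200, 0                        # no-op write
    if original == current:                  # clean slot: first change this tx
        if original == 0:
            return 20000, 0
        return 5000, (15000 if new == 0 else 0)
    # dirty slot: already changed earlier in this transaction
    refund = 0
    if original != 0:
        if current == 0:
            refund -= 15000                  # undo an earlier clearing refund
        if new == 0:
            refund += 15000
    if original == new:                      # slot restored to its original value
        refund += 19800 if original == 0 else 4800
    return 200, refund


class TxStorage:
    """Storage of one contract during one transaction, under a chosen rule set."""

    def __init__(self, initial, rule):
        if rule not in ("legacy", "eip1283"):
            raise ValueError("rule must be 'legacy' or 'eip1283'")
        self.original = dict(initial)        # values when the transaction began
        self.current = dict(initial)
        self.rule = rule
        self.gas_used = 0
        self.refund = 0

    def sstore(self, slot, new):
        """Apply one SSTORE, account for its gas, and return the gas it cost."""
        cur = self.current.get(slot, 0)
        if self.rule == "legacy":
            cost, refund = sstore_cost_legacy(cur, new)
        else:
            cost, refund = sstore_cost_eip1283(self.original.get(slot, 0), cur, new)
        self.gas_used += cost
        self.refund += refund
        self.current[slot] = new
        return cost


def reentered_write_fits_stipend(rule, original_value, outer_write, inner_write):
    """Constructed scenario: the outer call updates slot 0, then makes a
    transfer()-style call; the recipient re-enters, and the re-entered code tries
    to write slot 0 again with only the stipend available.
    Returns (gas_needed_for_inner_write, fits_in_stipend)."""
    st = TxStorage({0: original_value}, rule)
    st.sstore(0, outer_write)                # write before the external call
    inner_cost = st.sstore(0, inner_write)   # write attempted during reentry
    return inner_cost, inner_cost <= CALL_STIPEND


if __name__ == "__main__":
    for rule in ("legacy", "eip1283"):
        cost, fits = reentered_write_fits_stipend(rule, 5, 6, 7)
        print(f"{rule:8s}: inner SSTORE costs {cost:5d} gas; "
              f"fits in {CALL_STIPEND}-gas stipend: {fits}")
```

Under the old pricing, any write to an already non-zero slot costs 5000 gas, so code re-entered on the stipend alone cannot change storage and the stipend doubles as a reentrancy guard. Under net gas metering, a second write to a slot already modified earlier in the same transaction costs 200 gas, which fits comfortably. The defensive conclusion is the one the article points to: a small gas allowance is not a reentrancy guard, so contracts should update their state before making external calls (checks-effects-interactions) or use an explicit reentrancy lock, and contracts that rely on the stipend deserve review.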
Reentrancy remains a concern for smart contract developers working in Solidity.
That is why Chain Security COO Matthias Egli said that core developers focused solely on the virtual machine’s mechanics would not have seen the vulnerability as obvious.
Speaking to CoinDesk, Egli added, “It’s a Solidity thing, it’s not an [Ethereum virtual machine] core thing that in practice allowed this attack. That was part of this disconnect that in practice small changes to gas cost will allow new kind of attacks which wasn’t considered before.”
Fixing the issue is not as simple as changing the gas cost, according to Ritzdorf. He elaborated,
“If we change this amount to a small number now then we would fix the vulnerability, but we would also break many existing [smart] contracts.”
In Egli’s view, based on his experience, delaying Constantinople is the best decision the developers could make for now. He argued,
“It was the right decision because it at least buys some time for researchers to evaluate the real-world impact. With high likelihood, this [EIP] will be taken back and not included in the upcoming hard fork which is now delayed by perhaps a month.”
Right now, developers are working to get in touch with every group or platform that uses the Ethereum network in some capacity. In the next call, only days away, the core developers will work on a long-term plan for the Constantinople upgrade.
To protect the blockchain from future bugs, many developers have voiced support for a bug bounty program focused on analysis of the code.