Attack Bug Delays Ethereum Constantinople Update at the Last Minute!


It’s finally the big day – but wait a minute. They’re saying that Constantinople, the much-anticipated Ethereum update, is postponed!

Reports this morning show the Ethereum community has delayed this major change after a smart contract audit firm found that one of the upgrade's changes could expose contracts to a particular kind of vulnerability.

Toju Ometoruwa at Cryptopotato covers hackers’ attempts to double dip, and triple dip, and essentially get illegitimate funds using what’s called a ‘re-entrancy attack.’

The good news for investors is that there’s no need to do anything in the wake of this discovery.

“If you’re simply an investor, just sit tight,” writes an anonymous poster going over the nuts and bolts of this situation on Reddit. “You do not have to do anything with your Trezor, Ledger, MyEthereumWallet (MEW). So, watch out for scammers who may try to confuse you … Unless you’re making your investing/trading decisions solely based on this event, you should be sort of relieved. … in a previous article, we warned about how unpredictable price movement can be closer to events … but overall this is a great thing for Ethereum – and for long term investors. Catching this security vulnerability right before the network upgrade is a gift. If Constantinople went live before (the discovery) and if the security vulnerability was discovered by malicious attackers, then things could (have gotten) far worse!”

Miners, the poster notes, will need to upgrade prior to January 17.

So what is a re-entrancy attack, and how does it work?

Essentially, a re-entrancy attack does not change the victim contract's code at all, since deployed contract code is immutable. The attacker deploys a contract of their own and calls a function on the victim, typically a withdraw, that sends ether before it updates the caller's recorded balance. Sending ether to a contract runs that contract's fallback code, so the attacker's contract uses that callback to call withdraw again while its balance is still credited, and repeats this until the victim is drained. The Constantinople concern is EIP 1283, which lowers the gas cost of some storage writes: the 2300-gas stipend that Solidity's transfer and send forward to the recipient was previously too small for the recipient to change state, and contracts relying on that limit as their only re-entrancy protection could become exploitable once such a write fits inside it.

Gustavo Guimaraes has written a great article on Medium that really dissects the code of a ‘honeypot’ smart contract and goes into detail about the re-entrancy attack.

“To code smart contracts is certainly not a free picnic,” Guimaraes writes idiomatically. “A bug introduced in the code costs money, and most likely not only your money, but also other people’s as well.”

Sharing the honeypot code, Guimaraes shows how the attacker's contract receives the ether in its fallback function and, before the victim has recorded the withdrawal, calls the withdraw function again, so the victim keeps paying out against the same unchanged balance.

In the post-mortem, many experts are pointing back to the DAO attack in 2016, where the attacker used single-function and cross-function re-entrancy to drain 3.6 million ether. That led to the hard fork that split Ethereum from Ethereum Classic.

Opinions on whether this discovery is good or bad news are split. Some, like the Reddit poster above, stress how disastrous the effects could have been had the vulnerability only surfaced after the rollout. Others look on the bright side, pointing out that it was uncovered in time and can be fixed before activation.

As for ETH values, trading today shows Ethereum stumbling down to around $125 from over $130 yesterday.

However, on a longer time horizon, Ethereum's value right now sits roughly midway between its December lows and its highs earlier this year. We'll have to see what happens when Constantinople finally ships, and whether ETH moves forward despite any further bugs or glitches in the system. For now, let's be glad that they're closing a loophole against an attack vector that could have had very large ramifications for ETH holders and the market!