- The hard fork was expected to go live on January 16, 2019
- The discovered critical bug could have made the upgrade vulnerable to attack
- Developers have taken the “better safe than sorry” route
Ethereum’s eagerly awaited Constantinople hard fork has been postponed, causing a 5 percent drop in the ETH price. The delay follows the discovery of a critical security vulnerability that could allow reentrancy attacks.
Ethereum’s core developers announced the delay of Constantinople’s activation a few hours before the long-awaited hard fork was expected to go live on the world’s third-largest cryptocurrency network. The official statement from the Ethereum Core Developers and Ethereum Security Community said that the discovery of a potential vulnerability in one of the software upgrades informed the decision to postpone the hard fork. The statement read:
“Security researchers like ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain. They did not find any cases of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected.”
The development team argues in its statement that, since the risk is non-zero and the time needed to determine the actual risk is longer than the time remaining before the planned upgrade, it was safer to postpone the hard fork.
The discovery of the critical bug was made by the Zurich-based smart contract firm ChainSecurity and reported in an official blog post on Tuesday, January 15, 2019.
According to the statement, the issue they discovered in Constantinople’s code changes could have left some smart contracts open to attacks that could easily lead to the loss of user funds. The Constantinople hard fork, which should have been activated at 20:00 PT on January 16th (i.e. 04:00 UTC on January 17th) at block number 7,080,000, will not be happening. The statement reads in part:
“The upcoming Constantinople Upgrade for the Ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(…) or address.send(…) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”
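To make the quoted side effect concrete, the following added example (not from the article, ChainSecurity, or the Ethereum developers) models the gas charged for SSTORE before and after the change and compares it with the gas that transfer()/send() forward. The 2300-gas stipend and the EIP-1283 "net gas metering" cost figures are not stated in the article; they are supplied here from the protocol rules as this example understands them.

```python
# Added illustration: why a cheaper SSTORE breaks the "transfer()/send() are
# reentrancy-safe" assumption. Constants are assumptions of this example
# (2300-gas stipend, legacy and EIP-1283 SSTORE prices), not from the article.
STIPEND = 2300  # gas that transfer()/send() forward to the recipient


def sstore_gas_legacy(current, new):
    """Pre-Constantinople pricing: every SSTORE costs at least 5000 gas."""
    return 20000 if current == 0 and new != 0 else 5000


def sstore_gas_eip1283(original, current, new):
    """Net gas metering. original = slot value at transaction start,
    current = slot value right now, new = value being written."""
    if current == new:
        return 200                      # no-op write
    if original == current:             # slot untouched so far in this tx
        return 20000 if original == 0 else 5000
    return 200                          # slot already modified ("dirty") in this tx


def trace_slot(original, writes):
    """Price each successive write to one storage slot within one transaction
    under both rule sets and flag whether it fits inside the stipend.
    Only the SSTORE itself is priced; other opcodes are ignored."""
    rows, current = [], original
    for new in writes:
        legacy = sstore_gas_legacy(current, new)
        net = sstore_gas_eip1283(original, current, new)
        rows.append({
            "write": new,
            "legacy_gas": legacy,
            "eip1283_gas": net,
            "fits_stipend_legacy": legacy <= STIPEND,
            "fits_stipend_eip1283": net <= STIPEND,
        })
        current = new
    return rows


if __name__ == "__main__":
    # Constructed scenario: slot holds 1 at transaction start, then is
    # written twice (2, then 3) during the same transaction.
    for row in trace_slot(1, [2, 3]):
        print(row)
```

Under the legacy rules no state write ever fits in the stipend, which is why contract authors treated transfer()/send() as safe; under the proposed pricing a second write to an already-modified slot does fit, so contracts relying on that assumption need checks-effects-interactions ordering or a reentrancy guard instead.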
The Ethereum Core Developers statement advised that if a user “simply interacts with Ethereum (you do not run a node), you do not need to do anything.” This group includes smart contract owners because “the change that would introduce this potential vulnerability will not be enabled.”
Before the abrupt postponement, the Ethereum community was upbeat about the impending Constantinople activation, which should have brought several upgrades to the network. The news has caused the price of ETH to plunge by about 5 percent to trade at $122.38 at the time of writing. No new fork date has yet been announced.