Constantinople Upgrade Delayed on Report of Security Issues
About a day before the block height intended for the Constantinople upgrade, a delay was proposed to prevent a security breach during the hard fork.
The long-awaited, pre-scheduled Constantinople hard fork on the Ethereum (ETH) network has been postponed, with the developer team pointing to recently observed potential security flaws. The team is still investigating the exact nature of the threat, as described in a recent blog post.
Chainsecurity has explained the process of attacking the network following the Constantinople upgrade. One of the improvements for on-chain computation, which lowers the gas fees for certain operations, makes it cheaper for attackers to exploit a certain type of smart contract, using the vulnerability to send funds to two of their own addresses.
“We are working together with members of the ethsecurity.org working group to expand this scan to the complex smart contracts which haven’t been decompiled yet. Especially decentralized exchanges which frequently call ether transfer functions to untrusted accounts followed by state changes afterwards might be vulnerable,” Chainsecurity explained.
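The pattern described above, ether transfers to untrusted accounts with state handled afterwards, can be shown with a toy gas model. This is an added example, not code from the article or from Chainsecurity: the `Splitter` class and its methods are hypothetical, and the gas figures (a 2,300-gas transfer stipend, 5,000 and 200 gas for the cheapest storage write before and after the repricing) are not stated on the page.

```python
# Added illustration: a toy gas model, not EVM-accurate and not a real contract.
STIPEND = 2300        # gas a plain ether transfer forwards to the recipient
WRITE_OLD = 5000      # cheapest storage write under the existing gas schedule
WRITE_NEW = 200       # cheapest storage write under the proposed schedule


class Splitter:
    """Pays a deposit to two payees according to a stored split (hypothetical)."""

    def __init__(self, write_cost, hardened):
        self.write_cost = write_cost
        self.hardened = hardened
        self.split = 100          # percent owed to the first payee
        self.paid = 0

    def update_split(self, value, gas):
        # A storage write only succeeds if the caller has enough gas left.
        if gas < self.write_cost:
            return False
        self.split = value
        return True

    def transfer(self, amount, callback):
        self.paid += amount
        if callback:
            callback(self, STIPEND)   # recipient code runs with the stipend only

    def pay_out(self, callback, deposit=100):
        first = deposit * self.split // 100
        if self.hardened:
            # Both amounts are fixed before any external call is made.
            second = deposit - first
        self.transfer(first, callback)
        if not self.hardened:
            # State is read again after the untrusted recipient has run.
            second = deposit * (100 - self.split) // 100
        self.transfer(second, None)
        return self.paid


def recipient(contract, gas):
    # Untrusted recipient code that tries to change state during the transfer.
    contract.update_split(0, gas)


def total_paid(write_cost, hardened):
    """Total paid out of a 100-unit deposit; anything above 100 breaks the invariant."""
    return Splitter(write_cost, hardened).pay_out(recipient)
```

With the old write cost the stipend cannot cover a storage write, so the payout stays at the deposit; with the lower cost only the variant that fixes its amounts before the first transfer keeps that invariant.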
The most urgent task set by Ethereum developers is for all node operators to upgrade to the latest Geth and Parity versions. Before block 7,800,000, users must either upgrade to Geth 1.8.21 or switch back to version 1.8.19. For Parity client users, the approved versions are Parity Ethereum 2.2.7-stable (recommended) and version 2.3.0 Beta, with a downgrade to 2.2.4 Beta as the alternative.
With only a few hours before the predetermined block is mined, the Ethereum team had to rush to release the latest versions, which had not yet been completed and uploaded at the time the message was released. The scenario somewhat resembles the Byzantium hard fork, when the team was ready with the latest client versions only shortly before the hard fork.
Users of wallets that do not run full nodes do not have to do anything except wait for the events to unfold. At the time of the fork, transactions near block 7,800,000 may also be delayed until stability is achieved.
The current vulnerability shows that the ecosystem of smart contracts is still rather risky.
Following news of the failed upgrade, the price of ETH sank to $122.20, losing around 5% in the past 24 hours.