Two weeks ago, the Ethereum community was made aware of potential vulnerabilities in its new system-wide update, Constantinople. These risks were discovered by the auditing and security monitoring firm ChainSecurity, which explained that, as a consequence of the Constantinople update, certain smart contracts would become vulnerable to reentrancy attacks. The full source code, along with the attacker contract, is available on ChainSecurity’s GitHub account.
According to ChainSecurity, the vulnerability manifested in an unexpected way, which the firm demonstrated by simulating a secure treasury sharing service. By controlling both of the accounts that jointly receive funds, an attacker could siphon other users’ Ether out of the Payment Sharer contract.
As ChainSecurity explained in a blog post: “Two parties can jointly receive funds, decide on how to split them, and receive a payout if they agree. An attacker will create such a pair where the first address is the attacker contract listed below and the second address is any attacker account. For this pair the attacker will deposit some money.”
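The defensive point behind the ChainSecurity finding is the ordering of state updates and external calls. The two contracts below are an added example written for this article, not ChainSecurity’s published PaymentSharer or attacker code: a simplified two-party sharer in its vulnerable form, where the payout happens before the shared balance is cleared, beside a hardened form that applies checks-effects-interactions and a reentrancy guard. It generalizes the page’s case: the vulnerable version forwards all gas with `call` so the problem is visible on any EVM version, whereas the Constantinople-era issue arose because the cheaper SSTORE introduced by the update let a storage write fit inside the 2300-gas stipend of `transfer`. Contract and function names are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not ChainSecurity's contract. Two parties share one
// deposit; either party can trigger a 50/50 payout of the pair's balance.
contract PaymentSharerVulnerable {
    struct Pair { address payable a; address payable b; uint256 balance; }
    mapping(uint256 => Pair) public pairs;
    uint256 public nextId;

    function createPair(address payable a, address payable b) external payable returns (uint256 id) {
        id = nextId++;
        pairs[id] = Pair(a, b, msg.value);
    }

    function splitAndWithdraw(uint256 id) external {
        Pair storage p = pairs[id];
        require(msg.sender == p.a || msg.sender == p.b, "not a party");
        uint256 half = p.balance / 2;
        // BUG: interaction before effect. During these calls p.balance still
        // holds the old value, so a receiving contract that re-enters
        // splitAndWithdraw is paid again from funds belonging to other pairs.
        (bool okA, ) = p.a.call{value: half}("");
        (bool okB, ) = p.b.call{value: half}("");
        require(okA && okB, "payout failed");
        p.balance = 0; // cleared too late
    }
}

// Hardened form: state is updated before any external call, and a mutex
// rejects nested calls outright. Either measure alone closes the hole;
// using both is cheap defence in depth.
contract PaymentSharerHardened {
    struct Pair { address payable a; address payable b; uint256 balance; }
    mapping(uint256 => Pair) public pairs;
    uint256 public nextId;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function createPair(address payable a, address payable b) external payable returns (uint256 id) {
        id = nextId++;
        pairs[id] = Pair(a, b, msg.value);
    }

    function splitAndWithdraw(uint256 id) external nonReentrant {
        Pair storage p = pairs[id];
        // Checks
        require(msg.sender == p.a || msg.sender == p.b, "not a party");
        uint256 total = p.balance;
        require(total > 0, "nothing to split");
        // Effects: zero the balance before anyone is paid.
        p.balance = 0;
        // Interactions last. A re-entrant call now sees balance 0 and reverts,
        // and the guard would reject it before it even got that far.
        uint256 half = total / 2;
        (bool okA, ) = p.a.call{value: half}("");
        (bool okB, ) = p.b.call{value: total - half}("");
        require(okA && okB, "payout failed");
    }
}
```

Two further design notes for anyone auditing a contract like this: a payout that reverts when either recipient rejects funds lets one party block the other, so a pull-payment pattern (recipients withdraw their own share) is usually preferable to pushing Ether in the same call; and relying on the 2300-gas stipend of `transfer` as a reentrancy defence is fragile precisely because, as the Constantinople episode showed, gas costs can change underneath a deployed contract.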
Ethereum is the world’s third-largest cryptocurrency by market capitalization, and is a decentralized, open-source blockchain network that provides a conducive environment for developers to build and launch decentralized software. The Ethereum blockchain differs from Bitcoin in that it focuses on being a platform for other entities to run their decentralized software, while Bitcoin’s network focuses on one single application of blockchain technology: a peer-to-peer payment system.
According to InWara’s ICO+STO database, over 4,000 blockchain startups are using Ethereum’s platform, an overwhelming number compared to the 308 startups using other competing platforms.
Ethereum’s key stakeholders decided that delaying the new system-wide update was the best course of action for now, while security researchers such as ChainSecurity and Trail of Bits analyse the entire blockchain. So far, the researchers have not found any vulnerability on the network.
Although the chances that some contracts are affected are fairly low, the time required to determine the risk with 100% confidence is longer than the time available before the Constantinople update. Ethereum therefore decided to delay the update out of ‘an abundance of caution’.
Constantinople is Ethereum’s system-wide update that incorporates five different Ethereum Improvement Proposals (EIPs). The new update is expected to be backwards-incompatible, meaning it cannot use data created with an older version of the same program.
Backward incompatibility inherently creates the need to start over completely once the platform is updated. This means that nodes, the network of computers that run the Ethereum software, can either update together with the whole system or continue running as a separate blockchain. The latter is more commonly known as a ‘hard fork’, and it can lead to two different versions of the same blockchain running simultaneously. Interestingly, a previous hard fork gave birth to a competing cryptocurrency named Ethereum Classic.
Article sourced from Inwara.com