The long-awaited Constantinople hard fork of the Ethereum network has been postponed. A potential vulnerability has been discovered in the update code that could compromise the entire network.

False start

ChainSecurity, a smart-contract audit firm, said in a statement on Tuesday that one of the planned elements of the update, Ethereum Improvement Proposal (EIP) 1283, could, if deployed, create a security loophole through which attackers could steal user assets.

“The upcoming Constantinople Upgrade for the ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(...) or address.send(...) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”
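The pattern the statement describes, as an added illustration in Solidity 0.4 (hypothetical contracts written for this page, not code from the article or from ChainSecurity's report): a payout-splitting contract that re-reads storage after a transfer(), beside a hardened version that reads its inputs once and blocks nested entry. Contract and function names are assumptions.

```solidity
pragma solidity ^0.4.24;
// Hypothetical contract, not from the article. The share percentage is read
// from storage again after an external transfer. The 2300-gas stipend that
// transfer() forwards used to be too small for the recipient to call back and
// rewrite splits[id], since a first write to a slot costs 5000 gas or more.
// EIP 1283 charges 200 gas to rewrite a slot already modified earlier in the
// same transaction, so a recipient that dirtied splits[id] before payout()
// ran can change it from its fallback and skew the second transfer.
contract SplitPayoutVulnerable {
    mapping(uint256 => address) public first;
    mapping(uint256 => address) public second;
    mapping(uint256 => uint256) public splits;   // percent owed to first[id]
    mapping(uint256 => uint256) public deposits;

    function init(uint256 id, address a, address b) public {
        require(first[id] == address(0) && second[id] == address(0));
        first[id] = a;
        second[id] = b;
    }
    function deposit(uint256 id) public payable { deposits[id] += msg.value; }
    function updateSplit(uint256 id, uint256 pct) public {
        require(pct <= 100);
        splits[id] = pct;   // 200 gas once the slot is dirty under EIP 1283
    }
    function payout(uint256 id) public {
        uint256 total = deposits[id];
        deposits[id] = 0;
        first[id].transfer(total * splits[id] / 100);           // external call
        second[id].transfer(total * (100 - splits[id]) / 100);  // re-reads state
    }
}

// Hardened: snapshot every input before the first external call and reject
// nested entry (checks-effects-interactions plus a guard). Correct however
// SSTORE is priced, so it never relies on the stipend being "too small".
contract SplitPayoutHardened is SplitPayoutVulnerable {
    bool private locked;
    modifier noReentrancy() { require(!locked); locked = true; _; locked = false; }
    function updateSplit(uint256 id, uint256 pct) public noReentrancy {
        require(pct <= 100);
        splits[id] = pct;
    }
    function payout(uint256 id) public noReentrancy {
        uint256 total = deposits[id];
        uint256 pct = splits[id];   // read once, before any call out
        deposits[id] = 0;
        first[id].transfer(total * pct / 100);
        second[id].transfer(total - total * pct / 100);
    }
}
```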

During the conference call, the Ethereum core developers, the creators of Ethereum clients and other applications agreed that activation of the hard fork should be postponed until a solution to this problem is found.

Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and Afri Schoedon of Parity, among others, took part in the discussion. A new date for the Constantinople activation will be discussed during the weekly conference call this Friday, 18 January.

Previously, the Constantinople hard fork had been expected to take place on 17 January.

Bug from the past

When discussing the discovered vulnerability, Ethereum developers suggested that fixing it might take too long. The bug, a so-called reentrancy attack, allows an attacker to call the same function repeatedly without other users being notified. This vulnerability works in a similar way to the bug that allowed fraudsters to steal funds from the decentralized organization The DAO in 2016.

The attack on the decentralized autonomous organization The DAO occurred on 17 June 2016. It resulted in the theft of 3.6 million ether, worth more than $64 million at the exchange rate on the day of the attack. The attackers took advantage of a vulnerability in The DAO's code.

In mid-July, the Ethereum community decided to activate a hard fork in order to return the stolen funds, but part of the community disagreed with this decision and continued to support the original Ethereum blockchain, calling it Ethereum Classic.