Ethereum’s Constantinople Upgrade is Likely to Go Ahead Despite Another Bug

News and Analysis
12.02.2019

A new bug in Constantinople, the planned upgrade of the Ethereum platform, has been discovered, potentially affecting a limited number of smart contracts that utilize self-destruct.

According to Jason Carver, a developer at the Ethereum Foundation, the bug dubbed Create2 can allow a developer to replace the self-destructed contract and thus change the rules. Describing the latest hurdle, he wrote:

“You can construct a pretty innocuous contract pre-Constantinople, one that has two possible outcomes from a transaction: {‘contract exists’: ‘swap tokens’, ‘contract self-destructs’: ‘waste some gas’}. Post-Constantinople, the options could now become {‘contract exists’: ‘swap tokens’, ‘contract self-destructs’: ‘waste some gas’, ‘contract replaced’: ‘all ERC20 tokens that were pre-approved to the contract are stolen’}…”

The discovered vulnerability doesn’t affect the current state of the Ethereum; however, it can be possibly exploited after the upgrade, allowing for stealing all the approved coins within a smart contract.

“There are ways around each of these ‘social attacks’, but most of them require education. That will surely lag behind the Constantinople upgrade itself,” added Carver.

Martin Holst Swende, another developer at Ethereum Foundation, said:

“The corollary being, as previously, that if someone verified the source, he should have noticed the SELFDESTRUCT (without a due inactivity period) and avoid interacting with it.”

Swende also conducted a Twitter-poll, asking his followers whether they agree that contracts that people interact suddenly change code after Constantinople. 76 percent responded ‘No’, which forced Swende to come with the following comment:

Cited by Trustnodes, Alexey Akhunov, who is working on the Ethereum 1x upgrade, said:

“If we implement State fee proposal 2 as it is, it will allow resurrection of Parity multisig library, I suspect […] I am now thinking of the temporal replay protection EIP suggested in State fees proposal 2. I have just concluded that eviction of EOA account [normal eth addresses] combined with temporal replay protection (which resets the nonce of EOA to 0), will expand what CREATE2 further, to the EOA accounts…”

Meanwhile, Afri Schoedon of Parity insists that Constantinople will not be delayed due to the above. However, when asked whether smart contracts with self-destruct function will be able to steal people’s funds after the upgrade, Schoedon said: “I’d like to know that answer, too.”

Petersberg

The network upgrade dubbed Constantinople would have introduced a series of backward-incompatible changes to the (again) world’s second largest cryptocurrency by market capitalization. Yet the bug discovered by ChainSecurity mid-January led to a delay, followed by a plan to try once again in late February.

The bug was found in EIP-1283 and could potentially make some smart contracts on Ethereum vulnerable to a so-called “re-entrancy attack,” enabling an attacker to steal other people’s ETH.

During a meeting late January Ethereum developers proposed to temporarily table EIP-1283 and proceed with the rest of Constantinople as planned, determining that a fix would delay Constantinople’s activation for too long.

However, given that several test networks including Ropsten already activated Constantinople before the security vulnerability was found, Ethereum core developers also agreed that a second hard fork safely removing the EIP in question was needed. This new solution, implemented as hard fork along Constantinople, is dubbed “Petersberg” and already released on Ropsten.

The upgrade is now expected to be activated at block number 7,280,000, sometime during the last week of February.

“I suspect it will go as planned. The block number has been set and [the upgrade] is hard coded in the clients now so it’s going along fine,” Hudson Jameson, who handles developer relations for the Ethereum Foundation, told CoinDesk.

Ice Age

In another notable development, Ethereum’s new supply recently fell to about 13,000 ETH a day from 20,000 ETH as the so called “Ace Age”, a state of the chain related to the “difficulty bomb”, is kicking in to make mining more difficult.

Ethereum’s new supply is expected to remain at those levels until the Proof of Stake (PoS) Beacon chain fully launches by the end of the year, at which point it will more than halve again. In the near future, the supply might drop close to circa 10,000 ETH, but that is likely not to last for too long as the Constantinople fork will delay the difficulty bomb while setting new issuance at roughly 13,400 ETH a day.

*****

Users anticipating the launch of Constantinople can either go to forkmon.ethdevops.io or Ethernodes to watch the release in real time.

According Afri Schoedon, Constantinople and Petersberg are estimated to go live on Thursday, February 28.

Follow ForkLog on Twitter and Facebook!

Found a typo? Highlight text and press CTRL+ENTER

Subscribe to our Newsletter

<

Related posts

Tags: , ,