ChainSecurity Reveals Ethereum Constantinople Upgrade Activates Reentrancy Attack

Ethereum’s (ETH) approaching Constantinople upgrade activates vectors for reentrancy attacks, according to ChainSecurity, a smart contract auditing platform, in a Medium report dated January 15, 2019. In a reentrancy attack, a particular function of a smart contract is called again several times before an earlier invocation of it has finished executing.

According to Ethereum’s wiki, this can cause the separate invocations of the function to interact in destructive and malicious ways. The 2016 DAO hack is one well-known example of a reentrancy attack.

According to ChainSecurity, after the Constantinople upgrade the Solidity functions “address.transfer(...)” and “address.send(...)” become susceptible to attack in smart contracts that use them. By exploiting these functions, an attacker can invoke an attack function in a smart contract of their own and drain other users’ ETH from the vulnerable contract.

ChainSecurity notes that this is only viable when particular preconditions are met that make a contract susceptible to the attack. The company also states that it has not yet identified any deployed smart contracts that are vulnerable.
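As an added illustration (constructed for this page, not ChainSecurity’s proof of concept or any deployed contract), the Solidity contract below shows the pattern at issue next to a hardened version. It rests on what EIP-1283 changes: net gas metering makes a repeated SSTORE to a slot already written earlier in the same transaction far cheaper, so a storage write can now fit inside the 2300-gas stipend that transfer() and send() forward, which contracts had relied on to rule out state changes by the recipient. All contract, struct and function names are assumptions.

```solidity
pragma solidity ^0.5.0;

// Constructed illustration (not ChainSecurity's proof of concept or any deployed contract).
// The contract escrows deposits for many two-party agreements; each agreement's split
// percentage can be changed by its parties, and either party can trigger the payout.
contract EscrowSplitter {
    struct Agreement { address payable a; address payable b; uint256 split; uint256 deposit; }
    mapping(uint256 => Agreement) public agreements;

    function open(uint256 id, address payable a, address payable b) public payable {
        require(agreements[id].a == address(0), "exists");
        agreements[id] = Agreement(a, b, 50, msg.value);
    }

    function updateSplit(uint256 id, uint256 newSplit) public {
        Agreement storage ag = agreements[id];
        require(msg.sender == ag.a || msg.sender == ag.b, "not a party");
        require(newSplit <= 100, "bad split");
        ag.split = newSplit;
    }

    // VULNERABLE after EIP-1283: `ag.split` is read from storage again after the first
    // transfer. Before Constantinople the 2300-gas stipend passed by transfer() could not
    // pay for an SSTORE, so a recipient's fallback could not change the split between the
    // two transfers. With net gas metering, rewriting a slot already modified earlier in
    // the same transaction is cheap enough to fit in the stipend, so the split can change
    // mid-payout and both transfers can pay out the full deposit, drawing on the deposits
    // of other agreements held by the contract.
    function payoutVulnerable(uint256 id) public {
        Agreement storage ag = agreements[id];
        uint256 depo = ag.deposit;
        ag.deposit = 0;
        ag.a.transfer(depo * ag.split / 100);
        ag.b.transfer(depo * (100 - ag.split) / 100);
    }

    // HARDENED: checks-effects-interactions. Every storage value the payout depends on is
    // copied to memory and all state updates are done before the first external call, so
    // nothing a recipient does during transfer() can change what this payout sends. The
    // gas stipend is no longer treated as a reentrancy guard.
    function payoutSafe(uint256 id) public {
        Agreement storage ag = agreements[id];
        uint256 depo = ag.deposit;
        uint256 toA = depo * ag.split / 100;
        uint256 toB = depo - toA;
        ag.deposit = 0;
        ag.a.transfer(toA);
        ag.b.transfer(toB);
    }
}
```

A recipient can still call updateSplit() from its fallback while payoutSafe() is running, but the change only affects later payouts, which is the behaviour the contract intends.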

Below is a clear example of the attack being conducted on the ETH Ropsten testnet.   


Afri Schoedon, release manager at Parity Technologies, said in a Reddit post that his company is verifying the report, assessing its severity, and planning next steps.

ETH’s Constantinople Upgrade Delayed   

As a result, Ethereum’s long-awaited Constantinople upgrade has been postponed after a critical vulnerability was identified in one of the planned changes.


ChainSecurity flagged on January 15 that Ethereum Improvement Proposal (EIP) 1283, if implemented, could give attackers a loophole that lets them bypass a check in a contract’s code and steal people’s money. Ethereum developers, together with developers of client software and of other projects running on the network, reached consensus to postpone the hard fork temporarily while they assessed the issue.


Participants included Ethereum developer Vitalik Buterin, developers Evan Van Ness, Hudson Jameson, and Nick Johnson, plus Afri Schoedon and many others. A new hard fork date and time will be set during the Ethereum dev call on January 18.

Known as a reentrancy attack, the vulnerability essentially lets an attacker ‘reenter’ the same function many times before the contract has recorded the state change from the first call.

The CTO of blockchain analytics company Amberdata, Joanes Espanol, revealed that an attacker could basically be “withdrawing money forever.” He elaborated:   

“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”    


Constantinople 


Thanks for sharing


come he just for mine


i can't understand the content.
