Citing “potential vulnerabilities” to smart contracts on the Ethereum chain, the Constantinople hard fork for the network is postponed indefinitely.
According to the official Ethereum blog, the decision was made by “key stakeholders around the Ethereum community,” after being made aware of specific issues related to the planned upgrade, as enumerated by ChainSecurity.
About a day before the scheduled fork, the blockchain security and smart contract auditing firm published a Medium post stating, “The upcoming Constantinople Upgrade for the ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(…) or address.send(…) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”
The article demonstrated how Ethereum smart contracts could be rendered more vulnerable after the planned fork, with an attacker modifying a PaymentSharer contract so as to take funds of another party.
Such increased vulnerability comes from the nature of Constantinople, which is intended to make transactions require less gas, that is, make them cheaper. High transaction costs for ETH and other cryptocurrencies is one reason Bitcoin SV is considered a better alternative.
A similar vulnerability led to the 2016 attack on the Ethereum-powered DAO fund, where about $50 million worth of the cryptocurrency at the time was stolen. This eventually brought about a hard fork where Ethereum Classic (ETC) emerged among those who refused the consensus of undoing the DAO heist.
ChainSecurity noted that a scan of the blockchain “did not uncover vulnerable smart contracts,” and added, “[A] warning of an reentrancy attack is in many cases not exploitable, but needs careful analysis.”
The Ethereum developers said, “Because the risk is non-zero and the amount of time required to determine the risk with confidence is longer the amount of time available before the planned Constantinople upgrade, a decision was reached to postpone the fork out of an abundance of caution.” They also recommended certain actions for miners, exchanges, and node operators to undertake.
Within nine hours of ChainSecurity’s disclosure of the security risk, and about four hours after publication of the Medium post, the decision to delay the fork was made, with a public announcement on this released about an hour later.
The fork was supposed to happen at the generation of ETH’s block number 7,080,000, or sometime on January 16.