ChainSecurity Reveals Ethereum Constantinople Upgrade Activates Reentrancy Attack

Jan 18, 2019 at 13:09 // News
Author
Coin Idol

Ethereum’s (ETH) upcoming Constantinople upgrade opens vectors for reentrancy attacks, according to ChainSecurity, a smart contract auditing platform, in a Medium report on January 15, 2019. A reentrancy attack causes a particular function in a smart contract to be called several times before the contract has finished executing.

According to ETH’s wiki page, this may cause the different invocations of the function to interact in destructive and malicious ways. One example of a reentrancy attack is the 2016 DAO hack.

According to ChainSecurity, after the Constantinople upgrade the functions “address.transfer(…)” and “address.send(…)” are susceptible to attack in Solidity smart contracts. Through these functions, a malicious attacker can call an attack function on their own smart contract and take other users’ ETH out of the contract.

ChainSecurity notes that this is only viable when particular preconditions are met that would make a contract susceptible to attack. The company also states that it has yet to disclose smart contracts susceptible to attack.

Below is a clear example of the attack being conducted on the ETH Ropsten testnet.   

   

The release manager for Parity Technologies, Afri Schoedon, said in a Reddit post that his company is verifying the report, looking into its severity, and planning next steps.

ETH’s Constantinople Upgrade Delayed   

As a result, ETH’s long-awaited Constantinople upgrade has been suspended after a critical vulnerability was identified in one of the planned changes.

   

ChainSecurity flagged on January 15 that ETH Improvement Proposal (EIP) 1283, if implemented, could give attackers a loophole in the code to steal people’s money. ETH developers, along with developers of clients and other projects running the network, agreed to suspend the hard fork temporarily while they assessed the issue.

   

People who took part include ETH developer Vitalik Buterin, developers Evan Van Ness, Hudson Jameson, and Nick Johnson, plus Afri Schoedon and many others. A fresh hard fork date and time will be set during the ETH dev call on January 18.   

Known as a reentrancy attack, the vulnerability essentially allows an attacker to ‘reenter’ the same function many times without updating the user about the state of affairs.

The CTO of blockchain analytics company Amberdata, Joanes Espanol, revealed that an attacker could basically be “withdrawing money forever.” He elaborated:   

“Imagine that my contract has a function which makes a call to another contract… If I’m a hacker and I’m able to trigger function a while the previous function was still executing, I might be able to withdraw funds.”   

This is similar to one of the major vulnerabilities discovered in the now infamous DAO attack of 2016.   

The post by ChainSecurity explained that before Constantinople, storage operations on the ETH network would cost 5,000 gas, exceeding the 2,300 gas normally sent when calling a contract using the ‘transfer’ or ‘send’ functions.

Constantinople was originally expected to activate in 2018 but was suspended after issues were discovered while deploying the upgrades on the Ropsten testnet.
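The gas arithmetic from ChainSecurity's post (a 2,300-gas stipend against a 5,000-gas storage write) can be modelled in a few lines; this is an added example, not code from the article or from ChainSecurity. It assumes EIP-1283's net-metering rule with a 200-gas write to an already-modified slot and a 700-gas CALL cost; `Victim`, `set_share`, the `share` slot and the `guard` lock are hypothetical names.

```python
# Constructed model of the gas arithmetic; not EVM-accurate (refunds, SLOAD cost omitted).
STIPEND = 2300      # gas forwarded by transfer/send (figure from the article)
CALL_COST = 700     # base cost of a CALL (assumption, not from the article)

class OutOfGas(Exception): pass

def sstore_cost(rules, original, current, new):
    """Gas for one storage write; `original` is the slot value at transaction start."""
    if rules == "pre-constantinople":
        return 20000 if current == 0 and new != 0 else 5000
    # EIP-1283 net metering
    if current == new:
        return 200                       # no-op write
    if original == current:              # slot untouched so far in this transaction
        return 20000 if original == 0 else 5000
    return 200                           # slot already modified in this transaction

class Victim:
    """Hypothetical contract: writes `share`, pays out, then trusts `share` again."""
    def __init__(self, rules, guard=False):
        self.rules, self.guard, self.locked = rules, guard, False
        self.original = {"share": 50}    # slot values at transaction start
        self.storage = dict(self.original)

    def set_share(self, gas, value):     # state-changing function reachable by re-entry
        if self.guard and self.locked:
            raise PermissionError("re-entrant call rejected")
        cost = sstore_cost(self.rules, self.original["share"], self.storage["share"], value)
        if cost > gas:
            raise OutOfGas(cost)
        self.storage["share"] = value
        return gas - cost

    def pay(self, callback):
        self.set_share(100000, 60)       # legitimate write; the slot is now "dirty"
        self.locked = True
        try:
            callback(self, STIPEND)      # transfer/send: the callee runs on the stipend only
            reentered = True
        except (OutOfGas, PermissionError):
            reentered = False            # callee failed: transfer reverts, send returns false
        self.locked = False
        return reentered, self.storage["share"]

def reentrant_callback(victim, gas):
    victim.set_share(gas - CALL_COST, 100)   # the write that has to fit in the stipend

def run(rules, guard=False):
    return Victim(rules, guard).pay(reentrant_callback)
```

Under the pre-Constantinople rules the callback runs out of gas and the slot keeps its value; under EIP-1283 the same callback succeeds unless the contract carries its own reentrancy lock instead of relying on the stipend.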