With fewer than 8,000 blocks to go until the scheduled deployment of the Ethereum (ETH) Constantinople hard fork, the dev team has delayed the fork until further notice due to the discovery of a critical security bug in the fork’s code. The various Ethereum clients, such as Parity, Go, and Geth, are rushing to release emergency updates that remove the Constantinople hard fork.
User action will be required to update to new versions. If nodes that had upgraded for Constantinople do not update, they will be on the wrong blockchain, which could cause transaction issues and community-wide confusion.
The reason for the delay of the Constantinople hard fork is that ChainSecurity discovered that Ethereum Improvement Proposal (EIP) 1283 opens the door to a reentrancy attack. Essentially, 2,300 gas is sent when calling a contract with transfer or send, and in the current version of Ethereum this is less than the 5,000 gas needed to perform a storage operation, so the called contract cannot change storage with it. If the Constantinople hard fork were implemented, it would cost only 200 gas to change storage slots, so the 2,300 gas sent when calling the contract could be used to change storage slots. This can allow an attacker to steal Ethereum (ETH) out of a smart contract.
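The gas arithmetic above as a toy Python model, added here as an illustration (it is not code from ChainSecurity, the EIP, or any Ethereum client). The SplitPayout contract, its split slot, and the recipient hook are hypothetical; only the 2,300, 5,000 and 200 gas figures come from the article.

```python
STIPEND = 2300  # gas forwarded by transfer/send (figure from the article)

class OutOfGas(Exception):
    pass

class SplitPayout:
    """Toy model, not EVM code: splits a deposit between payees A and B."""

    def __init__(self, sstore_cost, snapshot_first):
        self.sstore_cost = sstore_cost        # gas charged per storage write
        self.snapshot_first = snapshot_first  # True: fix both shares before any call
        self.split = 100                      # storage slot: percent owed to payee A
        self.paid = 0

    def set_split(self, pct, gas):
        # A storage write fails when the remaining gas cannot cover it.
        if gas < self.sstore_cost:
            raise OutOfGas("storage write does not fit in the stipend")
        self.split = pct

    def _transfer(self, amount, hook):
        # The recipient's code (hook) runs with only the stipend before payment.
        hook(self, STIPEND)
        self.paid += amount

    def payout(self, deposit, hook_a):
        share_a = deposit * self.split // 100
        if self.snapshot_first:
            share_b = deposit - share_a       # decided before the external call
            self._transfer(share_a, hook_a)
        else:
            self._transfer(share_a, hook_a)
            share_b = deposit * (100 - self.split) // 100  # re-reads storage
        self._transfer(share_b, lambda contract, gas: None)
        return self.paid

def run(sstore_cost, snapshot_first, deposit=100):
    """Return the total paid out, or "reverted" if the recipient hook ran out of gas."""
    contract = SplitPayout(sstore_cost, snapshot_first)
    writer = lambda c, gas: c.set_split(0, gas)  # constructed hook: writes storage
    try:
        return contract.payout(deposit, writer)
    except OutOfGas:
        return "reverted"

if __name__ == "__main__":
    for cost in (5000, 200):                 # current cost vs. cost under EIP 1283
        for snapshot in (False, True):
            print(cost, snapshot, run(cost, snapshot))
```

At the 5,000 gas cost the hook's write never fits in the stipend and the payout reverts; at 200 gas the variant that re-reads storage after the call pays out 200 from a deposit of 100, while the variant that fixes both shares before any external call stays at 100.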
Apparently, this reentrancy attack was one of the attacks used during the Ethereum (ETH) Decentralized Autonomous Organization (DAO) hack in 2016. During that attack, 3.6 million ETH was stolen from a wallet that was meant to fund community efforts to improve Ethereum. The dev team hard forked Ethereum (ETH) to recover the stolen ETH. This resulted in the formation of Ethereum Classic (ETC), whose community disagreed with recovering the stolen ETH since that violated immutability.
EIP 1283 was one of the most popular updates to be implemented via the Constantinople hard fork since it lowers gas costs, and there is now some speculation that it will be completely removed when the fork finally does happen.
The price of Ethereum (ETH) crashed from $130 to $120 (8 percent) as soon as the news of the critical Constantinople bug came out, and most other major cryptocurrencies declined simultaneously to a lesser degree.
A critical security bug like this being discovered about a day before fork deployment certainly raises questions about the integrity of the rest of the Constantinople code. The Ethereum (ETH) developers say the fork is delayed until further notice and that more details should be expected on Friday.
The Constantinople hard fork cannot be delayed much longer because the difficulty bomb is going off. Block times on the Ethereum (ETH) network have already increased from 14 seconds to just over 15 seconds, and this will continue to get worse at an exponential pace until the fork happens. This will result in less mining revenue and slower speeds across the entire Ethereum (ETH) network.