Critical fund-stealing flaw delays major Ethereum upgrade

The Constantinople Upgrade has been delayed after developers became aware of the issue one day before it was scheduled

Ethereum cryptocurrency logo engraved on broken glass to show a security failure

A highly-anticipated upgrade to the Ethereum blockchain network has been delayed after a security auditing firm identified a critical vulnerability that could allow an attacker to steal users' funds.

One key aspect of the 'Ethereum Constantinople' update was a reduction in the computational effort needed to execute operations, such as transactions, on the platform. It's denoted by 'Ethereum Gas' and serves as a form of a fee that users must pay.

But a massive reduction in the Gas required for 'dirty storage' operations, from 5,000 to 200, created a loophole attackers could exploit to steal funds from users that attackers have entered into a smart contract with, according to crypto auditors ChainSecurity.

An attacker could exploit this vulnerability when splitting funds with a user they're paired with by executing the 'split funds' function repeatedly, and stealing other users' cryptocurrency from a PaymentSharer contract.

The vulnerability is known as 'reentrancy attack', and could have been exploited on a massive scale should the update been released today as initially scheduled.

"Out of an abundance of caution regarding the invariant broken by EIP1283 discovered by ChainSecurity, the Constantinople fork will be postponed," an Ethereum developer Evan Van Ness said. "New fork date chosen on Friday [18 January]."

Ethereum developers were made aware of the issue yesterday, just a day before their Constantinople Upgrade was due to be released, and published a blog outlining their reasons, and how it affects users.

They confirmed researchers at ChainSecurity and another firm, TrailOfBits, ran analysis across the entire Ethereum blockchain, and had not yet found examples of this vulnerability in the wild, meaning it is in all likelihood an update-specific issue.

The issue highlights the importance of cyber security in the cryptocurrency industry, with a Trend Micro report published late last year finding security expertise is failing to keep up with demand for cryptocurrency skills.

"Cryptocurrency has exploded as a popular way to support digital transactions, and these figures show that organisations are seeking more skills to take advantage of lower fees and instant payments," said Trend Micro's principal security strategist Bharat Mistry.

"We all know that where the money goes cybercriminals will follow. They will target business' crypto exchanges by whatever means possible to pilfer their funds or steal their personal information. Any individuals involved in running or using these systems need to be highly alert to the growing cyber risks."

ChainSecurity has posted its full findings on GitHub, including tests for reentrancy attacks, while developers have advised users to update their desktop software, either Geth or Parity, once these fixes are made available.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021
1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
PowerShell threats increased over 200% last year
cyber security

PowerShell threats increased over 200% last year

14 Apr 2021

Most Popular

University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021