Critical fund-stealing flaw delays major Ethereum upgrade

The Constantinople Upgrade has been delayed after developers became aware of the issue one day before it was scheduled

Ethereum cryptocurrency logo engraved on broken glass to show a security failure

A highly-anticipated upgrade to the Ethereum blockchain network has been delayed after a security auditing firm identified a critical vulnerability that could allow an attacker to steal users' funds.

One key aspect of the 'Ethereum Constantinople' update was a reduction in the computational effort needed to execute operations, such as transactions, on the platform. It's denoted by 'Ethereum Gas' and serves as a form of a fee that users must pay.

But a massive reduction in the Gas required for 'dirty storage' operations, from 5,000 to 200, created a loophole attackers could exploit to steal funds from users that attackers have entered into a smart contract with, according to crypto auditors ChainSecurity.

An attacker could exploit this vulnerability when splitting funds with a user they're paired with by executing the 'split funds' function repeatedly, and stealing other users' cryptocurrency from a PaymentSharer contract.

The vulnerability is known as 'reentrancy attack', and could have been exploited on a massive scale should the update been released today as initially scheduled.

"Out of an abundance of caution regarding the invariant broken by EIP1283 discovered by ChainSecurity, the Constantinople fork will be postponed," an Ethereum developer Evan Van Ness said. "New fork date chosen on Friday [18 January]."

Ethereum developers were made aware of the issue yesterday, just a day before their Constantinople Upgrade was due to be released, and published a blog outlining their reasons, and how it affects users.

They confirmed researchers at ChainSecurity and another firm, TrailOfBits, ran analysis across the entire Ethereum blockchain, and had not yet found examples of this vulnerability in the wild, meaning it is in all likelihood an update-specific issue.

The issue highlights the importance of cyber security in the cryptocurrency industry, with a Trend Micro report published late last year finding security expertise is failing to keep up with demand for cryptocurrency skills.

"Cryptocurrency has exploded as a popular way to support digital transactions, and these figures show that organisations are seeking more skills to take advantage of lower fees and instant payments," said Trend Micro's principal security strategist Bharat Mistry.

"We all know that where the money goes cybercriminals will follow. They will target business' crypto exchanges by whatever means possible to pilfer their funds or steal their personal information. Any individuals involved in running or using these systems need to be highly alert to the growing cyber risks."

ChainSecurity has posted its full findings on GitHub, including tests for reentrancy attacks, while developers have advised users to update their desktop software, either Geth or Parity, once these fixes are made available.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
'Robin Hood' hackers donate stolen Bitcoin to charity
ransomware

'Robin Hood' hackers donate stolen Bitcoin to charity

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020