Critical fund-stealing flaw delays major Ethereum upgrade

The Constantinople Upgrade has been delayed after developers became aware of the issue one day before it was scheduled

Ethereum cryptocurrency logo engraved on broken glass to show a security failure

A highly-anticipated upgrade to the Ethereum blockchain network has been delayed after a security auditing firm identified a critical vulnerability that could allow an attacker to steal users' funds.

One key aspect of the 'Ethereum Constantinople' update was a reduction in the computational effort needed to execute operations, such as transactions, on the platform. It's denoted by 'Ethereum Gas' and serves as a form of a fee that users must pay.

But a massive reduction in the Gas required for 'dirty storage' operations, from 5,000 to 200, created a loophole attackers could exploit to steal funds from users that attackers have entered into a smart contract with, according to crypto auditors ChainSecurity.

An attacker could exploit this vulnerability when splitting funds with a user they're paired with by executing the 'split funds' function repeatedly, and stealing other users' cryptocurrency from a PaymentSharer contract.

The vulnerability is known as 'reentrancy attack', and could have been exploited on a massive scale should the update been released today as initially scheduled.

"Out of an abundance of caution regarding the invariant broken by EIP1283 discovered by ChainSecurity, the Constantinople fork will be postponed," an Ethereum developer Evan Van Ness said. "New fork date chosen on Friday [18 January]."

Ethereum developers were made aware of the issue yesterday, just a day before their Constantinople Upgrade was due to be released, and published a blog outlining their reasons, and how it affects users.

They confirmed researchers at ChainSecurity and another firm, TrailOfBits, ran analysis across the entire Ethereum blockchain, and had not yet found examples of this vulnerability in the wild, meaning it is in all likelihood an update-specific issue.

The issue highlights the importance of cyber security in the cryptocurrency industry, with a Trend Micro report published late last year finding security expertise is failing to keep up with demand for cryptocurrency skills.

"Cryptocurrency has exploded as a popular way to support digital transactions, and these figures show that organisations are seeking more skills to take advantage of lower fees and instant payments," said Trend Micro's principal security strategist Bharat Mistry.

"We all know that where the money goes cybercriminals will follow. They will target business' crypto exchanges by whatever means possible to pilfer their funds or steal their personal information. Any individuals involved in running or using these systems need to be highly alert to the growing cyber risks."

ChainSecurity has posted its full findings on GitHub, including tests for reentrancy attacks, while developers have advised users to update their desktop software, either Geth or Parity, once these fixes are made available.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021