Critical fund-stealing flaw delays major Ethereum upgrade

The Constantinople Upgrade has been delayed after developers became aware of the issue one day before it was scheduled

Ethereum cryptocurrency logo engraved on broken glass to show a security failure

A highly-anticipated upgrade to the Ethereum blockchain network has been delayed after a security auditing firm identified a critical vulnerability that could allow an attacker to steal users' funds.

One key aspect of the 'Ethereum Constantinople' update was a reduction in the computational effort needed to execute operations, such as transactions, on the platform. It's denoted by 'Ethereum Gas' and serves as a form of a fee that users must pay.

But a massive reduction in the Gas required for 'dirty storage' operations, from 5,000 to 200, created a loophole attackers could exploit to steal funds from users that attackers have entered into a smart contract with, according to crypto auditors ChainSecurity.

An attacker could exploit this vulnerability when splitting funds with a user they're paired with by executing the 'split funds' function repeatedly, and stealing other users' cryptocurrency from a PaymentSharer contract.

The vulnerability is known as 'reentrancy attack', and could have been exploited on a massive scale should the update been released today as initially scheduled.

"Out of an abundance of caution regarding the invariant broken by EIP1283 discovered by ChainSecurity, the Constantinople fork will be postponed," an Ethereum developer Evan Van Ness said. "New fork date chosen on Friday [18 January]."

Ethereum developers were made aware of the issue yesterday, just a day before their Constantinople Upgrade was due to be released, and published a blog outlining their reasons, and how it affects users.

They confirmed researchers at ChainSecurity and another firm, TrailOfBits, ran analysis across the entire Ethereum blockchain, and had not yet found examples of this vulnerability in the wild, meaning it is in all likelihood an update-specific issue.

The issue highlights the importance of cyber security in the cryptocurrency industry, with a Trend Micro report published late last year finding security expertise is failing to keep up with demand for cryptocurrency skills.

"Cryptocurrency has exploded as a popular way to support digital transactions, and these figures show that organisations are seeking more skills to take advantage of lower fees and instant payments," said Trend Micro's principal security strategist Bharat Mistry.

"We all know that where the money goes cybercriminals will follow. They will target business' crypto exchanges by whatever means possible to pilfer their funds or steal their personal information. Any individuals involved in running or using these systems need to be highly alert to the growing cyber risks."

ChainSecurity has posted its full findings on GitHub, including tests for reentrancy attacks, while developers have advised users to update their desktop software, either Geth or Parity, once these fixes are made available.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now


Cyber attacks on manufacturing up 300% in a year

Cyber attacks on manufacturing up 300% in a year

11 May 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022