What We Know About the Vulnerability Behind Ethereum’s Rollback of Constantinople

Like the Byzantine capital for which it was named, Ethereum’s Constantinople upgrade has fallen, brought down by an unforeseen weakness.

For historical Constantinople, it was the Ottoman’s use of gunpowder and cannons that destroyed the city’s once impregnable walls. For Ethereum’s own Constantinople, the attack vector was a little more subtle, though with a similar potential for damage. In a Medium post on Tuesday 15, smart contract auditing firm ChainSecurity flagged the critical vulnerability, known as a “reentrancy attack.”

Later that day, a blog post by the Ethereum Foundation announced that stakeholders in the Ethereum community had decided that the best course of action was to delay the fork. For the time being, Constantinople was no more.

Related: What You Need to Know about Constantinople (and the Miners’ Pay Cut)

As a result, rapid updates were rolled out to both the Geth and Parity clients with emergency fixes to postpone the upgrade. The release notes for the Geth hotfix also suggested that users could downgrade to a previous version of Geth to avoid the problem, if they did not feel comfortable installing such a quickly assembled upgrade.

Understanding reentrancy

According to ChainSecurity’s blog post, a scan of the main Ethereum blockchain did not uncover any vulnerable contracts in the wild. But members of the community will have been inclined to proceed with caution due to the catastrophic impact the same kind of vulnerability has had in the past.

The reentrancy vulnerability affects a certain class of smart contracts, and is similar in type to that which let an attacker drain $50 million in ether from the DAO in 2016.

To exploit the vulnerability, an attacker first deposits some of their own funds to a multi-party smart contract. They then call a function to withdraw the funds they have deposited—which is legitimate—but before the balance of funds deposited and withdrawn has been settled, call a new function that triggers funds to be withdrawn beyond the value of their deposit, essentially stealing the money of other parties in the contract.

In theory, the Constantinople upgrade would have made some previously secure smart contracts vulnerable to this attack by reducing the gas costs necessary to perform a certain class of programmatic operations.

Ultimately the discovery of the vulnerability and postponement of the upgrade show a community that is able to mobilize quickly to preserve the security of Ethereum users. 

Thanks to EIP 1283, one of five Ethereum improvement proposals bundled into Constantinople, gas costs for certain SSTORE operations (which control saving and re-writing data within a smart contract) were reduced from 5000 to 200. As ChainSecurity discovered, this reduction in price made it possible for an attacker to trick a smart contract into changing a variable that should have remained fixed, such as the proportions of a payout between different parties in a smart contract.

Although the prospect of another DAO hack is concerning, ultimately the discovery of the vulnerability and postponement of the upgrade show a community that is able to mobilize quickly to preserve the security of Ethereum users. The timeline provided in the Ethereum Foundation’s blog post describes a period of just nine hours between the bug having been disclosed through an internal bug bounty program, published on the internet, discussed among multiple parties, and the eventual postponement decision being made.

However, others in the blockchain world have leveled criticisms at how the rollback of the fork was handled.

“The Ethereum Constantinople hard fork and its delay highlight the degree to which Ethereum relies on its lead developers to make good decisions on behalf of users and the problems with adapting something that is already very complex to scale,” said Richard Red, research and strategy lead at Decred, a cryptocurrency platform specializing in decentralized governance.

“The Ethereum developers make an effort to hear from stakeholders and discuss issues publicly … but ultimately the decisions are made in private conversations between key people. Anyone who is not an insider has a ‘take or leave it’ choice about whether to go with what the Ethereum Foundation decides,” he added. 

Where money is at stake, most ETH holders would likely rather be safe than sorry. Still, in the long term there may be unforeseen consequences of such an abrupt change of course. Thankfully, unlike the city for which it was named, the Constantinople upgrade will have a chance to rise again.