
Constantinople Bug Stalls Rollout

The Ethereum Core Developers and The Ethereum Security Committee have taken the step of stalling their rollout of the anticipated Constantinople upgrade due to the discovery of a security risk.

The security risk was found by ChainSecurity (an organisation dedicated to providing security assessments for blockchain projects). If not properly addressed, it could make the reentrancy attack, which saw The DAO lose somewhere in the region of $150m, a real possibility once more.

Re-enter Reentrancy

After the Ethereum blockchain suffered the aforementioned hack, its development team set to work on making sure the vulnerability couldn’t be exploited again. To do so they had to increase the gas cost of the simple storage-write opcode known as SSTORE.

The reason simply increasing the gas cost of SSTORE was enough to solve the issue is that transfer and send calls forward only 2300 gas to the recipient, while a storage write required 5000 gas. This meant that writing to storage while being called via transfer or send was simply impossible.

So, What’s Changed?

Simply put, one of the key upgrades in the Constantinople fork was that gas costs were to drop significantly, down to roughly 200 gas per SSTORE. As mentioned above, the fix to the previous reentrancy bug was to raise the gas cost of SSTORE so that storage could not be manipulated from within a transfer or send call. As I probably don’t need to explain, lowering the cost of SSTORE to 200 pretty much nullifies the current safeguard against reentrancy, hence the pause in rolling it out.

What Should You Do?

Simply put, if you are just an average punter, you do not need to do anything. However, if you operate a node of any kind, you need to update your Geth or Parity client with one of the solutions listed in the official announcement by Ethereum’s developers, linked below.

Read the Official Announcement