The long-awaited Ethereum upgrade, Constantinople, was postponed after developers discovered a critical code vulnerability in one of the planned changes.
On January 15, ChainSecurity reported that EIP-1283, a proposal intended to improve how changes to stored data are priced, could open a loophole for attackers and lead to theft of user funds. Given this, the developers of Ethereum and related projects decided to temporarily postpone the hard fork in order to properly evaluate the problem and solve it.
Participants in the meeting included Ethereum creator Vitalik Buterin, developers Hudson Jameson, Nick Johnson and Evan Van Ness, and Afri Schoedon, product manager for Parity. The new date of the hard fork will be determined during the next developer meeting on Friday.
For now, the project developers have concluded that fixing the error would take too much time, as the hard fork was expected to happen around 04:00 UT on January 17.
Reportedly, the vulnerability would allow an attacker to “re-enter” the same function several times without revealing himself to the user in any way. According to Joanes Espanol, technical director of the Amberdata research company, an attacker could, in fact, “withdraw money forever.”
Imagine that in my smart contract there is a function that allows you to call another smart contract. If I am a hacker, then I could activate other functions on it for a while until the previous ones were completed and withdraw funds.
It seems to be very similar to one of the vulnerabilities that was used in the attack on the DAO in 2016.
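The re-entry pattern described above can be shown with a toy Python model, added here as an illustration and not taken from ChainSecurity's report or any Ethereum code. The names `Vault`, `Account` and `run` and all amounts are constructed, and the model ignores gas entirely; it only shows why a contract should update its own records before calling out to another contract.

```python
# Toy model of a contract that pays out by calling the recipient.
# Not EVM code: all names and amounts are constructed for illustration.

class Vault:
    def __init__(self, safe):
        self.safe = safe       # True: record the withdrawal before calling out
        self.balances = {}     # credit recorded per account
        self.funds = 0         # total value actually held

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def _send(self, who, amount):
        self.funds -= amount
        who.on_receive(self, amount)   # external call: recipient code runs here

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.funds < amount:
            return
        if self.safe:
            self.balances[who] = 0     # effect first ...
            self._send(who, amount)    # ... interaction last
        else:
            self._send(who, amount)    # interaction first: balance is still
            self.balances[who] = 0     # unchanged while recipient code runs


class Account:
    def __init__(self, reenter=False):
        self.reenter = reenter
        self.received = 0

    def on_receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)       # calls back in before withdraw() returns


def run(safe):
    """Return (amount paid to the re-entering account, funds left in vault)."""
    vault = Vault(safe)
    other, caller = Account(), Account(reenter=True)
    vault.deposit(other, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.funds
```

With the payout made before the balance is cleared, the account credited with 10 is paid the vault's entire 100; with the balance cleared first, the nested call finds nothing to withdraw and the other depositor's 90 stays in place.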
Previously it was assumed that Constantinople would be activated in 2018, but it was postponed due to problems identified during testing on the Ropsten network.