Constantinople & Reentrancy Attack Explained

In this post Shawn Dexter explains why the Ethereum Constantinople Hard Fork was delayed. He states the reason for the delay and any actions you many need to take in response to the delay. Shawn also explains security vulnerability called a Reentrancy Attack and how it was also used in the DAO Attack of 2016.

This depends on whether you’re simply an investor/trader or if you’re a miner or node operator.

1. Do you need to do anything with your Ether?
   No – if you’re simply an investor, just sit tight. You do not have to do anything with your Trezor, Ledger, MyEthereumWallet (MEW).  So, watch out for scammers who may try to confuse you.

2.Do I need to upgrade my node?
    Yes – if you’re a miner or node operator you will have to upgrade to a new version of Geth or        Parity before approx. 4am Jan 17th GMT.

Quick Answer: The security vulnerability arises from the update that introduces Cheaper Cost Of Storage [EIP1283] that we discussed in our Constantinople Simple Explanation post.

The cheaper gas costs allowed for an exploit in the Smart Contracts. This particular exploit is called a “Reentrancy Attack”.

It's already in the process of being fixed. The developers hoped that they could fix it before the network upgrade, but these things need time for proper analysis. They decided to err on the side of caution and postpone the hard fork until they fully investigate the extent of the vulnerability. 

I’ll give you guys a simplified explanation. A Smart Contract may communicate with an external Smart Contract by “calling it”. If the  external Smart Contract is malicious, it may be able to  take advantage of this and take over control flow of the first Smart Contract’s code.

This allows the attacker to make unexpected changes to the first Smart Contract’s code. For example, it may repeatedly withdraw Ether from the Smart Contract by “re-entering” at a particular spot in the code. (Essentially, it makes multiple invocations of the withdrawBalance() function)

Note: It’s important to note that this security vulnerability does not exist in the current Ethereum chain.  All Smart Contracts on the current chain are Reentrancy-Safe!

The introduction of cheaper gas costs allows for the reentrancy attacks to be viable. Since Ethereum has not made any software upgrades yet, the main Ethereum chain is not at risk in any manner. In fact, even if the upgrade to Constantinople occured, only a small number of Smart Contracts would have been vulnerable.

Yes, and no.  Yes – if you were making your investing/trading decisions solely based on this event. In a previous article we warned about how unpredictable price movement can be closer to events.

But overall this is a great thing for Ethereum – and for long term investors. Catching this security vulnerability right before the network upgrade is a gift. If Constantinople went live before  and if the security vulnerability was discovered by malicious attackers, then things could got far worse!

Let’s not forget the disaster of the 2016 DAO Attack – which was actually caused by attackers exploiting code that was vulnerable to a Reentrancy Attack!

Many of you may not be aware of the DAO Attack of 2016. Attackers used a combination of two types of Reentrancy Attacks: Single Function & Cross Function.

The attackers were able to siphon 3.6 Million Ether from the DAO Smart Contract to their own accounts. Fortunately, the Ethereum community decided to Hard Fork and restored all the funds to the original Smart Contract. However, this led to a lot of controversy and led to the infamous Ethereum and Ethereum Classic network split.

Up to today, Ethereum bears the stain of the DAO controversy – albeit fading with time. It would be a disaster if it were to happen all over again.

The fact that this vulnerability was detected by a third party team – ChainSecurity – speaks to the network strength that Ethereum has built over the years. Ethereum has a global development strength that made itself a powerhouse. Multiple teams across the world are working on finding improvements, flaws & vulnerabilities. These are flaws that could sink other projects if gone undetected. The Ethereum community, on the other hand, is showing its strength.

Sure, prices may take a hit for the short-term. But like I said, it could have been far worse. In the long run, this delay will be forgotten. A security breach (and possible contentious hardfork that would follow) would never be forgotten.