Constantinople & Reentrancy Attack Explained

By Shawn Dexter / January 22, 2019

In this post Shawn Dexter explains why the Ethereum Constantinople Hard Fork was delayed. He states the reason for the delay and any actions you many need to take in response to the delay. Shawn also explains security vulnerability called a Reentrancy Attack and how it was also used in the DAO Attack of 2016.

Constantinople Hard Fork Delay

Unfortunately, the long-awaited Ethereum Constantinople Network Upgrade has been delayed. An auditing team discovered that the upgrade to Constantinople would introduce a security vulnerability.  Before we go over the security vulnerability, let’s quickly answer a couple of questions I’ve been getting.

What do You Need To do?

This depends on whether you’re simply an investor/trader or if you’re a miner or node operator.

  1. Do you need to do anything with your Ether?
    No – if you’re simply an investor, just sit tight. You do not have to do anything with your Trezor, Ledger, MyEthereumWallet (MEW).  So, watch out for scammers who may try to confuse you.

2.Do I need to upgrade my node?
    Yes – if you’re a miner or node operator you will have to upgrade to a new version of Geth or        Parity before approx. 4am Jan 17th GMT.

What was the Security Vulnerability in Constantinople?

Quick Answer: The security vulnerability arises from the update that introduces Cheaper Cost Of Storage [EIP1283] that we discussed in our Constantinople Simple Explanation post.

The cheaper gas costs allowed for an exploit in the Smart Contracts. This particular exploit is called a “Reentrancy Attack”.

What is being done about it?

It's already in the process of being fixed. The developers hoped that they could fix it before the network upgrade, but these things need time for proper analysis. They decided to err on the side of caution and postpone the hard fork until they fully investigate the extent of the vulnerability. 

What is a Reentrancy Attack?

I’ll give you guys a simplified explanation. A Smart Contract may communicate with an external Smart Contract by “calling it”. If the  external Smart Contract is malicious, it may be able to  take advantage of this and take over control flow of the first Smart Contract’s code.

This allows the attacker to make unexpected changes to the first Smart Contract’s code. For example, it may repeatedly withdraw Ether from the Smart Contract by “re-entering” at a particular spot in the code. (Essentially, it makes multiple invocations of the withdrawBalance() function)

ethereum reentrancy attack constantinople 2019

A Reentrancy Attack allows an attacker to take over control flow of the Smart Contract in concern.

Note: It’s important to note that this security vulnerability does not exist in the current Ethereum chain.  All Smart Contracts on the current chain are Reentrancy-Safe!

The introduction of cheaper gas costs allows for the reentrancy attacks to be viable. Since Ethereum has not made any software upgrades yet, the main Ethereum chain is not at risk in any manner. In fact, even if the upgrade to Constantinople occured, only a small number of Smart Contracts would have been vulnerable.

So – Is this a bad thing?

Yes, and no.  Yes – if you were making your investing/trading decisions solely based on this event. In a previous article we warned about how unpredictable price movement can be closer to events.

But overall this is a great thing for Ethereum – and for long term investors. Catching this security vulnerability right before the network upgrade is a gift. If Constantinople went live before  and if the security vulnerability was discovered by malicious attackers, then things could got far worse!

Let’s not forget the disaster of the 2016 DAO Attack – which was actually caused by attackers exploiting code that was vulnerable to a Reentrancy Attack!

Lest We Forget: The DAO Attack of 2016

Many of you may not be aware of the DAO Attack of 2016. Attackers used a combination of two types of Reentrancy Attacks: Single Function & Cross Function.

The attackers were able to siphon 3.6 Million Ether from the DAO Smart Contract to their own accounts. Fortunately, the Ethereum community decided to Hard Fork and restored all the funds to the original Smart Contract. However, this led to a lot of controversy and led to the infamous Ethereum and Ethereum Classic network split.

Up to today, Ethereum bears the stain of the DAO controversy – albeit fading with time. It would be a disaster if it were to happen all over again.

Overall – This Is A Good Thing

The fact that this vulnerability was detected by a third party team – ChainSecurity – speaks to the network strength that Ethereum has built over the years. Ethereum has a global development strength that made itself a powerhouse. Multiple teams across the world are working on finding improvements, flaws & vulnerabilities. These are flaws that could sink other projects if gone undetected. The Ethereum community, on the other hand, is showing its strength.

Sure, prices may take a hit for the short-term. But like I said, it could have been far worse. In the long run, this delay will be forgotten. A security breach (and possible contentious hardfork that would follow) would never be forgotten.

Follow-up Reads

Get my upcoming eBook for Free!

"The Mango Guide TO Understanding Blockchain"

Offer Valid For FIRST 500 registrations only

About the author

Shawn Dexter

Shawn is a blockchain & distributed ledger technology enthusiast with a strong background in Computer Science, Product Management and Entrepreneurship.


Join us on Telegram!
>