As reported earlier, ethereum's Constantinople hard fork has been delayed because of a security vulnerability. The decision was made after security researchers found a potential risk stemming from Ethereum Improvement Proposal (EIP) 1283. EIP 1283 changes the gas metering of the SSTORE opcode so that rewriting a storage slot already modified earlier in the same transaction costs only 200 gas, which is below the 2300-gas stipend that Solidity's transfer() and send() forward to the recipient; a called contract could therefore change state inside a callback where that was previously impossible. Researchers believe that, if exploited, the bug would have allowed "reentrancy attacks", explained briefly by ChainSecurity as: "the attacker just stole other people's ether out of the PaymentSharer contract and can continue to do so."
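To make the gas argument concrete, the following added example (not code from the page, from any ethereum client, or from ChainSecurity's PaymentSharer write-up) models SSTORE gas metering before and after EIP 1283 and checks whether a storage write performed by a reentrant callee fits into the 2300-gas stipend. The storage slot number, the 700-gas CALL overhead and the "split percentage" scenario are assumptions used only for illustration; the SSTORE costs and refunds are the ones stated in EIP 1283 and the pre-Constantinople rules.

```python
"""Model of SSTORE gas metering before and after EIP-1283.

Added illustration, not code from the page, from any ethereum client, or from
ChainSecurity's PaymentSharer write-up.  The gas constants are those of
EIP-1283 and the pre-Constantinople rules; the reentrancy scenario is a
simplified model of the pattern the article describes, not a reproduction of
any specific contract.
"""
from typing import Dict, Tuple

CALL_STIPEND = 2300    # gas forwarded to the callee by Solidity's transfer()/send()
CALL_BASE_COST = 700   # assumed overhead: base cost of a CALL with no value attached


def sstore_gas_pre_1283(current: int, new: int) -> Tuple[int, int]:
    """Pre-Constantinople SSTORE rule. Returns (gas charged, refund added)."""
    if current == 0 and new != 0:
        return 20000, 0
    refund = 15000 if current != 0 and new == 0 else 0
    return 5000, refund


def sstore_gas_eip1283(original: int, current: int, new: int) -> Tuple[int, int]:
    """EIP-1283 net gas metering. Returns (gas charged, refund delta).

    original: value of the slot at the start of the transaction
    current:  value now (differs from original if already written this tx)
    new:      value being stored
    """
    if current == new:
        return 200, 0  # no-op write
    if original == current:
        # Clean slot: first modification in this transaction, priced as before.
        if original == 0:
            return 20000, 0
        return 5000, (15000 if new == 0 else 0)
    # Dirty slot: already modified in this transaction, so only 200 gas.
    refund = 0
    if original != 0:
        if current == 0:
            refund -= 15000  # take back the refund granted when it was zeroed
        if new == 0:
            refund += 15000
    if original == new:
        refund += 19800 if original == 0 else 4800  # slot reset to its original value
    return 200, refund


class TxStorage:
    """Per-transaction storage view that remembers each slot's original value."""

    def __init__(self, committed: Dict[int, int]):
        self.original = dict(committed)
        self.current = dict(committed)

    def sstore(self, slot: int, new: int, rule: str) -> Tuple[int, int]:
        orig = self.original.get(slot, 0)
        cur = self.current.get(slot, 0)
        if rule == "eip1283":
            gas, refund = sstore_gas_eip1283(orig, cur, new)
        elif rule == "pre1283":
            gas, refund = sstore_gas_pre_1283(cur, new)
        else:
            raise ValueError(f"unknown rule {rule!r}")
        self.current[slot] = new
        return gas, refund


SPLIT_SLOT = 7  # hypothetical storage slot holding a payee's split percentage


def reentrant_write_gas(rule: str) -> int:
    """Gas the attacker's fallback needs to rewrite SPLIT_SLOT during a transfer().

    Modelled flow (simplified from the article's description):
      1. The attacker, in a call it pays for itself, sets the split to 0,
         which marks the slot dirty for the rest of the transaction.
      2. Same transaction: the victim pays the attacker with transfer(),
         forwarding only CALL_STIPEND gas.
      3. Inside that stipend the attacker's fallback CALLs back into the
         victim and sets the split to 100 (one SSTORE).
    Only the gas spent in step 3 has to fit into the stipend.
    """
    storage = TxStorage({SPLIT_SLOT: 50})
    storage.sstore(SPLIT_SLOT, 0, rule)            # step 1, attacker's own gas
    gas, _ = storage.sstore(SPLIT_SLOT, 100, rule)  # step 3, inside the stipend
    return CALL_BASE_COST + gas


def reentrant_write_fits_stipend(rule: str) -> bool:
    return reentrant_write_gas(rule) <= CALL_STIPEND


if __name__ == "__main__":
    for rule in ("pre1283", "eip1283"):
        print(rule, reentrant_write_gas(rule), reentrant_write_fits_stipend(rule))
```

Under the old rule the callback's write costs at least 5000 gas and never fits into the stipend, which is why transfer() was treated as reentrancy-safe. Under EIP 1283 the same write costs 200 gas once the slot has been dirtied earlier in the transaction, so the whole callback fits with room to spare. A first write to a clean slot is still 5000 or 20000 gas, which is why only contracts whose state can be touched twice in one transaction are exposed.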
Following this decision, the major ethereum clients, including Go-Ethereum (Geth) and Parity, have released software updates. Since some clients on the network had already been updated ahead of the fork, the developers of the major ethereum implementations moved to publish new versions aimed at preventing the fork from activating at the scheduled point.
Geth has released an emergency hotfix designed to delay the upgrade. Node operators running Geth or Parity can either upgrade to the new release or downgrade to a pre-Constantinople version. However, Parity Technologies' head of security Kirill Pimenov, speaking in an ethereum core developers chat on Gitter, recommended upgrading to the new release rather than downgrading to an older version, explaining: "I want to restate — downgrading Parity to pre-Constantinople versions is a bad idea, we don't recommend that to anyone. Theoretically it should even work, but we don't want to deal with that mess."
So far, no vulnerable contracts have been identified on the live network. Nonetheless, core developer Jame Hudson noted: "There is still a non-zero risk that some contracts could be affected."
As for next steps, core developers plan to discuss longer-term questions, including when to activate Constantinople and how to fix the bug in EIP 1283, during another call on Jan. 18. Many developers also suggested a bug bounty program focused on reviewing fork code so that such bugs are discovered well in advance rather than right before activation, as happened with Constantinople.