Ethereum’s highly anticipated Constantinople hard fork upgrade has been delayed due to a “reentrancy attack” vulnerability discovered by blockchain security company ChainSecurity.
The delay, as reported by Coindesk, follows an agreement among Ethereum developers, client developers, and other projects running the network to postpone the hard fork for now while they assess the situation.
ChainSecurity found an “unwanted side effect”: after the Constantinople upgrade, certain smart contracts could give attackers a loophole to steal user funds, over and over again.
The loophole is made possible because the code simulates a secure treasury-sharing service, meaning that two parties can jointly receive funds, decide how to split them, and receive a payout if they agree.
However, the vulnerability allows hackers to “reenter” a function multiple times to siphon off funds without its original user knowing about such unauthorized transfers.
This would effectively enable hackers to be “withdrawing funds forever,” as Joanes Espanol, CTO of blockchain analytics firm Amberdata, described it.
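The re-entry pattern described above can be seen in a simplified Python model of a two-party treasury, added here as an illustration; it is not ChainSecurity's contract or Ethereum code. All class names, function names and amounts are assumptions constructed for the example, which compares a payout that clears its record only after sending funds with one that clears it first.

```python
class Party:
    """Recipient whose receive hook may call back into the treasury."""
    def __init__(self, reenter=0):
        self.balance = 0
        self.reenter = reenter      # number of callbacks into payout()
        self.args = None            # arguments replayed on re-entry

    def receive(self, treasury, value):
        self.balance += value
        if self.reenter > 0:
            self.reenter -= 1
            treasury.payout(*self.args)

class Treasury:
    """Hypothetical shared treasury: two parties split a joint deposit."""
    def __init__(self, other_funds, hardened):
        self.pool = other_funds     # funds held on behalf of other users
        self.deposits = {}          # pair id -> jointly received amount
        self.hardened = hardened

    def deposit(self, pair, amount):
        self.pool += amount
        self.deposits[pair] = self.deposits.get(pair, 0) + amount

    def payout(self, pair, share_a, party_a, party_b):
        amount = self.deposits.get(pair, 0)
        if amount == 0:
            return
        if self.hardened:
            self.deposits[pair] = 0   # record cleared before funds leave
        part_a = amount * share_a // 100
        self._send(party_a, part_a)
        self._send(party_b, amount - part_a)
        self.deposits[pair] = 0       # vulnerable path clears only here

    def _send(self, party, value):
        value = min(value, self.pool)
        self.pool -= value
        party.receive(self, value)    # control passes to the recipient

def run(hardened):
    """Constructed scenario: 900 of other users' funds, 100 joint deposit."""
    treasury = Treasury(other_funds=900, hardened=hardened)
    a, b = Party(reenter=3), Party()
    a.args = ("pair-1", 50, a, b)
    treasury.deposit("pair-1", 100)
    treasury.payout(*a.args)
    return a.balance, b.balance, treasury.pool

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```

In the vulnerable run the pair's 100 deposit pays out 400 in total because each re-entry still sees the uncleared record; in the hardened run the nested call finds nothing left to pay.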
A new fork date will be decided during an Ethereum developers’ call this Friday (Jan 18).