The Ethereum Core Developers alongside the Ethereum Security Community were notified about the possible Constantinople-related concerns highlighted by ChainSecurity on January 15, 2019. We are examining any possible weaknesses and will provide updates through this blog post and on various social media platforms.
In light of significant caution, principal participants in the Ethereum community have concluded that the most prudent action is to postpone the anticipated Constantinople fork initially scheduled for block 7,080,000 on January 16, 2019.
This will necessitate that all individuals operating a node (including node operators, exchanges, miners, wallet services, etc.) upgrade to a new version of Geth or Parity prior to block 7,080,000. Block 7,080,000 is expected to occur approximately 32 hours from the time of this publication, around January 16, 8:00 PM PT / January 16, 11:00 PM ET / January 17, 4:00 AM GMT.
What You Should Do
For individuals who merely engage with Ethereum (i.e., you do not operate a node), there is no action required on your part.
Miners, Exchanges, Node Operators:
- Upgrade your Geth and/or Parity installations once they are released.
- These updates are not available yet. We will refresh this post once they are accessible.
- Links, version identifiers, and guidance will be included here when they become available.
- We anticipate having updated versions available within 3-4 hours from the time this article is published.
Geth
- Upgrade to 1.8.21, OR
- Downgrade to Geth 1.8.19, OR
- Stay on 1.8.20, but apply the switch "--override.constantinople=9999999" to indefinitely postpone the Constantinople fork.
Parity
Everyone Else:
Ledger, Trezor, Safe-T, Parity Signer, WallEth, Paper Wallets, MyCrypto, MyEtherWallet, and other users or token holders who are not participating in the network by syncing and running a node.
- No action is required from your side.
Contract Owners
- No steps are necessary for you to take.
- You may opt to review the analysis of the potential vulnerability and inspect your contracts.
- Nonetheless, you are not obliged to act, since the modification that could present this potential weakness will not be activated.
Context
The article by ChainSecurity delves deeply into the potential vulnerability and the methods for auditing smart contracts for this issue. In brief:
- EIP-1283 offers a reduced gas cost for SSTORE operations.
- Certain smart contracts (currently present on-chain) might employ coding patterns that could render them susceptible to a re-entrancy attack following the Constantinople upgrade.
- These smart contracts would not have posed a vulnerability prior to the Constantinople upgrade.
Contracts at elevated risk include those that call transfer() or send() and then perform a state-altering operation. An example of such a contract is one in which two parties jointly receive funds, agree on how to split them, and trigger a distribution of those funds.
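As an added illustration (not code from this post, from ChainSecurity, or from any of the projects named here), the following constructed Solidity 0.5 contract has the two-party payout shape described above, with a hardened form beside it. The contract names, the per-mille split, and the two-party layout are assumptions made for this example; the point it shows is why the 2300-gas stipend forwarded by transfer() matters once EIP-1283 makes a repeated SSTORE cheap, and how checks-effects-interactions plus a re-entrancy guard remove the dependence on gas pricing.

```solidity
pragma solidity ^0.5.0;

// Constructed example for this post (not ChainSecurity's or any project's code).
// Two parties share whatever is sent to the contract; either may update the
// agreed split and either may trigger a distribution.

contract PayoutVulnerable {
    address payable public partyA;
    address payable public partyB;
    uint256 public splitA = 500; // partyA's share in per-mille; partyB gets the rest

    constructor(address payable _a, address payable _b) public {
        partyA = _a;
        partyB = _b;
    }

    // Accept plain ether deposits.
    function() external payable {}

    function updateSplit(uint256 _splitA) external {
        require(msg.sender == partyA || msg.sender == partyB, "not a party");
        require(_splitA <= 1000, "split out of range");
        splitA = _splitA;
    }

    // The pattern the post flags: transfer() followed by further work that
    // depends on contract state. transfer() forwards a 2300-gas stipend to
    // partyA's fallback. Before Constantinople that stipend could not pay for
    // an SSTORE, so a re-entrant updateSplit() would run out of gas. Under
    // EIP-1283 an SSTORE to a slot already written earlier in the same
    // transaction costs 200 gas, so the stipend can be enough for the fallback
    // to re-enter updateSplit() and change splitA before the second transfer
    // reads it.
    function distribute() external {
        uint256 total = address(this).balance;
        partyA.transfer(total * splitA / 1000);
        partyB.transfer(total * (1000 - splitA) / 1000);
    }
}

contract PayoutHardened {
    address payable public partyA;
    address payable public partyB;
    uint256 public splitA = 500;
    bool private locked;

    // Mutex: any re-entrant call into a guarded function reverts, regardless
    // of how cheap SSTORE becomes.
    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address payable _a, address payable _b) public {
        partyA = _a;
        partyB = _b;
    }

    function() external payable {}

    function updateSplit(uint256 _splitA) external nonReentrant {
        require(msg.sender == partyA || msg.sender == partyB, "not a party");
        require(_splitA <= 1000, "split out of range");
        splitA = _splitA;
    }

    // Checks-effects-interactions: read every piece of state the payout
    // depends on into locals first, then make the external calls last, so
    // nothing a callee does can change the amounts already computed.
    function distribute() external nonReentrant {
        uint256 total = address(this).balance;
        uint256 forA = total * splitA / 1000;
        uint256 forB = total - forA;
        partyA.transfer(forA);
        partyB.transfer(forB);
    }
}
```

When auditing a contract for this issue, the question to ask of every transfer() or send() is whether anything that executes after it (in the same function or in any function reachable from outside) reads or writes state that a re-entered call could alter; the hardened form answers that by snapshotting state before the external calls and by refusing re-entry outright.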
How the Decision to Delay the Constantinople Fork Was Made
Security researchers such as ChainSecurity and TrailOfBits conducted (and continue to conduct) analyses across the entire blockchain. They did not find any instances of this vulnerability in practice. However, a non-zero risk remains that some contracts might be affected.
Due to the non-zero risk and the duration needed to assess the risk confidently being greater than the time available before the intended Constantinople upgrade, it was decided to delay the fork out of an abundance of caution.
Those involved in the discussions included, but were not limited to:
Response Timeline
3:09 AM PT
- ChainSecurity responsibly discloses a potential weakness via the Ethereum Foundation’s bug bounty initiative
8:09 AM PT
- Ethereum Foundation requests ChainSecurity to make a public disclosure
8:11 AM PT
- ChainSecurity’s initial article is published
8:52 AM PT
8:52 AM PT – 10:15 AM PT
- Conversations occur across various platforms concerning potential threats, on-chain assessments, and necessary actions to take
10:15 AM PT – 12:40 PM PT
- Discussion through Zoom audio call with key participants. Dialogue continues on Gitter and additional channels as well
12:08 PM PT
- Decision taken to postpone the Constantinople upgrade
1:30 PM PT
- Official blog post disseminated across multiple channels and social media platforms
This article was collaboratively produced by EvanVanNess, Infura, MyCrypto, Parity, Status, The Ethereum Foundation, and the Ethereum Cat Herders.