Security Alert: Ethereum Constantinople Delayed
Ethereum core developers and the Ethereum security community have become aware of a potential Constantinople-related issue identified by ChainSecurity on January 15, 2019. We are investigating potential vulnerabilities and will provide updates through this blog post and social media channels.
Out of an abundance of caution, key stakeholders in the Ethereum community decided that the best course of action would be to postpone the Constantinople Fork, scheduled to occur at block 7,080,000 on January 16, 2019.
This requires everyone running a node (node operators, exchanges, miners, wallet services, etc.) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur approximately 32 hours from the time of this posting, or approximately January 16th at 8:00 PM PT/January 16th at 11:00 PM ET/January 17th at 4:00 AM GMT.
What you need to do
If you are simply interacting with Ethereum (not running a node), you don’t need to do anything.
Miners, exchanges, node operators:
Please update when Geth and/or Parity instances become available.
The new release is not yet available. We will update this post when it becomes available.
Links, version numbers, and instructions will be provided here when available.
An updated release is expected within 3-4 hours after this blog is published.
Geth:
- Upgrade to 1.8.21, or
- Downgrade to Geth 1.8.19, or
- Remain on 1.8.20, but use the ‘--override.constantinople=9999999’ switch to postpone the Constantinople fork indefinitely.
Parity:
- An updated release will be linked here when available.
Everyone else:
Ledger, Trezor, Safe-T, Parity Signer, WallEth, Paper Wallets, MyCrypto, MyEtherWallet and other users or token holders who do not participate in the network by syncing and running nodes.
- You don’t need to do anything.
Contract owners:
You don’t need to do anything.
You can choose to review the analysis of the potential vulnerability and verify your contracts.
However, changes that introduce this potential vulnerability will not be activated, so you do not need to take any action.
Background
ChainSecurity’s article explains the potential vulnerability and how you can check for it in your smart contracts. Very briefly:
EIP-1283 introduces lower gas costs for SSTORE operations.
Some smart contracts (already on chain) may utilize code patterns that make them vulnerable to re-entrancy attacks after the Constantinople upgrade occurs.
Before the Constantinople upgrade, these smart contracts would not have been vulnerable.
Contracts more likely to be vulnerable are those that perform state-changing operations after using the transfer() or send() functions. An example of such a contract is one where two parties jointly receive funds, decide how to split those funds, and initiate payment of those funds.
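The pattern just described, as an added illustration that is not code from this post or from ChainSecurity: a constructed two-party split contract showing the unsafe ordering (state change after transfer()) next to the checks-effects-interactions fix. The contract and function names are assumed.

```solidity
pragma solidity ^0.5.0;

// Constructed illustration of the pattern the post describes (two parties
// jointly receive funds, agree on a split, and trigger payment). Not code
// from the post or from ChainSecurity; contract and function names are assumed.
contract SplitPayment {
    address payable public partyA;
    address payable public partyB;
    uint256 public splitA;   // wei owed to A out of the current balance
    uint256 public splitB;   // wei owed to B
    bool public settled;

    constructor(address payable a, address payable b) public {
        partyA = a;
        partyB = b;
    }

    function() external payable {}   // accept the jointly received funds
    // Simplified agreement step: either party records the split.
    function setSplit(uint256 a, uint256 b) external {
        require(msg.sender == partyA || msg.sender == partyB, "not a party");
        require(!settled, "already settled");
        require(a + b == address(this).balance, "split must equal balance");
        splitA = a;
        splitB = b;
    }

    // UNSAFE ORDERING: external calls before the state change. Before
    // Constantinople the 2300-gas stipend forwarded by transfer() could not
    // pay for an SSTORE, so a receiver's fallback could not alter state here;
    // under EIP-1283 some SSTOREs fit in the stipend, so this becomes a re-entrancy risk.
    function payUnsafe() external {
        require(!settled, "already settled");
        partyA.transfer(splitA);
        partyB.transfer(splitB);
        settled = true;          // effect after interaction
    }

    // HARDENED: checks-effects-interactions; state is final before any external call.
    function paySafe() external {
        require(!settled, "already settled");
        settled = true;          // effect first
        uint256 a = splitA;
        uint256 b = splitB;
        splitA = 0;
        splitB = 0;
        partyA.transfer(a);      // interactions last
        partyB.transfer(b);
    }
}
```

With the hardened ordering, any call that re-enters setSplit() or paySafe() during a transfer() hits the settled check and reverts, regardless of how cheap SSTORE becomes.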
How was the decision to postpone the Constantinople Fork made?
Security researchers like ChainSecurity and TrailOfBits have run (and are still running) analyses across entire blockchains. They found no examples of this vulnerability in the wild. However, the risk that some contracts may be affected is still non-zero.
Because the risk is non-zero and the time required to confidently determine the risk is longer than the time available before the planned Constantinople upgrade, we have decided to postpone the fork out of an abundance of caution.
Parties participating in the discussion include, but are not limited to:
Timeline
3:09 AM Pacific Time
- ChainSecurity responsibly discloses the potential vulnerability through the Ethereum Foundation’s bug bounty program.
8:09 AM Pacific Time
- The Ethereum Foundation requests disclosure from ChainSecurity.
8:11 AM Pacific Time
- ChainSecurity’s original article is published.
8:52 AM Pacific Time – 10:15 AM Pacific Time
- Discussions take place across various channels regarding potential risks, on-chain analysis, and actions to be taken.
10:15 AM Pacific Time – 12:40 PM Pacific Time
- Zoom audio call with key stakeholders; the discussion continues on Gitter and other channels.
12:08 PM Pacific Time
- Decision made to postpone the Constantinople upgrade.
1:30 PM Pacific Time
- Public blog post published through various channels and social media.
This article is a joint effort of Evan Van Ness, Infura, MyCrypto, Parity, Status, the Ethereum Foundation, and the Ethereum Cat Herders.