Vitalik Buterin refutes rumors: Constantinople upgrade Create2 new smart contract creation function does not have a vulnerability

In a conference call with Ethereum core developers on February 15, Ethereum founder Vitalik Buterin and other core developers denied rumors that the new smart contract creation function to be released in the Constantinople upgrade will have a negative impact on security.

(Image source: unsplash)

The controversial feature, called “Create2” — included in ethereum improvement proposal (EIP) EIP-1014 — is designed to allow interaction with contracts that don’t yet exist on the blockchain, specifically, “not yet on the chain, but only at addresses that may eventually contain code.”

Some ETH developers are concerned that Create2 could introduce a potentially serious attack vector to the network, as the feature could reportedly allow smart contracts to be coded and change their addresses after deployment. One has questioned whether the feature "means that all contracts that have a self-destruct capability (a function in their code) are now more suspect than before in the post-Constantinople era?"

In discussing this, Ethereum developer Jeff Coleman stressed that “one thing that’s counterintuitive about Create2 is that in theory a redeploy could change the contract bytecode, since the address is just a commitment to the init code. People need to be aware that init code is part of an audit, […] non-deterministic init code can be a problem.”

Coleman stressed that those who want to audit other people’s code need to be aware of potential “weirdities. Especially when you combine Create2 with Create1, because the latter makes weak assumptions about address identity, no matter what the nonce is.” He added:

“What we’re looking at is… it will have all the addresses […] compressed by the initialization code. We need content-based contract addressing, not just order-based addressing, which is what Create1 is. So if we implement Create2 as the standard and get rid of the contract self-destruct function completely… we can probably get rid of the concept of contract random numbers.”

Like Coleman, Vitalik Buterin discussed the long-term roadmap for Create2, saying:

“It’s important to remember that this is more for the future, such as when considering rent and deletion; this method can cause the contract to be in a state or not without a self-destruct operation. This is not something we need to solve in the next few weeks, but it is still useful to keep in mind as we get ETH 2.0 sharding into the VM spec.”

In addition to Create2, the developers also noted that they have found a potential independent company to benchmark an ASIC-resistant proof-of-work (PoW) algorithm called “ProgPoW.”

As Ethereum continues to move towards its ultimate PoS goal, developers voted to implement the algorithm to resist specialized ASIC mining machines, but recently they decided to postpone the rollout of the algorithm until a third-party audit is completed. Notably, the ongoing informal online vote shows that the majority is in favor of implementing ProgPoW.