Announcement | Security Warning! Postponement of Constantinople Fork

Ethereum core developers and the Ethereum security community are aware of potential issues related to Constantinople that were discovered by ChainSecurity on January 15, 2019. We are investigating all potential vulnerabilities and will update relevant information in blog posts and social media.

Out of an abundance of caution, key stakeholders in the Ethereum community have determined that the best course of action is to postpone the Constantinople fork, which was originally scheduled to occur at block 7,080,000 on January 16, 2019.

This requires everyone running a node (node operators, exchanges, miners, wallet services, etc.) to update to the new version of Geth or Parity before block 7,080,000, which will be mined approximately 32 hours after the publication of this article, or at 8pm PT on January 16th / 11pm ET on January 16th / 4am GMT on January 17th.

What You Need to Do

If you are someone who only interacts with Ethereum (you do not run a node), you do not need to do anything.

Miners, Exchanges, Node Operators:

  • Update your versions promptly after new versions of Geth and/or Parity are released.

  • These new versions have not yet been released. We will update this article when new versions become available.

  • The link and version number along with the description will be provided here.

  • We expect to release an updated version within 3-4 hours of this blog post.

Geth

  • Upgrade to 1.8.21, or

  • Downgrade to Geth 1.8.19, or

  • Stay on 1.8.20, but use the switch '--override.constantinople=9999999' to postpone the Constantinople fork indefinitely.

Parity

  • Upgrade to Parity Ethereum 2.2.7-stable (recommended)

  • Upgrade to Parity Ethereum 2.3.0-beta

  • Downgrade to Parity Ethereum 2.2.4-beta (not recommended)

Everyone else:

Ledger, Trezor, Safe-T, Parity Signer, WallEth, Paper Wallets, MyCrypto, MyEtherWallet and other users or token holders who do not participate in the network by syncing and running a node: you don't need to do anything.

Contract Owners

  • You don't need to do anything.

  • You can choose to investigate potential vulnerabilities and review your contracts.

  • However, you are not required to do anything, as the change that introduced this potential vulnerability will not be enabled.

Background

ChainSecurity's article takes a deep dive into potential vulnerabilities and how to check smart contracts for them. Very briefly:

  • EIP-1283 brings cheaper gas costs for SSTORE operations

  • Some (already on-chain) smart contracts have code patterns that could make them vulnerable to a re-entrancy attack after the Constantinople upgrade occurs.

  • These smart contracts will not be affected until the Constantinople upgrade

Contracts that use the transfer() or send() function and then change state are more vulnerable. An example of such a contract is one where two parties jointly receive funds, decide how to split the funds, and then initiate a payment of those funds.
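Why the cheaper SSTORE matters for the transfer()/send() pattern, as an added example that is not part of the original announcement: it compares the gas charged for a storage write under the pre-Constantinople rule and under EIP-1283 with the gas stipend forwarded by transfer() and send(). The 2300-gas stipend and the gas constants come from the EVM gas schedule and EIP-1283, not from this post, and the slot values are constructed.

```python
# Added illustration: SSTORE gas charge before and after EIP-1283.
# Gas constants are from the EVM gas schedule and EIP-1283, not from this post.
# Slot values in SAMPLES are constructed.

CALL_STIPEND = 2300  # gas that transfer() and send() forward to the recipient


def sstore_gas_legacy(current: int, new: int) -> int:
    """Pre-Constantinople rule: only the current and new values matter."""
    return 20000 if current == 0 and new != 0 else 5000


def sstore_gas_eip1283(original: int, current: int, new: int) -> int:
    """EIP-1283 net gas metering.

    original: slot value at the start of the transaction
    current:  slot value at the time of the write
    new:      value being written
    """
    if current == new:
        return 200                      # write that changes nothing
    if original == current:             # slot untouched so far in this transaction
        return 20000 if original == 0 else 5000
    return 200                          # slot already modified ("dirty") in this transaction


def within_stipend(gas_cost: int) -> bool:
    """Necessary condition for the write to happen inside a stipend-only call;
    the other opcodes executed in that call also consume gas."""
    return gas_cost < CALL_STIPEND


def compare(original: int, current: int, new: int) -> dict:
    legacy = sstore_gas_legacy(current, new)
    net = sstore_gas_eip1283(original, current, new)
    return {"legacy": legacy, "legacy_within_stipend": within_stipend(legacy),
            "eip1283": net, "eip1283_within_stipend": within_stipend(net)}


SAMPLES = [  # (original, current, new)
    (0, 0, 1),   # first write to an empty slot
    (1, 1, 2),   # first write to a non-empty slot
    (1, 2, 3),   # slot already written earlier in the same transaction
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, compare(*sample))
```

Only the third case changes: a slot already written in the same transaction costs 5000 gas to write again under the old rule and 200 under EIP-1283, which is why contracts that relied on the stipend being too small for a state change need review.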

How the decision to postpone Constantinople was made

Security researchers like ChainSecurity and TrailOfBits have conducted (and are still conducting) analyses of the entire blockchain. They have not found any actual cases of such vulnerabilities. However, the possibility that contracts are affected is not zero.

Because the risk is not zero and the time required to eliminate it is longer than the time remaining before the planned Constantinople upgrade, the decision was made to postpone the fork out of an abundance of caution.

Participants in the discussion include but are not limited to:

  • Security Researchers

  • Ethereum Stakeholders

  • Ethereum Client Developers

  • Smart Contract Owners/Developers

  • Wallet Providers

  • Node Operators

  • Dapp Developers

  • Media

Timeline

  • 3:09 AM PT

    • ChainSecurity responsibly disclosed the potential vulnerability through the Ethereum Foundation’s Bug Bounty Program

  • 8:09 AM PT

    • The Ethereum Foundation asked ChainSecurity to make their findings public

  • 8:11 AM PT

    • ChainSecurity's original article is published

  • 8:52 AM PT

    • Martin Holst Swende said in the ethsecurity and AllCoreDevs Gitter channel: “Please everyone take a look at this: https://medium.com/chainsecurity/constantinople-enables-new-reentrancy-attack-ace4088297d9 . And, @everyone, we need to quickly determine the potential consequences and decide how to proceed. We only have 37 hours left before the fork.”

  • 8:52 AM - 10:15 AM PT

    • We discussed the potential risks, on-chain analysis, and what measures we needed to take through various channels.

  • 10:15 AM - 12:40 PM PT

    • Key stakeholders also discussed via Zoom audio calls. Discussions also continued on Gitter and other channels.

  • 12:08 AM PT

    • Decision to postpone Constantinople upgrade

  • 1:30 PM PT

    • This blog post was made public through various channels and social media

This post was written in collaboration with EvanVanNess, Infura, MyCrypto, Parity, Status, the Ethereum Foundation, and the Ethereum Cat Herders.


Original link:

https://blog.ethereum.org/2019/01/15/security-alert-ethereum-constantinople-postponement/

Author: Hudson Jameson

Translation & Proofreading: Toya & Ajian
