{"id":6486,"date":"2019-02-12T19:34:54","date_gmt":"2019-02-12T17:34:54","guid":{"rendered":"https:\/\/forklog.media\/?p=6486"},"modified":"2019-02-15T15:08:13","modified_gmt":"2019-02-15T13:08:13","slug":"ethereums-constantinople-upgrade-is-likely-to-go-ahead-despite-another-bug","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ethereums-constantinople-upgrade-is-likely-to-go-ahead-despite-another-bug\/","title":{"rendered":"Ethereum\u2019s Constantinople Upgrade is Likely to Go Ahead Despite Another Bug"},"content":{"rendered":"<p>A new bug in Constantinople, the planned upgrade of the Ethereum platform, has been discovered, potentially affecting a limited number of smart contracts that utilize self-destruct.<!--more--><\/p>\n<p>According to Jason Carver, a developer at the Ethereum Foundation, the bug dubbed Create2 can allow a developer to replace the self-destructed contract and thus change the rules. Describing the latest hurdle, <a href=\"https:\/\/ethereum-magicians.org\/t\/potential-security-implications-of-create2-eip-1014\/2614\/17\" target=\"_blank\" rel=\"noopener\">he wrote<\/a>:<\/p>\n<blockquote><p><strong>\u201cYou can construct a pretty innocuous contract pre-Constantinople, one that has two possible outcomes from a transaction: {\u2018contract exists\u2019: \u2018swap tokens\u2019, \u2018contract self-destructs\u2019: \u2018waste some gas\u2019}. 
Post-Constantinople, the options could now become {\u2018contract exists\u2019: \u2018swap tokens\u2019, \u2018contract self-destructs\u2019: \u2018waste some gas\u2019, \u2018contract replaced\u2019: \u2018all ERC20 tokens that were pre-approved to the contract are stolen\u2019}\u2026\u201d<\/strong><\/p><\/blockquote>\n<p>The discovered vulnerability doesn\u2019t affect the current state of Ethereum; however, it could possibly be exploited after the upgrade, allowing an attacker to steal all the approved coins within a smart contract.<\/p>\n<blockquote><p><strong>\u201cThere are ways around each of these \u2018social attacks\u2019, but most of them require education. That will surely lag behind the Constantinople upgrade itself,\u201d<\/strong> added Carver.<\/p><\/blockquote>\n<p>Martin Holst Swende, another developer at the Ethereum Foundation, said:<\/p>\n<blockquote><p><strong>\u201cThe corollary being, as previously, that if someone verified the source, he should have noticed the SELFDESTRUCT (without a due inactivity period) and avoid interacting with it.\u201d<\/strong><\/p><\/blockquote>\n<p>Swende also conducted a Twitter poll, asking his followers whether they agree that contracts people interact with can suddenly change code after Constantinople. 76 percent responded \u2018No\u2019, which forced Swende to come up with the following comment:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Fact: after Constantinople, a contract can selfdestruct and potentially be restored with different code. 
(rules and conditions apply)<\/p>\n<p>So YES, it can change code in-place (but no if you don&#8217;t consider 2 txs timespan suddenly) <a href=\"https:\/\/t.co\/NWAXOl0vbT\">https:\/\/t.co\/NWAXOl0vbT<\/a><\/p>\n<p>\u2014 M H (((Swende))) (@mhswende) <a href=\"https:\/\/twitter.com\/mhswende\/status\/1093995835518537728?ref_src=twsrc%5Etfw\">February 8, 2019<\/a><\/p><\/blockquote>\n<p>Cited by <a href=\"https:\/\/www.trustnodes.com\/2019\/02\/12\/augur-bets-on-ethereum-constantinople-delay-after-another-bug-found\" target=\"_blank\" rel=\"noopener\">Trustnodes<\/a>, Alexey Akhunov, who is working on the Ethereum 1x upgrade, said:<\/p>\n<blockquote><p><strong>\u201cIf we implement State fee proposal 2 as it is, it will allow resurrection of Parity multisig library, I suspect [\u2026] I am now thinking of the temporal replay protection EIP suggested in State fees proposal 2. I have just concluded that eviction of EOA account [normal eth addresses] combined with temporal replay protection (which resets the nonce of EOA to 0), will expand what CREATE2 further, to the EOA accounts\u2026&#8221;<\/strong><\/p><\/blockquote>\n<p>Meanwhile, Afri Schoedon of Parity insists that Constantinople will not be delayed due to the above. However, when asked whether smart contracts with a self-destruct function will be able to steal people\u2019s funds after the upgrade, Schoedon said: \u201cI\u2019d like to know that answer, too.\u201d<\/p>\n<h3>Petersburg<\/h3>\n<p>The network upgrade dubbed Constantinople would have introduced a series of backward-incompatible changes to the (again) world\u2019s second-largest cryptocurrency by market capitalization. 
Yet the bug discovered by ChainSecurity in mid-January <a href=\"https:\/\/forklog.com\/en\/ethereum-constantinople-upgrade-delayed-over-security-vulnerability\/\" target=\"_blank\" rel=\"noopener\">led to a delay<\/a>, followed by a plan to try once again in late February.<\/p>\n<p>The bug was found in EIP-1283 and could potentially make some smart contracts on Ethereum vulnerable to a so-called \u201cre-entrancy attack,\u201d enabling an attacker to steal other people\u2019s ETH.<\/p>\n<p>During a meeting in late January, Ethereum developers proposed to temporarily table EIP-1283 and proceed with the rest of Constantinople as planned, determining that a fix would delay Constantinople\u2019s activation for too long.<\/p>\n<p>However, given that several test networks including Ropsten had already activated Constantinople before the security vulnerability was found, Ethereum core developers also agreed that a second hard fork safely removing the EIP in question was needed. This new solution, implemented as a hard fork alongside Constantinople, is dubbed \u201cPetersburg\u201d and has already been released on Ropsten.<\/p>\n<p>The upgrade is now expected to be activated at block number 7,280,000, sometime during the last week of February.<\/p>\n<blockquote><p><strong>\u201cI suspect it will go as planned. 
The block number has been set and [the upgrade] is hard coded in the clients now so it\u2019s going along fine,\u201d<\/strong> Hudson Jameson, who handles developer relations for the Ethereum Foundation, told <a href=\"https:\/\/www.coindesk.com\/take-two-ethereum-is-getting-ready-for-the-constantinople-hard-fork-redo\" target=\"_blank\" rel=\"noopener\">CoinDesk<\/a>.<\/p><\/blockquote>\n<h3>Ice Age<\/h3>\n<p>In another notable development, Ethereum\u2019s new supply recently fell to about 13,000 ETH a day from 20,000 ETH as the so-called \u201cIce Age\u201d, a state of the chain related to the \u201cdifficulty bomb\u201d, is kicking in to make mining more difficult.<\/p>\n<p>Ethereum\u2019s new supply is expected to remain at those levels until the Proof of Stake (PoS) Beacon chain fully launches by the end of the year, at which point it will more than halve again. In the near future, the supply might drop close to 10,000 ETH, but that is not likely to last long, as the Constantinople fork will delay the difficulty bomb while setting new issuance at roughly 13,400 ETH a day.<\/p>\n<p>*****<\/p>\n<p>Users anticipating the launch of Constantinople can go to either <a href=\"http:\/\/forkmon.ethdevops.io\/\" target=\"_blank\" rel=\"noopener\">forkmon.ethdevops.io<\/a> or <a href=\"https:\/\/ethernodes.org\/network\/1\/forkwatch\/overview\" target=\"_blank\" rel=\"noopener\">Ethernodes<\/a> to watch the release in real time.<\/p>\n<p>According to Afri Schoedon, Constantinople and Petersburg <a href=\"http:\/\/didtheethereumblockchainreach1tbyet.5chdn.co\/\" target=\"_blank\" rel=\"noopener\">are estimated<\/a> to go live on Thursday, February 28.<\/p>\n<p>Follow ForkLog on <span style=\"text-decoration: underline;\"><a href=\" https:\/\/twitter.com\/forklog_en\/\" target=\"_blank\" rel=\"nofollow noopener\">Twitter<\/a><\/span> and <span style=\"text-decoration: underline;\"><a href=\"https:\/\/www.facebook.com\/forklogen\/\" target=\"_blank\" 
rel=\"nofollow noopener\"> Facebook<\/a><\/span>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new bug in Constantinople, the planned upgrade of the Ethereum platform, has been discovered, potentially affecting a limited number of smart contracts that utilize self-destruct.<\/p>\n","protected":false},"author":1,"featured_media":6492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"human_written","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[899,46,942],"class_list":["post-6486","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-constantinople","tag-ethereum","tag-vulnerabilities"],"aioseo_notices":[],"amp_enabled":true,"views":"378","promo_type":"1","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/6486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=6486"}],"version-history":[{"count":2,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/6486\/revisions"}],"predecessor-version":[{"id":6488,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/6486\/revisions\/6488"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/6492"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=6486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=6486"},{"taxonomy"
:"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=6486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}