New Ethereum version postponed after discovery of serious security flaw
A major upgrade of the Ethereum blockchain has been postponed today by the Ethereum team after a security company found a vulnerability that could have allowed hackers to steal users’ funds.
The Ethereum network update –codenamed the Constantinople Upgrade– was scheduled to launch tomorrow, January 16. A new launch date for the Constatinople rollout will be decided on Friday, January 18.
According to the company, the attack would have allowed a malicious threat actor to steal funds from users with whom the attacker engaged in an Ethereum smart contract.
A smart contract is a script that runs on the Ethereum blockchain that allows users to input Ether funds, pool funds together with other users, and receive currency back based on a series of predetermined conditions.
ChainSecurity experts discovered that the way the Ethereum Constantinople Upgrade was processing smart contracts allowed malicious actors to extract users’ funds without meeting the contract’s requirements or without the user’s approval or knowledge.
The vulnerability is called a “reentrancy attack” because it allows the attacker to re-run the same function over and over again until he exhausts all the user’s shared funds.
The company said that a quick (and incomplete) scan of the current version of the Ethereum platform did not identify smart contracts that are vulnerable to the vulnerability it discovered.
Ethereum devs said that “ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain” for vulnerable contracts that may be exploited even on top of the current Ethereum platform. They said the two security companies didn’t find any evidence of the flaw being used in the wild.
The Ethereum dev team and its security group (ethsecurity.org) are working on a patch, but also on identifying similar flaws.
Owners of Ether (ETH) cryptocurrency have nothing to worry about at this moment.