The Constantinople fork has been delayed again after ChainSecurity responsibly disclosed that one of the proposed updates, EIP 1283, introduced a security issue in smart contracts, i.e. a reentrancy attack.
Before diving into the details, let's first understand what reentrancy is and what problems it causes. Reentrancy is a programming pattern where a function (which is a block of instructions) can be interrupted and called again before its previous execution is complete. In other words, you are able to re-enter the function: it lets you do something and, while you are still doing it, do it again.
Depending on the platform and functionality, reentrancy can generate unexpected results. Consider the following pseudocode, where I am transferring funds from one account to another.
1. void transferfunds(string address, int amount) {
2.     if (account[address].funds > amount)
3.         transfermoney(address, amount)
4.     account[address].funds = account[address].funds - amount
5. }
…
…
6. void transfermoney(address, amount) {
7.     transferfunds(address, amount)
8. }
In the pseudocode above we are transferring funds to an address. On line 2 we check that the address has enough funds. On line 3 we call an external function, transfermoney. The call to transfermoney calls (re-enters) the original function again (line 7). Because the funds are deducted from the account only after the call to transfermoney completes, the funds are transferred again.
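The pseudocode above as a runnable Python model, added here as an illustration and not part of the original article: it runs the same re-entrant call against the original ordering and against a version that deducts the balance before the external call. The Ledger class, the pool guard and the account names are assumptions made for the example.

```python
class Ledger:
    """Toy ledger (constructed); effects_first selects the hardened ordering."""

    def __init__(self, funds, effects_first):
        self.funds = dict(funds)           # per-account balances
        self.pool = sum(funds.values())    # money the ledger actually holds
        self.effects_first = effects_first

    def transfer_funds(self, address, amount, on_receive):
        # The check of pseudocode line 2, plus a guard that the pool can pay.
        if self.funds[address] < amount or self.pool < amount:
            return False
        if self.effects_first:
            # Hardened: record the deduction before handing over control.
            self.funds[address] -= amount
            self._transfer_money(amount, on_receive)
        else:
            # Original ordering: external call first (line 3) ...
            self._transfer_money(amount, on_receive)
            # ... deduction afterwards (line 4), too late to stop re-entry.
            self.funds[address] -= amount
        return True

    def _transfer_money(self, amount, on_receive):
        self.pool -= amount
        on_receive(amount)                 # control passes to the recipient


def run(effects_first):
    """Return (total received by 'mallory', pool left in the ledger)."""
    # Constructed sample state: mallory is entitled to 10, alice to 40.
    ledger = Ledger({"mallory": 10, "alice": 40}, effects_first)
    received = []

    def reenter(amount):
        received.append(amount)
        # Recipient code calls back in before the first call has finished,
        # like line 7 of the pseudocode.
        ledger.transfer_funds("mallory", amount, reenter)

    ledger.transfer_funds("mallory", 10, reenter)
    return sum(received), ledger.pool


if __name__ == "__main__":
    print("original ordering:", run(effects_first=False))
    print("effects first:    ", run(effects_first=True))
```

With the original ordering the account entitled to 10 receives the whole pool of 50; with the deduction moved ahead of the call, the re-entrant call fails the balance check and only 10 leaves the ledger.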
EIP 1283 is one of the five updates that were included in Constantinople. It changes the way smart contracts are stored on Ethereum and, more importantly, the costs related to changes to smart contracts. This change allows an update of a contract to be broken down into changes written to the “short term” storage of the engine and changes written to the blockchain. Changes in the short-term storage will not be charged. This means that the overall cost of changing a contract will be reduced.
In Ethereum, contracts require gas to execute. The longer the contract, the more gas is required to execute it. The amount of gas limits the amount of execution that a smart contract can perform. Some Solidity statements are guarded from reentrancy by having a limited, constant amount of gas provided to the callee, limiting the amount of execution that can be performed. Given that this restriction was changed in EIP 1283, a hacker could write a smart contract that calls another legitimate contract and be able to transfer funds from one account to the other until all the funds are exhausted.
The Constantinople fork has been postponed to the end of February. The hard fork is set to be released on block 7,280,000, and it is estimated that it will go live on February 27, 2019. The release will exclude EIP 1283.