ChainSecurity: Ethereum's Constantinople upgrade "enables new Reentrancy Attack"

Ethereum's upcoming Constantinople upgrade introduces vectors for reentrancy attacks, according to smart contract auditing platform ChainSecurity. In a reentrancy attack, a specific function in a smart contract is called repeatedly before the smart contract is fully executed. According to Ethereum's wiki page, "this may cause the different invocations of the function to interact in destructive ways." One of the more infamous examples of a reentrancy attack was the 2016 DAO hack.

According to ChainSecurity, after the Constantinople upgrade the functions "address.transfer(...)" and "address.send(...)" can be vulnerable in Solidity smart contracts. Using these functions, an attacker can call an attack function on his/her own smart contract and steal other people's ether out of the vulnerable contract. ChainSecurity states that this is only possible when specific preconditions are met that would make a contract vulnerable. The firm also notes that it has yet to uncover smart contracts vulnerable to this attack. An example of the attack being carried out on the Ethereum Ropsten testnet can be seen here.

In a subreddit post, Afri Schoedon, the release manager for Parity Technologies, states that his firm is "confirming the report, investigating the severity, and considering next steps."

Update: CoinDesk is reporting that Ethereum's core developers have agreed to delay the Constantinople upgrade.

About Author

Steven Zheng is a researcher for The Block. He joined The Block in August 2018. Steven graduated from St. John’s University with a degree in economics. Previously, he covered blockchain and crypto at Radicle, a startup analytics firm. He also had brief stints at Cheddar, a media startup, and Bowery Capital, a venture capital firm. He owns bitcoin. Follow Steven on Twitter at: @Dogetoshi