ChainSecurity: Ethereum's Constantinople upgrade "enables new Reentrancy Attack"

Ethereum's upcoming Constantinople upgrade introduces vectors for reentrancy attacks, according to smart contract auditing platform, ChainSecurity. A reentrancy attack involves a specific function in a smart contract to be called repeatedly before the smart contract is fully executed. According to Ethereum's wiki page, "this may cause the different invocations of the function to interact in destructive ways." One of the more infamous examples of a reentrancy attack was the 2016 DAO hack.

According to ChainSecurity, post-Constantinople upgrade, the functions "address.transfer(...)" and "address.send(...)" can be vulnerable in Solidity smart contracts. Using these functions, an attacker can call an attack function on his/her own smart contract and steal other people's ethers out of the contract. ChainSecurity states that this is only possible when specific preconditions are met that would make a contract vulnerable. The firm also notes that it has yet to uncover smart contracts vulnerable to this attack. An example of the attack being carried out on the Ethereum Ropsten testnet can be seen here.

In a subreddit post, Afri Schoedon, the release manager for Parity Technologies, states that his firm is "confirming the report, investigating the severity, and considering next steps."


Update: CoinDesk is reporting that Ethereum's core developers have agreed to delay the Constantinople upgrade