Critical fund-stealing flaw delays major Ethereum upgrade

Ethereum cryptocurrency logo engraved on broken glass to show a security failure

A highly-anticipated upgrade to the Ethereum blockchain network has been delayed after a security auditing firm identified a critical vulnerability that could allow an attacker to steal users' funds.

One key aspect of the 'Ethereum Constantinople' update was a reduction in the computational effort needed to execute operations, such as transactions, on the platform. It's denoted by 'Ethereum Gas' and serves as a form of a fee that users must pay.

But a massive reduction in the Gas required for 'dirty storage' operations, from 5,000 to 200, created a loophole attackers could exploit to steal funds from users that attackers have entered into a smart contract with, according to crypto auditors ChainSecurity.

An attacker could exploit this vulnerability when splitting funds with a user they're paired with by executing the 'split funds' function repeatedly, and stealing other users' cryptocurrency from a PaymentSharer contract.

The vulnerability is known as 'reentrancy attack', and could have been exploited on a massive scale should the update been released today as initially scheduled.

"Out of an abundance of caution regarding the invariant broken by EIP1283 discovered by ChainSecurity, the Constantinople fork will be postponed," an Ethereum developer Evan Van Ness said. "New fork date chosen on Friday [18 January]."

Ethereum developers were made aware of the issue yesterday, just a day before their Constantinople Upgrade was due to be released, and published a blog outlining their reasons, and how it affects users.

They confirmed researchers at ChainSecurity and another firm, TrailOfBits, ran analysis across the entire Ethereum blockchain, and had not yet found examples of this vulnerability in the wild, meaning it is in all likelihood an update-specific issue.

The issue highlights the importance of cyber security in the cryptocurrency industry, with a Trend Micro report published late last year finding security expertise is failing to keep up with demand for cryptocurrency skills.

"Cryptocurrency has exploded as a popular way to support digital transactions, and these figures show that organisations are seeking more skills to take advantage of lower fees and instant payments," said Trend Micro's principal security strategist Bharat Mistry.

"We all know that where the money goes cybercriminals will follow. They will target business' crypto exchanges by whatever means possible to pilfer their funds or steal their personal information. Any individuals involved in running or using these systems need to be highly alert to the growing cyber risks."

ChainSecurity has posted its full findings on GitHub, including tests for reentrancy attacks, while developers have advised users to update their desktop software, either Geth or Parity, once these fixes are made available.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.