Ethereum’s much-anticipated platform update, the Constantinople fork, has been delayed as a precaution following the discovery of a security vulnerability.
Ethereum core developers say they found a loophole in the code that might enable attackers to steal user funds. These vulnerabilities are being investigated by the team of core developers and ETH security researchers. In the meantime, the Constantinople upgrade will be placed on hold out of an abundance of caution.
Following a call, Ethereum developers and those working on Constantinople, as well as developers of clients and other projects running the network, agreed to delay the hard fork—at least temporarily—while they assess the issue.
According to Ben Edgington, a developer working on Ethereum 2.0 R&D at PegaSys Protocol Engineering, the security bug was discovered by an audit specialist. The vulnerability is known as a “reentrancy bug,” he says, the same kind of bug that caused the DAO hack in June 2016. Edgington says the vulnerability could cause contracts to become insecure and that the “cautious and pragmatic approach” is to delay the hard fork. “Ethereum has to remain secure.”
Edgington adds that new clients will be released, which will need to be implemented by those working on the upgrade before the hard fork’s hard deadline in the next 36 hours.
This isn’t the first delay Constantinople has faced. Constantinople was previously expected to activate last year, but was delayed after issues were found.
More details will be coming soon from the Ethereum Foundation and various stakeholders.
Update: The Ethereum Foundation has issued a statement confirming the security issues discovered by ChainSecurity and providing instructions for miners, exchanges, and node operators.