The so-called “reentrancy bug” that last month delayed the launch of the Ethereum hard fork, Constantinople, “turned out not to be an issue,” Ethereum’s top research scientist said today in an interview.
Even as the mists of FUD swirl around the upcoming release, due in late February, Virgil Griffith, who handles Ethereum’s research and business partnerships, says that last month’s delay turned out to have been a bit of a nothingburger. Griffith said that even the term “bug” itself overstated the issue.
“There were no existing bugs,” Griffith told Decrypt. Rather, the “bug” would have only affected smart contracts designed in a specific way—“but it turned out nobody had actually done that,” he said. “Even if it had gone through, there wouldn't have been any existing contracts that were newly vulnerable.”
Plans for the long-awaited upgrade to the Ethereum platform had been delayed at the 11th hour in January, after security firm ChainSecurity discovered what was then described as a bug. The purportedly bad code would have supposedly let hackers steal funds from smart contracts. Cautious devs postponed the upgrade to February, and are now reportedly getting ready to re-implement it.
That bug-that-wasn’t-a-bug had caused deja vu for Ethereum’s core team. In 2015, an actual “reentrancy” bug had cost users some $70 million when Ethereum’s experimental venture fund, the Decentralized Autonomous Organization, or DAO, was hacked. Ethereum devs forked the network to return the lost funds, creating a physical, as well as philosophical, rift in the community.
The Ethereum Foundation, which helps govern the Ethereum network, has been sure to take precautions for the “redo,” which is due in February. Griffith said there would be more rigorous “regression tests,” which essentially test backwards compatibility, to filter out potential vulnerabilities.
The Constantinople upgrade seeks to increase “scalability,” reduce the price of “gas,” used to run Ethereum-powered applications, and reduce the issuance of ether, Ethereum’s native currency, making it less inflationary. And whether it was a bug or not, EIP1283, the component of the upgrade that had been identified as problematic, will be removed by the forthcoming quasi-upgrade, known as “St. Petersburg.”
But again today, another component of the coming fork, “CREATE2,” came under suspicion. A report by Ethereum site TrustNodes suggested that a feature of the software, which would allow users to “self-destruct” and re-deploy a smart contract, was once more a “bug.” ChainSecurity COO Matthias Egli, however, told Coindesk that it was “not a security bug” but a “corner case” to be wary of.