Tuesday , June 22 2021

Vulnerability in Ethereum will affect smarter contracts after Constantinople CriptoNoticias

The developer of Ethereum has found it possible vulnerability that may affect intelligent contracts developed after the update of Constantinople, whose activation was postponed to February 28. The members of the Ethereum Foundation rejected such vulnerability as appropriate.

Possible vulnerabilities are identified in the protocol Create2 by developer Jason Carver and initially discussed by Gitter's AllCoreDevs Channel. Subsequently, the user took him to a debate in the Ethereum Magicians Forum on February 8th.

According to Carver's discovery, it can happen that the intelligent contract that has already been completed is replaced by another contract in the same direction with different functionality that can cause theft of funds.

Create2 includes hash for a source code to generate addresses that could deliberately produce any contract code. According to the forum there are cases where this behavior is useful. However, it is possible to manipulate a contract with a non-deterministic source code so that users do not realize that they are interacting with a completely new contract at the same address.

Carver mentions how some intelligent contracts that have been harmless before the upgrade can be affected after the Contantinols go live. The developer has described a modified self-destruction treaty to illustrate it:

I think that means that any post-Constantinopolitan malicious contract seems grim before. But you can build a pretty harmless contract before the upgrade, which has two possible outcomes of one transaction: {"contract exists": "exchange of symbols", "self-destruction of a contract": "you lose gas"}. After Constantinople, the possibilities can now become "the contract exists": "exchange symbols", "self-destruction of a contract": "lose a little gas", "replace the contract": "all characters of the ERC20 that have been previously approved for the contract are stolen" }.

Jason Carver

The developer, who discovered the possible failure, pointed out that it is necessary to train auditors and programmers as soon as possible to mitigate the possible consequences of Create2However, he thinks that "surprising" is that he has remained unnoticed so far.

For his part, the head of Ethereum Security Foundation Martin Holst Svende also participated in this discussion confident that most users of AllCoreDevs are fully aware of the effects of Create2"In the same way, he said that most of Ethereum developers and auditors "unfortunately" are not aware of this.

None of the developers talked about the third postponement of Constantinople, which, after its first postponement, had to be completed between January 15 and 16. However, on Augur's forecast markets, some users expect that the update will not arrive on February 28th. Developer Hudson Jameson he reiterated, from the Twitter social network, that there is no reason to postpone the update.

Carver also pointed out that the problem was Create2 this is not necessarily a failure in the virtual machine Ethereum (EVM for the acronym in English) but a possible "social attack" that would make the task of the auditors much more difficult.

In this connection, Martin Holst Svende pointed out that vulnerability stemmed from contracts with a self-destructive function, which were dangerous even before Constantinople began functioning. However, the user who brought the post to the forum said that this is typical of Create2 will directly affect trust in intelligent contracts:

… At some level, this further reduces the confidence that end-users expect contracts to be "unchanged." Not only can they be updated, but they can now be rearranged. There is a risk of perception and we can not blame consumers (or auditors).


For the head of the Security Service at the ET Foundation this is not a problemsince it is necessary to audit the contract and its history before registering to verify that it is behaving in the manner prescribed in its execution. In addition, in order to protect the funds, he determined that under no circumstances should a contract with the self-destruction function be executed.

Thus, it would not be necessary to modify the code, but an educational campaign for auditors and programmers who "need" to keep up with the changes that the updated state information states in the record CREATION and intelligent contracts.

Despite the advice of Martin Holt Swende, the debate remains open. Some users believe that there are other consequences stemming from Create2 which have not yet been discovered.

Selected image from zoommachine / stock.adobe.com

Source link