A long time crypto security researcher has come out to say the Constantinople bug was revealed months ago. Sergio Demian Lerner says:
“At Coinspect we discussed a months ago the “vulnerability” that today blocked Ethereum hard-fork. We knew that some contracts would break on EIP1283. In fact we had created an example contract that was vulnerable. We thought this was evident and well-known.”
Lerner links to a tweet from September which says: “Stop assuming Solidity send() is safe from reentrancy. It’s not. A low level CALL without value transfer can call back passing a little less than 2300 gas. Always use a logic lock to protect from reentrancy.”
He did not, however, inform the Ethereum Foundation of it, stating: “I was sure the devs knew. And I’m still sure. Probably no useful contract will break in practice. But they decided to redo the risk assessment 36 hours before the fork.”
He does have some 15,000 Twitter followers, some of them eth protocol devs. Raising the question of why this bug wasn’t caught before the very last minute.
The answer may be because the piece of code responsible for the bug was included in the last minute. As you may recall, Constantinople was planned for mid-November, but a testnet bug put it back. Now Trail of Bits says:
“EIP-1283 was initially proposed on August 1, 2018. It was accepted on November 28, 2018.” Thus after the fork was postponed due to a previous bug which needed to be fixed, they included new code.
The Metropolis devs called all of December off because Christmas, making it unclear whether there was any testing during that period and/or any testing of this specific code.
Vitalik Buterin said the problem here was “interaction” between different new features which when “cross-communicating” sort of give rise to different behaviors than on their own.
In other words, there was a failure of testing presumably because this was included at the very last minute. That further means there was no audit of Metropolis. Not that one was needed for this bug as apparently it “was evident.”
“At Coinspect we discussed a months ago […]