A long-time crypto security researcher has come out to say the Constantinople bug was revealed months ago. Sergio Demian Lerner says:
“At Coinspect we discussed months ago the ‘vulnerability’ that today blocked Ethereum hard-fork. We knew that some contracts would break on EIP1283. In fact we had created an example contract that was vulnerable. We thought this was evident and well-known.”
Lerner links to a tweet from September which says: “Stop assuming Solidity send() is safe from reentrancy. It’s not. A low level CALL without value transfer can call back passing a little less than 2300 gas. Always use a logic lock to protect from reentrancy.”
He did not, however, inform the Ethereum Foundation of it, stating: “I was sure the devs knew. And I’m still sure. Probably no useful contract will break in practice. But they decided to redo the risk assessment 36 hours before the fork.”
He does have some 15,000 Twitter followers, some of them eth protocol devs, which raises the question of why this bug wasn’t caught before the very last minute.
The answer may be because the piece of code responsible for the bug was included in the last minute. As you may recall, Constantinople was planned for mid-November, but a testnet bug put it back. Now Trail of Bits says:
“EIP-1283 was initially proposed on August 1, 2018. It was accepted on November 28, 2018.” Thus, after the fork was postponed due to a previous bug which needed to be fixed, new code was included.
The Metropolis devs called all of December off because of Christmas, making it unclear whether there was any testing during that period and/or any testing of this specific code.
Vitalik Buterin said the problem here was “interaction” between different new features which when “cross-communicating” sort of give rise to different behaviors than on their own.
In other words, there was a failure of testing presumably because this was included at the very last minute. That further means there was no audit of Metropolis. Not that one was needed for this bug as apparently it “was evident.”
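To make Lerner’s “logic lock” advice and Buterin’s “interaction” point concrete, here is an added example contract. It is not code from the article, from Coinspect, or from the EIP, and the contract and function names (PaymentSharer, updateSplit, splitFunds, nonReentrant) are assumed for illustration. Before EIP-1283 an SSTORE cost at least 5,000 gas, so a recipient forwarded only the 2,300-gas stipend of send()/transfer() could not write storage; EIP-1283 drops the cost of re-writing a slot already changed in the same transaction to 200 gas, so that assumption no longer holds and an explicit lock is needed:

```solidity
pragma solidity ^0.5.0;

// Added example (not from the article, Coinspect or the EIP): a reentrancy
// mutex, the "logic lock" Lerner recommends, applied to a contract that
// previously relied on the 2300-gas stipend of send()/transfer() to keep a
// recipient's fallback from touching storage.
//
// Before EIP-1283 every SSTORE cost at least 5000 gas, so a callee running
// on the stipend could not change state. EIP-1283 charges only 200 gas to
// re-write a slot already dirtied earlier in the same transaction, so a
// fallback running on 2300 gas can re-enter a state-changing function whose
// slot is dirty. The stipend is therefore not a reentrancy guard; the lock is.

contract PaymentSharer {
    address payable public first;
    address payable public second;
    uint256 public splitPercent;      // share of each payout that goes to `first`
    bool private locked;              // the logic lock

    // Reject any call that arrives while another guarded function is running.
    // The SLOAD in the require() is cheap enough to execute on the stipend,
    // which is exactly what makes the check effective there.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address payable _first, address payable _second) public {
        first = _first;
        second = _second;
        splitPercent = 50;
    }

    // Accept deposits.
    function () external payable {}

    // Only the two parties may change the split. Without the lock, this
    // single SSTORE is the kind of write a fallback could perform on the
    // stipend once the slot has been dirtied earlier in the transaction.
    function updateSplit(uint256 percent) public nonReentrant {
        require(msg.sender == first || msg.sender == second, "not a party");
        require(percent <= 100, "percent out of range");
        splitPercent = percent;
    }

    // Pays out the balance. Both amounts are computed from one read of
    // splitPercent before any external call (checks-effects-interactions),
    // and the lock stops first's fallback from calling updateSplit() mid-payout.
    function splitFunds() public nonReentrant {
        uint256 amount = address(this).balance;
        uint256 toFirst = amount * splitPercent / 100;
        uint256 toSecond = amount - toFirst;

        first.transfer(toFirst);     // still forwards only 2300 gas, but the
        second.transfer(toSecond);   // lock, not the stipend, is the guard
    }
}
```

The two measures are deliberately redundant: reading splitPercent once before the transfers protects this payout on its own, while the lock protects every guarded function regardless of how a future change orders its reads and writes, which is the kind of cross-feature interaction Buterin described.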