Buterin-Proposed Constantinople Ethereum Feature Allegedly Introduces Attack Vector

Published at: Feb. 13, 2019

Ethereum (ETH) co-founder Vitalik Buterin has proposed a new smart contract creation function dubbed “Create2.” This function reportedly introduces a new attack vector to the platform, according to a post on the Ethereum developers forum Ethereum Magicians published on Feb. 8.

According to a Medium post by software developer Tim Cotten, the original create function creates a new contract at an address that is calculated (through a hash function) with the creator’s address and a random number (nonce) associated with it. Create2, on the other hand, reportedly does the same, but with the difference that the contract is created at an address that can be determined beforehand by different parties.

In the GitHub page dedicated to this Ethereum Improvement Proposal (EIP), EIP-1014, the motivation for the new function is described as the ability to permit an interaction with a contract that does not exist on the blockchain yet.

More specifically, this EIP would allow for interactions “with addresses that do not exist on-chain yet but can be relied on to only possibly eventually contain code.” This EIP has been approved and is scheduled for mainnet deployment in the upcoming Constantinople hard fork, according to a ConsenSys blog post.

However, Rajeev Gopalakrishna, chief scientist at blockchain startup Indorse, has suggested that the Create2 implementation in Ethereum could have negative security implications for the platform. According to him, Create2 implies that smart contracts will be able to change their address after being deployed.

Gopalakrishna said that, in some circumstances, this function makes it possible to replace a previously benign smart contract with a potentially malicious one. Jason Carver, senior staff engineer at the Ethereum Foundation, explained that he thinks it will be possible to use Create2 to replace a self-destructed contract with a new one.

Gopalakrishna also pointed out:

“Doesn’t this change a major invariant assumed by users today and introduce a potentially serious attack vector with CREATE2? Doesn’t this mean that any contract post-Constantinople with a selfdestruct [function in its code] is now more suspect than before?”

Still, software developer Noel Maersk specified that the self-destruction function in and of itself isn’t suspect. According to him, what should be seen as suspect in contracts on a Create2-enabled blockchain is non-deterministic init code, since it makes it impossible to foresee what code the newly generated contract would contain.

This way, a malicious contract could take over the interactions that were pre-approved for the address, which could let the attacker, for instance, steal some tokens. Furthermore, Carver also points out that “it looks like a lot of contract devs aren’t aware that (new) contracts will be able to change in-place after” the implementation of this update.

As Cointelegraph recently reported, Ethereum (ETH) core developers have delayed the decision to implement the application-specific integrated circuit (ASIC)-resistant proof-of-work (PoW) algorithm ProgPoW until a third party has audited the algorithm.

Other than implementing Create2, the upcoming Constantinople hard fork is also meant to delay the so-called “difficulty bomb” and feature the so-called “thirdening”: a reduction of the reward for every mined block from 3 to 2 ETH.
