Sergio Demian Lerner Says the Constantinople Bug “Was Evident and Well-Known”



A longtime crypto security researcher has come out to say the Constantinople bug was revealed months ago. Sergio Demian Lerner says:

“At Coinspect we discussed months ago the “vulnerability” that today blocked Ethereum hard-fork. We knew that some contracts would break on EIP1283. In fact we had created an example contract that was vulnerable. We thought this was evident and well-known.”

Lerner links to a tweet from September which says: “Stop assuming Solidity send() is safe from reentrancy. It’s not. A low level CALL without value transfer can call back passing a little less than 2300 gas. Always use a logic lock to protect from reentrancy.”
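The logic lock the tweet recommends, sketched as an added Solidity example (not code from Lerner, Coinspect or this article; the contract and function names are hypothetical). Every state-changing entry point shares one lock, so a callback made with the leftover stipend gas reverts instead of running.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example; GuardedVault and its functions are hypothetical names.
contract GuardedVault {
    mapping(address => uint256) public credit;
    bool private locked; // the "logic lock"

    // Revert any call that arrives while a guarded function is still running,
    // however little gas the caller was given.
    modifier noReentry() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable noReentry {
        credit[msg.sender] += msg.value;
    }

    // Moves credit without transferring ether. It shares the lock so a
    // callback during withdraw() cannot rewrite the ledger mid-payment.
    function moveCredit(address to, uint256 amount) external noReentry {
        require(credit[msg.sender] >= amount, "insufficient credit");
        credit[msg.sender] -= amount;
        credit[to] += amount;
    }

    function withdraw() external noReentry {
        uint256 amount = credit[msg.sender];
        require(amount > 0, "nothing to withdraw");
        credit[msg.sender] = 0; // update state before the external call

        // send() forwards only the 2300 gas stipend. The stipend is not the
        // protection here; the lock and the state-before-call ordering are.
        require(payable(msg.sender).send(amount), "send failed");
    }
}
```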

He did not, however, inform the Ethereum Foundation of it, stating: “I was sure the devs knew. And I’m still sure. Probably no useful contract will break in practice. But they decided to redo the risk assessment 36 hours before the fork.”

He does have some 15,000 Twitter followers, some of them Ethereum protocol devs, raising the question of why this bug wasn’t caught before the very last minute.

The answer may be that the piece of code responsible for the bug was included at the last minute. As you may recall, Constantinople was planned for mid-November, but a testnet bug pushed it back. Now Trail of Bits says:

“EIP-1283 was initially proposed on August 1, 2018. It was accepted on November 28, 2018.” Thus, after the fork was postponed because of a previous bug that needed to be fixed, they included new code.

The Metropolis devs called all of December off because of Christmas, making it unclear whether there was any testing during that period and/or any testing of this specific code.

Vitalik Buterin said the problem here was “interaction” between different new features, which when “cross-communicating” give rise to behaviors different from those they show on their own.

In other words, there was a failure of testing, presumably because this was included at the very last minute. That further means there was no audit of Metropolis, not that one was needed for this bug, as apparently it “was evident.”


