This was announced today on Ethereum’s official blog by one of their leading developers, Hudson Jameson.
ChainSecurity, a smart contract auditing platform, found a Constantinople-related security risk, which prompted the Ethereum developers to postpone the upgrade.
“Out of an abundance of caution, key stakeholders around the Ethereum community have determined that the best course of action will be to delay the planned Constantinople fork that would have occurred at block 7,080,000 on January 16, 2019.
This will require anyone running a node (node operators, exchanges, miners, wallet services, etc…) to update to a new version of Geth or Parity before block 7,080,000. Block 7,080,000 will occur in approximately 32 hours from the time of this publishing or at approximately January 16, 8:00pm PT / January 16, 11:00pm ET / January 17, 4:00am GMT.”
Holders that keep their ETH in cold wallets do not need to do anything, nor do smart contract developers. The only network participants that need to take action are miners, exchanges and other node operators.
What security risk did ChainSecurity find?
The issue was publicized on their blog earlier today:
“The upcoming Constantinople Upgrade for the ethereum network introduces cheaper gas cost for certain SSTORE operations. As an unwanted side effect, this enables reentrancy attacks when using address.transfer(...) or address.send(...) in Solidity smart contracts. Previously these functions were considered reentrancy-safe, which they aren’t any longer.”
After Constantinople, storage operations that change “dirty” storage slots cost only 200 gas instead of the current 5000 gas. For a storage slot to be dirty, it has to have been changed during the ongoing transaction; an attacker contract can often achieve this by calling some public function which changes the required variable.
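
An added example (not from the article or from ChainSecurity) that models the pricing change described above: it compares the SSTORE cost before the upgrade with the EIP-1283 net-metering rule and lists which state-changing writes fit inside the 2300-gas stipend that `transfer` and `send` forward. The stipend value, the rule details beyond the 200 and 5000 figures, the `overhead` parameter and the sample slot values are not in the article; gas refunds are ignored.

```python
# Added illustration: SSTORE pricing before and under EIP-1283 (Constantinople).
CALL_STIPEND = 2300  # gas forwarded to the recipient by address.transfer / address.send

def sstore_gas_legacy(current, new):
    """Pre-Constantinople: 20000 to fill an empty slot, 5000 for any other write."""
    return 20000 if current == 0 and new != 0 else 5000

def sstore_gas_eip1283(original, current, new):
    """EIP-1283 net metering; `original` is the slot's value at transaction start."""
    if current == new:
        return 200                          # no-op write
    if original == current:                 # clean: untouched so far in this transaction
        return 20000 if original == 0 else 5000
    return 200                              # dirty: already changed in this transaction

def newly_affordable(scenarios, overhead=0):
    """Names of state-changing writes that fit in the stipend only under EIP-1283.

    `overhead` (assumption) is the gas the callee spends on its other opcodes.
    """
    budget = CALL_STIPEND - overhead
    flagged = []
    for name, original, current, new in scenarios:
        if new == current:
            continue                        # value does not change, nothing to protect
        before = sstore_gas_legacy(current, new) <= budget
        after = sstore_gas_eip1283(original, current, new) <= budget
        if after and not before:
            flagged.append(name)
    return flagged

# Constructed scenarios: (name, value at tx start, value now, value being written)
SCENARIOS = [
    ("clean non-zero slot", 1, 1, 2),
    ("clean empty slot", 0, 0, 5),
    ("dirty slot", 1, 3, 2),
    ("dirty slot restored to original", 1, 3, 1),
]

if __name__ == "__main__":
    print(newly_affordable(SCENARIOS))
```

Only the dirty-slot writes are flagged: clean slots still cost 5000 or 20000 gas, so a contract is affected only where a variable it relies on can be modified earlier in the same transaction.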