Ethereum (ETH) co-founder Vitalik Buterin has proposed a new smart contract creation function dubbed “Create2.” This function reportedly introduces a new attack vector to the platform, according to a post on the Ethereum developers forum Ethereum Magicians published on Feb. 8.
According to a Medium post by software developer Tim Cotten, the original create function creates a new contract at an address that is calculated (through a hash function) with the creator’s address and a random number (nonce) associated with it. Create2, on the other hand, reportedly does the same, but with the difference that the contract is created at an address that can be determined beforehand by different parties.
In the GitHub page dedicated to this Ethereum Improvement Proposal (EIP), EIP-1014, the motivation for the new function is described as the ability to permit an interaction with a contract that does not exist on the blockchain yet.
More specifically, this EIP would allow for interactions “with addresses that do not exist on-chain yet but can be relied on to only possibly eventually contain code.” This EIP has been approved and is scheduled for mainnet deployment in the upcoming Constantinople hard fork, according to a ConsenSys blog post.
However, chief scientist at blockchain startup Indorse Rajeev Gopalakrishna has suggested that the Create2 implementation in Ethereum could have negative security implications for the platform. According to him, Create2 implies that smart contracts will be able to change their address after being deployed.
Gopalakrishna said that in some circumstances using this function, it is possible to replace a previously benign smart contract with a potentially malicious one. Jason Carver, senior staff engineer at the Ethereum Foundation, explained that he thinks that it will be possible to use Create2 to replace a self-destructed contract with a new one.
Gopalakrishna also pointed out:
“Doesn’t this change a major invariant assumed by users today and introduce a potentially serious attack vector with CREATE2 ? Doesn’t this mean that any contract post-Constantinople with a selfdestruct [function in its code] is now more suspect than before?”
Still, software developer Noel Maersk specified that the self-destruction function in and of itself isn’t suspect. According to him, what should be seen as suspect in contracts on a Create2-enabled blockchain is non-deterministic init code, since it renders foreseeing what code the newly generated contract would contain.
This way, a malicious contract could get hold of the pre-approved interactions with the address which could let the attacker, for instance, steal some tokens. Furthermore, Carver also points out that “it looks like a lot of contract devs aren’t aware that (new) contracts will be able to change in-place after” the implementation of this update.
As Cointelegraph recently reported, Ethereum (ETH) core developers have delayed the decision to implement application-specific integrated circuit (ASIC)-resistant proof-of-work (PoW) algorithm ProgPoW until a third party will have audited the algorithm.
Other than implementing Create2, the upcoming Constantinople hard fork is also meant to delay the so-called “difficulty bomb” and feature the so-called “thirdening”: a reduction of the reward for every miner block from 3 to 2 ETH.
Ethereum Daily Mining Rewards Аre at Lowest Level Ever Reported
According to Etherscan, on Feb. 10, 13,370 new ETH have been created, down from over 20 thousand in December 2018 and an all-time-high of over 39 thousand reported on July 30, 2015. The recent sharp decrease in the quantity of newly mined ETH was evidently caused by a sudden increase in Ethereum mining difficulty, which Etherscan data revealed on Feb. 10.
As Cointelegraph reported in September last year, Ethereum’s core developers decided on their regular meeting on August 31, 2018 to delay the so-called “difficulty bomb,” by agreeing to include the code for such a change into the upcoming Constantinople hard fork.
The difficulty bomb, also known as Ethereum’s “ice age,” is a mechanism implemented on the Ethereum chain which makes Proof of Work (PoW) mining ETH progressively harder (increasing the difficulty).
The reason for the implementation of this feature is to prevent miners from continuing their activity on the chain after Ethereum’s switch to a Proof of Stake (PoS) consensus algorithm. Still, PoS implementation has been delayed multiple times, which is why Ethereum developers have delayed the difficulty bomb though updates as they plan to do with the Constantinople hard fork.
Moreover, delaying the ice age also lowers mining difficulty. To compensate for the easier mining process, Constantinople will also feature the so-called “thirdening”: a reduction of the reward for every miner block from 3 to 2 ETH.
Such an update would raise the quantity of daily minted ETH again, by making the creation of new blocks easier. This upgrade is currently scheduled to happen at block 7,080,000, which forecasted to be mined on Feb. 27, according to a Consensys blog post.
Last week, the Ethereum Foundation refuted alleged plans to spend a prospective $15 million on the development of Verifiable Delay Functions (VDFs) for use in its transition to a Proof-of-Stake (PoS) network.