Vitalik Buterin Submits New “Create2” Smart Contract Function, Bringing New Attack Vector With It
The Ethereum platform is working through its original roadmap, which dictated multiple upgrades to improve its scalability and overall function. Vitalik Buterin, the co-founder of ETH, suggested a function called Create2 that would be applied to smart contract creation. According to a post on Ethereum Magicians, a developers’ forum, the new feature comes with a new attack vector for the platform.
Tim Cotten, a software developer, says that the existing create function will open a new contract. The address for the contract is generated with the use of the creator’s address and a random number. With Create2, the only difference is that the smart contract’s address can be pre-determined by different parties.
The Ethereum Improvement Proposal (EIP), EIP-1014, can be found on the corresponding GitHub page. According to that page, the new function was motivated by the ability to allow interaction with a contract that does not exist yet. With the EIP, interactions could be performed “with addresses that do not exist on-chain yet but can be relied on to only possibly eventually contain code.” The EIP has already been approved and will come with the Constantinople hard fork.
Rajeev Gopalakrishna, a chief scientist at the Indorse blockchain startup, says that the Create2 function would pose a security risk. Based on the information he has seen, the feature would make it possible to change the smart contract address at any point, even after it has been deployed. With that issue in mind, he added that the new address could essentially be replaced with a malicious address, or that the smart contract could be switched out for a malicious contract.
Gopalakrishna added, “Doesn’t this change a major invariant assumed by users today and introduce a potentially serious attack vector with CREATE2? Doesn’t this mean that any contract post-Constantinople with a self-destruct [function in its code] is now more suspect than before?”
Noel Maersk, another software developer, believes that the capability to self-destruct is not inherently concerning. Instead, he says that the suspicious issue would be non-deterministic init code. This type of coding would allow someone to view the code that a smart contract will have. With this information, any hacker could easily get ahold of the pre-approved interactions associated with the address, thus allowing theft. Carver adds, “It looks like a lot of contract devs aren’t aware that (new) contracts will be able to change in-place after the update.”
Core developers for Ethereum have postponed the implementation of an ASIC-resistant proof-of-work (PoW) algorithm called ProgPoW for now. The developers are awaiting an audit of the algorithm to ensure its efficiency and security.
Along with the implementation of Create2, Constantinople will also delay the “difficulty bomb,” which refers to how much harder it will be to mine. It will also have a “thirdening,” which will reduce the rewards of miners as they validate transactions, bringing the reward down from 3 ETH to 2 ETH.