Published in


Constantinople enables new Reentrancy Attack

Image: Hagia Sophia. From Guillaume-Joseph Grelot, Relation nouvelle d’un voyage de Constantinople (Paris: Pierre Rocolet, 1680).

What’s wrong with this code?

An example for newly vulnerable code.
Attacker Contract listed as first address.
  1. The attacker sets the current split using updateSplit in order to make sure that the update later will be cheap. This is the effect of the Constatinople upgrade. The attacker sets the split in such a way that his first address (the contract) is supposed to receive all of the funds.
  2. The attacker contract calls the splitFunds function, which will perform the checks*, and send the full deposit of this pair to the contract using a transfer.
  3. From to the fallback function, the attacker updates the split again, this time assigning all funds to his second account.
  4. The execution of splitFunds continues and the full desposit is also transferred to the second attacker account.

Why is this attackable now?

Is my smart contract vulnerable?

Are there vulnerable smart contracts out there?




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

ChainSecurity provides security audits and conducts research and development for blockchain platforms.