We’re seeing a lot of misinformation related to the Constantinople delay. e.g. “Why wasn’t this detected sooner?” and/or “blah blah blah everyone sucks dump ETH”. Let’s dive into the nature of the bug. 🐛

EIP1283 (eips.ethereum.org/EIPS/eip-1283) makes some changes to how you interact with smart contracts. Namely, it attempts to make some contract interactions cheaper and/or more efficient.

The implementation of EIP1283 was sound. The code is fine. The idea behind it is fine. There is not a “bug” in the code of this EIP. It does what is intended.

The potential vulnerability lies at the contract level—not the EVM/opcode/EIP level.

For example...
- A developer wrote, audited, tested and deployed a smart contract in the past
- It is not possible to exploit the smart contract
- The Constantinople update goes live
- It is now possible to exploit the smart contract, due to the changes made in EIP1283

Now, you see the words “potentially vulnerability” and “abundance of caution” being used. That is because, as of right now, there has *not* been a contract found on Ethereum mainnet or testnets that is vulnerable (besides proof of concept ones)

And people have been looking hard.

So why wasn’t this detected sooner? It isn’t found by auditing the EIP or Geth or Parity. It is found by auditing every existing contract while that contract is on an already-updated chain. Or by researchers imagining what devs could write that could be inadvertently exploitable.

What this incident has shown is
- the entire stack needs to be analyzed when reviewing EIPs
- existing conditions & contract patterns being used have to be explored
- needs imagination / research across all levels, not just technical reviews and audits

So, that's the story of ConstantiNOPEle 🙄 and why FUD doesn't need to spread. Yes, it would be nice to catch it earlier, but the process for dealing with these bugs will improve as a result. And nobody lost funds.

Thank you to @chain_security and everyone else who researches.