Jason Carver, a developer at the Ethereum Foundation, has called for CREATE2, a proposed new opcode, to be removed from the Constantinople upgrade, as he says it would make code auditing far more difficult.
“The second-order effects were not appreciated in the wider community,” he says in a lengthy statement laying out his reasoning.
In Ethereum a contract can itself create new contracts, and some dapps, like Augur, consist of one hundred contracts that interconnect with each other in a complicated system. Carver says:
“At audit time, the parent contract is destroyed, implying that its omnipotent powers have been revoked. That would have been true pre-Constantinople.
Post-Constantinople, a black-hat could revive the parent contract and can modify the child at will. Simply redeploying the same parent code with the same state, adjacent to the contract under audit, is enough to take advantage of someone.”
Someone reading the code to make sure it won’t steal their funds can guard against being fooled, but only by undertaking extensive verification, which could be a far too laborious process.
“I am not a security professional. These examples are somewhat contrived and simple. Cleverer people would bury the nasty bits under some innocuous facade,” Carver says.
Malleable Smart Contracts
The new proposal, which some call a feature, lets what a contract does change after it has been audited. A contract deployed with CREATE2 gets an address derived from the deployer, a salt and the hash of its initialisation code, rather than from the deployer’s nonce. If that contract self-destructs, the same initialisation code can be redeployed to the same address, and because initialisation code can produce different runtime code each time it runs, the revived contract can do something other than what it used to do.
The solution is in a way simple: don’t trust contracts that can self-destruct. But if that self-destruct is hidden in a master contract that has since disappeared, you might need a lot of care to find it.
“My instinct is to remove CREATE2 from Constantinople, modify the EIP to keep the contract nonce during self-destruct, and launch CREATE2 at the next upgrade,” Carver says.
Jeff Coleman, who is working on what are called counterfactual state channels, disagrees. Because a CREATE2 address can be computed before anything is deployed, this malleability “feature” allows contracts in second-layer set-ups to be deployed on-chain only if a dispute needs to be settled, saving gas costs otherwise.
You can thus have a system where contracts are deployed on-chain only if the parties do not cooperate; otherwise there can be many transactions and contracts that never hit the chain at all.
Whether you can do this with just CREATE, rather than needing CREATE2, isn’t very clear. The latter does make it easier, but it’s not clear whether it has to be in its current form.
Educating the ecosystem might be one answer, but reading the code might become difficult if self-destructed smart contracts can affect live contracts.
This proposal was made by Vitalik Buterin, Chief Scientist at the Ethereum Foundation, in Ethereum Improvement Proposal (EIP) 1014 in or around April last year.
It’s not clear whether Buterin has appreciated the extent of potential complications from Create2. He has made no recent statement about it as far as we’re aware.
As there is some dissent, there may need to be some clarity on this proposal and on what trade-off is being made.
Understandably, given the previous Metropolis delays, they might want to just rush it through, but the ice age has now kicked in, so eth holders would probably be fine with more delays. Miners might not be, but the upgrade was meant to go through months ago and its failure to do so benefited miners.
In addition, it’s not clear how much this would complicate the rent fee proposal, which may start deployment in October. Alexey Akhunov, who is leading those efforts, said “CREATE2 does not directly affect us just yet,” but he had previously stated that Parity’s multisig could potentially be reinstated under the current state fees design, so that might need to be changed.