Header Ads

Cryptocurrency raider takes $60 million in digital cash from DAO Vulnerability

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

A cryptocurrency is only as reliable as the technology that keeps it running, and Ethereum is learning this the hard way. An attacker has taken an estimated $60 million in Ethereum's digital money (Ether) by exploiting vulnerabilities in the Decentralized Autonomous Organization, an investment collective. The raider took advantage of a "recursive call" flaw in the DAO's code-based smart contracts, which administer the funds, to scoop up Ether many times in a single pass.

Ethereum's Vitalik Buterin (pictured above) has revealed a planned software fork that would prevent the intruder from using the ill-gotten goods, but there are still plenty of headaches in store for both contract creators and investors. Contract makers will have to take extra care to avoid the flaw and limit the value of their contracts so that a bad actor doesn't make off with a huge sum of cash. Buterin says that Ethereum itself is safe -- miners can carry on, and users should "sit tight and remain calm" while they wait to trade again. Still, it's easy to imagine everyone being nervous.

A leaderless organization comprised of a series of smart contracts written on the ethereum codebase, The DAO has lost 3.6m ether, which is currently sitting in a separate wallet after being split off into a separate grouping dubbed a "child DAO". 

The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490; even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

Ether markets plunged on the news, falling below $13 in trading on the cryptocurrency exchange Poloniex. With ether currently trading at roughly $17.50 per coin, that puts the value of the stolen cryptocurrency at more than $60m.

The kicker? People were convinced that the bug posed no risk to DAO funds just a few days prior. Clearly, that wasn't true. While the invader didn't get away scot-free, the breach has caused a lot of chaos. And while one person's claims that they legitimately took the funds is sketchy, Bloomberg notes that the code defining the smart contracts may have explicitly allowed this attack even if that's not what the DAO wanted. This may not be so much a hack as exploitation of poorly-defined terms, and there may not be a legal recourse. In short: basing an investment framework around code instead of human-made contracts may have been too optimistic.

Source: Coindesk, Etherscan, Ethereum,

No comments

blogmytuts. Powered by Blogger.