Originally posted 18th June 16
Imagine a $50 million diamond heist that no law enforcement agency investigates, and where, four days later, the broken safe that made the theft possible is still unrepaired and is being raided again by marauding copycats. That is roughly the position of a high-profile investor group holding Ethereum, a digital currency that rivals Bitcoin, and the events are threatening the survival of this still-immature cryptocurrency.
In the parable above, The DAO is the unlucky jeweler. It is a crowd-funded investment fund that relies on Ethereum and highly specialized code to execute automatically the investment decisions made by its members. On Friday, thieves exploited software bugs that let them transfer about 3.6 million "ether," the base unit of the Ethereum currency. The loot amounted to more than a third of The DAO's 11.5 million ether endowment and, depending on the exchange rate used, is valued at anywhere between $45 million and $77 million.
In the days since the theft there have been more than six copycat attacks, which together stole 785 ether. Although these smaller attacks do not have the same devastating effect, they underscore a problem that is frustratingly hard to fix: as long as the flaw remains in the deployed contract, The DAO and the Ethereum currency stay exposed to further attacks, and the currency's viability may sink further.
It is worth mentioning that, as this article was about to go live, there were indications that some of the follow-on attacks were being carried out by white-hat hackers trying to save Ethereum from itself.
The bug is in the functions individual investors use to cash out of the fund. In Friday's attack the attackers worked out that the function splitDAO(), which pays out a caller's share, hands control to the recipient through an external call before it sets the caller's balance to zero. A recipient that is itself a contract can therefore call splitDAO() again from inside that callback, and every nested call still sees the original, un-zeroed balance; this pattern is known as re-entrancy. By repeating the process thirty times, an account holding 50 shares was paid out 1,500 shares' worth. A second bug, which let the same tokens be split repeatedly without being destroyed in the main DAO, allowed the whole attack to be run over and over again.
Martin Koeppelmann, an entrepreneur and developer at Consensus Systems (an Ethereum-based startup), said: "The attacker was able to combine the two exploits. The first exploit was for calling the splitDAO function recursively. What this means is that the first regular call will trigger a second call of the function, and then this second call will trigger a third call, and so on. The following calls are made in the state before the balance of the attacker is set back to 0, allowing the attacker to split twenty times per transaction. The attacker couldn't do more; if he had tried to do more, the transactions would have become too big and eventually would have reached the block limit. This attack alone would already have been quite painful, but what made it extremely painful is the fact that the attacker succeeded in replicating the attack from the same two addresses with the same tokens again and again (about 250 times from each of the two addresses). The attacker managed to find a second exploit allowing him to split without destroying the tokens in the main DAO. The combination of the two attacks multiplied the effects."
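The re-entrancy mechanic described above, and the per-transaction cap Koeppelmann mentions, are easy to see in a small model. The following Python is an added example, not code from this article, from The DAO or from Ethereum (the real contract was written in Solidity): VulnerableDAO reproduces the broken ordering in splitDAO() (pay out, then zero the balance), HardenedDAO reorders it to update state before the external call (checks-effects-interactions), GuardedDAO keeps the broken order but rejects nested calls with a mutex, and Attacker is a recipient whose payment handler calls back into split(). The class names, the 11.5 million ether pool size and the `max_reentries` stand-in for the block gas limit are assumptions made for illustration.

```python
# Added example modelling the splitDAO() re-entrancy flaw. Not code from
# The DAO or Ethereum; class names, pool size and the max_reentries stand-in
# for the block gas limit are assumptions for illustration.


class ReentrancyError(Exception):
    """Raised by GuardedDAO when split() is re-entered."""


class VulnerableDAO:
    """Mimics the broken ordering in splitDAO(): pay out first,
    zero the caller's balance afterwards."""

    def __init__(self, pool):
        self.pool = pool        # ether held by the contract
        self.balances = {}      # token balance per participant

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def split(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            return
        self.pool -= amount
        # BUG: the external call hands control to the caller's code while
        # the caller's balance is still `amount`, so it can re-enter split().
        caller.receive_ether(self, amount)
        self.balances[caller] = 0       # too late: nested calls already ran


class HardenedDAO(VulnerableDAO):
    """Checks-effects-interactions: update state before the external call."""

    def split(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            return
        self.balances[caller] = 0            # effect first ...
        self.pool -= amount
        caller.receive_ether(self, amount)   # ... interaction last


class GuardedDAO(VulnerableDAO):
    """Same broken ordering, but a mutex rejects any nested split() call."""

    def __init__(self, pool):
        super().__init__(pool)
        self._entered = False

    def split(self, caller):
        if self._entered:
            raise ReentrancyError("split() re-entered")
        self._entered = True
        try:
            super().split(caller)
        finally:
            self._entered = False


class Attacker:
    """A recipient whose payment handler calls back into split().

    max_reentries stands in for the block gas limit that bounds how many
    nested calls fit in one transaction (assumption for the model)."""

    def __init__(self, max_reentries):
        self.max_reentries = max_reentries
        self.depth = 0
        self.received = 0

    def receive_ether(self, dao, amount):
        self.received += amount
        if self.depth < self.max_reentries:
            self.depth += 1
            try:
                dao.split(self)          # re-enter before the balance is zeroed
            except ReentrancyError:
                pass                     # like a failed low-level call: give up


def run(dao_cls, shares=50, reentries=29, pool=11_500_000):
    """Deposit `shares`, call split() once, report what the attacker got.

    The defaults (50 shares, 30 nested calls in total) mirror the figures
    quoted in the article; the pool size is a constructed assumption."""
    dao = dao_cls(pool)
    attacker = Attacker(reentries)
    dao.deposit(attacker, shares)
    dao.split(attacker)
    return {"received": attacker.received,
            "owed": shares,
            "pool_after": dao.pool,
            "balance_after": dao.balances[attacker]}


if __name__ == "__main__":
    for cls in (VulnerableDAO, HardenedDAO, GuardedDAO):
        print(cls.__name__, run(cls))
```

Against VulnerableDAO the attacker is paid 1,500 for 50 shares, because all thirty nested calls read the same balance; against either fixed variant the nested calls find a zero balance (or are refused) and the payout is exactly 50. The hardened ordering is the preferred fix, since a guard alone still leaves the state update after the call.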
Existential Threat
The hacks pose an existential threat to The DAO and to the Ethereum currency. To avert the crisis, Ethereum's leaders have proposed a change to the protocol that would make the stolen ether unspendable. Such a "soft fork" must be adopted by a majority of Ethereum mining power, as a software update that miners install on their own servers. Vitalik Buterin, the founder of Ethereum, said he supports the plan, but in the same statement acknowledged that a majority of miners would have to back it, meaning the decision is out of his hands.
Some Ethereum proponents object to the proposal. They note that the currency was designed to work with its own dedicated programming languages, which let Ethereum run "smart contracts": software-driven agreements that pay out funds automatically when specified conditions are met. Opponents of the fork argue that Ethereum's whole appeal is its decentralization, which is supposed to make it immune to control by governments, banks or other powerful groups.
Andreas Antonopoulos, a Bitcoin commentator, recently said that once there is a mechanism for generic blacklists, we will see "blacklist subpoenas" very soon; it is a power that will be abused.
Rob Graham, a security researcher, said in a recent blog post that he is a crypto-anarchist: the whole point of cryptocurrencies is to get around corrupt humans, and trying to repair this problem is simply corruption. Graham compared The DAO's rescue to the 2008 taxpayer bailout of Wall Street financial institutions. According to Koeppelmann, the attacker was capable of draining The DAO's entire fund but stopped at about the time Ethereum officials took the theft public. It appears the attacker stopped by choice rather than for some technical reason.
Koeppelmann says one can imagine the hacker stopped for strategic reasons, to make a community decision in favor of a fork less likely.
So far there is no clear information on how many miners support the proposal to fork the Ethereum protocol. Whichever way they decide, Ethereum has likely just suffered a huge blow. If the fork goes ahead, it will be difficult for Ethereum's proponents to argue that it is as decentralized and immune to meddling as they previously claimed. And if the fork does not happen, it is hard to guess how well Ethereum, still in its infancy, will fare when one of the biggest stockpiles of the currency was amassed in such an unseemly and unethical way.