The past few days in the world of dApps and altcoins have been quite eventful, to say the least. An attacker found a bug or a loophole in the DAO contract and managed to split off and siphon 3.6 million Ether into a “child DAO” account. This action has shaken both investors in the DAO project and the Ethereum community itself. Now, with only 24 days left until the contract releases the funds to the attacker, people are trying to come up with the best plan of resistance.
A Fork Within Two Communities
The full severity of the DAO attack has yet to be felt, since the attacker cannot obtain the funds until the contract releases the Ether. To some in the Ethereum camp, this has hurt the protocol’s reputation in a number of ways and also leaves a person or group with 3.6 million Ether that could be dumped on the market. As reported by Live Bitcoin News, the Ethereum developers and the community are contemplating three scenarios to remedy the situation. One is to do nothing, let the history of what happened stand, and allow the attacker to do as he or she pleases. The next option is a soft fork, which could blacklist the Ether and freeze the attacker’s assets. Then there is the hard fork, which could “roll back” the Ethereum blockchain’s history and return everyone’s investment.
The “roll back” hard fork is very controversial, as many are comparing it to the 2008 bank bailouts, and in the crypto-community such an act damages the reputation for immutability of the Ethereum blockchain. The hard fork has a lot of support, but also a lot of people who disagree with it and with Ethereum’s association with the DAO dApp itself. Many believe this entire mess is the fault of the Slock.it developers and of the security audit of the code. The security report, which is roughly 100 words in length, makes no mention of vulnerabilities or exploits such as the recursive-call vector. One Ethereum community member writes in the r/ethereum subreddit, “The code review should have been demanded, requested, and proven BEFORE the crowd sale.”
However, a sincere, carefully audited code review has not seen the light of day on this subject, except from outsiders who have found significant vulnerabilities and bugs. For instance, security researcher Peter Vessenes finds mistakes such as “withdrawRewardFor is vulnerable”: a significant typo in the code allowed the attacker to dynamically receive far more than expected. Vessenes is not the only one dissecting the DAO attack; many others are as well, including significant research by the Hacking Distributed team. Phil Daian of Hacking Distributed writes:
“This exploit in the DAO is clearly not trivial; the exact programming pattern that made the DAO vulnerable was not only known but fixed by the DAO creators themselves in an earlier intended update to the framework’s code. Ironically, as they were writing their blog posts and claiming victory, the hacker was preparing and deploying an exploit that targeted the same function they had just fixed to drain the DAO of all its funds.”
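As an added illustration, not code from the DAO or from any of the researchers quoted above, the pattern Vessenes and Daian describe: a reward withdrawal that sends Ether before updating its own bookkeeping, beside the hardened form that updates state first and refuses nested entry. Contract names are hypothetical, the logic is deliberately simplified, and the syntax is current Solidity, which post-dates the 2016 DAO.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable pattern (hypothetical contract, simplified): the external call
// happens before the balance is zeroed, so a contract that receives the
// Ether can re-enter withdrawReward() while its recorded balance is unchanged.
contract RewardVaultVulnerable {
    mapping(address => uint256) public rewards;

    function deposit() external payable {
        rewards[msg.sender] += msg.value;
    }

    function withdrawReward() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // INTERACTION before EFFECT: control passes to msg.sender here.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        rewards[msg.sender] = 0; // too late: any re-entrant calls already ran
    }
}

// Hardened pattern: checks-effects-interactions plus a reentrancy guard.
// State is updated before any external call, and the lock rejects nested
// entry even if some other code path forgets the ordering.
contract RewardVaultHardened {
    mapping(address => uint256) public rewards;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        rewards[msg.sender] += msg.value;
    }

    function withdrawReward() external nonReentrant {
        uint256 amount = rewards[msg.sender];              // CHECK
        require(amount > 0, "nothing to withdraw");
        rewards[msg.sender] = 0;                           // EFFECT first
        (bool ok, ) = msg.sender.call{value: amount}("");  // INTERACTION last
        require(ok, "transfer failed");
    }
}
```

A reviewer auditing a withdrawal or split function can apply the same check the hardened version encodes: every state write that the external call depends on must precede the call.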
The Counter Attack
Now the Slock.it team has released a blog post called the “Counter Attack”, written by lead developer Lefteris Karapetsas. The counter attack has multiple steps that essentially block the attacker’s funds and make it more difficult for the hacker to move Ether around. It also needs the help of a soft fork, but Karapetsas says multiple times within the post that “In the end the hard fork is the simple solution that will be guaranteed to solve the problem.” This is because the counter attack depends on many variables, has multiple points of failure, requires help from a soft fork, and may not help the situation. Despite these weaknesses in the counter attack plan, Karapetsas believes it is at least worth mentioning, stating:
“The community can stop the attacker from ever withdrawing their ether, even after the 27-day period expires, by buying into the attacker’s DAO. This is not a complete solution and will probably never result in getting the stolen Ether back to the original DTHs but at least it will prevent the attacker from seeing windfall profits.— One thing is for certain. This move can ensure that the attacker does not ever get any money out of this. From that point on, negotiations can continue with the attacker or a hard fork can happen to reimburse all the DAO Token Holders.”
The Need for More Developers to Review Code
The entire DAO problem is a sophisticated and controversial one, and it is still not over. There are decisions to be made, and it seems the communities are contemplating every one. After this incident, many are bewildered by the fact that a $150 million crowdfund happened without careful auditing and testing before going live. Then, when weaknesses were found on the day the protocol went live, not much was done, and the vulnerabilities were used to the attacker’s advantage.
Reviewing the code is a severe disadvantage for the ordinary user, as most can barely grasp the 2.0 technology. Many people now say that careful inspection must be done before these types of projects are made available to the public. Ethereum inventor Vitalik Buterin says he is discussing solutions like this at this very moment, but many wonder if it is a little too late. Buterin wrote early this morning about what he has been up to during these recent events, stating:
“Today I was in a meeting discussing possible university collaborations in order to get perhaps 5-20 more researchers and developers to work on Ethereum smart contract privacy and programming language safety in the next year; before that I was in online chats and in-person meetings with people from the Chinese community discussing DAO issues and getting feedback from them. Yesterday I was writing EIPs as well as discussing possible modifications to high-level programming languages to mitigate smart contract dangers in the future. I also checked up on the Go devs to see what the progress on the soft fork is. I also spent some time thinking about implementation details and writing a document describing a possible initial Ethereum 2.0 protocol combining a simple implementation of Casper plus sharding.”
With all of this said, there is definitely a need for peer-reviewed audits in the 2.0 space for smart contracts and dApps. With a global shortage of programmers and developers, this may be a hard task, and an even harder sell after an incident such as the DAO’s. It is harder to do after the attack because now there is a whole lot of “blame game” happening. Some blame the Slock.it developers, and some are pointing at possible problems with the Solidity language itself. Due to all of the recent happenings, the DAO has dropped to second place among the largest internet crowdfunds, according to Wikipedia.
The point being, if institutions are to use these new technologies at an enterprise level, more developers are needed to review smart contracts, the coding language, and the implementation of apps in general.
Sources: r/ethereum, Slock.it Blog, Medium blog, Hacking Distributed
Images: ETHpool, Pixabay, and Ethereum blog