Big shock for Ethereum: The DAO has been hacked.

Today rumors began to circulate about a possible hack of The DAO project, one of the most ambitious and popular smart contracts on the Ethereum network.

The rumors first appeared on reddit, where a user commented: “I think that DAO is being drained at this time”. Other users quickly confirmed it and described an attack called “recursive calling”, which consists of calling a function recursively, in an endless loop. In this case the attacker or attackers called the DAO's “split” function recursively to collect far more ETH than they originally held.

How is this possible?

Everything points to The DAO having design faults and serious vulnerabilities that can be exploited. In this case, the DAO “split” function was added to the project for the following reason:

If a shareholder or group of shareholders disagrees with the decisions of the project's Commissioner, they can choose to split from the original DAO into a new DAO.

The vulnerability comes from the order in which “split” runs:

  1. First, a user requests a split from the DAO.
  2. The user's token balance is checked.
  3. A new copy of the DAO is created and the user's original ETH is moved into it.
  4. Only then is the user's ETH balance reduced by the amount of the split.

If this request is made recursively, the user's ETH is never deducted before the next call runs, so the user accumulates more ETH than they initially held.
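To make the ordering problem concrete, here is an added Python model of the four steps above (this is not code from The DAO or from the article). It assumes a `split()` that moves ETH via a recipient callback before zeroing the balance, and contrasts it with the same function written in the checks-effects-interactions order, where the balance is deducted before any external call.

```python
# Minimal simulation of the DAO "split" ordering flaw. The ETH transfer is
# modelled as a Python callback so that a malicious recipient can re-enter
# split() before its own balance has been deducted (steps 3 and 4 swapped).


class VulnerableDAO:
    """Order: check balance -> move ETH (external call) -> deduct balance."""

    def __init__(self, deposits):
        self.balances = dict(deposits)          # constructed sample balances
        self.total_eth = sum(deposits.values())  # ETH held by the contract

    def split(self, user, recipient):
        amount = self.balances[user]
        if amount <= 0:                 # step 2: check the user's balance
            return
        self.total_eth -= amount        # step 3: ETH leaves the DAO ...
        recipient(amount)               # ... via an external call that may re-enter
        self.balances[user] = 0         # step 4: balance deducted only afterwards


class FixedDAO(VulnerableDAO):
    """Checks-effects-interactions: deduct the balance, then make the call."""

    def split(self, user, recipient):
        amount = self.balances[user]
        if amount <= 0:
            return
        self.balances[user] = 0         # effect first: a re-entrant call sees 0
        self.total_eth -= amount
        recipient(amount)               # interaction last


def run_reentrant_split(dao, attacker="attacker", max_depth=10):
    """Drive a recipient that re-enters split() up to max_depth times.

    Returns (eth_received_by_attacker, eth_left_in_dao)."""
    received = []

    def recipient(amount):
        received.append(amount)
        if len(received) < max_depth:
            dao.split(attacker, recipient)   # re-enter before step 4 runs

    dao.split(attacker, recipient)
    return sum(received), dao.total_eth


if __name__ == "__main__":
    deposits = {"attacker": 1, "honest": 9}   # constructed: attacker owns 1 of 10 ETH
    print("vulnerable:", run_reentrant_split(VulnerableDAO(deposits)))  # (10, 0)
    print("fixed:     ", run_reentrant_split(FixedDAO(deposits)))       # (1, 9)
```

With the vulnerable ordering the attacker's 1 ETH stake drains all 10 ETH in the contract; with the balance deducted first, the re-entrant call finds a zero balance and the attacker receives only what they deposited.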

This attack could be carried out by literally anyone and does not require much technical skill. Vitalik Buterin wrote on the official Ethereum blog that the vulnerability lies only in The DAO and that Ethereum itself is completely safe and has no security flaws.

However, this did not calm investors: the ETH price fell 30% in less than 3 hours, and at the time of writing ETH trades at $14. So far the amount of stolen ETH is almost 2.5 million, which at the current price is equivalent to approximately $35 million.

The attacker's address, which received the stolen ETH, can be monitored through the following website:

In the meantime, Vitalik Buterin has appealed for calm, telling the community that the attacker will only be able to withdraw funds after 27 days, which gives a window of time to take the decisions needed to retrieve the stolen ETH.

One proposal for recovering the coins is an update to the platform that prevents any function calls, callcodes or delegatecalls from executing in The DAO and its child DAOs, so that the attacker cannot withdraw the funds once the 27-day window ends.

However, several voices are warning that other projects on the Ethereum network also have major vulnerabilities. In a report, Zikai Alex Wen and Andrew Miller, graduates of Cornell University and the University of Maryland, have described several vulnerabilities in Ethereum projects, including The DAO itself.

This is a hard blow for Ethereum; we will hopefully see the organizers' reaction and the measures taken to solve the problems that have surfaced today.

Sources: hackingdistributed, etherchain

