
DAO hack sparks crypto-currency panic

17 June 2016

The DAO, a virtual currency fund that relies on the ethereum blockchain, has suffered a sustained attack that has seen $50 million of Ether siphoned off, causing the price of the crypto-currency to plummet.

The DAO was created as a utopian decentralised venture capital-style smart contract, enabling participants to gain voting shares in exchange for ether. Those who buy into the fund are able to vote on project proposals submitted to the DAO by third party contractors and share in the profits from the investment.

The fund had attracted huge interest in the crypto-currency community, swelling its coffers as enthusiasts jumped onboard and growing the value of the fund to about $134 million. News of the attack has sent shockwaves through the market, causing mass panic among holders of ether as exchanges ceased withdrawals, sending the value of the virtual currency plunging from $21 to $15 within hours of the attack.

A critical update from Ethereum explains the modus operandi of the unidentified hacker: "The attacker is currently in the process of draining the ether contained in the DAO into a child DAO," states Ethereum in a blog post that caused its website to crash as worried participants piled in. "The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction."
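The recursive call described in the Ethereum post can be modelled outside any blockchain. The Python sketch below is an added illustration, not The DAO's contract code: the class and method names are hypothetical and the balances are constructed. It contrasts a payout routine that hands control to the recipient before recording the payout with one that records it first, and checks the fund's accounting invariant after each run.

```python
class Fund:
    """Toy fund: holds ether and pays a participant's share on split()."""

    def __init__(self, record_before_call):
        self.record_before_call = record_before_call
        self.shares = {}   # participant -> ether owed
        self.pool = 0      # ether actually held

    def deposit(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + amount
        self.pool += amount

    def split(self, who):
        amount = self.shares.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.record_before_call:
            self.shares[who] = 0       # hardened: record payout first
        self.pool -= amount
        who.receive(self, amount)      # recipient's code runs here
        if not self.record_before_call:
            self.shares[who] = 0       # flawed: recorded only after the call

    def books_balance(self):
        # Invariant worth monitoring: ether held equals ether owed.
        return self.pool == sum(self.shares.values())


class Recipient:
    def __init__(self, reenters):
        self.reenters = reenters
        self.received = 0

    def receive(self, fund, amount):
        self.received += amount
        if self.reenters:
            fund.split(self)           # call split again inside the split


def run(record_before_call):
    fund = Fund(record_before_call)
    honest, reentrant = Recipient(False), Recipient(True)
    fund.deposit(honest, 90)           # constructed balances
    fund.deposit(reentrant, 10)
    fund.split(reentrant)
    return reentrant.received, fund.pool, fund.books_balance()


if __name__ == "__main__":
    print("flawed  :", run(False))
    print("hardened:", run(True))
```

In the flawed ordering the re-entering recipient is paid its 10-ether share ten times and the books no longer balance; recording the payout before the external call limits it to a single payment.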

To prevent further damage, Ethereum is proposing the introduction of a hard fork that would effectively set the clock back to a date before the assault took place.

In the meantime, a soft fork is being introduced to prevent the attacker from spending the stolen loot.

"Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem," states the post. "DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH."

Comments: (8)

A Finextra member | 17 June, 2016, 19:20

I don't even pretend to understand half of the technology in this article but I nonetheless find it very alarming. The fact that you can reset or turn back time within a blockchain seems to undermine the fundamental concept of an immutable record. This attack and similar hacks to come will raise doubts about the validity of crypto-currencies and the blockchain in general, not just this particular incident.

2 thumb ups!

Ajit Tripathi - PwC - London | 18 June, 2016, 19:46

This is the sort of alarmist ignorance that we need to guard against. The DAO was a premature distributed application released without proper testing or audit or regulatory compliance being incorporated. The technology needs work but neither ethereum nor ether was hacked... only the application was. We need to make sure it does not set back the efforts of the community to evolve a robust architecture.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 19 June, 2016, 11:45

@KenOverholt + 1. Who is to decide whether DAO was a premature application released without proper testing? Why does the common man need to know the difference between ethereum and ether, let alone the difference between which of the two, or neither, was hacked? One moment, DAO had money. A moment later, DAO lost that money. If that kind of thing happens repeatedly, that's all the knowledge that the common man needs to have to lose faith in cryptocurrencies.

Juergen Rahmel - IETC Information Engineering Ltd - Hong Kong | 20 June, 2016, 03:59

Should we be surprised? Here is what we knew so far:

Creating a universal infrastructure based on secret keys for all participants is hard - see the history of e.g. PKI.

Applying good cryptography is hard - the maths don't lie, but the issues always are with implementation, integration, endpoint security, the humans involved, etc.

Creating transaction systems with high availability, reliability, accessibility and security is hard – and it does not get easier when distributing part of that work to others.

Blockchain is a great and genius concept, but a highly non-trivial one and it is based on many foundations like the ones just mentioned. There is no solution to it, magically solving all problems that have plagued Banking IT and Security in the past decades.

Creating applications on top of any transaction system increases complexity even more and introduces new vulnerabilities outside the controllable area of the underlying transaction system (see the issue at hand here, or recent issues with SWIFT).

Widespread acceptance of such new FinTech by the 'common man' (as said by KS) will depend on the ability of the FinTech community to resolve such issues transparently as they appear. They will continue to appear.

Prevent, Detect, Respond. There is no 100% Prevention. Common wisdom, also valid for the Blockchain. 

 

3 thumb ups!

Russell Bell - Fastbase Ltd - Wellington | 20 June, 2016, 04:34

Ken is right to be concerned at the prospect of a blockchain turning back time.  Crypto-currency transactions are supposed to be final, immune to reversal regardless of community or political pressure.

The Ethereum developers are proposing a software change that they claim isn't a roll-back but observers (and the currency markets) aren't convinced; the value of an ether (Ethereum currency unit) has halved in the last few days to about 12USD.  However Ethereum isn't Bitcoin which remains solidly irreversible and is well-liked by the markets lately.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 20 June, 2016, 08:47

@JuergenRahmel + 1. I totally agree that "there is no 100% prevention". Problem with overzealous prevention strategies is that they tend to throw the baby out with the bathwater. Once the current VC-funded fintech exuberance fizzles out, fintech will realize that it is their responsibility to "resolve such issues transparently as they appear." and that trying to justify issues on the grounds of "trailblazing technology" is naive.

A Finextra member | 20 June, 2016, 12:29

"There is no 100% prevention" - yes, that's true. But this is no excuse for being relaxed or fatalistic on IT security. Another - unfortunately not so common - wisdom is that it is very hard to build secure systems based on vulnerable platforms. It would be much better to avoid PC/smartphone technology commonly affected by malware when building critical systems where lives or lots of money are at stake. Looking at PCI DSS requirements 5.1.2 reveals that there are systems that are not commonly affected by malicious software.

Not every participating node in a blockchain-type system can be expected to be that robust versus malware, but it should be expected that a sufficient number of robust nodes holding the distributed ledger do protect its integrity versus malware attacks. 

Russell Bell - Fastbase Ltd - Wellington | 23 June, 2016, 22:50

For a robust analysis https://www.youtube.com/watch?v=_O5fdMFKEC0

1 thumb up!