DAO hack sparks crypto-currency panic

The DAO, a virtual currency fund that relies on the ethereum blockchain, has suffered a sustained attack that has seen $50 million of Ether siphoned off, causing the price of the crypto-currency to plummet.

The DAO was created as a utopian, decentralised, venture capital-style smart contract, enabling participants to gain voting shares in exchange for ether. Those who buy into the fund are able to vote on project proposals submitted to the DAO by third-party contractors and share in the profits from the investment.

The fund had attracted huge interest in the crypto-currency community, swelling its coffers as enthusiasts jumped onboard and growing the value of the fund to about $134 million. News of the attack has sent shockwaves through the market, causing mass panic among holders of ether as exchanges ceased withdrawals, sending the value of the virtual currency plunging from $21 to $15 within hours of the attack.

A critical update from Ethereum explains the modus operandi of the unidentified hacker: "The attacker is currently in the process of draining the ether contained in the DAO into a child DAO," states Ethereum in a blog post that caused its website to crash as worried participants piled in. "The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction."

To prevent further damage, Ethereum is proposing the introduction of a hard fork that would effectively set the clock back to a date before the assault took place.

In the meantime, a soft fork is being introduced to prevent the attacker from spending the stolen loot.

"Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem," states the post. "DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH."

Comments: (8)

A Finextra member 17 June, 2016, 19:20

I don't even pretend to understand half of the technology in this article but I nonetheless find it very alarming. The fact that you can reset or turn back time within a blockchain seems to undermine the fundamental concept of an immutable record. This attack and similar hacks to come will raise doubts about the validity of crypto-currencies and the blockchain in general, not just this particular incident.

A Finextra member 18 June, 2016, 19:46

This is the sort of alarmist ignorance that we need to guard against. The DAO was a premature distributed application released without proper testing or audit or regulatory compliance being incorporated. The technology needs work but neither ethereum nor ether was hacked... only the application was. We need to make sure it does not set back the efforts of the community to evolve a robust architecture.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 19 June, 2016, 11:45

@KenOverholt + 1. Who is to decide whether DAO was a premature application released without proper testing? Why does the common man need to know the difference between ethereum and ether, let alone the difference between which of the two, or neither, was hacked? One moment, DAO had money. A moment later, DAO lost that money. If that kind of thing happens repeatedly, that's all the knowledge that the common man needs to have to lose faith in cryptocurrencies.

Juergen Rahmel - IETC Information Engineering Ltd - Hong Kong 20 June, 2016, 03:59

Should we be surprised? Here is what we knew so far:

Creating a universal infrastructure based on secret keys for all participants is hard - see the history of e.g. PKI.

Applying good cryptography is hard - the maths don't lie, but the issues always are with implementation, integration, endpoint security, the humans involved, etc.

Creating transaction systems with high availability, reliability, accessibility and security is hard – and it does not get easier when distributing part of that work to others.

Blockchain is a great and genius concept, but a highly non-trivial one and it is based on many foundations like the ones just mentioned. There is no solution to it, magically solving all problems that have plagued Banking IT and Security in the past decades.

Creating applications on top of any transaction system increases complexity even more and introduces new vulnerabilities outside the controllable area of the underlying transaction system (see the issue at hand here, or recent issues with SWIFT).

Widespread acceptance of such new FinTech by the 'common man' (as said by KS) will depend on the ability of the FinTech community to resolve such issues transparently as they appear. They will continue to appear.

Prevent, Detect, Respond. There is no 100% Prevention. Common wisdom, also valid for the Blockchain.

Russell Bell - Fastbase Ltd - Wellington 20 June, 2016, 04:34

Ken is right to be concerned at the prospect of a blockchain turning back time. Crypto-currency transactions are supposed to be final, immune to reversal regardless of community or political pressure.

The Ethereum developers are proposing a software change that they claim isn't a roll-back but observers (and the currency markets) aren't convinced; the value of an ether (Ethereum currency unit) has halved in the last few days to about 12 USD. However Ethereum isn't Bitcoin which remains solidly irreversible and is well-liked by the markets lately.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 June, 2016, 08:47

@JuergenRahmel + 1. I totally agree that "there is no 100% prevention". Problem with overzealous prevention strategies is that they tend to throw the baby out with the bathwater. Once the current VC-funded fintech exuberance fizzles out, fintech will realize that it is their responsibility to "resolve such issues transparently as they appear." and that trying to justify issues on the grounds of "trailblazing technology" is naive.

A Finextra member 20 June, 2016, 12:29

"There is no 100% prevention" - yes, that's true. But this is no excuse for being relaxed or fatalistic on IT security. Another - unfortunately not so common - wisdom is that it is very hard to build secure systems based on vulnerable platforms. It would be much better to avoid PC/smartphone technology commonly affected by malware when building critical systems where lives or lots of money are at stake. Looking at PCI DSS requirement 5.1.2 reveals that there are systems that are not commonly affected by malicious software.

Not every participating node in a blockchain-type system can be expected to be that robust versus malware, but it should be expected that a sufficient number of robust nodes holding the distributed ledger do protect its integrity versus malware attacks.

Russell Bell - Fastbase Ltd - Wellington 23 June, 2016, 22:50

For a robust analysis https://www.youtube.com/watch?v=_O5fdMFKEC0