CRITICAL UPDATE Re: DAO Vulnerability

December 10, 2025
By ZadeNor AI Team

A Critical Update on the DAO Vulnerability: What You Need to Know

As the decentralized world of blockchain and cryptocurrency continues to evolve, a critical update has been issued regarding a vulnerability in the DAO (Decentralized Autonomous Organization). An attacker has exploited the vulnerability, draining ether from the DAO into a child DAO. This article covers the details of the attack, the proposed solution, and the implications for the Ethereum ecosystem.

The Attack: A Recursive Calling Vulnerability

The attack on the DAO exploits a recursive calling vulnerability: the attacker called the "split" function and then, from inside that call, called split again recursively. This allowed the attacker to collect ether many times over in a single transaction. The leaked ether currently resides in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490.
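To make the ordering problem concrete, here is a simplified Python model of a payout function that can be re-entered, next to the same function with the ledger updated before the payment. It is an added example, not the DAO's code or anything from the original post; `Vault`, `ReentrantHolder` and `run` are hypothetical names, and "update state before calling out" is a commonly used mitigation rather than advice quoted from this article.

```python
# Toy model of a recursive-call bug (added example; every name is hypothetical).

class Vault:
    """Holds pooled ether and a ledger of what each holder is owed."""

    def __init__(self, deposits, safe):
        self.credit = dict(deposits)        # holder name -> ether owed
        self.pool = sum(deposits.values())  # ether actually held
        self.safe = safe                    # True: update ledger before paying

    def split(self, holder):
        owed = self.credit.get(holder.name, 0)
        if owed == 0 or self.pool < owed:
            return
        if self.safe:
            # State change first: a nested split() now sees zero credit.
            self.credit[holder.name] = 0
            self.pool -= owed
            holder.receive(self, owed)
        else:
            # Payment first: the ledger is stale while the recipient's code
            # runs, so a nested split() is paid the same credit again.
            self.pool -= owed
            holder.receive(self, owed)
            self.credit[holder.name] = 0


class ReentrantHolder:
    """Recipient whose payment hook calls split() again, up to max_depth times."""

    def __init__(self, name, max_depth):
        self.name, self.max_depth = name, max_depth
        self.received, self.depth = 0, 0

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.split(self)


def run(safe):
    """One top-level split() by a holder owed 10 out of a pool of 100."""
    holder = ReentrantHolder("h1", max_depth=5)
    vault = Vault({"h1": 10, "h2": 90}, safe)  # constructed balances
    vault.split(holder)
    return holder.received, vault.pool
```

With the stale ledger the holder owed 10 leaves with 60 after a single top-level call; with the ledger updated first, the nested call finds nothing owed and the payout stays at 10.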

The Proposed Solution: A Software Fork

A software fork has been proposed to address the issue. Starting from block 1760000 (the precise block number is subject to change up until the point the code is released), any transaction that makes a call, callcode or delegatecall that reduces the balance of an account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (i.e. the DAO and its children) will be invalid: the whole transaction, not just the call. This will prevent the attacker from withdrawing the ether past the 27-day window.
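The rule above can be read as a per-transaction validity check. The following Python sketch applies it to constructed call traces; it is an added example, not Ethereum client code, and the trace layout, the account labels and the `tx_is_valid` function are assumptions made for illustration. Only the code hash and block number come from the article.

```python
# Added sketch of the proposed validity rule; not Ethereum client code.
DAO_CODE_HASH = "0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba"
FORK_BLOCK = 1760000  # from the article, which notes it may still change
GUARDED_OPS = {"CALL", "CALLCODE", "DELEGATECALL"}


def tx_is_valid(block_number, steps, code_hash_of):
    """Return False if any guarded operation in the transaction lowers the
    balance of an account whose code hash is DAO_CODE_HASH.

    steps: flattened call trace, one dict per operation (hypothetical layout):
        {"op": "CALL", "balance_delta": {account: signed balance change}}
    code_hash_of: account -> code hash (hypothetical lookup table).
    """
    if block_number < FORK_BLOCK:
        return True  # rule not active before the fork block
    for step in steps:
        if step["op"] not in GUARDED_OPS:
            continue
        for account, delta in step["balance_delta"].items():
            if delta < 0 and code_hash_of.get(account) == DAO_CODE_HASH:
                return False  # one offending call invalidates the whole tx
    return True


# Constructed sample data: account labels are placeholders, not real addresses.
CODE_HASHES = {"dao": DAO_CODE_HASH, "child_dao": DAO_CODE_HASH, "other": "0xaaaa"}

# A harmless outer call followed by a nested call that reduces a child DAO.
WITHDRAW_NESTED = [
    {"op": "CALL", "balance_delta": {"other": 0}},
    {"op": "CALL", "balance_delta": {"child_dao": -5, "eoa": 5}},
]
# Sending ether into the DAO raises its balance, so the rule does not apply.
DEPOSIT = [{"op": "CALL", "balance_delta": {"eoa": -5, "dao": 5}}]
# A contract with a different code hash is unaffected.
UNRELATED = [{"op": "CALL", "balance_delta": {"other": -5, "eoa": 5}}]
```

The nested case shows why the wording "not just the call, the transaction" matters: the offending call can sit anywhere in the trace and still invalidates everything around it.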

Miners and Mining Pools: Resume Normal Operations

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code, and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem.

DAO Token Holders and Ethereum Users: Remain Calm

DAO token holders and Ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Contract Authors: Be Cautious

Contract authors should be very careful about recursive call bugs and listen to advice from the Ethereum contract programming community that will likely be forthcoming in the next week on mitigating such bugs. Additionally, contract authors should avoid creating contracts that contain more than ~$10m worth of value, with the exception of sub-token contracts and other systems whose value is itself defined by social consensus outside of the Ethereum platform, and which can be easily "hard forked" via community consensus if a bug emerges (e.g. MKR).

Developers, Cryptographers, and Computer Scientists: Note the Opportunity

Developers, cryptographers, and computer scientists should note that any high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum are prime candidates for DevGrants, Blockchain Labs grants, and String's autonomous finance grants.

Forward-Looking Thoughts

The DAO vulnerability highlights the importance of security and robustness in smart contract development. As the Ethereum ecosystem continues to evolve, it is essential that developers, cryptographers, and computer scientists prioritize the development of high-level tools and best practices for ensuring the security and integrity of smart contracts. The proposed software fork is a critical step in addressing the issue, but it also serves as a reminder of the need for ongoing vigilance and cooperation within the Ethereum community.

Implications for the Future

The DAO vulnerability has significant implications for the future of smart contract development and the Ethereum ecosystem as a whole. It highlights the need for:

  1. Improved security protocols: The Ethereum community must prioritize the development of robust security protocols and best practices for smart contract development.
  2. High-level tools: The development of high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum is essential.
  3. Community cooperation: The Ethereum community must continue to cooperate and work together to address security issues and ensure the integrity of the ecosystem.
  4. Ongoing education and training: Developers, cryptographers, and computer scientists must prioritize ongoing education and training to stay up-to-date with the latest security protocols and best practices.

By prioritizing these areas, the Ethereum community can ensure a secure and robust ecosystem that supports the growth and development of decentralized applications and services.


Source: https://blog.ethereum.org/en/2016/06/17/critical-update-re-dao-vulnerability
