Ethereum

Ethereum Markets Reeling After Security Fault Allows Massive Theft

The DAO, which uses Ethereum for decentralized venture capital investing, targeted in multi-million theft.


The community that buys, sells, and cares about the blockchain technology and alt-coin Ethereum is reeling this morning after a security vulnerability allowed a currently unknown thief to steal millions of Ethereum tokens from the DAO, a decentralized venture capital company built on Ethereum. The details of the DAO's structure and intentions were explained at Reason last month by Andrea Castillo. Before the price of Ethereum began to fall today in reaction to the news, the stolen tokens were worth nearly $80 million.


Vitalik Buterin of the Ethereum Foundation reports on what happened and how:

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the "split" function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

The leaked ether is in a child DAO….even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.
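The "recursive calling" bug Buterin describes is what is now usually called reentrancy: the contract pays out via an external call before it records that the payout happened, so the recipient's code can call back in and be paid again. The following toy model is an added example written for this article, not the DAO's own code; the `Contract`, `split`, and `MAX_DEPTH` names are constructed, and `MAX_DEPTH` stands in for the gas limit that eventually stops the recursion. It shows the buggy ordering beside the checks-effects-interactions ordering that prevents it.

```python
"""Toy model of the DAO-style recursive-call (reentrancy) bug.
Constructed example for illustration; not the DAO's or Ethereum's code.
Balances are plain integers; an "external call" is a Python callback that
the recipient controls and may use to call split() again."""

MAX_DEPTH = 8  # stand-in for the gas limit that eventually halts recursion


class Contract:
    """Holds members' balances plus the pool of ether actually on hand."""

    def __init__(self, effects_before_interaction: bool) -> None:
        self.balances: dict[str, int] = {}
        self.ether = 0
        # False reproduces the bug: the balance is zeroed only after the call.
        self.safe = effects_before_interaction

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def split(self, who: str, on_receive) -> None:
        """Pay out `who`'s balance through an external call to their code."""
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.ether:       # checks
            return
        if self.safe:
            self.balances[who] = 0                   # effects first
        self.ether -= amount
        on_receive(self, who, amount)                # interaction: may re-enter
        if not self.safe:
            self.balances[who] = 0                   # too late: re-entrant calls ran


def run_reentrant_caller(contract: Contract, deposit: int) -> int:
    """Deposit, then split with a receiver that re-enters; return ether obtained."""
    received = {"total": 0, "depth": 0}

    def on_receive(c: Contract, who: str, amount: int) -> None:
        received["total"] += amount
        received["depth"] += 1
        if received["depth"] < MAX_DEPTH:
            c.split(who, on_receive)                 # call back in mid-payout

    contract.deposit("caller", deposit)
    contract.split("caller", on_receive)
    return received["total"]


def demo() -> tuple[int, int]:
    """Return (ether drained from the buggy contract, ether paid by the fixed one)."""
    vulnerable = Contract(effects_before_interaction=False)
    vulnerable.deposit("others", 900)   # constructed pool of other members' ether
    drained = run_reentrant_caller(vulnerable, 100)
    hardened = Contract(effects_before_interaction=True)
    hardened.deposit("others", 900)
    paid = run_reentrant_caller(hardened, 100)
    return drained, paid
```

With a 100-unit deposit, the buggy ordering pays out 800 units (one per nested call until the depth limit), while the hardened ordering pays exactly the 100 deposited because the balance is already zero when the nested call arrives.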

Business Insider has a thorough account, including a discussion of the controversial idea of making a "hard fork" in the Ethereum blockchain that would essentially take it all back in time to before the theft happened. Jon Holmquist, the marketing director of bitcoin payment company GoCoin, told me in a phone interview this morning that the idea is probably already a non-starter in the community:

"You can't rollback and drag the whole of Ethereum into this mess," one community member said in Slack. "The fault is entirely with The DAO and not Ethereum, let the DAO sink and have done with it. Ethereum will recover, there's nothing wrong with Ethereum."

Quartz has more, including why these sorts of problems are not unique to cryptocurrencies:

there's a pretty good fiat-currency analogy to the DAO hack. The Bangladesh central bank had $81 million stolen from it in an online heist in February, after the SWIFT messaging network, which connects the world's major financial institutions, was exploited by attackers.

While the Bangladesh heist only came to light in March, as government officials began pointing fingers, the DAO theft can be watched in real-time. Here's the DAO's address on an ethereum blockchain explorer called Etherscan, and here's the address to which the apparent hacker is transferring funds. You can see the inflow of DAO funds into the attacker's wallet on this list. The last transfer, for 258 ether, took place about 90 minutes ago.

…..While the code governing the ethereum blockchain doesn't appear to have been compromised, the fact remains that the defenses of one of its largest pool of funds was breached…

The "rollback" scheme is also not unprecedented in the cryptocurrency world:

This isn't as crazy as it sounds. Bitcoin miners have performed at least one rollback, in 2010, to fix a technical glitch. But bitcoin was trading for pennies then, a far cry from the $11.5 billion-worth of bitcoin in circulation today. Ether at current prices is already worth serious money. All the ether in circulation today is valued at $1.3 billion.

Another question is whether a rollback dangerously undermines a cryptocurrency designed to be decentralized and beyond the control of any single party or group. [Stephan] Tual [from the company behind DAO] has an argument against that too. "You need to compare this to a central server of a bank, where they can just change numbers without anyone being aware," he says. "In this case, it's completely different. If all the miners come together and [do a rollback], it's a community action. And it's transparent, completely transparent."

A Reddit thread hooked off of Buterin's suggested fix is a good place to see interested parties debating the matter. Here are the technical details of Buterin's suggestion, which is merely a means of making sure that the tokens sent to the "child DAO" can't be spent, not a full "rollback" of the blockchain:

A software fork has been proposed, (with NO ROLLBACK; no transactions or blocks will be "reversed") which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will provide plenty of time for discussion of potential further steps including to give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Hacking Distributed has more good technical details on what happened to the DAO.

Here is where it seems the vulnerability may have been first publicly discussed.

Holmquist, marketing director at GoCoin, was not panicked about what this might mean for alt-coin or blockchain tech. He analogized it in some respects to the blow bitcoin took when its major exchange Mt. Gox had all its customers' coin stolen in 2014.

He meant this as a calming analogy, as something that the tech and market rolled past and continued to thrive.

But libertarians might note with alarm that the Mt. Gox theft led to some unneeded and harmful regulatory moves to "protect" the Btc market, such as New York's BitLicense.

While this may turn regulatory eyes toward the Ethereum market, it's hard to see now what regulatory solution could even potentially help in situations like this.

Getting involved in the DAO was clearly a risky move to begin with. Anyone paying attention to the DAO was well aware it was untested and unregulated and that buyers or investors should beware.

Right here at Reason last month Andrea Castillo, reporting on the DAO experiment, wrote: "This kind of corporate arrangement is untried and potentially quite vulnerable to unknown attack or programming errors. It is almost certainly illegal in many places throughout the world. And who in their right mind would entrust their personal capital in a loosely-defined autonomous system with no known creator?" (The article went on to explain why certain people would want to participate in such an experiment despite the risks.)

This Reason TV video from Jim Epstein has more on the essentially unregulatable nature of the Ethereum experiment:

Track today's market woes for Ethereum if you wish.

Reason on Ethereum.


  1. But libertarians might note with alarm that Mt. Gox theft lead to some unneeded and harmful regulatory moves to “protect” the Btc market such as New York’s BitLicense.

    So you’re saying that Chuck Schumer is behind this attack.

  2. You can’t fool me. None of this is real.

    1. “Draining the ether contained in the dao into a child dao” –I’m pretty sure this was a plot point in the final season of Avatar: The Last Airbender.

  3. Whatever happened to dogecoin? Did that ever become a thing?

    1. Here is a list of a number of cryptocurrencies and their trading history.

      1. That’s pretty cool, thanks for the linky.

        1. Actually, all I did was go to the Ethereum market link in the article and strip off the “ethereum” part 🙂

    2. dogecoin is still real, but I think it was always designed to be very nearly value-less. The fact that it has some value is in spite of the intent behind it. It was and is still a larf.

  4. I’m not going to read the article and just find some petty thing to complain about.
    (arches eyebrows at sugarfree)

    ah, but the whole thing is sort of a mess.

    You could pretty much skip 90% of the Professor-Frink-blather and just say, “another Mt Gox-happened”,

    and that it’s a type of setback which will probably continue to plague crypto-currency forever… which is why it will probably remain a niche. I’m not sure comparisons to Bangladesh help.

    1. I’m trying to visualize the perfect libertarian future where crypto currency reigns, and wondering how many competing currencies there would be, and whether it would matter. I don’t have any answers.

      1. I can see a future where cryptocurrency technology is widely used.

        I’m just skeptical that it will ever be in concert with any truly ‘free’, decentralized market. If it ever becomes significant enough to be more than a plaything, it will be coopted, and the law will follow.

  5. I’ve proposed my own block chain currency, called ‘Pimpcoin’. Backed by gold.

    1. I assumed it would be backed by pussy

      1. Pussy is perishable, but I suppose also renewable. Hmm.

      2. Of course I effed up my own joke: Backed by gold chains.

        If it drives, flies, floats or fucks, lease it.

  6. If it doesn’t affect the protocol, why the fuck are they bailing out this poorly-written experiment? Bitcoin has gone through substantial protocol-level changes since it was released but NEVER to “correct” an error of a third-party’s negligent utilization of the protocol.

    Next time, the engineers need to audit the code better and the investors need to do actual due diligence of the party they’re entrusting their hard-earned cash to.

    It’s not like this effective bail-out hasn’t destroyed the Ethereum market.

  7. My cryptocurrency is backed by nothing more than somebody’s willingness to accept it.

  8. The leaked ether is in a child DAO

    “Far out, man!” (Takes long bong hit.)

  9. Anyone wanna buy some electrons. I have some in the back of my van. Like new.

    1. Already got ’em, but thanks.

  10. As long as these “currencies” can be exchanged for goods and services they will have real value. I’m unaware of eth being used for commerce on a scale that justified the value and this hurts plenty. On the other hand my home has a computer, a bed, and a futon that were all exchanged for btc.

  11. So, here’s my idea: a cryptocurrency called BitStamp that can be used for low-spam email. Like, you spend it to send emails, you get it for receiving them, so it dicks over spammers and crazy aunts and keeps things balanced. It would need a way to whitelist or zero-out prices for preferred senders or services.

    It would be sort of like Bill Gates’ idea of a 1cent email tax, except without some asshole like Gates or Comcast getting rich, since most people would break even more or less.
