Ethereum has another security vulnerability: "solar-storm" may affect the entire network of smart contracts

Another vulnerability has been discovered in Ethereum’s smart contract scripting language Solidity, which could have an impact not only on The DAO but also on the entire Ethereum ecosystem.

Contracts in Ethereum usually make calls to each other. The community encourages this behavior in the hope of eventually achieving "complementarity" between smart contracts.

When an Ethereum contract calls another contract, it hands over control of execution, and its own state can be modified before the call returns. The vulnerability was discovered by Augur core developer Joey Krug and Gnosis co-founder Martin Köppelmann, and later published by Cornell University doctoral student Philip Daian and researcher Emin Gün Sirer.

This vulnerability is different from the reentrancy vulnerability that the DAO attacker exploited. Let's call it solar-storm (because it can cut off communication between Ethereum smart contracts, just as a solar storm can knock out communications equipment on Earth). Daian did not give the vulnerability a name when he published it, but he liked "solar-storm".

Solar Storms vs. Reentrancy

Prerequisites for the reentrancy vulnerability to occur:

  1. Contract A, function A calls contract B

  2. Contract B calls contract A, function A

Daian believes that even a simple call between contracts can expose a contract to this vulnerability.

Prerequisites for the solar-storm vulnerability to occur:

  1. Contract A calls any external contract

  2. The state of contract A is modified by an external function (this happens often)

So an example of the solar-storm vulnerability is:

  1. Contract A, function A calls contract B

  2. Another function C of contract A shares state with function A

  3. Contract B calls contract A, function C

To avoid exposing this vulnerability, we have two options:

(a) Prohibit contracts from making external calls

(b) Prohibit functions that share state with the function making the external call from being reachable through that call

It is impossible to fully enforce (b) in real use cases, so contracts should stop making external calls. If an external call must be made, make it last, after the function has finished updating its own state. Once the external call begins executing, the contract's state should no longer change.
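The pattern above (function A calls out while function C shares its state) and the recommended ordering, as an added Solidity example that is not from the original article; the vault contracts, function names and amounts are hypothetical:

```solidity
pragma solidity ^0.8.20;

// Vulnerable pattern (hypothetical example contract): withdrawAll()
// hands control to an external address while `balances` still holds
// the caller's pre-withdrawal value, and transfer() shares that state.
contract VaultVulnerable {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Function A: the external call happens BEFORE the state update.
    function withdrawAll() external virtual {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");  // external call
        require(ok, "send failed");
        balances[msg.sender] = 0;                          // updated too late
    }

    // Function C: shares `balances` with withdrawAll(). While the call
    // above is in flight, this function still sees the old balance.
    function transfer(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}

// Hardened version: checks, then effects (state update), then
// interactions (external call). The state transfer() reads is final
// before control leaves the contract.
contract VaultHardened is VaultVulnerable {
    function withdrawAll() external override {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction last
        require(ok, "send failed");
    }
}
```

The only difference between the two withdrawAll() bodies is the position of the state update relative to the external call; reviewing deployed contracts for that ordering is the check the article asks for.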

The solar-storm vulnerability is more widespread than the reentrancy vulnerability.

What does this mean?

Summary

The solar-storm vulnerability affects not only the DAO contract, but all Ethereum contracts. It is a vulnerability in the Ethereum programming language Solidity.

Ethereum contracts that have already been released may also be vulnerable. Developers need to review their contracts and take corresponding measures (moving funds, releasing new contracts, etc.).

Developers should be very careful about external calls in contracts they are about to release. Avoid external calls wherever possible until this vulnerability is completely fixed.

What to do next?

Recheck all published smart contracts. Use the Solidity compiler to detect the vulnerability. This vulnerability has not yet been widely publicized, so the Solidity documentation should be updated to inform others.
