Ethereum vulnerability discovered, DAO put to the test

Rage Review: The DAO project raised $160 million in ether to invest in blockchain projects. Recently, community users discovered that the way developers were using smart contracts created a vulnerability in Ethereum contracts that affects the security of the DAO. Stephen Tual, founder of Slock.it, the open source software supplier for the DAO system, and other users released a fix the day after the vulnerability was discovered. The fix does not require Ethereum to change its codebase, nor does it threaten the security of DAO funds. In the end, whatever repair plan is used must be approved by DAO token holders, who can also take part in the review and repair process.

Translation: Annie_Xu

A vulnerability encountered by developers using ethereum has delayed a fix for The DAO, a distributed autonomous organization with $150 million to invest in blockchain-based projects.

Because there is no administrator or dedicated security team to review potential security threats, fixing vulnerabilities falls to the open source community, whose members are all people who have bought voting rights in the DAO with ether.

Although the identities of many of these individuals remain unclear, the process of detecting and fixing the system vulnerability has become the first real test of the DAO's structure and problem-solving approach.


Gossip

According to Peter Vessenes, founder of the Blockchain Foundation, the vulnerability was discovered last week when a GitHub user casually pointed out that the way some developers were implementing smart contracts written in ethereum’s Solidity language could lead to a horrific attack on wallet contracts.

Peter Vessenes

Vessenes' blog post on the issue subsequently attracted the attention of Reddit users associated with Maker DAO, which is built on the ethereum blockchain.

The blog post states that the vulnerability would allow attackers to empty certain types of accounts. It was first detected by Maker DAO and then discovered by a user named Eththrowa on the DAO member forum.

Eththrowa confirmed that the vulnerability also exists in the system of The DAO, which is built with open source software from Slock.it and is the largest distributed autonomous organization with $160 million in ether.

This blog post also attracted the attention of Slock.it founder Stephen Tual, who responded quickly with other forum members and released a link to fix the vulnerability a day later.

Stephen Tual

Tual later announced an upgrade to the project's software to fix this vulnerability, as well as theoretical attack vectors unrelated to the "recursive call" vulnerability.

The content of the blog post is as follows:

"We are grateful to the community for once again demonstrating that an open development process leads to rapid identification, isolation, and resolution of potential vulnerabilities, and that the vulnerability fix process leads to overall improvement in programming language design patterns."

Another blog post stated that the vulnerability would not threaten the security of DAO funds.


The Bigger Problem

Earlier this year, an unidentified person or organization launched the DAO, which was built with open source code and allows users to vote together to decide what projects to invest in and how to distribute the proceeds.

The bug nearly allowed the recipient to “exhaust his stake multiple times by recursively calling the contract.”

But Vessenes' blog post on Friday clarified that this recursive call not only reflects a flaw in the DAO, but also shows that some developers are writing smart contracts in the Solidity programming language the wrong way, and it detailed the technical characteristics of the vulnerability.

“An offensive recipient could potentially recursively call all public Solidity functions that are used to transfer funds or ‘call’ other contracts. This is not how Bitcoin works, so it may come as a surprise to unskilled Ethereum developers. The practical implication of this vulnerability is that each of your functions should be reentrant, meaning that if parts of them are called multiple times before completing, they will work fine.”


Repair

Taylor Gerring, a member of the Ethereum Foundation, said that Vessenes’ original description of the problem was accurate, and that the fix for the vulnerability did not require changes to the ethereum codebase.

Fixing this vulnerability requires developers to use a different implementation.

Taylor Gerring

The vulnerability “requires special attention as long as human programmers create problems,” but “it is not an inherent problem with Solidity or the Ethereum Virtual Machine (EVM), which are the scripting language and code parser that underpin the network.”

Vessenes offers two possible solutions.
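To make the "recursive call" problem from the previous section concrete, and to show why the fix only needs a different implementation rather than a change to Ethereum itself, here is an added toy model in Python. It is not Ethereum, not The DAO's code and not from Vessenes' post: balances are plain integers, the "external call" is a Python callback, and the account and amounts are constructed. The two hardened variants are this example's own assumption about what "a different implementation" looks like: updating the caller's balance before the external call, and a simple re-entry lock.

```python
"""
Constructed model of re-entrancy ("recursive call") in a withdraw function.
The recipient of a payment gets control in the middle of withdraw() and can
call it again before the first call has updated the caller's balance.
"""


class ReentrancyError(Exception):
    """Raised by the locked variant when withdraw() is re-entered."""


class VulnerableVault:
    """Pays the recipient first and only then zeroes the balance (wrong order)."""

    def __init__(self, balances):
        self.balances = dict(balances)        # credit per account
        self.pool = sum(balances.values())    # ether the contract actually holds

    def withdraw(self, account, recipient):
        amount = self.balances[account]
        if amount == 0 or amount > self.pool:
            return 0
        self.pool -= amount
        # External call: the recipient may call withdraw() again right here,
        # and self.balances[account] still shows the full amount.
        recipient(self, amount)
        self.balances[account] = 0            # too late: runs after the re-entry
        return amount


class HardenedVault(VulnerableVault):
    """Checks, then effects (state update), then the external interaction."""

    def withdraw(self, account, recipient):
        amount = self.balances[account]
        if amount == 0 or amount > self.pool:
            return 0
        self.balances[account] = 0            # state updated before the call
        self.pool -= amount
        recipient(self, amount)               # a re-entry now sees a zero balance
        return amount


class GuardedVault(VulnerableVault):
    """Keeps the wrong order but refuses any nested call (a re-entry lock)."""

    def __init__(self, balances):
        super().__init__(balances)
        self._locked = False

    def withdraw(self, account, recipient):
        if self._locked:
            raise ReentrancyError("withdraw re-entered")
        self._locked = True
        try:
            return super().withdraw(account, recipient)
        finally:
            self._locked = False


class ReenteringRecipient:
    """Models a recipient contract whose payment handler calls withdraw() again.

    max_depth stands in for the EVM's call-depth and gas limits, which are what
    eventually stop the recursion on the real network.
    """

    def __init__(self, account, max_depth):
        self.account = account
        self.max_depth = max_depth
        self.depth = 0
        self.received = 0

    def __call__(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                vault.withdraw(self.account, self)
            except ReentrancyError:
                pass                          # the nested call fails, like a revert
            self.depth -= 1


def run_scenario(vault_cls, max_depth=3):
    """Constructed scenario: account 'reentrant' holds 10 of a 100 pool.

    Returns (amount the recipient received, ether left in the pool,
    recorded balance of the withdrawing account).
    """
    vault = vault_cls({"reentrant": 10, "alice": 30, "bob": 60})
    recipient = ReenteringRecipient("reentrant", max_depth)
    vault.withdraw("reentrant", recipient)
    return recipient.received, vault.pool, vault.balances["reentrant"]


if __name__ == "__main__":
    for cls in (VulnerableVault, HardenedVault, GuardedVault):
        print(cls.__name__, run_scenario(cls))
```

With a credit of 10, the vulnerable vault pays out 40 because each nested withdraw() still reads the unreduced balance; both hardened variants pay exactly 10, and the recorded balance ends at zero in every case, which is why auditing the order of state update and external call (or the presence of a lock) is the check to make on any function that sends ether.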

Slock.it also proposed fixes to The DAO’s code to address concerns raised about the organization’s potential governance model.

In particular, it includes fixes for game-theoretic attacks such as the "yes bias," which arises because a token holder who votes no is put at a disadvantage. These were submitted as pull requests on GitHub.

Now we just have to wait for the DAO’s 23,000 members to approve the system changes or promote other solutions.

Tual wrote in a blog post on Slock.it:

"This is a completely open source project that can be started immediately. The observation period lasts for two weeks, and we encourage everyone, including managers, to review and participate."

