Attack
INCOMPLETE
Potential attacks
Recursive call
Recursive calling vulnerability or race to empty is is the kind of attack seen on Friday 2016-06-17. Here is what happens:
The attacker exploits the fact that when a contract sends ether to another contract it also executes the code in the destination contract. If the destination contract is malicious, it could try to ask the first contract to send the money again. If the first contract does not update the balances before sending, the attacker is allowed to withdraw several times a single amount
The process is draining the ether contained in the DAO into a child DAO.
The dao exploit followed this pattern: propose a split. Execute the split. When the DAO goes to withdraw your reward, call the function to execute a split before that withdrawal finishes. The source code, TokenCreation.sol, transfers tokens from the parent DAO to the child DAO. Basically the attacker is using this to transfer more tokens than they should be able to into their child DAO.
In essence, a call that looks like a regular call can easily be turned into a recursive call, and unless the application is coded very carefully, it can be used to make multiple withdrawals when only one should be allowed.
Callstack depth limit
Send with throw
Race to empty
Unchecked send
Re-entrancy
Loss of state
Copycat
Solutions
Soft fork
A Softfork is a minor, temporary alteration to the protocol wherein only previously valid blocks/transactions are made invalid. Since old nodes will recognize the new blocks as valid, a softfork is backward-compatible
Basically, it requires only the acquiescence of implementors and miners and need have no long-term repercussions, neither in terms of the code-bases nor in terms of the protocol spec.
In case of the 06-17 attack, this would freeze all ether in The DAO. Basically, because the attackers were continuing draining ethers from the DAO community, an independent group of the ‘good guys,’ so-called Robin Hoods, made a counter-attack and hold over 7 million Ether on DAO's own child DAO, waiting to be rescued. The attacker, as well as anybody else, would not be able to withdraw any funds from any DAO.
Hard fork
The hard fork would mean rolling all the transactions back to a point before the theft.
Move all funds from contracts with the code hash 7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba to a new contract “RefundDAO”, replace the contract at the main DAO with a simple refund contract with only one function. But, as Patrick Murck, a lawyer and researcher at Harvard University’s Berkman Center says:
“The contract is the code, it's unstoppable code, it's unbreakable, it's self-executing and autonomous — right up until everything goes wrong. And then, 'No no no no, that's theft!' Which is some social norm that we've attached to it that's not based in the code, and then we're going to stop the whole system and basically bail it out. Is this something we're going to do every time a smart contract fails? Or is this just because there are a lot of [Ethereum] insiders in The DAO?"
Study case: the 2016-06-17 attack
The attack
An attacker (the hacker) has stolen more than 3.5mm ether (around $45mm) from the DAO on June 17. In short, the attacker found a loophole in the regular splitDAO function so that they could reuse the same DAO tokens over and over again. The attacker managed to combine 2 exploits. The first exploit was to call the split DAO function recursively. That means the first regular call would trigger a second (irregular) call of the function and the second call would trigger another call and so on. This allowed the attacker to split 20 times (have to look up the exact number) per transaction. He could not do more - otherwise the transactions would have gotten too big and eventually would have reached the block limite. Then, the attacker managed to replicate this attack from the same two addresses with the same tokens over and over again (roughly 250 times from 2 addresses each). So the attacker found a second exploit that allowed to split without destroying the tokens in the main DAO.The vulnerability was the Race To Empty or Recursive Call attack. In case you want to read more in the details, the attack is very well described here.
The soft-fork
The evening of the attack, the Ethereum Foundation has asked the community, essentially the miners, to decide on whether they want to soft-fork, or freeze, the funds of the hacker. A soft-fork to freeze the hacker’s child DAO would buy the community more time to decide on a more permanent course of action, whether it is to hard-fork to return the funds, to freeze the funds indefinitely, to “negotiate” or extort the hacker to return most of the funds, or to let the hacker keep the funds. If the majority of miners decides to do so it would be impossible for everyone to move ETH from every "theDAO" version. So it would affect the main "theDAO" and all the splits - including the regular and the malicious one.
An upgrade of both widely used Ethereum clients geth and parity will give the miners the power to support or not the soft-fork. Specifically, the upgrade would make it so that miners running the new software won’t be able to accept transactions from blacklisted addresses affiliated with the troubled fund.
The proposed patch works by giving miners the opportunity to flag that they support the soft fork, and then use their clients to lower a metric called the 'block gas limit', which puts a cap on the amount of gas (an element of ethereum transactions) that can be included in a block.
Miners, which compete to add new transaction blocks to the network, can already change their own block gas limits, but in this specific case, the mechanism allows for a form of miner-based voting to be held on ethereum. Once the network reaches block 1,800,000, if the overall network is below a threshold of 4m gas per block, the soft fork will activate.
A few days before the soft-fork was supposed to happen, it became obvious that there was a potential DoS attack vector which could have proved a significant issue for the ethereum network as a whole. The mining community reacted quickly and we saw an almost immediate swing in the gas limit to above the 4 million limit (equal to or below which would have triggered the soft fork); so June 30th has been and gone with no soft fork activation.
The hard-fork
The proposed hard fork solution will replace the code of The DAO and any child DAOs with a simple withdraw only contract; allowing DAO token holders to withdraw their relative portion of the ether held by The DAO into their ethereum address.
Drawbacks
But such an action undermines the stated premise of Ethereum. As stated in its status, “Ethereum is a decentralized platform for applications that run exactly as programmed without any chance of fraud, censorship, or third-party influence” - ethereum.org. Obviously going for a fork, even a soft one, is a difficult decision.
Robin Hood group
See also
- frozeman blog: confusion on the dao attack
- Analyse of the dao exploit
- Peter Borah: strategies for fault-tolerant smart contracts
- Contract security and design patterns
- medium.com: the attack story