Via Ars Technica: Crypto anarchists’ dream of decentralized currency faces nightmare scenarios.
Imagine a $50 million diamond heist that isn’t investigated by any police body, and more than four days later, the broken vault that made the whole thing possible remains unfixed and suffers follow-on attacks by a group of marauding copycats. In essence, that’s what’s happening to an elite group of investors holding Bitcoin rival Ethereum, and the events threaten the very survival of the fledgling cryptocurrency.
The ransacked jeweler in this parable is The DAO, a crowdfunded investment fund that relies on highly specialized computer code and Ethereum to automatically execute investment decisions made by its members. On Friday, thieves exploited a software bug that allowed them to transfer more than 3.6 million “ether”—the base unit of the Ethereum currency—out of The DAO’s coffers. The digital loot made up more than a third of The DAO’s 11.5 million ether endowment. The seized booty is valued at anywhere from $45 million (based on the plummeting value of ether following the attack) to as high as $77 million (based on pre-attack exchange rates).
In the days following the theft, there have been at least a half-dozen copycat attacks (for instance, as documented here and here) that combined have purloined more than 785 ether. While the smaller attacks don’t pose the same devastating blow, they underscore a problem that’s vexingly hard to fix. As long as the flaw remains active, The DAO and the Ethereum currency are at risk of additional attacks that could further sink its viability. (Note: as this story was close to going live, there were indications that at least some of the follow-on attacks were being carried out by whitehat hackers who in essence are attempting to save Ethereum from itself.)
The bug resides in software functions individual investors use when cashing out of the fund. The attackers on Friday figured out that when a function called splitDAO() was called, it could be invoked again and again before setting an existing user’s balance to zero. Exploiting the flaw allowed attackers to repeat the process 30 times, effectively allowing an account with 50 shares to balloon to 1,500 shares. The attackers exploited a second bug that let them repeat the attack over and over. As Martin Koeppelmann, an entrepreneur and developer of an Ethereum-based startup called Consensus Systems, explained here:
The attacker managed to combine 2 exploits. The first exploit was to call the split DAO function recursively. That means the first regular call would trigger a second (irregular) call of the function and the second call would trigger another call and so on. The following calls are done in a state before the balance of the attacker is set back to 0. This allowed the attacker to split 20 times (have to look up the exact number) per transaction. He could not do more—otherwise the transactions would have gotten too big and eventually would have reached the block limit. This attack would already have been painful. However—what made it really painful is that the attacker managed to replicate this attack from the same two addresses with the same tokens over and over again (roughly 250 times from 2 addresses each). So the attacker found a second exploit that allowed to split without destroying the tokens in the main DAO. (They managed to transfer the tokens away before they get sent to address 0x0 and only after this they are sent back.) The combination of both attacks multiplied the effect. Attack one on its [own] would have been very capital intensive (you need to bring up 1/20 of the stolen amount upfront)—the attack two would have taken a long time.
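The ordering flaw described above, as an added example that is not code from The DAO or from the original article: a simplified Python model (all class and function names are hypothetical) in which the payout hands control to recipient code before the balance is zeroed, next to a version that zeroes the balance first. It uses the article's figures of 50 shares and 30 repeated calls.

```python
# Simplified model of the ordering flaw; not The DAO's contract code.
# Every name below is hypothetical and exists only for this illustration.

class Fund:
    """Toy fund: cashing out shares hands control to the recipient's code."""

    def __init__(self, reserves, hardened):
        self.reserves = reserves
        self.hardened = hardened
        self.shares = {}

    def cash_out(self, holder):
        owed = self.shares.get(holder, 0)
        if owed == 0 or owed > self.reserves:
            return
        if self.hardened:
            # Corrected order: record the effect first, then make the external call.
            self.shares[holder] = 0
            self.reserves -= owed
            holder.receive(self, owed)
        else:
            # Flawed order: the external call runs while the balance is still set.
            self.reserves -= owed
            holder.receive(self, owed)
            self.shares[holder] = 0


class ReenteringHolder:
    """Recipient whose payout hook calls cash_out again, up to max_calls in total."""

    def __init__(self, max_calls):
        self.max_calls = max_calls
        self.calls = 0
        self.received = 0

    def receive(self, fund, amount):
        self.received += amount
        self.calls += 1
        if self.calls < self.max_calls:
            fund.cash_out(self)  # re-entry: the fund has not finished the first call


def run(hardened, shares=50, max_calls=30, reserves=10_000):
    """Return (amount paid to the holder, reserves left in the fund)."""
    fund = Fund(reserves, hardened)
    holder = ReenteringHolder(max_calls)
    fund.shares[holder] = shares
    fund.cash_out(holder)
    return holder.received, fund.reserves
```

With the flawed order the 50-share holder is paid 1,500; with the balance zeroed before the external call, the second entry finds nothing owed and the payout stays at 50.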
The hacks pose an existential threat not only to The DAO but to the entire Ethereum currency. To avert the crisis, Ethereum officials have proposed rolling back the blockchain in a way that would invalidate the stolen ether. Such a “soft fork” of the Ethereum protocol would have to be approved by 51 percent of Ethereum miners in the form of a software update they would install on their servers. Ethereum founder Vitalik Buterin has said he supports such a plan, but in the same statement, he also recognized it would have to be supported by a majority of the miners, meaning it’s out of his hands.
The proposal has set off howls of dissent among some Ethereum proponents. They point out that Ethereum was designed to work with its own dedicated programming languages that allow it to work seamlessly with “smart contracts.” Such software-driven contracts allow for the automatic payment of funds when a set of detailed conditions are met. Fork opponents say the entire appeal of Ethereum is its decentralized nature that by design is supposed to be immune to control by banks, governments, or other powerful groups.
“If you have a mechanism for generic blacklists, you will see ‘blacklist subpoenas’ very soon,” Bitcoin observer Andreas Antonopoulos wrote on Twitter. “It’s a power that will be abused.”
Security researcher Rob Graham put it this way in a blog post published over the weekend: “I’m a crypto-anarchist. The entire point of cryptocurrencies [is] to get around corrupt humans. And that’s what trying to repair this problem is—corruption.” He went on to compare a rescue of The DAO to the taxpayer bailouts in 2008 of Wall Street financial institutions on the basis that they were considered too big to fail.
Koeppelmann, the Ethereum-based developer, said the attacker had the ability to deplete The DAO’s entire fund but stopped around the same time Ethereum officials went public with the theft. The attacker appears to have stopped by choice and not because of any technical consideration in the hack.
“We can assume that the hacker stopped for strategic reasons to make a community decision for a fork less likely,” Koeppelmann wrote. “However—the attacke[r] voted in other fork proposals as well—for more details have a look here.”
So far, there’s no indication of how many miners support the proposal to soft fork the Ethereum protocol. Whichever path they choose, it seems likely that the cryptocurrency has suffered a critical blow. If the rollback goes through, it will be hard for Ethereum proponents to argue that the currency is as decentralized or inviolable to self-interested meddling as was once claimed. And if the fork doesn’t happen, it’s anyone’s guess how well a currency still in its infancy will fare when one of its biggest hoards was amassed in such an unethical and unseemly way.