Article

The hack that changed the blockchain perspective

So what happened?

An attack on “The DAO” took place on 17th June 2016. However, believe it or not, the developers did know of the vulnerability before that date (12th of June). One of the DAO’s creators, Stephan Tual, released a blog post where he explained that even though a recursive call bug exists in a similar smart contract framework (MakerDAO), the DAO is not at risk.

Whilst the developers were postponing the fix, the network was compromised and 3.6 million ETH (approximate $53 million at the time) were drained from the DAO. To put it into perspective, this was a third of its resources.

The whole hack took just a few hours and managed to put the developers into panic mode. To prevent the adversary from withdrawing his funds into real currency, Ethereum’s CEO, Vitalik Buterin proposed a soft fork (and later a hard fork), preventing The DAO from responding to anyone attempting to withdraw from it. While this action managed to contain the situation and keep the Ethereum’s ecosystem at peace, at the same time it also managed to agitate the community by making an exception for a contract even though it is supposed to be unbiased (i.e. breaking the fundamental platform rule).

This is the first in a series of posts explaining how new generation blockchains work and their impact on the industry.

What is Ethereum?

Ethereum is a decentralized platform that runs smart contracts and has been around for more than a year. It was co-founded by Vitalik Buterin (22 year old, Russian) and since then has been open sourced. The project has been strongly influenced by Bitcoin and for better or for worse it provides a lot more functionality. While the developers of Bitcoin started with N number of commands and then slowly decreased them, Ethereum, on the other hand, started with N2 and has been increasing them ever since.

While for Bitcoin it took 4 years to start growing exponentially (the first 3 years there were only 2 users), Ethereum had a much steadier growth. At this point in time it has more than 25 000 users and is the second most popular cryptocurrency behind bitcoin.

Ethereum excels at trusted computing in the truest sense that it is cryptographically verified and can be independently verified. The tools and services built on this technology could result in massive savings in compliance costs. It has also been working for over a year on replacing the slow and wasteful proof of work consensus formation algorithm with a proof of stake system with many better features. There is a wide choice of CLI/GUI tools and APIs available for joining the fun. Please feel free to check them out here.

What is a smart contract?

Wikipedia gives a pretty accurate description of it - "Smart contracts are computer protocols that facilitate, verify, or enforce the negotiation or performance of a contract, or that make a contractual clause unnecessary. Smart contracts usually also have a user interface and often emulate the logic of contractual clauses. Proponents of smart contracts claim that many kinds of contractual clauses may thus be made partially or fully self-executing, self-enforcing, or both. Smart contracts aim to provide security superior to traditional contract law and to reduce other transaction costs associated with contracting."

Solidity is roughly speaking, an object-oriented language designed for writing contracts in Ethereum. Contracts are (typically) small programs which govern the behaviour of accounts within the Ethereum state. These programs operate within the context of the Ethereum environment. Such accounts are able to pass messages between themselves as well as doing practically Turing complete computation. A contract in the sense of Solidity is a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain. 

What is an Ether?

Ethereum uses a digital currency called Ether (ETH), a variation of Bitcoin, to pay for transaction fees and computational services. Currently it is traded on cryptocurrency exchange desks just like any other virtual currency. At the time of this writing the price of 1 ETH is $11, which is considerably lower than it was before the attack. It was peaking at $20.64, which indicates 47% drop.

What is The DAO?

The Decentralised Autonomous Organisation (DAO) is essentially a large crowdfunded investment fund where no decision can be taken without everybody agreeing to it. Users buy as many DAO tokens (votes) as they want using their Ether and if someone else wants to invest money into a certain project or pay for something, they will need to submit proposals, and then depending on the vote of the people with DAO tokens it would be decided whether the investment is approved or not.

Please note that, “The DAO” is the name of a particular DAO (many other exist in the blockchain). It is created by the team behind German startup Slock.it and it successfully raised over $100 million by 15th May, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150 million from more than 11 000 members.

Base use case of The DAO

  1. A group of people writes the smart contracts that will run the organization
  2. There is an initial funding period, in which people add funds to the DAO by purchasing tokens that represent ownership – this is called a crowdsale, or an initial coin offering (ICO) – to give it the resources it needs
  3. When the funding period is over, the DAO begins to operate
  4. People then can make proposals to the DAO on how to spend the money, and the members who have brought DAO tokens can vote to approve these proposals

It’s important to understand that great care has been taken not to make these tokens into equity shares – they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone – it’s just software running on the Ethereum network.

How did attack work?

Whenever a member of the DAO decides they want to exit the investment scheme (sell their DAO tokens) and get their Ether back, they do so by calling the function splitDAO (the code is taken from the official github in a format prior the attack).

function splitDAO(
    uint _proposalID,
    address _newCurator
) noEther onlyTokenholders returns (bool _success) {
    ...
    // Move ether and assign new Tokens.
    uint fundsToBeMoved = (balances[msg.sender] * p.splitData[0].splitBalance) /
    p.splitData[0].totalSupply;
    
    // This is the line the attacker wants to run more than once.
    if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false)
        throw;
    ...
    // Burn DAO tokens.
    Transfer(msg.sender, 0, balances[msg.sender]);
    // Get his rewards.
    withdrawRewardFor(msg.sender); 
 
    // This is done at the end...
    totalSupply -= balances[msg.sender];
    balances[msg.sender] = 0;
    paidOut[msg.sender] = 0;
    return true;
}

The basic idea is this: propose a split, execute the split. The propose requires a minimum of 7 days before it executes, so this indicates that the attacker has taken action on 10th June (a day after a personal blog explained this type of vulnerability). After the propose has been accepted The DAO goes to withdraw the reward, at this point the attacker calls the function to execute a split before that withdrawal finishes. The function will start running without updating the balance, and line 11 will run more than once. Recursion 101.

This then led to a cycle of the transaction repeating itself over and over again, transferring Ether to the attacker each time. In theory, this meant that the hacker could initiate the splitDAO function repeatedly until the entirety of the tokens stored on the DAO had been drained. No one knows with certainty why the attacker stopped just after taking one third of the funds. Some people speculate that he did so to not give enough reason for a fork of the blockchain.

The first thing the attacker needed to do to pave the way for his success (working exploit) was to run the withdraw function. Let’s look at the code:

function withdrawRewardFor(
address _account
) noEther internal returns (bool _success) { // We need to get false here. if ((balanceOf(_account) * rewardAccount.accumulatedInput()) / totalSupply < paidOut[_account]) throw; uint reward = (balanceOf(_account) * rewardAccount.accumulatedInput()) / totalSupply - paidOut[_account]; // Vulnerable function. if (!rewardAccount.payOut(_account, reward)) throw; // Done a bit too late. paidOut[_account] += reward; return true; }

If the hacker could get the first if statement (line 5) to evaluate to false, the statement marked vulnerable (line 11) would run. Afterwards the payOut function would be called:

function payOut(
address _recipient,
uint _amount
) returns (bool) { // We need to get false here. if (msg.sender != owner || msg.value > 0 || (payOwnerOnly && _recipient != owner)) throw; // Vulnerable function. if (_recipient.call.value(_amount)()) { PayOut(_recipient, _amount); return true; } else { return false; } }

That vulnerable line would then send a message from The DAO’s contract to “_recipient” (the attacker). “_recipient” would of course contain a default function, which would call splitDAO again with the same parameters as the initial call from the attacker. Remember that because this is all happening from inside withdrawFor from inside splitDAO, the code updating the balances in splitDAO hasn’t run yet. So the split will send more tokens to the child DAO, and then ask for the reward to be withdrawn again. Which will try to send tokens to “_recipient” again, which would again call split DAO before updating the balances array. You get the point…

NOTE: The .call function could be considered similar to javascript’s eval and therefore is pretty dangerous when calling untrusted code. It’s actually mentioned in the docs as a function which needs to be avoided.

The implemented mitigations

Whilst you would think that the sane, sensible thing to do would be to undo the hacker’s transactions and return the Ether to all the users’ accounts, this goes against the way decentralised cryptocurrencies are meant to work.

Point of note is that when you decide to exit the investment fund, the DAO makes you wait 27 days before you can withdraw your money, so the hacker couldn’t actually use the money for almost a month anyway. However, no one wants to be ripped off, which is why Vitalik decided to make a “soft fork” to lock up all the Ether inside the DAO.

The problem is that the entire principle of cryptocurrencies is to get around the corruption inherent in human nature, whereby the DAO’s code is the contract and cannot be reinterpreted by humans. Miners add transactions to the network by running the mining software on their computers, and it is designed so that no one person can make a decision without collective approval.

By changing the code to prevent the theft, this causes a “fork” in the blockchain, so the miners who run the software as they have done in the past are on one blockchain, while the miners who update their software to make the hack impossible are essentially working on a completely different blockchain. And if at least 51% of all the miners do not agree to all update to the new software, the existing blockchain would have been broken.

Shortly after Vitalik took the extreme precautions (on 18 June), the hacker posted a carefully worded message on pastebin where the emphasis was placed on the fact that the “attack” wasn’t against any of Ethereum’s terms and conditions and that the developers don’t have the right to deny his request for funds withdraw. The content of the message could be found below:

To the DAO and the Ethereum community,

 

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of “child DAOs”.

 

I am disappointed by those who are characterizing the use of this intentional feature as “theft”. I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

 

“The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation.”

 

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also the in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

 

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.

 

I hope this event becomes a valuable learning experience for the Ethereum community and wish you all the best of luck.

 

Yours truly,
“The Attacker”

Even before the attack, several lawyers raised concerns that The DAO overstepped its crowdfunding mandate and ran afoul of securities laws in several countries. By keeping unreasonable amount of money in one address the developers provided this single point of failure. The Lawyers also pointed to its creators as potentially liable for any problems that may occur, and several expressed concern that token holders of The DAO were accepting responsibility they were likely unaware of. The DAO exists in a grey area of law and regulation.

The idea is that since The DAO is decentralised, there are no terms of conditions or governing laws, so the hacker using this feature, considers the 3.6 million ETH to be a “reward” from The DAO (see Legal experts examine the DAO attack and Ethereum fork).

Aftermath of the attack

One thing is for sure, Ethereum took a huge blow. The repercussions on the currency and the whole infrastructure have been devastating, as could be seen from the graph below:

Capture

Below is the patch which could have prevented the attack:

Capture2

Cryptocurrency magazine Cryptocoins News had an exclusive interview with someone who claimed to be the hacker, there he kindly explained that he would be willing to pay the miners one million ETH (about $12 million) if they agree not to update to the newest version of the software.

As of as of 20th July 2016 the Ethereum members successfully completed a hard fork and as such the attack has been mitigated. Enough people have moved to the new blockchain and the vote for the hacker’s transactions has been discarded. Still, it was a good example of how a whole infrastructure could be blown away in a couple of hours and the effect it has on its community.

If you would try to install a GUI client version of Ethereum these days you would be presented with the following message:

Capture3

Last thoughts

The technological dream for Ethereum is a scalable blockchain platform, securing trustless interactions on the internet. On a much larger scale, there is a vision of a more agile society, responding to needs at a local level, enabled by the low-cost coordination of blockchains. Ethereum was believed to inherently resist censorship, even by a majority of its miners. This has changed.

Seen on its own, the proposal was reasonable. It was a one-time fix to a one-time (big) problem. But many people don’t see it that way. In the period of the fork (and after) the community didn’t stay silent. There was a strong presence on the official website and social forums, where people raised their concerns.

Some of the comments are included below:

The involvement of the ethereum foundation in the DAO has been and is a mistake. As I see it ethereum is supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom, and in order for them to blossom they need a foundation that is strong, and that has integrity in the face of challenges. The hard fork proposal is a compromise that ruins that integrity and signals that projects like the DAO can influence the underlying foundation to their own advantage. To me that is totally unacceptable and is a departure from the principles that drew me to ethereum.

The fact that the Ethereum Foundation has been involved and promoted the fork for The DAO project sake, has been an error and it only weakened the trust that people have in Ethereum as a foundational infrastructure for other projects.

Other comments as the one below also started to arise:

I made a bad contract in the first days ETH was online and lost 2K ETH with it, can I also get it back? Thanks!

The problem with statement above is that the person is right. Do we have to start to do a hard fork every time something like this happens or someone makes a mistake, or is this only allowed when a project in which Vitalik is personally involved gets in trouble?

And last one:

Ethereum worked exactly as intended. I don’t believe software should be updated when it works exactly as intended. You assume the risks of your investment. If you don’t understand your investment, you assume unknown risk. Anything else is a bailout by a central authority, i.e. the antithesis of the crypto world. In a related way, this is why Lehman Brothers was allowed to fail – because the deal is the deal, and if you bend the rules for a particular player, all other players will want special treatment, too.