The price of Ether dropped substantially today after news broke of an ongoing cyber-attack on the DAO platform, from which crooks managed to steal more than $50 million in Ether, a third of the platform’s total funds.
DAO stands for Decentralized Autonomous Organization, and is a mix between Wall Street and Kickstarter: an organization that allows users to pool money and make investments via “smart contracts.” Users put Ether crypto-currency in the DAO and then vote on whether or not to approve each smart contract’s investment.
The platform launched at the start of June, and it raised over $130 million in Ether funds.
DAO platform hacked via publicly disclosed bug
According to Vitalik Buterin, creator of Ethereum (the network behind the Ether crypto-currency) and one of the people behind the DAO, the DAO has suffered a cyber-heist that allowed an unknown party to steal over $50 million in Ether from the DAO’s funds.
For the past day, the attacker has been quietly siphoning money from the main DAO wallet to a child DAO fund.
A day earlier, Zikai Alex Wen and Andrew Miller had published their findings on a bug in the DAO platform that allowed the function responsible for sending Ether to be called recursively.
The researchers found that they could create a crash state in the send-funds process that would enable attackers to collect more funds than they were entitled to. The DAO staff detected the attack soon after. Here is Buterin’s explanation for the cause of the attack:
“The attack is a recursive calling vulnerability, where an attacker called the ‘split’ function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.”
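To make the recursive-calling flaw concrete, here is a small Python model added for this article; it is not DAO or Ethereum code, and the ledger, account names and amounts are constructed. It contrasts three orderings of the same withdraw operation: paying out before updating the balance (the pattern Buterin describes), updating the balance before paying out, and rejecting any call that arrives while a withdrawal is still in progress.

```python
"""Toy model of a re-entrant withdraw (constructed example, not DAO code).

In a smart contract, sending Ether hands control to the recipient, which
can call back into the sender before the sender has recorded the payment.
"""


class Ledger:
    """Per-account balances plus a `vault` holding the total Ether on hand."""

    def __init__(self, funds, update_first=False, guarded=False):
        self.balances = dict(funds)
        self.vault = sum(funds.values())
        self.update_first = update_first  # record debit before sending
        self.guarded = guarded            # reject nested withdrawals
        self._in_withdraw = False

    def _send(self, amount, on_receive):
        """Models the external call: move Ether, then run recipient code."""
        self.vault -= amount
        on_receive()

    def withdraw(self, who, amount, on_receive):
        if self.guarded:
            if self._in_withdraw:
                raise RuntimeError("re-entrant call rejected")
            self._in_withdraw = True
        try:
            if self.balances[who] < amount:
                raise ValueError("insufficient balance")
            if self.update_first:
                # Checks, then effects, then interaction: the balance is
                # already debited when the recipient regains control.
                self.balances[who] -= amount
                self._send(amount, on_receive)
            else:
                # Vulnerable ordering: the balance check above still passes
                # for every nested call because the debit happens last.
                self._send(amount, on_receive)
                self.balances[who] -= amount
        finally:
            self._in_withdraw = False
        return amount


def run_scenario(update_first, guarded, reentries):
    """Return (ether_lost_by_vault, final_balance_of_caller).

    The caller holds 1 unit in a vault of 10 and re-enters `withdraw`
    up to `reentries` times from inside the payout callback. A failed
    nested call is swallowed, as a failed inner call would be on-chain.
    """
    ledger = Ledger({"alice": 9, "mallory": 1}, update_first, guarded)
    depth = 0

    def on_receive():
        nonlocal depth
        if depth < reentries:
            depth += 1
            try:
                ledger.withdraw("mallory", 1, on_receive)
            except (ValueError, RuntimeError):
                pass  # nested call reverted; outer call continues

    before = ledger.vault
    ledger.withdraw("mallory", 1, on_receive)
    # A negative balance here corresponds to an unsigned underflow on-chain.
    return before - ledger.vault, ledger.balances["mallory"]


if __name__ == "__main__":
    print("payout before debit:", run_scenario(False, False, 4))
    print("debit before payout:", run_scenario(True, False, 4))
    print("re-entrancy guard:  ", run_scenario(False, True, 4))
```

With the payout-first ordering, one entitlement of 1 unit drains 5 units from the vault and leaves the caller’s recorded balance at -4; either of the other two orderings limits the loss to the 1 unit actually owed.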
Buterin says that because DAO smart contracts have a minimum period of 30 days, the attacker can’t collect his funds until the contract expires, which is in 27 days.
DAO staff plans to pull the rug from under the attacker’s feet
Because the DAO staff has ample time to mitigate the attack, it plans to literally pull the rug from under the attacker’s feet by changing the DAO source code itself.
DAO engineers said they first intend to launch a “soft fork” of the DAO source code which will allow them to invalidate any transactions made with the attacker’s code hash (signature). Only the crooks’ transactions will be rolled back this way, and the other DAO operations will remain standing.
At a later point, the team plans a “hard fork” that will return the stolen Ether funds to their rightful owners.
Despite their mitigation strategy, the impact of the news was felt in the general Ether-Dollar exchange rate, which dropped from $21 to $16 in a matter of minutes. At this point, trust in the DAO is at an all-time low.
… but will shut down for good later on
Later today, one of the DAO creators, Stephan Tual, announced on the DAO Slack channel that the DAO will be shut down.
“The DAO will be wound down completely and transformed into a simple contract where you can only withdraw. It’s shutting down but as no ether was stolen and no ether was spent, nothing was lost.”
Problems with the DAO platform aren’t new. Just a day before the platform launched officially, a group of researchers detailed several of them. Their findings were .