The DAO Eliminates Vulnerability That Allowed Endless Withdrawals from Some Accounts

A vulnerability in the way some developers implement the Ethereum protocol has created a need to fix The DAO. The first decentralized venture foundation holds around $165 million raised during its recently closed crowdsale campaign.

The need to fix mistakes in code is hardly a shock. In The DAO’s case, however, the situation is somewhat unique, as the organization lacks any formal leader or security team that could have identified and eliminated possible threats. The full responsibility for that is therefore borne by the community of members who bought their right to vote during the crowdsale.

Considering that the identities of the investors are not always known, the way the vulnerability was detected and eliminated may be considered the first serious test for The DAO’s entire ecosystem.

According to CoinDesk, the problem became known last week when GitHub user chriseth noted the possibility of an attack on wallet contracts arising from how smart contracts written in Solidity are implemented.

Peter Vessenes, founder of the Bitcoin Foundation, also discussed the matter in his blog, which drew the attention of a Reddit user associated with Maker DAO, a DAO built on the Ethereum blockchain.

The vulnerability, which allows attackers to withdraw everything from a particular kind of account, was later successfully tested by Maker DAO developers. The entry on that subject was noticed by eththrowa, a user of The DAO forum.

The latter confirmed that the vulnerability was present in the implementation The DAO was using at the time. Since the software was written by the startup, its founder joined the search for a solution. The day after the vulnerability was detected, he posted a link to the fix.

Tual went even further, announcing a series of software upgrades aimed at tackling the vulnerability, now referred to as the ‘recursive call’ attack, as well as some other possible attack vectors.

In particular, Tual wrote:

“We extend our gratitude to the community and in particular Eththrowa who once again proved that an open development process leads to the rapid identification, isolation and resolution of potential vulnerabilities, and in this case, the overall improvement of design patterns as part of programming languages.”

According to the blog entry, The DAO’s assets were not in any danger at the time.

The DAO, launched earlier this year by a group of unknown individuals, is open code that allows users to collectively vote on investments they deem worthy and to receive dividends should those projects succeed.

In this case, the vulnerability could have allowed the recipient of dividends to receive the payment due repeatedly by recursively calling the contract. Peter Vessenes, however, noted that the recursive call problem is not specific to The DAO but a broader issue of how some developers implement smart contracts written in Solidity.
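As an added illustration (not code from this article or from The DAO), the following simplified Solidity dividend contract shows the ordering mistake behind a recursive call payout beside a hardened version; the contract and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example; NOT The DAO's code.
contract VulnerableDividends {
    mapping(address => uint256) public owed;

    function credit(address who) external payable {
        owed[who] += msg.value;
    }

    // BUG: the external call runs before the balance is zeroed.
    // If msg.sender is a contract, its receive() executes during .call
    // and can invoke withdraw() again while owed[msg.sender] is unchanged,
    // so the same dividend is paid out repeatedly.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        owed[msg.sender] = 0; // too late
    }
}

// Hardened version: checks-effects-interactions plus a reentrancy guard.
contract SafeDividends {
    mapping(address => uint256) public owed;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function credit(address who) external payable {
        owed[who] += msg.value;
    }

    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effect first: a re-entrant call now sees 0
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The guard alone would stop the recursion, but zeroing the balance before the external call is the pattern to rely on, since it removes the incentive for any nested call rather than merely rejecting it.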

Taylor Gerring, a member of the Ethereum Foundation, confirmed that Vessenes was right, stressing that the vulnerability would not require any changes to Ethereum’s code.

Stephan Tual recently told ForkLog about the degree of investment protection in The DAO.
