The DAO job
By Daniel M. Ryan
One thing you learn in the cryptocurrency frontier: hacking and robbery are clear and ever-present dangers. In a very real way, an altcoin exchange or any other store of cryptocurrency – very much including the humble cryptocurrency wallet – is a lot like a train chugging along in the Old West outback. Back in those old times, the chief risk in travel was not a crash, your luggage being sent to the wrong destination, or the refreshment car running out of drinks. It was robbery, armed robbery, by a gang of varmints that smelled easy pickings along those iron rails. Back in those frontier days, there was many a Train Job.
So it goes in the cryptocurrency frontier. Varmint hackers, armed with programming skills and a fine-honed sense for subtle bugs, are a continual threat to a cryptonaut's wealth. We cryptocurrency pioneers found this out last Friday when the crypto-venture that secured a record-breaking amount of funds – The DAO – was nailed by a hack that represents an eight-figure robbery. Had the inevitable not happened on the altcoin markets, the estimated loss would have been more than fifty million dollars.
When it ran its crowdfund, The DAO graced the online pages of quite a few choice-demographic outlets. This last weekend, those same outlets got an introduction to the perils of the frontier. This Wired article gives a good rundown on what happened in the wee hours of Friday morn:
The above from that Wired piece gibes with what I've been able to scry up myself. Despite the obvious parallel to a "Train Job," the real heist was quite intricate; in execution, it was more like a scheme to steal electricity or cable – or a stunty Western in which the bandits get the gold coins out of the train by drilling a hole underneath the safe car right into the safe and collect the coins that slip out of the hole.
Tag-Team Recursion Banditry
If you've ever wondered why Internet-security pros consider fussbudgetry to be a survival skill, you're about to find out. The most frustrating and dangerous security bugs are subtle. According to this tech-rich analysis of the hack that enabled the theft, the underlying vulnerability that enabled the "hole" to be "drilled" (so to speak) was caused by something apparently innocuous: the order of the lines of code in a function called splitDAO. This function dealt with transferring Ether out of the DAO in exchange for DAO tokens. The Ethers have to be sent to a child DAO, and then the submitted DAO tokens are voided or "burned." In that order.
If a normal Split is effectuated, nothing goes wrong. But the split is activated by a message sent from another address containing another smart contract, and Ethereum's smart-contract language permits a feature called "recursion." Recursion entails an active function calling itself and generating multiple copies of itself to perform the same task several times. You can compute powers by recursion: for example, 2 to the power of 4 can be coded as 2(2(2(2))).
But the trouble is, a recursive function is like driving off the highway into a gated subdivision with only one road out: the same one that takes you in. Once you've finished driving around, you exit the subdivision at the same point on the highway that you entered it. Imagine that the subdivision is a new one, whose houses are yet unsold, and the developer offers a $50 gift card for everyone that takes the tour through it. Once you drive in, you get the gift card. To prevent abuse, the welcome staff enters your license-plate number in a database which checks to see if you've been there before. If you haven't, then you get the gift card. If you have, you don't.
Here's where the trouble enters: your license plate number is added to the already-got-one database after you leave the subdivision and get back on the highway. If you can find a sneaky way to get back to the entryway before your license plate is entered into the "Already Paid" database, you can scam a lot more than one single $50 gift card.
The analogy breaks down at this point, because recursion is most similar to a "Groundhog Day" effect. But it does work, which is why it's been fingered as a recursive calling vulnerability or the Recursion Bug. The sad part of this theft is, the hacker (or team of hackers) took advantage of the bug after it was announced to the world and fixed in The DAO. Fixed in all places, except in that single function splitDAO.
According to this DAO-hack FAQ, the recursion bug was good enough for about twenty transfers when only one should have been authorized. At that point, the load on the Ethereum block containing the recursions would have been heavy enough to conk out the attack. To return to the admittedly shaky analogy, you could only run the Groundhog Day magic machine about twenty times before it overheats and seizes up.
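An added illustration, not taken from the original article or from The DAO's code: a toy Python model of the ordering problem described above, with the pay-then-burn sequence beside the burn-then-pay one. The one-token-per-Ether rate, the `on_receive` callback and the `max_depth` of 20 (standing in for the resource limit the FAQ describes) are assumptions of the model.

```python
# Toy model (constructed; not The DAO's contract code). "Sending Ether" invokes a
# callback owned by the recipient, the way a transfer to a contract address runs
# that contract's code before the sender's function has finished.

class ToyDAO:
    def __init__(self, ether, tokens, burn_first, max_depth=20):
        self.ether = ether              # Ether held by the DAO
        self.tokens = dict(tokens)      # holder -> token balance
        self.burn_first = burn_first    # True = hardened ordering
        self.max_depth = max_depth      # assumed stand-in for the resource limit
        self.depth = 0

    def split(self, holder, on_receive):
        owed = self.tokens.get(holder, 0)   # assumption: 1 token redeems 1 Ether
        if owed == 0 or self.depth >= self.max_depth:
            return
        self.depth += 1
        if self.burn_first:
            self.tokens[holder] = 0         # effect first: burn the tokens
        self.ether -= owed                  # interaction: pay out ...
        on_receive(owed)                    # ... which runs recipient code
        if not self.burn_first:
            self.tokens[holder] = 0         # too late: burn happens after the call
        self.depth -= 1


def run(burn_first, max_depth=20):
    """Simulate a 100-token holder whose receive hook re-enters split().

    Returns (ether paid out, ether left in the DAO, holder's final tokens).
    """
    dao = ToyDAO(ether=10_000, tokens={"holder": 100},
                 burn_first=burn_first, max_depth=max_depth)
    received = []

    def on_receive(amount):
        received.append(amount)
        dao.split("holder", on_receive)     # re-entry before the outer call ends

    dao.split("holder", on_receive)
    return sum(received), dao.ether, dao.tokens["holder"]


if __name__ == "__main__":
    print("pay, then burn:", run(burn_first=False))
    print("burn, then pay:", run(burn_first=True))
```

With the burn moved ahead of the payout, the re-entrant call finds a zero balance and returns at once, so the holder is paid exactly once.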
Had the robbery been done with only a recursion attack, the amount of Ethers stolen would have been much less than the 3,641,694 Ether haul.
But the hacker(s) were smart enough to add a tag-team feature, by which a pair of addresses kept the unauthorized withdrawals going in a slow bleed. As that FAQ said,
Had some observant vigilants not spotted it, the bandit(s) could have stripped The DAO of all of its Ethers.
The Posse Saddles Up
It's almost certainly not a coincidence that the hacker(s) stoppered the hole once the hue and cry arose. That's because snagging the proceeds of this heist is a lot more complicated than grabbing and running.
The vulnerable function, splitDAO, is part of a set of features added to The DAO to protect minority token holders. It gets activated if a group of disgruntled shareholders want to split off with their share of their held Ethers. As I explained in my earlier article on The DAO:
It's this feature that the hacker(s) exploited.
What this means is, the stolen Ether is currently in a different DAO – a split-off child DAO – created by abusing that right-of-exit. The thief, or gang of thieves, can't touch it until July the 14th. That's given the posse assembled a fair bit of time to foil the heist.
Right now, the Good Guys are pushing a modification to the Ethereum node code that would reject any transaction from the address that holds the child DAO. Since this modification would not change the blockchain, it's a "soft fork" that doesn't mandate an upgrade from the current wallets. Its effect would be to freeze the stolen funds indefinitely. Then the crime would be like a money-kidnapping, in which the kidnappers' avenues of escape are all sealed. At this point, negotiations would commence.
But this remedy, which will likely be implemented, is only one of two being discussed. The second is far more radical and would almost certainly mean the end of The DAO and an end-of-the-innocence for Ethereum. This second is a hard fork which would roll back the blockchain ledger to before the point where the robbery began and excise it from the ledger. After that's done, The DAO would be wound down as a failed first "alpha" version. After a decent interval and more thorough security audits, a new DAO with more secure smart-contract code would be launched to take its place.
There's a surprisingly large base of support for this hard fork, even though its rationale is that The DAO is too prominent a part of the Ethereum ecosystem to let the hacker(s) get away with the robbery. Simply put: The DAO is too big to fail.
If the Ethereum community goes this route, it'll be a deep disappointment to a community that has been trying to build a better financial system than Bailout Nation through replacing human intervention with incorruptible computer code. However it turns out, the altcoin markets have made their own judgment: when news broke, the price of Ethereum was whacked hard and the price of The DAO tokens was whacked even harder. Interestingly, the altcoin markets have marked down the latter to trade at a valuation equal to fair-value if the bandit(s) behind The DAO Job succeed in getting their hands on their ill-gotten loot.
Daniel M. Ryan, as Nxtblg, is shepherding the independently-run Open Audi Initiative Prediction Market Shadowing Project. He has stubbornly assumed all the responsibility and blame for the workings and outcome of the project.