home > archive > 2016 > this article


The DAO job

By Daniel M. Ryan
web posted June 20, 2016

One thing you learn in the cryptocurrency frontier: hacking and robbery are clear and ever-present dangers. In a very real way, an altcoin exchange or any other store of cryptocurrency – very much including the humble cryptocurrency wallet – is a lot like a train chugging along in the Old West outback. Back in those old times, the chief risk in travel was not a crash, your luggage being sent to the wrong destination, or the refreshment car running out of drinks. It was robbery, armed robbery, by a gang of varmints that smelled easy pickings along those iron rails. Back in those frontier days, there was many a Train Job.

So it goes in the cryptocurrency frontier. Varmint hackers, armed with programming skills and a fine-honed sense for subtle bugs, are a continual threat to a cryptonaut's wealth. We cryptocurrency pioneers found this out last Friday when the crypto-venture that secured a record breaking amount of funds – The DAO - was nailed by a hack that represents an eight-figure robbery. Had the inevitable not happened on the altcoin markets, the estimated loss would have been more than fifty million dollars.

When it ran its crowdfund, The DAO graced the online pages of quite a few choice-demographic outlets. This last weekend, those same outlets got an introduction to the perils of the frontier. This Wiredarticle gives a good rundown on what happened in the wee hours of Friday morn:

It's not clear yet exactly how the hack worked, says Andrew Miller, a PhD student at the University of Maryland who studies smart contracts and helped audit Ethereum's code last year. But he says the attacker probably exploited a programming mistake that's exceedingly common in smart contracts.

Let's say you have $50 in the bank and you want to withdraw that from an ATM. You insert your card, punch in your PIN number and then request that $50. Before the machine spits out the cash it will check your balance. Once it spits out the cash, it will debit $50 from that balance. Then the machine asks you if you'd like to process another transaction. You tap "yes" and try to take $50 again. But the ATM sees that your balance is now $0 and refuses. It asks you again if you want to process another transaction, so this time you say "no." Your session ends.

Now imagine that the ATM didn't record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn't want to process any more transactions—or the machine ran out of money….

The above from that Wired piece gibes with what I've been able to scry up myself. Despite the obvious parallel to a "Train Job," the real heist was quite intricate; in execution, it was more like a scheme to steal electricity or cable – or a stunty Western in which the bandits get the gold coins out of the train by drilling a hole underneath the safe car right into the safe and collect the coins that slip out of the hole.

Tag-Team Recursion Banditry

If you've ever wondered why Internet-security pros consider fussbudgetry to be a survival skill, you're about to find out. The most frustrating and dangerous security bugs are subtle. According to this tech-rich analysis of the hack that enabled the theft, the underlying vulnerability that enabled the "hole" to be "drilled" (so to speak) was caused by something apparently innocuous: the order of the lines of code in a function called SplitDao.  This function dealt with transferring Ether out of the DAO in exchange for DAO tokens. The Ethers have to be sent to a child DAO, and then the submitted DAO tokens are voided or "burned." In that order.

If a normal Split is effectuated, nothing goes wrong. But the split is activated by a message sent from another address containing another smart contract, and Ethereum's smart-contract language permits a feature called "recursion." Recursion entails an active function calling itself and generating multiple copies of itself to perform the same task several times. You can compute powers by recursion: for example, 2 to the power of 4 can be coded as 2(2(2(2))). 

But the trouble was, a recursive function is like driving off the highway into a gated subdivision with only one road out: the same one that takes you in. Once you've finished driving around, you exit the subdivision at the same point on the highway that you entered it. Imagine that the subdivision is a new one, whose houses are yet unsold, and the developer offers a $50 gift card for everyone that takes the tour through it. Once you drive in, you get the gift card. To prevent abuse, the welcome staff enters your licence-plate number in a database which checks to see if you've been there before. If you haven't, then you get the gift certificate. If you have, you don't.

Here's where the trouble enters: your license plate number is added to the already-got-one database after you leave the subdivision and get back on the highway. If you can find a sneaky way to get back to the entryway before your license plate is entered into the "Already Paid" database, you can scam a lot more than one single $50 gift card.

The analogy breaks down at this point, because recursion is most similar to a "Groundhog Day" effect. But it does work, which is why it's been fingered as a recursive calling vulnerability or the Recursion Bug. The sad part of this theft is, the hacker (or team of hackers) took advantage of the bug after it was announced to the world and fixed in The DAO. Fixed in all places, except in that single function SplitDao.

According to this DAO-hack FAQ, the recursion bug was good enough for about twenty transfers when only one should have been authorized. At that point, the load on the Ethereum block containing the recursions would have been heavy enough to conk out the attack. To return to the admittedly shaky analogy, you could only run the Groundhog Day magic machine about twenty times before it overheats and seizes up.

Had the robbery been done with only a recursion attack, the amount of Ethers stolen would have been much less than the 3,641,694 Ether haul.

But the hacker(s) were smart enough to add a tag-team feature, by which a pair of addresses kept the unauthorized withdrawals going in a slow bleed. As that FAQ said,

what made it really painful is that the attacked managed to replicate this attack from the same two addresses with the same tokens over and over again (roughly 250 times from 2 addresses each). So the attacker found a second exploit that allowed to split without destroying the tokens in the main DAO. They managed to transfer the tokens away before they [got voided]… The combination of both attacks multiplied the effect. Attack one on its one would have been very capital intensive (you need to bring up 1/20 of the stolen amount upfront) - the attack two would have taken a long time.

Had some observant vigilants not spotted it, the bandit(s) could have stripped The DAO of all of its Ethers.   

The Posse Saddles Up

It's almost certainly not a coincidence that the hacker(s) stoppered the hole once the hue and cry arose. That's because snagging the proceeds of this heist is a lot more complicated than grabbing and running.

The vulnerable function, DAOSplit, is part of a set of features added to The DAO to protect minority token holders. It gets activated if a group of disgruntled shareholders want to split off with their share of their held Ethers. As I explained in my earlier article on The DAO:

the binding vote, offers a unique "right of exit" that's a first in corporate governance. Whichever way the vote goes, the minority – the losing side – has the opportunity to "fork" The DAO into a new DAO. This new DAO retains the right to any and all income streams from any and all crowdfunds approved up to the point of the split. It's this right of exit that provides the protection against a 50%-plus-1 attack. More serious than collusion, this attack could take place if a malicious holder of the tokens acts like a Gordon Gekko by slyly buying up enough tokens to control 50%-plus-one of the vote. Had the right of exit not been in place, this malicious majority stakeholder could asset-strip The DAO by using his majority stake to send all its ether to his own personal Ethereum account and leave the thing gutted.

Take a mosey sometime through the parts of the securities and corporate laws that deal with takeovers. You will find a lot of words devoted to forbidding 50%-plus-one attacks of this sort in the securities arena. In this older part of the world, the protection for minority shareholders is a lot of legal verbiage, lots of regulations and lots of lawyering. But in the new world of The DAO, all the protection a minority shareholder needs inheres in some lines of shrewdly-written automatically-executing smart-contract code.

But this right of exit heralds a world that's even more liberating than automated protection from a Gordon Gekko. It's as if corporate law allowed the disgruntled minority shareholders of a company the right to split off into a new company and take their share of the cash-and-marketable –securities held by the old company after they lose a proxy fight – and take with them the right to an aliquot share of the income from the continuing business(es) that the parent company has established up to the point of split. Imagine a world where Apple shareholders who've had it with Tim Cook and lose a proxy fight to unseat him set up a new company called Dapple with new top management. By right, Dapple starts off with those shareholders' aliquot share of Apple's legendary cash hoard – plus the right to their aliquot share in the profits from every Apple product on sale at the time of the split.

It's this feature that the hacker(s) exploited.

What this means is, the stolen Ether is currently in a different DAO – a split-off- child DAO - created by abusing that right-of-exit. The thief, or gang of thieves, can't touch it until July the 14th. That's given the posse assembled a fair bit of time to foil the heist.

Right now, the Good Guys are pushing a modification to the Ethereum node code that would reject any transaction from the address that holds the child DAO. Since this modification would not change the blockchain, it's a "soft fork" that doesn't mandate an upgrade from the current wallets. Its effect would be to freeze the stolen funds indefinitely. Then the crime would be like a money-kidnapping, in which the kidnappers' avenues of escape are all sealed. At this point, negotiations would commence.

But this remedy, which will likely be implemented, is only one of two being discussed. The second is far more radical and would almost certainly mean the end of The DAO and an end-of-the-innocence for Ethereum. This second is a hard fork which would roll back the blockchain ledger to before the point where the robbery began and excise it from the ledger. After that's done, The DAO would be wound down as a failed first "alpha" version. After a decent interval and more thorough security audits, a new DAO with more secure smart-contract code would be launched to take its place. 

There's a surprisingly large base of support for this hard fork, even though its rationale is that The DAO is too prominent a part of the Ethereum ecosystem to let the hacker(s) get away with the robbery. Simply put: The DAO is too big to fail.

If the Ethereum community goes this route, it'll be a deep disappointment to a community that has been trying to build a better financial system than Bailout Nation through replacing human intervention with incorruptible computer code. However it turns out, the altcoin markets have made their own judgment: when news broke, the price of Ethereum was whacked hard and the price of The DAO tokens was whacked even harder.  Interestingly, the altcoin markets have marked down the latter to trade at a valuation equal to fair-value if the bandit(s) behind The DAO Job succeed in getting their hands on their ill-gotten loot. ESR

Daniel M. Ryan, as Nxtblg, is shepherding the independently-run Open Audi Initiative Prediction Market Shadowing Project. He has stubbornly assumed all the responsibility and blame for the workings and outcome of the project.





Site Map

E-mail ESR



© 1996-2016, Enter Stage Right and/or its creators. All rights reserved.