Ethereum DAO Reentrancy Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 21:43, 22 February 2023


The DAO

The DAO was a large smart contract that let token holders vote on funding proposals. Members who had deposited ether could withdraw it again, but the withdrawal logic sent the ether to the caller through an external call before it updated the caller's recorded balance. A contract receiving that ether could therefore call back into the withdrawal function and be paid again against the same, still-unchanged balance.

The vulnerable pattern had been described publicly in several blog posts in early June 2016, but The DAO's deployed code was not fixed. On June 17th, 2016, an attacker exploited it and drained roughly 3.6 million ETH into a child DAO.

As a result, the Ethereum blockchain split in two. The chain known today as Ethereum adopted a hard fork that reversed the exploit; Ethereum Classic continues the original chain, on which the exploit stands.

A 2022 investigation alleged that the attacker was Toby Hoenisch, CEO of TenX; this has not been confirmed.

This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]

About The DAO

"A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control." "The DAO was a popular decentralized investment fund based on smart contracts." "If a project that requested funding received sufficient support from the DAO community, that project’s Ethereum address could withdraw ether from DAO." "Rather than the control that owning shares gives an investor in a traditional company, in a DAO, you have control over the organization's collected assets based on how many governance tokens you own."

"“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind Slock.it — a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of AirBNB." "The concept of a DAO was first ideated in 2015 by a team called Slock.it. In order to raise funds for various Web 3.0 projects and startups, the team built a crowdfunding smart contract  — but they took it one step further by programming in actual voting rights and ownership." "The DAO launched on April 30th, 2016, with a 28-day funding window. For whatever reason, The DAO was popular, raising over $100m by May 15, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150 million from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected."

"As the days of the sale passed by, heads started to turn; something was happening that no one expected. The crowdsale was attracting investment figures in the tens of millions, way past expectations — more and more Ether kept flooding in. The flow of investment continued till by the end of the four week initial coin offering, a staggering 12 million Ether ($150 million based on ETH value in June 2016 and a staggering $33.3 billion based on today’s valuation) was deposited in the TheDAO smart contract." "In 2016, the DAO smart contract accumulated over $150,000,000 (at the time) of ether."

"Computer scientists say that a procedure is re-entrant if its execution can be interrupted in the middle, initiated over (re-entered), and both runs can complete without any errors in execution. In the context of Ethereum smart contracts, re-entrancy can lead to serious vulnerabilities." "One of the major dangers of calling external contracts is that they can take over the control flow, and make changes to your data that the calling function wasn't expecting." "A reentrancy attack can occur when you create a function that makes an external call to another untrusted contract before it resolves any effects. If the attacker can control the untrusted contract, they can make a recursive call back to the original function, repeating interactions that would have otherwise not run after the effects were resolved."

"Unfortunately for the DAO, the transfer mechanism would transfer the ether to the external address before updating its internal state and noting that the balance was already transferred. This gave the attackers a recipe for withdrawing more ether than they were eligible for from the contract via re-entrancy." "When the contract fails to update its state (a user’s balance) prior to sending funds, the attacker can continuously call the withdraw function to drain the contract’s funds." "It’s important to note that the TheDAO smart contract was the first of its kind, grievously untested and written in Solidity, Ethereum’s main method of writing code, a language only a few months old." However, "the exact programming pattern that made the DAO vulnerable was not only known, but fixed by the DAO creators themselves in an earlier intended update to the framework's code."

"On June 5th Christian Reitwiessner discovered an antipattern in solidity which could lead to attacks on smart contracts (later described in a blog post). And then on June 9th, Peter Vessenes wrote a blog about Christian’s discovery. At this point the general Ethereum developer community was aware of this issue."

"Early in the morning of June 17th, 2016, an unknown person or group attacked" the DAO. "The DAO smart contract suffered a reentrancy attack." "The DAO hack took advantage of Ethereum’s fallback function to perform re-entrancy."

The attack procedure is as follows (quoted):

  1. The attacker donates ether to the target contract.
  2. The target contract updates the attacker’s balance for the donated Ether.
  3. The attacker requests the funds back.
  4. Funds are sent back.
  5. The attacker’s fallback function is triggered and calls for a subsequent withdrawal.
  6. The smart contract’s logic to update the attacker’s balance has yet to be executed, thus the withdraw is successfully called again.
  7. Funds are sent to the attacker.
  8. Repeat steps 5–7.
  9. Once the attack is over, the attacker sends funds from their contract to their personal address.

"Imagine you walk up to an ATM and withdraw $200. You get $200, yet you notice your balance didn’t change… you go ahead and withdraw another $200… no change in the balance!"

"You keep withdrawing in figures higher and higher until your cash in hand is greater than your total balance — and then you keep going! Only once you remove your card does your balance finally care to reflect what just happened: -$120,000, or $0 in the ideal case — yet you only had a total initial balance of $2,000."

"All you know is that you now have $100,000 cash-in-hand because the ATM kept withdrawing from your original balance without updating each of those withdrawals. Every time you selected “Withdraw $200,” the ATM checked that your balance was enough — saw your original $2,000  balance — and withdrew from it… but then never updated it to $1,800! You just kept the ATM in a loop of withdrawing from the initial $2,000 indefinitely."

"Unfortunately there is no way to stop the attack once it has started. The attacker’s withdrawal function will be called over and over again until the contract either runs out of gas or the victim’s ether balance has been depleted."

"We all know what happened next: a series of futile attempts to recover the funds, the infamous chat room conversation, and the contentious hard fork that resulted in the creation of Ethereum Classic."

"Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code." "But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract."

"Initially, Ethereum founder Vitalik Buterin proposed a soft fork of the Ethereum network, adding a snippet of code that would effectively blacklist the attacker and prevent them from moving the stolen funds. However, shortly thereafter, the attacker (or someone posing as the attacker — it has not been verified) published an open letter to the Ethereum community that claimed the funds had been obtained in a “legal” way in accordance with the rules set out in the smart contract. The attacker also said they would take legal action against anyone who attempted to seize the ether."

"Shortly after, tensions were heightened yet again as the attacker (or someone posing as them) claimed through an intermediary on The DAO Slack channel that they would attempt to thwart any soft fork by bribing Ethereum miners with a collective reward of one million ether and 100 bitcoin to not comply and thus split the Ethereum network in two. The situation not only presented technical challenges, but questioned the moral and philosophical underpinnings of the technology — and the resilience of the Ethereum project’s leadership."

"Before the Ethereum community could proceed with the soft fork, a bug was discovered in the update’s code, making it vulnerable to attack." "[D]espite being implemented in the two major clients (Geth, Parity) and having received majority support from the miners, this modification to the clients opened up a DoS vulnerability and the soft fork was called off before it could come into action."

"The last chance was a hard fork allowing for the safe return of funds to their original owners. A hard fork is of course a very contentious topic, and for good reasons should only be the last resort." "The hard fork effectively rolled back the Ethereum network’s history to before The DAO attack and reallocated The DAO’s ether to a different smart contract so that investors could withdraw their funds. This was extremely controversial — after all, blockchains are supposed to be immutable and censorship-resistant." "Although the tools to really measure the interest in the hard fork were in their early stage and did not cover the whole community, Reddit, Carbonvote and mining pools with polls all indicated that there was enough interest in it to justify its implementation."

"In parallel, a Robin Hood Group spontaneously formed and drained the remaining funds of the DAO in order to prevent further attacks and of course with the intent of handing the ETH back to its original owners."

"Eventually, after a controversial community vote where only holders of 5.5% of the total Ether supply participated, the hard fork option was approved and set to happen at block number 1,920,000. In the end, the extraordinary nature of the situation meant extreme measures had to be taken and thus the immutability of the chain sacrificed — just in this one instance. So: to fork."

"It was initially unclear as to whether the fork would be executed. Though it was proposed by Ethereum developers, they did not have the unilateral power to implement the change. Miners, exchanges, and node operators also had to agree to update their software. After more heated debate in public forums, on July 20, 2016, at block 192,000, the Ethereum hard fork was implemented."

"It’s because the stolen funds were frozen in a childDAO that a hard fork was able to undo the theft cleanly. Thanks to this failsafe in the DAO code, the attacker was unable to transfer the funds out of their child DAO until a certain period of time had expired. Otherwise, the funds would have already made their way to the exchanges and a hard fork would have become unfeasible. This in turn created a huge time pressure to execute on the hard fork."

"While the vast majority of stakeholders adopted the change and the fork was implemented, not everyone was on board. As a result, the hard fork resulted in two competing — and now separate — Ethereum blockchains. Those who refused to accept the hard fork that rolled back the blockchain’s history supported the pre-forked version — now known as Ethereum Classic (ETC). The blockchain presently known as Ethereum is the blockchain that implemented the hard fork and altered the blockchain’s history — and the history of blockchain as a whole."

"Though the funds stolen from The DAO were restored to its investors, the attacker did not lose out entirely. The pilfered tokens still remained in their possession on the Ethereum Classic chain and were worth around $8.5 million in ETC in the months following the attack."

"Original DAO token holders started to withdraw their ETH, while the signatories of the curator multisig started to work on the edge cases (note: this is still a work in progress)"

"Surprisingly, the old chain did receive more support than expected. Exchanges listed the token of the old chain (under the name “Ether classic”), and blockchain explorers were created. Users found themselves confronted with the choice of two chains, which challenged the former Robin Hood Group to start the process of also returning the ETC, an ongoing process."

"Now, more than two years later, Ethereum has largely put The DAO hack in its rearview mirror." "The DAO has been resolved. As far as I know, the DAO is now over. All that’s left is tokens sitting in a recovery contract, waiting for investors to come pick them up and resume life as usual."

"There is a great Ethereum Stack Exchange post that details many different avenues you can take to get ether out of the Withdraw Contract, including a fantastic UI built by the MyEtherWallet.com team. The only thing it lacks currently is screenshots to make using Mist easier."

However, "according to Emin Gün Sirer, a computer science professor at Cornell and the co-director of cryptocurrency research initiative IC3," the bug has not gone away: he "said that he has seen a variety of smart contracts that may be vulnerable to a “reentrancy” attack that allows a malicious user to drain ETH from a payment channel."

“BTW, I’ve seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I’m sure this isn’t the last episode of this bug,” he wrote on Twitter.



Key Event Timeline - Ethereum DAO Reentrancy Attack

  Date             Event        Description
  June 5th, 2016   Disclosure   Christian Reitwiessner identifies the Solidity antipattern behind the attack; Peter Vessenes publishes a public warning about it on June 9th.
  June 17th, 2016  Main Event   Early in the morning, an unknown attacker exploits the reentrancy flaw in The DAO's withdrawal path and drains roughly 3.6 million ETH into a child DAO, where the code's waiting period holds the funds.
  July 20th, 2016  Hard Fork    After a soft-fork attempt is abandoned over a DoS bug, Ethereum hard forks at block 1,920,000 and moves The DAO's ether to a withdraw contract; the unforked chain continues as Ethereum Classic.

Total Amount Lost

The total amount lost has been estimated at $60,000,000 USD.


Total Amount Recovered

On the forked chain (today's Ethereum), The DAO's ether was moved to a withdraw contract from which token holders could reclaim their funds, and the Robin Hood Group also worked to return the ETC it had secured on the unforked chain. The attacker nonetheless kept the drained funds on Ethereum Classic, worth around $8.5 million in ETC in the months following the attack.


Prevention Policies

While not specifically related to exchanges, this is the classic case showing that funds held in a complex smart contract are often insecure. A smart contract has a security profile similar to a hot wallet: the funds are online and protected only by a layer of software, and any bug in that software is reachable by anyone on the network.

When evaluating storage methods for significant quantities of funds, preference must be given to simpler mechanisms such as a plain multi-signature wallet. Complexity is typically the enemy of security. For contracts that must hold funds, the specific lesson of this case is to update internal state before making any external call (the checks-effects-interactions pattern) and to guard withdrawal functions against re-entrant calls.

References

  1. SlowMist Hacked - SlowMist Zone, https://hacked.slowmist.io/en/?c=ETH%20DApp (May 18, 2021)
  2. List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community, https://forum.openzeppelin.com/t/list-of-ethereum-smart-contracts-post-mortems/1191 (Jun 23, 2021)
  3. CRITICAL UPDATE Re: DAO Vulnerability | Ethereum Foundation Blog, https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/ (Jun 23, 2021)
  4. Analysis of the DAO exploit, http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/ (Jun 23, 2021)
  5. 15 lines of code that could have prevented TheDAO Hack – OpenZeppelin blog, https://blog.openzeppelin.com/15-lines-of-code-that-could-have-prevented-thedao-hack-782499e00942/ (Jun 23, 2021)
  6. What is a Re-Entrancy Attack?, https://quantstamp.com/blog/what-is-a-re-entrancy-attack (Jul 28, 2021)
  7. Known Attacks - Ethereum Smart Contract Best Practices, https://consensys.github.io/smart-contract-best-practices/known_attacks/ (Jul 28, 2021)
  8. The DAO Attack: Understanding What Happened – CoinDesk, https://www.coindesk.com/understanding-dao-hack-journalists (Jul 28, 2021)
  9. Understanding The Dao Hack For Journalists, https://pullnews.medium.com/understanding-the-dao-hack-for-journalists-2312dd43e993#.kw0ufw25q (Jul 28, 2021)
  10. How to use the Withdraw Contract with Mist | by Griff Green | slock.it Blog, https://blog.slock.it/how-to-use-the-withdraw-contract-with-mist-de5d85a981c9#.iye0waaz7 (Jul 28, 2021)
  11. Reentrancy Vulnerability Identification in Ethereum Smart Contracts, https://arxiv.org/pdf/2105.02881.pdf (Jul 28, 2021)
  12. Protect Your Solidity Smart Contracts From Reentrancy Attacks, https://medium.com/coinmonks/protect-your-solidity-smart-contracts-from-reentrancy-attacks-9972c3af7c21 (Jul 28, 2021)
  13. Smart Contract Attacks [Part 1] - 3 Attacks We Should All Learn From The DAO | Hacker Noon, https://hackernoon.com/smart-contract-attacks-part-1-3-attacks-we-should-all-learn-from-the-dao-909ae4483f0a (Jul 28, 2021)
  14. Analysis of the DAO exploit, https://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/ (Jul 28, 2021)
  15. Critical Update on DAO Vulnerability | Hacker News, https://news.ycombinator.com/item?id=11921900 (Jul 28, 2021)
  16. A History of ‘The DAO’ Hack | CoinMarketCap, https://coinmarketcap.com/alexandria/article/a-history-of-the-dao-hack (Jul 28, 2021)
  17. Ethereum: We Haven’t Seen the Last of the Bug That Killed the DAO, https://www.ccn.com/ethereum-we-havent-seen-the-last-of-the-bug-that-killed-the-dao/ (Jul 28, 2021)
  18. @el33th4xor Twitter, https://twitter.com/el33th4xor/status/1049991626414678016 (Jul 28, 2021)
  19. DASP - TOP 10, https://dasp.co/ (Jul 28, 2021)
  20. Smart Contract Security | Ethereum Foundation Blog, https://blog.ethereum.org/2016/06/10/smart-contract-security/ (Jul 28, 2021)
  21. More Ethereum Attacks: Race-To-Empty is the Real Deal, https://vessenes.com/more-ethereum-attacks-race-to-empty-is-the-real-deal/ (Jul 28, 2021)
  22. The DAO: What Was the DAO Hack? | Gemini, https://www.gemini.com/cryptopedia/the-dao-hack-makerdao (Jul 28, 2021)
  23. https://coinmarketcap.com/alexandria/article/thedao-hacker-unmasked-years-after-3-6m-eth-stolen (Feb 23, 2022)
  24. Reddit - Dive into anything (Mar 4, 2022)
  25. Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether (Mar 4, 2022)