Ethereum DAO Reentrancy Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Depiction Of The Exploit

The DAO was a large smart contract which allowed people to vote on blockchain proposals. Members who had deposited funds could withdraw them again, but the withdrawal was implemented in such a way that they could trigger additional withdrawals within a single withdrawal, before the balance was updated.

This was announced publicly in multiple blog posts, and weeks went by without it being properly fixed. Eventually, a hacker decided to exploit it and take the funds.

As a result, the Ethereum blockchain split in two. The main Ethereum chain that we know today reverted the exploit. There is also Ethereum Classic, which is the original chain with the exploit intact.

There is a suspicion that the attacker was Toby Hoenisch, CEO of TenX.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]

About The DAO

"A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control." "The DAO was a popular decentralized investment fund based on smart contracts." "If a project that requested funding received sufficient support from the DAO community, that project’s Ethereum address could withdraw ether from DAO." "Rather than the control that owning shares gives an investor in a traditional company, in a DAO, you have control over the organization's collected assets based on how many governance tokens you own."

"“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind Slock.it — a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of AirBNB." "The concept of a DAO was first ideated in 2015 by a team called Slock.it. In order to raise funds for various Web 3.0 projects and startups, the team built a crowdfunding smart contract  — but they took it one step further by programming in actual voting rights and ownership." "The DAO launched on April 30th, 2016, with a 28-day funding window. For whatever reason, The DAO was popular, raising over $100m by May 15, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150 million from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected."

"As the days of the sale passed by, heads started to turn; something was happening that no one expected. The crowdsale was attracting investment figures in the tens of millions, way past expectations — more and more Ether kept flooding in. The flow of investment continued till by the end of the four week initial coin offering, a staggering 12 million Ether ($150 million based on ETH value in June 2016 and a staggering $33.3 billion based on today’s valuation) was deposited in the TheDAO smart contract." "In 2016, the DAO smart contract accumulated over $150,000,000 (at the time) of ether."

The Reality

"Computer scientists say that a procedure is re-entrant if its execution can be interrupted in the middle, initiated over (re-entered), and both runs can complete without any errors in execution. In the context of Ethereum smart contracts, re-entrancy can lead to serious vulnerabilities." "One of the major dangers of calling external contracts is that they can take over the control flow, and make changes to your data that the calling function wasn't expecting." "A reentrancy attack can occur when you create a function that makes an external call to another untrusted contract before it resolves any effects. If the attacker can control the untrusted contract, they can make a recursive call back to the original function, repeating interactions that would have otherwise not run after the effects were resolved."

"Unfortunately for the DAO, the transfer mechanism would transfer the ether to the external address before updating its internal state and noting that the balance was already transferred. This gave the attackers a recipe for withdrawing more ether than they were eligible for from the contract via re-entrancy." "When the contract fails to update its state (a user’s balance) prior to sending funds, the attacker can continuously call the withdraw function to drain the contract’s funds." "It’s important to note that the TheDAO smart contract was the first of its kind, grievously untested and written in Solidity, Ethereum’s main method of writing code, a language only a few months old." However, "the exact programming pattern that made the DAO vulnerable was not only known, but fixed by the DAO creators themselves in an earlier intended update to the framework's code."

"On June 5th Christian Reitwiessner discovered an antipattern in solidity which could lead to attacks on smart contracts (later described in a blog post). And then on June 9th, Peter Vessenes wrote a blog about Christian’s discovery. At this point the general Ethereum developer community was aware of this issue."

What Happened

"EARLY IN THE MORNING of June 17th, 2016, an unknown person or group attacked" the DAO.

Key Event Timeline - Ethereum DAO Reentrancy Attack

| Date | Event | Description |
|---|---|---|
| April 30th, 2016 | DAO Launches | The original launch of the DAO. |
| May 15th, 2016 | Significant Funds Raised | The DAO has raised over $100m. |
| June 5th, 2016 | Anti-pattern Discovery | The "anti-pattern" which was ultimately used in the exploit is discovered by Christian Reitwiessner. |
| June 9th, 2016 | Blog Post Shared | Peter Vessenes wrote a blog about Christian’s discovery, and at this point it's believed that the information was public. |
| June 17th, 2016 | Early Morning Attack | After sitting unpatched with a known vulnerability, the Ethereum DAO is finally attacked in a massive way. |
| October 10th, 2018 5:54:00 AM MDT | Bug In Other Contracts | AvaLabs Emin Gün Sirer notes that he's seen similar design patterns in other smart contracts and expects that we will see the problem happen again[15]. |

Technical Details

"EARLY IN THE MORNING of June 17th, 2016, an unknown person or group attacked" the DAO. "The DAO smart contract suffered a reentrancy attack." "The DAO hack took advantage of Ethereum’s fallback function to perform re-entrancy."

The attack procedure is as follows: "(1) The attacker donates ether to the target contract. (2) The target contract updates the attacker’s balance for the donated Ether. (3) The attacker requests the funds back. (4) Funds are sent back. (5) The attacker’s fallback function is triggered and calls for a subsequent withdrawal. (6) The smart contract’s logic to update the attacker’s balance has yet to be executed, thus the withdraw is successfully called again. (7) Funds are sent to the attacker. (8) Repeat steps 5–7. (9) Once the attack is over, the attacker sends funds from their contract to their personal address."

Example To Illustrate Attack

"Imagine you walk up to an ATM and withdraw $200. You get $200, yet you notice your balance didn’t change… you go ahead and withdraw another $200… no change in the balance!"

"You keep withdrawing in figures higher and higher until your cash in hand is greater than your total balance — and then you keep going! Only once you remove your card does your balance finally care to reflect what just happened: -$120,000, or $0 in the ideal case — yet you only had a total initial balance of $2,000."

"All you know is that you now have $100,000 cash-in-hand because the ATM kept withdrawing from your original balance without updating each of those withdrawals. Every time you selected “Withdraw $200,” the ATM checked that your balance was enough — saw your original $2,000  balance — and withdrew from it… but then never updated it to $1,800! You just kept the ATM in a loop of withdrawing from the initial $2,000 indefinitely."

"Unfortunately there is no way to stop the attack once it has started. The attacker’s withdrawal function will be called over and over again until the contract either runs out of gas or the victim’s ether balance has been depleted."

Total Amount Lost

The total amount lost has been estimated at $60,000,000 USD.

Immediate Reactions

"We all know what happened next: a series of futile attempts to recover the funds, the infamous chat room conversation, and the contentious hard fork that resulted in the creation of Ethereum Classic."

"Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code." "But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract."

"Initially, Ethereum founder Vitalik Buterin proposed a soft fork of the Ethereum network, adding a snippet of code that would effectively blacklist the attacker and prevent them from moving the stolen funds. However, shortly thereafter, the attacker (or someone posing as the attacker — it has not been verified) published an open letter to the Ethereum community that claimed the funds had been obtained in a “legal” way in accordance with the rules set out in the smart contract. The attacker also said they would take legal action against anyone who attempted to seize the ether."

Ultimate Outcome

Message from the hacker:

To the DAO and the Ethereum community,

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of "child DAOs".

I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

"The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supersede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation."

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.

I hope this event becomes a valuable learning experience for the Ethereum community and wish you all the best of luck.

Yours truly,

"The Attacker"


"Shortly after, tensions were heightened yet again as the attacker (or someone posing as them) claimed through an intermediary on The DAO Slack channel that they would attempt to thwart any soft fork by bribing Ethereum miners with a collective reward of one million ether and 100 bitcoin to not comply and thus split the Ethereum network in two. The situation not only presented technical challenges, but questioned the moral and philosophical underpinnings of the technology — and the resilience of the Ethereum project’s leadership."

"Before the Ethereum community could proceed with the soft fork, a bug was discovered in the update’s code, making it vulnerable to attack." "[D]espite being implemented in the two major clients (Geth, Parity) and having received majority support from the miners, this modification to the clients opened up a DoS vulnerability and the soft fork was called off before it could come into action."

"The last chance was a hard fork allowing for the safe return of funds to their original owners. A hard fork is of course a very contentious topic, and for good reasons should only be the last resort." "The hard fork effectively rolled back the Ethereum network’s history to before The DAO attack and reallocated The DAO’s ether to a different smart contract so that investors could withdraw their funds. This was extremely controversial — after all, blockchains are supposed to be immutable and censorship-resistant." "Although the tools to really measure the interest in the hard fork were in their early stage and did not cover the whole community, Reddit, Carbonvote and mining pools with polls all indicated that there was enough interest in it to justify its implementation."

"In parallel, a Robin Hood Group spontaneously formed and drained the remaining funds of the DAO in order to prevent further attacks and of course with the intent of handing the ETH back to its original owners."

"Eventually, after a controversial community vote where only holders of 5.5% of the total Ether supply participated, the hard fork option was approved and set to happen at block number 1,920,000. In the end, the extraordinary nature of the situation meant extreme measures had to be taken and thus the immutability of the chain sacrificed — just in this one instance. So: to fork."

"It was initially unclear as to whether the fork would be executed. Though it was proposed by Ethereum developers, they did not have the unilateral power to implement the change. Miners, exchanges, and node operators also had to agree to update their software. After more heated debate in public forums, on July 20, 2016, at block 192,000, the Ethereum hard fork was implemented."

"It’s because the stolen funds were frozen in a childDAO that a hard fork was able to undo the theft cleanly. Thanks to this failsafe in the DAO code, the attacker was unable to transfer the funds out of their child DAO until a certain period of time had expired. Otherwise, the funds would have already made their way to the exchanges and a hard fork would have become unfeasible. This in turn created a huge time pressure to execute on the hardfork."

"While the vast majority of stakeholders adopted the change and the fork was implemented, not everyone was on board. As a result, the hard fork resulted in two competing — and now separate — Ethereum blockchains. Those who refused to accept the hard fork that rolled back the blockchain’s history supported the pre-forked version — now known as Ethereum Classic (ETC). The blockchain presently known as Ethereum is the blockchain that implemented the hard fork and altered the blockchain’s history — and the history of blockchain as a whole."

"Though the funds stolen from The DAO were restored to its investors, the attacker did not lose out entirely. The pilfered tokens still remained in their possession on the Ethereum Classic chain and were worth around $8.5 million in ETC in the months following the attack."

Included in [25][26]

Total Amount Recovered

As a result of the attack, the Ethereum chain split. All funds were returned to their original owners as part of this split.

Ongoing Developments

"Original DAO token holders started to withdraw their ETH, while the signatories of the curator multisig started to work on the edge cases (note: this is still a work in progress)"

"Surprisingly, the old chain did receive more support than expected. Exchanges listed the token of the old chain (under the name “Ether classic”), and blockchain explorers were created. Users found themselves confronted with the choice of two chains, which challenged the former Robin Hood Group to start the process of also returning the ETC, an ongoing process."

"Now, more than two years later, Ethereum has largely put The DAO hack in its rearview mirror." "The DAO has been resolved. As far as I know, the DAO is now over. All that’s left is tokens sitting in a recovery contract, waiting for investors to come pick them up and resume life as usual."

"There is a great Ethereum Stack Exchange post that details many different avenues you can take to get ether out of the Withdraw Contract, including a fantastic UI built by the MyEtherWallet.com team. The only thing it lacks currently is screenshots to make using Mist easier."

However, "according to Emin Gün Sirer, a computer science professor at Cornell and the co-director of cryptocurrency research initiative IC3, who said that he has seen a variety of smart contracts that may be vulnerable to a “reentrancy” attack that allows a malicious user to drain ETH from a payment channel."

“BTW, I’ve seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I’m sure this isn’t the last episode of this bug,” he wrote on Twitter.

Individual Prevention Policies

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

There are many ways the smart contract's security could have been improved: fixing the original reentrancy vulnerability, requiring multi-signature approval on large withdrawals, or limiting the amount of funds which could be withdrawn within a particular time period.

All aspects of any platform should undergo regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be used again within 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. CRITICAL UPDATE Re: DAO Vulnerability | Ethereum Foundation Blog (Jun 23, 2021)
  2. Analysis of the DAO exploit - HackingDistributed (Jun 23, 2021)
  3. 15 lines of code that could have prevented TheDAO Hack – OpenZeppelin (Accessed Jun 23, 2021)
  4. What is a Re-Entrancy Attack? - QuantStamp (Accessed Jul 28, 2021)
  5. Known Attacks - Ethereum Smart Contract Best Practices - Consensys (Jul 28, 2021)
  6. The DAO Attack: Understanding What Happened – CoinDesk (Jul 28, 2021)
  7. Understanding The Dao Hack For Journalists - PullNews (Jul 28, 2021)
  8. How to use the Withdraw Contract with Mist - Griff Green (slock.it) (Jul 28, 2021)
  9. Reentrancy Vulnerability Identification in Ethereum Smart Contracts - ARXIV (Jul 28, 2021)
  10. Protect Your Solidity Smart Contracts From Reentrancy Attacks - CoinMonks Medium (Accessed Jul 28, 2021)
  11. Smart Contract Attacks [Part 1] - 3 Attacks We Should All Learn From The DAO - Hacker Noon (Jul 28, 2021)
  12. Critical Update on DAO Vulnerability - Hacker News (Jul 28, 2021)
  13. A History of ‘The DAO’ Hack - CoinMarketCap (Jul 28, 2021)
  14. Ethereum: We Haven’t Seen the Last of the Bug That Killed the DAO - CCN (Accessed Jul 28, 2021)
  15. el33th4xor - "BTW, I've seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I'm sure this isn't the last episode of this bug." - Twitter (Jul 28, 2021)
  16. TOP 10 - DASP (Accessed Jul 28, 2021)
  17. Smart Contract Security - Ethereum Foundation Blog (Accessed Jul 28, 2021)
  18. More Ethereum Attacks: Race-To-Empty is the Real Deal - Vessenes (Accessed Jul 28, 2021)
  19. The DAO: What Was the DAO Hack? - Gemini (Accessed Jul 28, 2021)
  20. TheDAO Hacker 'Unmasked' — Years After 3.6M ETH Stolen - CoinMarketCap (Accessed Feb 23, 2022)
  21. Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether - Reddit (Accessed Mar 4, 2022)
  22. Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether - Forbes (Accessed Mar 4, 2022)
  23. 3 Famous Smart Contract Hacks You Should Know - Firmo Network Medium (Accessed Nov 3, 2022)
  24. Message From The Hacker - PasteBin (Accessed Jun 26, 2024)
  25. SlowMist Hacked - SlowMist Zone (Accessed May 18, 2021)
  26. List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23, 2021)
