The DAO platform was in trouble yesterday: following a hacking incident, the platform is said to have lost about $50 million worth of digital currency. However, there is a good possibility that the stolen ether associated with the DAOs can after all be recovered, preventing huge losses to the thousands of investors in the platform.
According to a recent update on the Ethereum blog, Vitalik Buterin, the creator of the platform, has stated that all investor funds are safe at the moment. He also goes on to explain the exploit used by the attacker and the process used to drain funds. All funds drained from the DAO in the form of ether are currently housed in a child DAO. The attacker is said to have exploited a recursive calling vulnerability: by calling the split function and then calling the split function again, recursively, from inside the split before it had completed, the attacker was able to collect far more ether than their balance allowed in one single transaction.
Ether safe for now
While the child DAO managed to collect $50 million in ether, it can’t be withdrawn until the creation of the child DAO is finished, which incidentally will take another 27 days. The Ethereum development community has decided to counter the issue by introducing a software fork under which any transaction that moves ether out of the balance of the account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba will be deemed invalid, thereby preventing the attacker from withdrawing the ether even after the 27 days have passed and the child DAO has been successfully created.
Are the attacker’s actions justified?
With the DAO community working towards preventing the attacker from gaining access to the ether siphoned off into the child DAO, the attacker has posted an open letter addressed to all the members of the DAO and Ethereum community. In this letter, he defends his action by saying that he made use of a feature that was available on the platform and that the 3,641,694 ether he collected during the process rightfully belongs to him.
He also goes on to claim that the feature was intentionally put in place by the platform’s developers to promote decentralization by encouraging people to create child DAOs. He believes that he legally took advantage of the incentive and that he is disappointed to be labeled a thief. He has also warned that he will pursue legal recourse if the Ethereum Foundation or the DAO community attempt to prevent him from accessing the ether he has collected in the child DAO.
The attacker’s letter can be accessed here.
Some of the community members who checked the open letter have claimed that the digital signature used to sign the letter is a fake. However, there are a few who believe it to be genuine.
The debate now is whether it is right to penalize a community member for using the features provided on the platform for their own benefit. There are still 27 days before any action becomes necessary, and by then we will know how the Ethereum Foundation has decided to deal with the potential loss of ether from its platform. Whatever the outcome, the recent attack has definitely exposed some serious security flaws in the DAO platform which may hurt its reputation.
Ref: Ethereum Blog | Attacker's Letter | Wired | Image: WSJ