Friday morning, many woke up to a disastrous scene in the Ethereum/DAO market. Both markets have suffered a great deal due to na hack on the DAO smart contact system. It seems that one of the DAO holders managed to drain The DAO wallet’s Ether
Over 3.6M Ethers were withdrawn. Leaving The DAO with about 8.09 Ether according to: http://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413
The DAO has fallen over 45% in value
While Etherem seems to be holding with a 20% loss
We will try to explain how this attack happened:
Ethereum is a decentralized network, much like bitcoin, it runs on a Blockchain. The major difference between the two is that Ethereum allows the creation of dapps, decentralized organizations and smart contracts. Smart contracts can be programmed to send pre-specified amounts of ether to whitelisted addresses without the need for human maintenance.
When The DAO was created it got funded through a smart contract built on the Ethereum Virtual Machine (EVM), this smart contract was designed to receive Ether, store it, create DAO Tokens and send them to the correct Ethereum wallet addresses.
The DAO smart contract i salso programmed to give back Ethereum to The DAO holders, through a process called “Splitting”, this process was created to give DAO holders the choice to leave the organization in case they don’t agree with a proposal that was accepted.
When a DAO holder Splits his tokens, he creates his own DAO. The ethereum proportional to is DAO Holdings (1ETH per 100DAO) is sent to the new DAO and locked for a period of time.
OK, got it! So how did the hack occur?
When a Smart contract designed to send Ether to a specific wallet, what the contract will do is: Send the Ether, wait for a new block to mined (~23 Seconds) and check his balance to see if the amount was sent. If it was sent, the contract will not send the same amount again if requested.
The DAO is programmed to send Ether back to the DAO holder’s wallet, creating a new DAO and storing the respective amount of Ether in this new DAO. This is achieved by asking The DAO smart contract to send you your Ether back or “Splitting”.
The hacker saw the vulnerability in these 23 seconds, and was able to request the same amount of Ether multiple times on the same Block through the splitting process. This means that the smart contract did not have the information that the Ether was sent, and sent it multiple times.
This seems to be a problem relative the Ethereum Smart Contract System and to the way The DAO Splitting function was designed.
Vitalik Buterin and many other great minds are working non-stop to fix this attack, along side the community. Ethereum users are spamming the Network, making transactions impossible at this moment, in order to stop all malicious activity that could happen on The DAO. Vitalik has also asked Mining Pool operators to help with this process by upping the gas price. An Hard fork solution was also presented by Vitalik in order to retrieve all stolen funds, as Sephan Tual explains:
stephan [12:07 PM]
@channel – ELI5 – In summary, a hardfork will retrieve all stolen funds from the attacker. If you have purchased DAO tokens, you will be transferred to a smart contract where you can only retrieve funds. Since no money in the DAO was ever spent, nothing was lost.