The Ethereum block chain was hacked around a month back, on June 17. Ethereum's DAO, a Distributed Autonomous Organization, is a funding platform that works along the core principles of block chain technology: open, neutral, and immutable.
The hacker diverted DAO tokens, a form of cryptocurrency worth USD 50 million, from smart contracts in the Distributed Autonomous Organization (DAO) that runs on the Ethereum block chain to a “Child DAO” from which the hacker could have withdrawn the funds. The transfer succeeded, but what worked against the hacker was the 27-day waiting period in the Ethereum system before the cryptocurrency can be claimed. This wait period gave the community time to attempt to stop the hacker from getting Ethereum coins. An interesting capture is available here:
How did the hacker infiltrate Ethereum Defences?
Emin Gun Sirer, a critic of the DAO project and a go-to source for Ethereum coders, recently pointed out over 10 new exploits in Ethereum's smart contract code. The attacks, all specific to Ethereum code (the stalking attack, the ambush attack, the token raid, the extra balance attack, and more), have potential fixes that were published after the attack. The detailed analysis can be found here.
The exploits discovered by Emin and his team included the “recursive call” vulnerability (specific to Ethereum code) that the attacker exploited to move the funds into a “Child DAO”, from where the hacker or group planned to withdraw them.
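The “recursive call” flaw is the pattern now usually called re-entrancy: a contract pays out (and hands control to the recipient's code) before it records that the payout happened, so the recipient can call back in and be paid again. The following is an added example, not code from the original post or from the DAO or Ethereum projects. It models contract balances and external calls in plain Python rather than Solidity; the class names (VulnerableVault, HardenedVault, Reentrant, Honest) and the deposit amounts are constructed for the illustration. The hardened version applies the standard mitigation of updating the balance before making the external call.

```python
"""Toy model of the DAO-style "recursive call" (re-entrancy) bug and its fix.

Added example, not code from the original post or the DAO/Ethereum projects.
Balances and "ether" are plain integers; an external call is modelled as a
Python method call on the recipient object, which is what lets the recipient
re-enter the vault before the first call has finished.
"""


class Honest:
    """A depositor whose receive() hook simply takes the payment."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Reentrant:
    """A depositor whose receive() hook calls withdraw() again.

    `rounds` bounds the recursion so the model terminates even when the
    vault never runs dry (the vault's own checks stop it otherwise).
    """

    def __init__(self, rounds):
        self.rounds = rounds
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.rounds > 0:
            self.rounds -= 1
            vault.withdraw(self)  # re-enter before our balance is zeroed


class VulnerableVault:
    """Interaction before effect: pays out, then records the withdrawal."""

    def __init__(self):
        self.balances = {}  # depositor object -> credited amount
        self.ether = 0      # ether actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.ether < amount:
            return
        self.ether -= amount
        who.receive(self, amount)   # external call: recipient code runs here
        self.balances[who] = 0      # ...and the balance is only zeroed after


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance, then pay out."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.ether < amount:
            return
        self.balances[who] = 0      # effect recorded first
        self.ether -= amount
        who.receive(self, amount)   # a re-entrant call now sees balance 0


def run_scenario(vault_cls, rounds=100):
    """Honest user deposits 100, attacker deposits 10, attacker withdraws.

    Returns (attacker_received, ether_left_in_vault).  Constructed amounts.
    """
    vault = vault_cls()
    honest, attacker = Honest(), Reentrant(rounds)
    vault.deposit(honest, 100)
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return attacker.received, vault.ether


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableVault))  # (110, 0)
    print("hardened:  ", run_scenario(HardenedVault))    # (10, 100)
```

In the vulnerable run the attacker's 10-unit credit is paid out eleven times until the vault is empty, which is why the honest depositor's recorded balance of 100 becomes unbackable; in the hardened run the re-entrant call finds a zero balance and returns, so the honest funds stay in the vault. A re-entrancy guard (a mutex flag set for the duration of withdraw) is a common second line of defence, but ordering the state update before the call is the change that removes the bug itself.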
How did Ethereum recover the funds?
At first, Ethereum considered several white-hat hacking techniques to recover the funds, but when those failed, recovering the hacked amount meant going back in time and making changes in the Ethereum system to roll back the fraudulent contract.
This is similar to a Back to the Future approach. Technically, an execution like this requires a soft fork or a hard fork. A fork means a change to the software or rules that drive the system. A soft fork requires the support of a majority of miners in the Ethereum DAO system. Though this was the initially proposed approach, it was ruled out due to a security flaw in the process. It finally came down to a hard fork, which essentially entails intervention by developers to change the software and create a new version of the network without the fraudulent contract. This was carried out yesterday, July 20th.
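The difference between the two kinds of fork comes down to how the block validity rule changes. A soft fork tightens the rule, so nodes that have not upgraded still accept every block the upgraded majority mines and simply follow along, which is why majority miner support is what it needs. A hard fork accepts something the old rule rejects, so un-upgraded nodes refuse those blocks and the network splits unless they upgrade. The following is an added example, not code from the original post or from Ethereum; the validity rules are toy predicates over a dict-shaped block, and the transaction limit and the `rollback` field are assumptions made for the illustration.

```python
"""Toy model of soft fork vs hard fork as a change of block validity rule.

Added example, not from the original post or from Ethereum.  Blocks are
dicts with a list of transaction ids and an optional "rollback" flag
standing in for a state rewrite that pre-fork rules never allowed.
"""


def old_rule(block):
    """Pre-fork rule every node runs (limits and fields are assumptions)."""
    return len(block["txs"]) <= 4 and not block.get("rollback", False)


def soft_fork_rule(block):
    """Soft fork: strictly tighter than old_rule (at most 2 transactions)."""
    return old_rule(block) and len(block["txs"]) <= 2


def hard_fork_rule(block):
    """Hard fork: permits the rollback block that old_rule rejects."""
    return len(block["txs"]) <= 4


# Constructed sample blocks covering each region of the rule space.
SAMPLE_BLOCKS = [
    {"txs": ["t1"]},
    {"txs": ["t1", "t2", "t3"]},
    {"txs": ["t1", "t2", "t3", "t4", "t5"]},
    {"txs": ["refund"], "rollback": True},
]


def classify(old, new, blocks):
    """'soft' when every block the new rule accepts, the old rule accepts too;
    'hard' as soon as one new-valid block is old-invalid."""
    for block in blocks:
        if new(block) and not old(block):
            return "hard"
    return "soft"


def unupgraded_node_follows(old, majority_rule, blocks):
    """Would a node still running `old` accept the chain a majority mines
    under `majority_rule`?  True means no split for that node."""
    mined = [b for b in blocks if majority_rule(b)]
    return all(old(b) for b in mined)


if __name__ == "__main__":
    print(classify(old_rule, soft_fork_rule, SAMPLE_BLOCKS))               # soft
    print(classify(old_rule, hard_fork_rule, SAMPLE_BLOCKS))               # hard
    print(unupgraded_node_follows(old_rule, soft_fork_rule, SAMPLE_BLOCKS))  # True
    print(unupgraded_node_follows(old_rule, hard_fork_rule, SAMPLE_BLOCKS))  # False
```

The last two calls are the operational point: under the soft fork an old node keeps following the majority chain without knowing anything changed, while under the hard fork the rollback block is rejected by every node that did not upgrade, which is what makes a hard fork a coordinated software change rather than a miner vote.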
This incident has brought forward many technical and ethical dilemmas around block chain technology. First is the concept of software developers changing the software to roll back changes in a transaction system. One of the basic tenets of block chain technology is immutability, and it looks violated in this case. The implication could be that financial and other mission-critical industries that adopt block chain might need to keep it as a Closed User Group (CUG) with tight controls, similar to the SWIFT network, rather than being participants in a public block chain.
The other aspect that comes into the picture is the possibility of a “tyranny of the majority”. Even if it is not in everyone's best interests, the majority view can prevail; this is how the block chain voting process works. This can lead to significant losses for minority sets of users participating in the system.
This incident has opened up many such questions that we will see getting debated and solved. It will definitely lead to faster maturity for block chain technology.
I would love to hear all your views on this incident and how you think this can shape the future of block chain technology.
Vinod Vasudevan is a co-founder of Paladion and has over 17 years of experience in the technology and information risk management domains. As the CTO at Paladion, Vinod has served large enterprise organizations across the globe in setting up integrated risk management systems and in streamlining system-based operations. He has held key positions with global firms including Microsoft. He is the co-author of “Application Security in the ISO27001 Environment” and “Enhancing Computer Security with Smart Technology”. He has also authored several papers. He sits on the expert panel of industry consortiums.