Science | Ethereum Battle for the Jedi!

Author: Spreeha Dutta

Translator: Meniscus

Production: Blockchain Base Camp

Ethereum is a blockchain-based open source platform that supports smart contracts. Ethereum, the cryptocurrency generated by the Ethereum platform, is the second highest cryptocurrency by market capitalization.

In June 2016, Ethereum found itself under attack. An unknown hacker used some existing vulnerabilities to steal more than 3.6 million Ethereum worth 50 million U.S. dollars.

To help newbies in the blockchain understand the entire attack process, here are some simple proper nouns:

DAO is a distributed autonomous organization. In this computer program, the organization's strategy and decision structure rely on smart contracts to execute on the blockchain. It is transparent to all participants and therefore does not require centralized authority.

A smart contract is a computer protocol designed to facilitate the negotiation of a contract digitally, verify the authenticity of the contract, and enforce the contract. Smart contracts do not require a third party to ensure the reliable execution of transactions. These transactions are trackable but irreversible. In short, smart contracts are code that executes on the Ethereum blockchain and can interact with Ethereum and user wallets.

The distributed ledger is a public database of all transactions on the Ethereum blockchain and is maintained by each Ethereum node.

Ethereum uses the above concepts. These blockchains have two important characteristics: security and immutability. If these very core principles are threatened, the stakeholders are bound to go crazy!

The backstory of the attack

Ethereum was founded in 2015 by 21-year-old Vitalik Buterin (founder of Ethereum, known as "V God"), and he hopes to achieve decentralization on the Internet through Ethereum. A crowdfunding campaign helped Ethereum raise capital (a total of $ 18 million worth of ether sold).

Ethereum is a distributed autonomous organization (DAO). "The DAO" is a DAO created in April 2016 by a German startup called Two months after launch, The DAO found himself under attack, and an unknown hacker kept extracting Ethereum from The DAO and transferred it to another child DAO, which had the same structure as the parent DAO. This caused the market price of Ethereum to fall sharply from $ 17.5 to $ 13.

What went wrong?

On June 17, The DAO announced that it had found a recursive call error, but claimed that there was no need to worry, all funds were safe. Six days later, an unknown hacker stole $ 50 million worth of ether. The attacker also claimed that his actions were within the legal limits of legal jurisdiction and that he could not be brought to criminal prosecution because everything he did was exploiting systemic loopholes.

What did the attacker do?

The hacker used the loophole to legally steal ether. Ethereum is a platform where transactions are calculated in units of "gas", where gas is the cost required to execute smart contracts on the blockchain. Attackers use this vulnerability to increase the size of the Ethereum blockchain through a large number of worthless illegal transactions. This results in transaction delays that are useful to attackers.

However, the attacker cannot withdraw the Ether in the child DAO within 28 days, because this funds is the initial fund raising period of the child DAO. Withdrawals from child DAOs trigger an alert. The attacker dared not take such a risk!

 To the DAO and the Ethereum community, 

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of "child DAOs".

I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

"The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO's code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO's code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO's code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO's code controls and sets forth all terms of The DAO Creation. "

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also the in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.

I hope this event becomes an valuable learning experience for the Ethereum community and wish you all the best of luck.

Yours truly, "The Attacker" ===== END SIGNED MESSAGE =====

Message Hash (Keccak): 0xaf9e302a664122389d17ee0fa4394d0c24c33236143c1f26faed97ebbd017d0e Signature: 0x5f91152a2382b4acfdbfe8ad3c6c8cde45f73f6147d39b072c81637fe81006061603affcdc6f6c6f

Ethereum's unresolved drawbacks

The problem that Ethereum designers did not solve is that all Ethereum is stored in one address. This gives room for hacking. Of course, the idea of ​​blocking attacks through forks did get the attention of participants, but the time was too short to form a consensus and get enough votes to fork.

Proposed solution

There are only two ways left. One is to do nothing and end up losing tens of millions of dollars. The second solution is to go in two steps, first with a soft fork and then with a hard fork. But this violates the main principle of "immutability" of the blockchain, and thus raises many questions.

"The development community proposes a soft fork (but it will not roll back, nor will it revoke transactions and blocks), which will invalidate all The DAO and its child DAO transactions, thereby preventing the attacker from withdrawing after 27 days Ethereum. Then make a hard fork again to get back all the Ethereum. "

-Vitalik Buterin's "Emergency Update: Vulnerabilities in The DAO", June 17

However, the idea of ​​soft forks has been shelved, as it raises many security concerns. On the other hand, most participants in Ethereum voted in favor of and agreed to the hard fork proposal.

I finally got through this difficulty …

The hard fork was implemented on July 20, 2016. Since then Ethereum has formed two chains: one is the original chain (Ethereum Classic, ETC), and the other is a new fork chain (ETH).

Later, Ethereum took various measures to prevent the scale of the blockchain from expanding again. It also adds extra protection against denial of service (DDoS) attacks.

Since then, Ethereum has stood up again from the attack. It changed the mining method from the proof-of-work principle to the proof-of-stake principle. Today, Ethereum has become the second largest currency in the market, with a market value of 45 billion U.S. dollars.

Original: How Ethereum Reversed a $ 50 Million DAO Attack!