There has been an attack on the DAO! The attacker is currently siphoning the Ether held in the DAO into a “child DAO”. Simply put, this person spotted a weakness in the contract and exploited it, draining roughly 40 million dollars' worth of Ether. The hack targeted a re-entrancy flaw in the DAO's split function: the function sends the caller's share of Ether before it updates the caller's balance, so an attacking contract can call the split function again from inside the split (from the code that runs when it receives the Ether) and collect the same share many times over in a single transaction.
So far no action has been taken, but the attacker cannot withdraw any of the ETH until 27 days have elapsed, which is the holding period for a newly created child DAO. This is a huge problem for the DAO. The Ethereum platform itself does not share this vulnerability: the bug is in the DAO contract, not in the protocol.
In response to the hack, a soft fork has been proposed. No blocks or transactions would be reversed once the software is deployed; instead, miners running it would treat as invalid any transaction that makes a call, call code or delegate call reducing the balance of an account with a particular code hash, that of the DAO contract, which its child DAOs share. The effect is to freeze the DAO and the attacker's child DAO alike.
What is a hack when you don’t have specifications?
First, to call something a bug or a hack, there has to be a specification of the intended behaviour against which the unwanted behaviour can be measured. No such specification was ever published for the DAO. Nor was there any stated specification of what the organization had to achieve to count as a success.
There is no documentation in the code explaining what the developers intended when they wrote it. The position taken was that the code stands on its own: the code is its own specification.
Colloquially, the attacker may simply have read the fine print more carefully than the developers themselves.
There is no safe haven at the moment
You might think it is easy to withdraw all your funds from the DAO once it comes under attack, but this is not the case. The developers of the DAO deliberately made it hard for anyone to withdraw their funds. You are not given the option to simply take out your Ether. Instead you have to split into a new child DAO, move your Ether into it, and leave it there for at least 27 days. A child DAO runs the same contract code, so if the attacker monitors the creation of child DAOs, he could enter those fledgling DAOs and drain them the same way before they are upgraded. Doing so is not easy, and it would invite even more condemnation, but the possibility is there.
Moving funds has a cost
The DAO was not built with a simple upgrade mechanism. In particular, there is now no way to migrate the DAO's current state to new contract code. The extra-balance account cannot be converted to a new contract version either, which means an extra-balance account holding a million dollars' worth of Ether is simply a write-off.
Is Ethereum ideal for secure smart contracts?
It is now clear that writing a general and safe smart contract requires the kind of diligence and discipline you would apply to the control software of a nuclear power reactor. Solidity, however, seems to have been designed more in the spirit of loosely written web code. The following are some of its mis-features, stated as the properties a better language would have.
A great language would make sure there is no state that is difficult to recover from.
A great language would make it crystal clear when state transitions can happen and when they cannot.
A great language for maintaining a live system would have features for improving the security of a contract that is already deployed.
An impeccable language would have no implicit actions: the code does exactly what it reads as doing, and nothing else.
The language used for the DAO does not fully satisfy any of these commandments. In fact, the violation of the last one, implicit action, is precisely what happened in the DAO: sending Ether to an address implicitly runs whatever code lives at that address, and that code was able to call straight back into the DAO. The developers even had both the implementer and the designer of Solidity review the code. If those people cannot confirm the security of the DAO, then nobody else can.
Right now the main worry is copycat attacks. Other people can learn from this event and do exactly the same thing to any contract with the same flaw.
Stopping the attacker
The main issue is that nobody knows how the Ethereum community will respond to this event. Rolling back the blockchain would do nothing but send a negative message: if contracts can simply be reversed, how are smart contracts any safer than ordinary paper contracts?
Watching the organization being attacked is genuinely depressing and brings a whole new set of emotions about the DAO. Apparently, there is no reliable long-term solution. Perhaps the developers will simply freeze the DAO and allow investors to withdraw their Ether to limit the ill-feeling. But in the end there is no approach that will put a smile on everyone's face.
Smart contracts are revolutionary and will remain one of the most exciting fields in fintech. We have only started scratching the surface. As they say, every new project has its growing pains. Every early stage faces setbacks, and the hope is that Ethereum will come up with a good solution in the next few weeks, emerging stronger than before.