A vulnerability in the way some developers are implementing Ethereum has resulted in a last-minute fix to The DAO, a distributed autonomous organization with over $150m at its disposal to invest in Ethereum-based projects.
Without a leader or any formal security team to identify and fix potential security threats, that responsibility falls to an open-source community comprised of members who bought voting rights in the organization with ether as part of its creation phase.
While the identities of some of those involved are still unclear, the method by which the vulnerability was identified and reportedly fixed amounts to the first real-world test of The DAO’s structure and problem-solving techniques.
The issue kicked off last week, when GitHub user chriseth “casually pointed out a terrible, terrible attack on wallet contracts” that could arise from the way some developers were implementing smart contracts written with Ethereum’s Solidity language, according to Blockchain Foundation founder Peter Vessenes.
Vessenes’ own blog post about the issue then caught the attention of a Reddit user affiliated with the Maker DAO, which is built on the Ethereum blockchain.
The vulnerability, which lets attackers drain one particular type of account, was then successfully tested by the Maker DAO, according to their post, which in turn caught the attention of eththrowa, a user of The DAO members’ forum.
Eththrowa confirmed that the vulnerability also existed in the implementation then being used by The DAO, which was built using open-source software written by Slock.it, and is the largest distributed autonomous organization with about $162m worth of ether currently at its disposal.
It was that post that, in the end, caught the attention of Slock.it founder Stephen Tual. He, along with other forum members, promptly responded and a day later posted a link to a fix.
Yesterday, Tual announced a series of upgrades to the project’s software designed to combat the vulnerability, along with other game-theoretic attack vectors unrelated to the “recursive call” vulnerability, as it is now being called.
In his post, Tual wrote:
“We extend our gratitude to the community … who once again proved that an open development process leads to the rapid identification, isolation and resolution of potential vulnerabilities, and in this case, the overall improvement of design patterns as part of programming languages.”
No DAO funds were at risk due to the vulnerability, according to a separate post.
Launched earlier this year by an unnamed person or group, The DAO is built on open-source code that lets users collectively vote on how to disburse funds to projects that members think are worthy, and to receive dividends if a funded project is successful.
In this case, the vulnerability would have let a recipient of those dividends “drain many times his entitlement by calling the contract recursively,” according to eththrowa.
But as Vessenes’ post on Friday made clear, the recursive call threat wasn’t just a weakness in The DAO, but a more general issue with the way some developers implement smart contracts written in the Solidity programming language.
In an email to CoinDesk, Vessenes provided a more technical description of the vulnerability:
“All public Solidity functions that send money or use ‘call’ on another contract may be called recursively by an attacking recipient. This isn’t how Bitcoin works, so it might be a surprise to inexperienced Ethereum developers. The practical implication is that each of your functions (and in fact your entire contract) should be ‘reentrant’, which is to say they should function the same if parts of it are re-called prior to completion.”
Ethereum Foundation member Taylor Gerring told CoinDesk that Vessenes’ original description of the problem was accurate. However, he added that the vulnerability won’t require any changes to the Ethereum codebase to fix.
Rather, the vulnerability requires a different kind of implementation by developers.
In an interview, Gerring said the vulnerability “is a concern insofar as a human programmer may make this problem” but “it’s not an inherent problem with Solidity or EVM [the Ethereum Virtual Machine]”, the scripting language and code interpreters that power the network.
Vessenes included two possible solutions to the “recursive call” weakness in his post.
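To make the pattern described in Vessenes’ email concrete, here is an added example in modern Solidity. It is not The DAO’s or Slock.it’s code, nor one of the two solutions from Vessenes’ post: the same dividend withdrawal is written first with the ether sent before the entitlement is cleared, then reordered as checks, effects, interaction with a mutex so a nested call reverts.

```solidity
pragma solidity ^0.8.0;
// Added example (not Slock.it / The DAO code): a dividend payout written two
// ways, the pattern Vessenes warns about and a checks-effects-interactions fix.

contract VulnerableDividends {
    mapping(address => uint256) public entitlement;

    function deposit() external payable {
        entitlement[msg.sender] += msg.value;
    }

    // Unsafe: ether is sent before the entitlement is cleared. When the
    // recipient is a contract, its receive()/fallback runs inside this call
    // and can call withdraw() again while entitlement is still non-zero.
    function withdraw() external {
        uint256 amount = entitlement[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // control leaves here
        require(ok, "send failed");
        entitlement[msg.sender] = 0;                       // effect recorded too late
    }
}

contract SafeDividends {
    mapping(address => uint256) public entitlement;
    bool private locked;

    // Mutex: a re-entered call hits the require and the whole transaction reverts.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        entitlement[msg.sender] += msg.value;
    }

    // Check, zero the balance, then send. Even without the guard a
    // re-entered withdraw() now sees entitlement == 0 and reverts.
    function withdraw() external nonReentrant {
        uint256 amount = entitlement[msg.sender];
        require(amount > 0, "nothing to withdraw");
        entitlement[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

The only difference between the two withdraw functions is the position of the `entitlement[msg.sender] = 0` line relative to the external call; a static review that flags state writes after `.call` catches the unsafe ordering.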
Other fixes specific to The DAO’s code, also announced yesterday by Slock.it, are designed to resolve potential issues that some have pointed out regarding the organization’s governance model.
Specifically, these are fixes to certain game-theoretic attacks, including what is called a “yes bias”, which results from a disincentive to cast “no” votes. The fixes have been implemented in the form of pull requests on GitHub.
Now it’s up to the 23,000 voting members of The DAO to agree to the changes or push for an alternative solution.
Tual wrote on the Slock.it blog:
“This is a completely open-source project. Starting today and during the course of a two-week review period, everyone including curators are encouraged to review and participate in the release.”