Ongoing attack on TheDAO - ETH draining from the pot

in #thedao · 8 years ago (edited)

Someone is attacking DAO

There is an attack going on against "theDAO". A recently discovered recursive-split attack can be used to initiate ether-sends before the contract has burned the caller's tokens. By this, the contract hands over ETH that the caller should not have control over.

Technically, this attack can be continued until all ETH are drained from "the DAO".
It seems Daniel Larimer was right about Is The Dao going to be DAO

Reddit-Quotes

The DAO ETH Balance was 11,599,353.25 Ether 24 hours ago with a total
Token Supply of 1,159,931,811.69 TheDAO, now there is currently only
8,914,536.17 Ether with a total Token Supply: 1,159,813,810.27 TheDAO.

So 118001.42 tokens have split with 2684817.08 Eth? 22.75 Eth per DAO
token? Can someone explain?

Someone is draining the DAO using recursive splitDAO calls

It is according to slack. Someone is stealing like $1.000.000 worth of
ether a minute

Update 1

On Slack, the DAO curator and community members encourage everyone to start spamming the Ethereum network to slow down the attacker. Not sure if this will work out as desired.

griff [10:05 AM] >@channel The DAO is being attacked. It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill.

You can help:

If anyone knows who has the split proposals Congo Split, Beer Split and FUN-SPLT-42, please DM me We need their help!

If you want to help, you can vote yes on those aforementioned split proposals, especially people whose tokens are blocked because they voted for Prop 43 (the music app one).

We need to spam the Network so that we can mount a counter attack all the brightest minds in the Ethereum world are in on this.

please use this:

for (var i = 0; i < 100; i++) {
  // geth console loop: sends 100 transactions from account 4
  eth.sendTransaction({
    from: eth.accounts[4],
    gas: 2300000,
    gasPrice: web3.toWei(20, 'shannon'),
    data: '0x5b620186a05a131560135760016020526000565b600080601f600039601f565b6000f3'
  })
}

to spam the chain

Update 2

Massive DAO dumping

Massive ETH dumping

Update3

Either poloniex is extremely unresponsive, or they have halted the DAO markets.

Update 4

Slock.it has started a blog post with live updates containing the content cited above. My hopes that it was slock.it attacking the DAO to prevent others from profiting from it just vanished :( too bad

It seems that the attack is still ongoing and draining ETH from theDAO.

Update 5

toast (famous member of the BitShares community and creator of MAKER)
has posted this on reddit:

thanks @tuck-fheman

Update 6

Apparently, the attacker has managed to gain 3.3M ETH (thanks @rainman)

Update 7

It seems Vitalik has started working on this. He asked for the guy that has a split contract to terminate in 2h. Maybe he is able to run a counter draining attack.

Meanwhile,

  • etherscan.io became unresponsive.
  • attack still ongoing with another 10k ETH moving over to the attackers wallet
  • ETH/BTC just touched 0.0172200 on poloniex (down 25%)
  • DAO/BTC just touched 0.00008520 on poloniex (down 65%)

Update 8

  • Still 8,118,797 ETH in DAO contract
  • Attacker now has 3,477,054 ETH
  • To clarify: The attack on the DAO is an exploit of the DAO's contract code; ETHEREUM is still working as it is supposed to. Hence, the DAO is broken, Ethereum is still fine. Whether this has any influence on the price of ETH is left to the reader to decide!
  • Interestingly, the price of DAO on poloniex rises again, even though the attacker seems to still be attacking the DAO and draining its funds, back at 0.00014499 BTC/DAO

Update 8 - Fri Jun 17 12:20:24 CEST 2016

  • DAO contract: 8,049,054.83 ETH
  • Attacker: 3,544,406.91 ETH

An edit on the Security Advisory (https://blog.slock.it/dao-security-advisory-live-updates-2a0a42a2d07b#.sior2rz5s) appeared:

We’re seeing a strong mobilization of the entire community: experts in the field, the Ethereum Foundation, exchanges and miners are coming together to assess the situation and mitigate the attack.
If you’d like to help, please continue to spam the Ethereum network as per the instructions below.

Update 9 - Fri Jun 17 12:23:00 CEST 2016

Thanks @pfunk:

griff 4:52 AM @channel Update: The person has their ETH locked in a Child DAO,
so they will not be able to get the ETH out for a long time, there will
be a fix. The entire Ethereum Ecosystem is collaborating on a solution.

Meanwhile, the prices of DAO and ETH seem to recover

  • ETH lastprice: 0.02352067
  • DAO lastprice: 0.00016699

Update 10 - Fri Jun 17 13:11:04 CEST 2016

Friday 17/6–12:01 UK time
The Ethereum Foundation has published its statement and a description of
the solution.
In summary, a hardfork will retrieve all stolen funds from the attacker.
If you have purchased DAO tokens, you will be transferred to a smart
contract where you can only retrieve funds. Since no money in the DAO
was ever spent, nothing was lost.

Blog (currently down)

Update 11 - Fri Jun 17 13:13:21 CEST 2016

Blog Content on Pastebin

CRITICAL UPDATE Re: DAO Vulnerability
Posted by Vitalik Buterin on June 17th, 2016.

An attack has been found and exploited in the DAO, and the attacker is
currently in the process of draining the ether contained in the DAO into
a child DAO. The attack is a recursive calling vulnerability, where an
attacker called the “split” function, and then calls the split function
recursively inside of the split, thereby collecting ether many times
over in a single transaction.

The leaked ether is in a child DAO at
https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490;
even if no action is taken, the attacker will not be able to withdraw
any ether at least for another ~27 days (the creation window for the
child DAO). This is an issue that affects the DAO specifically; Ethereum
itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK;
no transactions or blocks will be “reversed”) which will make any
transactions that make any calls/callcodes/delegatecalls that execute
code with code hash
0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie.
the DAO and children) lead to the transaction (not just the call, the
transaction) being invalid, starting from block 1760000 (precise block
number subject to change up until the point the code is released),
preventing the ether from being withdrawn by the attacker past the
27-day window. This will later be followed up by a hard fork which will
give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal,
wait for the soft fork code and stand ready to download and run it if
they agree with this path forward for the Ethereum ecosystem. DAO token
holders and ethereum users should sit tight and remain calm. Exchanges
should feel safe in resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive
call bugs, and listen to advice from the Ethereum contract programming
community that will likely be forthcoming in the next week on mitigating
such bugs, and (2) avoid creating contracts that contain more than ~$10m
worth of value, with the exception of sub-token contracts and other
systems whose value is itself defined by social consensus outside of the
Ethereum platform, and which can be easily “hard forked” via community
consensus if a bug emerges (eg. MKR), at least until the community gains
more experience with bug mitigation and/or better tools are developed.

Developers, cryptographers and computer scientists should note that any
high-level tools (including IDEs, formal verification, debuggers,
symbolic execution) that make it easy to write safe smart contracts on
Ethereum are prime candidates for DevGrants, Blockchain Labs grants and
String’s autonomous finance grants.

This post will continue to be updated.
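The recursive-call bug Vitalik describes above (the same "ether-sends before the contract burns them" ordering mentioned at the top of this post), as a constructed Python model added here for illustration. It is not the DAO's Solidity code, nor anything from Slock.it or the Foundation; the vault, the recipient, the amounts and the receive() hook standing in for a Solidity fallback function are all assumptions of the model.

```python
"""Toy model of the recursive-call (re-entrancy) bug described in this post.

Constructed for this write-up; it is not the DAO's Solidity code. Integers stand
in for wei, and "sending ether" is a Python method call into the recipient,
which is exactly where the recursive call can happen.
"""


class CallFailed(Exception):
    """Stands in for a failed EVM call (e.g. a value transfer the contract cannot cover)."""


class VulnerableVault:
    """Pays the caller out *before* burning their credit, the ordering the DAO had."""

    def __init__(self, funds):
        self.pot = funds        # ether the contract holds (assumed starting value)
        self.balances = {}      # depositor -> amount they may withdraw

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pot += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.pot < amount:
            raise CallFailed("contract cannot cover the send")
        # Interaction first: ether leaves and the recipient's code runs...
        self.pot -= amount
        who.receive(self, amount)
        # ...the credit is burned only afterwards, so a call that re-enters
        # from receive() still sees the original balance and is paid again.
        self.balances[who] = 0


class HardenedVault(VulnerableVault):
    """Checks-effects-interactions ordering plus a re-entrancy lock."""

    def __init__(self, funds):
        super().__init__(funds)
        self.locked = False

    def withdraw(self, who):
        if self.locked:                      # belt and braces: refuse nested calls
            raise CallFailed("re-entrant call rejected")
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.pot < amount:
            raise CallFailed("contract cannot cover the send")
        # Effects first: the credit is gone before any external code runs.
        self.balances[who] = 0
        self.pot -= amount
        self.locked = True
        try:
            who.receive(self, amount)        # interaction last
        finally:
            self.locked = False


class ReentrantRecipient:
    """Recipient whose receive() hook calls withdraw() again while the first call is live."""

    def __init__(self, max_reentries):
        self.max_reentries = max_reentries   # bounded so the model terminates
        self.reentries = 0
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reentries < self.max_reentries:
            self.reentries += 1
            try:
                vault.withdraw(self)         # the recursive call
            except CallFailed:
                pass                         # like a low-level call returning false


def simulate(vault_cls, honest_funds=100, deposit=10, reentries=5):
    """Return (amount the recipient ended up with, ether left in the contract)."""
    vault = vault_cls(honest_funds)
    recipient = ReentrantRecipient(reentries)
    vault.deposit(recipient, deposit)
    vault.withdraw(recipient)
    return recipient.received, vault.pot


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableVault))   # (60, 50): 10 deposited, 60 taken
    print("hardened:  ", simulate(HardenedVault))     # (10, 100): paid exactly once
```

The vulnerable class pays out first and zeroes the credit afterwards, so a recipient that calls withdraw() again from inside the payout is paid again at every nesting level; the hardened class zeroes the credit before any external code runs and adds a lock that makes a nested call fail outright. With a deposit of 10 against a pot of 100 the first model hands out 60 and the second exactly 10; with an empty pot the drain stops as soon as the contract cannot cover the send, which is why the post's "continued until all ETH are drained" is the worst case.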

Update 12 - Fri Jun 17 14:23:34 CEST 2016

  • DAO: 7,930,715.34 ETH
  • Attacker: 3,641,694.24 ETH

Last Prices:

  • ETH recovering: 0.02392174 (-10% 24h)
  • DAO recovering: 0.00019941 (-18% 24h)

Update 13 - Fri Jun 17 16:18:13 CEST 2016

Either the Ethereum block explorer doesn't update anymore, or the attacker has stopped draining the DAO.
At least the amount stored in the attacker's address hasn't changed for 2 hours.

  • Attacker: 3,641,694.24 ETH

Resources


You're doing a great job reporting on this xeroc, thanks!

I fixed the DAO link in the OP!

Attacker's account is growing fast! TheDao might hit 0 marketcap in a few hours.

This is one reason why we at Compumatrix are using the decentralized exchange and the bitshares/openledger platform. The DAO is truly going DOA as Dan has penned.

Thanks! This proves Steem suffices as a news channel as long as someone else keeps an eye on the outside world.

Ether's Holders right now...

This article suddenly becomes relevant.
Will The DAO Become Ethereum's Mt Gox?

As stakeholders in the world's largest decentralized autonomous organization (DAO) descend into forums to debate its future, concerns are emerging about what the success or failure of The DAO could mean for Ethereum, the blockchain platform that enabled its creation.

Update from Val: (to summarize no DAO tokens will be lost and since The DAO was only holding Ether, nothing is lost) The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490; even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that reduce the balance of an account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

... and what happens to the poor saps who panic sold on the exchanges? I don't think they will touch Ether or the DAO again, among other things.

I hope that it is an error that is resolved soon and everything is just in "shock", because this kind of news makes people who do not understand this world wary and think this has no future, that it is a scam, etc., which keeps cryptocurrencies from moving forward and gaining ground.
A single piece of bad news pulled down several good ones.

Technically, theDAO is already insolvent because it can't pay back the Ether to all original investors anymore.

This is likely to have tsunamic ripple effects.

Everyone is dumping DAO and ETH at the moment.

Red candles everywhere; this looks like it's going to be a bloodbath, and the harm to Ether's reputation may be lasting. Definitely not as battle-hardened as Bitcoin.

Let's see what happens with Waves on the 20th.
