Home / Capital & Crypto / Ethereum’s Solidity Flaw Exploited in DAO Attack Says Cornell Researcher

Ethereum’s Solidity Flaw Exploited in DAO Attack Says Cornell Researcher

Last Updated March 4, 2021 4:49 PM
Andrew Quentson
Last Updated March 4, 2021 4:49 PM

Ethereum itself seems to be flawed according to the latest developments on the DAO Hack. Philip Daian, a researcher at Cornell University’s Initiative for Crytocurrencies & Contracts, just presented his latest findings on the hack, concluding:

I would lay at least 50% of the blame for this exploit squarely at the feet of the design of the Solidity language.  This may bolster the case for certain types of corrective action.

I refuse to lay the blame exclusively on a poorly coded contract when the contract, even if coded using best practices and the following language documentation exactly, would have remained vulnerable to attack.

In a highly technical publication detailing the exploits that the hacker may have used, Daian stated:

[T]his was actually not a flaw or exploit in the DAO contract itself: technically the EVM was operating as intended, but Solidity was introducing security flaws into contracts that were not only missed by the community, but missed by the designers of the language themselves.

These latest findings are likely to have a significant effect on the fork debate that is currently on-going in the Ethereum community with the researcher suggesting in a tweet  that “the case for a fork becomes clearer and more analogous to previous BTC forks” as the flaw in Ethereum’s Solidity smart contract programming language is revealed.

A hard fork, therefore, will be necessary to correct the bug in Solidity. Currently, an emergency softfork has already been merged with potential activation in just four days. However, It is not clear whether miners are upgrading with Dwarfpool’s admin stating that they were “still learning about the DAO incident,” while Etherpool is undergoing a vote.

These latest findings are likely to raise questions on the security of Ethereum’s smart contract protocol itself with some wondering whether the Turing complete approach can be secure considering the potentially many parameters that cannot be fully known.

Vitalik Buterin recently published an update on smart contract security  without any suggestions that Ethereum itself may be flawed. These latest findings, however, are likely to bring a more holistic focus on the entire system with security now of paramount importance.

Featured image from Shutterstock.