Ethereum: We Haven’t Seen the Last of the Bug That Killed the DAO

More than two years after the collapse of The DAO thrust the Ethereum community into civil war, one of the bugs that caused that caused that black swan event continues to lurk in many smart contracts, waiting to be exploited by hackers.

That’s according to Emin Gün Sirer‏, a computer science professor at Cornell and the co-director of cryptocurrency research initiative IC3, who said that he has seen a variety of smart contracts that may be vulnerable to a “reentrancy” attack that allows a malicious user to drain ETH from a payment channel.

“BTW, I've seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I'm sure this isn't the last episode of this bug,” he wrote on Twitter.

Sirer was commenting on the news that SpankChain, an adult entertainment startup whose platform runs partially on Ethereum smart contracts, had been hacked for nearly $40,000 worth of cryptocurrency over the weekend.

As CCN reported, the company said that the hacker used a reentrancy attack to siphon 1165.38 ETH out of the smart contract over a series of transactions. In short, the attacker used a malicious smart contract to trick the SpankChain contract into believing that the attacker could withdraw funds from the payment channel.

The firm explained:

“The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”

ethereum

As both Spankchain and Sirer noted, the attack was similar to the one that crippled The DAO, a decentralized venture capital fund that long held the record for most funds raised by an initial coin offering (ICO).

Worth as much as $150 million at a time when the total market cap of ethereum was still far below $2 billion, The DAO held nearly 15 percent of the total ETH supply on June 17, 2016, when an attacker stole 3.6 million ETH -- today worth nearly $815 million -- by exploiting its vulnerable smart contract.

We all know what happened next: a series of futile attempts to recover the funds, the infamous chat room conversation, and the contentious hard fork that resulted in the creation of Ethereum Classic.

Now, more than two years later, Ethereum has largely put The DAO hack in its rearview mirror. The ethereum price, which plunged as low as $6 in the months following the hack, now stands at $230. Hundreds of blockchain startups have used Ethereum to raise billions of dollars through ICOs, and thousands of developers are building decentralized applications (dApps) that run on the platform.

However, though the consequences may not always be quite as serious as they were on that infamous morning in June 2016, the bug that permanently altered the cryptocurrency landscape appears determined to continue to rear its ugly head.

Images from Shutterstock

This article is protected by copyright laws and is owned by CCN Markets.

About the author

Josiah Wilmoth
Josiah Wilmoth

Josiah is the US Editor at CCN, where he focuses on financial markets and cryptocurrencies. He has written over 2,000 articles since joining CCN in 2014. His work has also been featured on ZeroHedge, Yahoo Finance, and Investing.com. He holds bitcoin, but does not engage in day trading. He lives in rural Virginia. Follow him on Twitter @y3llowb1ackbird or email him directly at josiah.wilmoth(at)ccn.com.

Do NOT follow this link or you will be banned from the site!