The total is rising and closing in on $60 million, with a fresh attack reported Sunday. The latest attack was small, according to the Ethereum reddit community, and apparently the result of a "test" of the exploited vulnerability.
The new attack used the same "recursive call" flaw that was used in the recent attack that ended up draining nearly $60 million USD worth of Ether out of the DAO. It appears there has been more than one of these "copycat" attacks as others "test" the vulnerability.
Ether trading on exchanges continues to suffer as well, having made no recovery since the DAO hack.
It's not the first attack of the sort. Vitalik Buterin listed in a blog post that other attacks of the same "recursive call" nature had also occurred. These were listed as:
- The DAO (obviously)
- The "payout index without the underscore" ponzi
- The casino with a public RNG seed
- Governmental (1100 ETH stuck because payout exceeds gas limit)
- 5800 ETH swiped (by whitehats) from an ETH-backed ERC20 token
- The King of the Ether game
- Rubixi: fees stolen because the constructor function had an incorrect name, allowing anyone to become the owner
- Rock paper scissors trivially cheatable because the first to move shows their hand
- Various instances of funds lost because a recipient contained a fallback function that consumed more than 2300 gas, causing sends to them to fail.
- Various instances of call stack limit exceptions.
Damned if you do, Damned if you don't
Correcting the vulnerability seems to be a toxic topic that's going to be easier said than done. To prevent further demolition of the already battered DAO and its funds (as well as others vulnerable to the recursive attack), a fork has been proposed. This is your classic "damned if you do, damned if you don't" scenario.
Damned if you do:
If Ethereum does a fork to roll back the transaction or block it from happening again, you essentially provide a "bail-out" for the parties involved, which basically destroys the integrity of the network. For a system based on blockchain technology this breaks the very trust it provides. With Ethereum as small as it is currently, this is still theoretically possible to do with miner support. The problem is not whether it can be done; it's whether it should be done.
The loss is tragic, and sad, but destroying the integrity of the network could be catastrophic. Then moving forward, how are you to determine who gets a bail-out? Under this fork transactions are no longer guaranteed. Very messy...damned if you do.
Damned if you don't:
If you do nothing, then the Ethereum community is going to just sit there and watch as more and more funds are stolen, essentially knowingly giving the hackers a free pass to steal 150 million in Ether. This is almost as bad as the fork. It gives the impression of "your transactions are not safe AND we'll do nothing to help you when something bad happens". Messy and morally questionable... Damned if you don't.
There really is no right answer short of a time machine, which is roughly what the fork proposes. Whether or not it happens, not everybody is going to like it. Ethereum is going to have to endure some more damage and chalk this lesson up to a growing pain.
That may sting a bit and ache for a long time, but there's nothing that can be done about it now; Bitcoin and the blockchain have certainly felt a pinch or two like this in their history. Mt Gox took nearly 3 years to recover from fully.
However, Mt Gox was not the end of the world, and neither will the DAO hack be the end of ethereum. In a way this is a good thing. Ethereum is still young enough to recover from something like this without major destruction, and most people knowledgeable in the industry half-expected problems like this anyway. It's time to just suck it up and move past it while hoping for the best long term.
Arguing isn't going to fix anything and at the end of the day either decision will be the wrong one.
It is what it is.
Report by dinbits
Image by dinbits.com staff