Tuesday, June 21, 2016

Ethereum bit off more than they can chew

Wen and Miller, security pros, watch Ethereum:
Smart contract programming in Ethereum is notoriously error-prone [1]. We've recently seen that several high-profile smart contracts, such as King of the Ether and The DAO-1.0, contained vulnerabilities caused by programming mistakes. 
Smart-contract programmers have been warned about particular programming hazards that can crop up when contracts send messages to each other since March 2015, when the Ethereum Foundation commissioned a security report [6] from Least Authority about the Ethereum Virtual Machine. Multiple programming guides contain best-practice recommendations to avoid common pitfalls (in the official Ethereum docs [3], and in an independent guide from UMD [2]). While these hazards seem like they should be straightforward to recognize and to avoid, the consequences of even a single mistake are dire: money can get stuck, destroyed, or stolen.

These folks know the vulnerabilities, and are likely persons of interest in the so-called hack. But the hack is a feature, not a bug:

Forbes: For the geeks among you, Phil Daian at Hacking, Distributed has an excellent dissection of exactly how this worked. For ordinary mortals, all you need to know is that the DAO’s attacker created a “child” DAO, then drained the DAO’s funds into the child.
And this is where it all becomes unintentionally funny. There is absolutely nothing new about draining corporate funds into a new company. Embezzlers the world over have been doing this for centuries. In the real world, it is illegal. But in the DAO’s case, it isn’t. The DAO’s “smart contract” allows it. 
The ether coins drained in the hack are in ether limbo, awaiting a timeout before completion. The drainer is offering a deal: they release 70% back to the system but keep 30%. Sounds like a deal can be had.
