There is an attack going on against "theDAO". A recently discovered recursive-split attack can be used to initiate ether sends before the contract burns the corresponding tokens. Through this, the contract hands over ETH that you should not have control over.
Technically, this attack can be continued until all ETH is drained from "the DAO".
It seems Daniel Larimer was right about "Is The DAO going to be DOA".
Reddit quotes
The DAO ETH Balance was 11,599,353.25 Ether 24 hours ago with a total Token Supply of 1,159,931,811.69 TheDAO, now there is currently only 8,914,536.17 Ether with a total Token Supply: 1,159,813,810.27 TheDAO. So 118001.42 tokens have split with 2684817.08 Eth? 22.75 Eth per DAO token? Can someone explain?
Someone is draining the DAO using recursive splitDAO calls
It is according to slack. Someone is stealing like $1.000.000 worth of
ether a minute
Update 1
On slack, the DAO curators and community members encourage everyone to start spamming the Ethereum network to slow down the attacker. Not sure if this will work out as desired.
griff [10:05 AM] >@channel The DAO is being attacked. It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill.
You can help:
If anyone knows who has the split proposals Congo Split, Beer Split and FUN-SPLT-42, please DM me We need their help!
If you want to help, you can vote yes on those aforementioned split proposals, especially people whose tokens are blocked because they voted for Prop 43 (the music app one).
We need to spam the Network so that we can mount a counter attack all the brightest minds in the Ethereum world are in on this.
please use this:
for (var i = 0; i < 100; i++) { eth.sendTransaction({from: eth.accounts[4], gas: 2300000, gasPrice: web3.toWei(20, 'shannon'), data: '0x5b620186a05a131560135760016020526000565b600080601f600039601f565b6000f3'}) }
to spam the chain
Update 2
Massive DAO dumping
Massive ETH dumping
Update 3
Either poloniex is extremely unresponsive, or they have halted the DAO markets.
Update 4
Slock.it has started a blog post with live updates containing the content cited above. My hope that it was slock.it itself attacking the DAO, to prevent others from profiting from the bug, has just vanished :( too bad
It seems that the attack is still ongoing and draining ETH from theDAO.
Update 5
toast (famous member of the BitShares community and creator of MAKER)
has posted this on reddit:
thanks @tuck-fheman
Update 6
Apparently, the attacker has managed to gain 3.3M ETH (thanks @rainman)
Update 7
It seems Vitalik has started working on this. He asked for the guy whose split contract terminates in 2h to get in touch. Maybe he will be able to run a counter-draining attack.
Meanwhile,
- etherscan.io became unresponsive.
- attack still ongoing with another 10k ETH moving over to the attacker's wallet
- ETH/BTC just touched 0.0172200 on poloniex (down 25%)
- DAO/BTC just touched 0.00008520 on poloniex (down 65%)
Update 8
- Still 8,118,797 ETH in DAO contract
- Attacker now has 3,477,054 ETH
- To clarify: The attack on the DAO is an exploit of the DAO's contract code, ETHEREUM is still working as it is supposed to. Hence, the DAO is broken, Ethereum is still fine. Whether this has any influence on the price of ETH is left to the reader to decide!
- Interestingly, the price of DAO on poloniex is rising again, even though the attacker seems to still be attacking the DAO and draining its funds; back at 0.00014499 BTC/DAO
Update 8 - Fri Jun 17 12:20:24 CEST 2016
- DAO contract: 8,049,054.83 ETH
- Attacker: 3,544,406.91 ETH
An edit on the [Security Advisory](https://blog.slock.it/dao-security-advisory-live-updates-2a0a42a2d07b#.sior2rz5s) appeared:
We’re seeing a strong mobilization of the entire community: experts in the field, the Ethereum Foundation, exchanges and miners are coming together to assess the situation and mitigate the attack.
If you’d like to help, please continue to spam the Ethereum network as per the instructions below.
Update 9 - Fri Jun 17 12:23:00 CEST 2016
Thanks @pfunk:
griff 4:52 AM @channel Update: The person has their ETH locked in a Child DAO,
so they will not be able to get the ETH out for a long time, there will
be a fix. The entire Ethereum Ecosystem is collaborating on a solution.
Meanwhile, the prices of DAO and ETH seem to recover
- ETH last price: 0.02352067
- DAO last price: 0.00016699
Update 10 - Fri Jun 17 13:11:04 CEST 2016
Friday 17/6–12:01 UK time
The Ethereum Foundation has published its statement and a description of
the solution.
In summary, a hardfork will retrieve all stolen funds from the attacker.
If you have purchased DAO tokens, you will be transferred to a smart
contract where you can only retrieve funds. Since no money in the DAO
was ever spent, nothing was lost.
Blog
(currently down)
Update 11 - Fri Jun 17 13:13:21 CEST 2016
CRITICAL UPDATE Re: DAO Vulnerability
Posted by Vitalik Buterin on June 17th, 2016.

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490; even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community that will likely be forthcoming in the next week on mitigating such bugs, and (2) avoid creating contracts that contain more than ~$10m worth of value, with the exception of sub-token contracts and other systems whose value is itself defined by social consensus outside of the Ethereum platform, and which can be easily “hard forked” via community consensus if a bug emerges (eg. MKR), at least until the community gains more experience with bug mitigation and/or better tools are developed.

Developers, cryptographers and computer scientists should note that any high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum are prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous finance grants.

This post will continue to be updated.
Update 12 - Fri Jun 17 14:23:34 CEST 2016
- DAO: 7,930,715.34 ETH
- Attacker: 3,641,694.24 ETH
Last Prices:
- ETH recovering: 0.02392174 (-10% 24h)
- DAO recovering: 0.00019941 (-18% 24h)
Update 13 - Fri Jun 17 16:18:13 CEST 2016
Either the Ethereum block explorer doesn't update anymore, or the attacker has stopped draining the DAO.
At least the amount stored in the attacker's address hasn't changed for 2 hours.
- Attacker: 3,641,694.24 ETH
Resources
- https://live.ether.camp/account/bb9bc244d798123fde783fcc1c72d3bb8c189413
- https://live.ether.camp/account/304a554a310C7e546dfe434669C62820b7D83490
- https://www.reddit.com/r/ethereum/comments/4oi2ta/i_think_thedao_is_getting_drained_right_now/
- https://www.reddit.com/r/TheDao/comments/4ohwgu/one_of_the_whales_has_split_from_the_dao/
- https://blog.slock.it/dao-security-advisory-live-updates-2a0a42a2d07b#.lge9kb6rl
- https://news.ycombinator.com/item?id=11921216
- https://www.cryptocoinsnews.com/ethereum-to-hardfork-dao-to-be-dismantled/
- https://www.reddit.com/r/ethereum/comments/4oiqj7/critical_update_re_dao_vulnerability/
- http://pastebin.com/xW16N7Ye