The future of Ethereum, and of one of its key supporters, The DAO, is in doubt after hackers exploited software flaws in the latter’s code to steal millions of units of the currency (ether), worth around $60 million.
According to the co-founder of Ethereum, Vitalik Buterin, the hackers exploited a “security hole in recursive calls”.
In this way, they could call the “split” function of the DAO software system and “then recursively call the split function within the split, which collected the ether many times over in a single transaction,” he explained in a blog post.
A second flaw was then exploited so that the hackers could repeat this attack over and over again.
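The recursive-call flaw described above, as an added illustration that is not code from the article or from The DAO: a small Python model of a contract whose payout function makes its external call before clearing the caller’s balance, beside the hardened ordering (update state first, then call out). The names Vault, split, Reentrant and drained, and the ether amounts, are constructed for this example.

```python
class Vault:
    """Holds member deposits; split() pays a member out and clears their balance."""

    def __init__(self, safe: bool) -> None:
        self.safe = safe                     # True = hardened ordering
        self.balances: dict[str, int] = {}
        self.pool = 0                        # total ether the contract holds

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def split(self, who: str, recipient) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.safe:
            # Hardened: zero the balance BEFORE the external call, so a
            # re-entrant split() sees 0 and returns without paying again.
            self.balances[who] = 0
            self.pool -= amount
            recipient.receive(self, amount)
        else:
            # Vulnerable: external call first, balance cleared afterwards,
            # so the callee can re-enter split() while its balance still stands.
            self.pool -= amount
            recipient.receive(self, amount)
            self.balances[who] = 0


class Reentrant:
    """Test double: a recipient whose receive hook calls split() again."""

    def __init__(self, who: str, depth: int) -> None:
        self.who, self.depth, self.got = who, depth, 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.got += amount
        if self.depth > 0:                   # re-enter a bounded number of times
            self.depth -= 1
            vault.split(self.who, self)


def drained(safe: bool, deposit: int = 10, others: int = 90, depth: int = 5) -> int:
    """Return how much ether the re-entrant member extracts (constructed amounts)."""
    v = Vault(safe)
    v.deposit("others", others)
    v.deposit("member", deposit)
    r = Reentrant("member", depth)
    v.split("member", r)
    return r.got
```

With a 10-ether balance and five re-entries, the vulnerable ordering pays out 60 ether from a 100-ether pool, while the hardened ordering pays exactly 10.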
They were able to transfer more than 3.6 million ethers from The DAO – an Ethereum mutual fund that relies on complex computer code – which, according to Ars Technica, accounts for more than a third of its cryptocurrency inventory.
Ethereum bosses have proposed a software fork of Ethereum designed to prevent the attackers from withdrawing their illicit funds, followed by a hard fork to return them to The DAO. The stolen ether cannot be moved for 27 days according to Ethereum rules.
However, the decision to do so has to be made by over 50% of Ethereum’s miners, many of whom appear to be against the move – which they believe would set a dangerous precedent that goes against everything that cryptocurrencies stand for.
Rob Graham, security officer, stated that helping The DAO would amount to preferential treatment over similar but smaller companies that may have the same bugs in their software.
“The whole point of cryptocurrencies is to evade corrupt people, and that is exactly the attempt to fix that problem – corruption,” he argued. “It is a violation of TheDAO’s own contract, which states that the Code is the contract and cannot be replaced by human reinterpretation.”
It doesn’t help that some of Ethereum’s founders appear to have invested in The DAO.
In the meantime, more copycat hackers have exploited the same flaw to steal hundreds of ethers.
Security experts were quick to point out the importance of having good quality code and systems in order to react quickly when bugs are found.
Paul Cant, EMEA director of enterprise solutions operations at BMC Software, argued that most companies cannot keep up with patching such vulnerabilities.
“It is therefore crucial and long overdue that companies have a strategy that enables SecOps teams to quickly identify the vulnerability and its threat to their system, prioritize it over other threats, and remediate it quickly before the company’s system suffers a breach,” he added.
“This particular case is a clear example of the impact on an organization if it does not implement such a strategy. In less than a week, the hack caused the value of Ethereum to drop by up to 25%.”
Veracode solutions architect Chris Campbell claimed that security is often forgotten in the race to go to market.
“The attack on The DAO shows that any system that manages huge sums of money needs to be scrutinized by security-conscious professionals if it is to be a place where secure transactions can take place,” he argued.
“Attacks like this threaten to destroy confidence in early-stage technology that has the potential to revolutionize the way the world thinks about currency. Getting security right out of the box is critical to its survival.”