The future of the crypto-currency Ethereum, and of The DAO, one of the largest projects built on top of it, is in doubt after hackers exploited software bugs in the latter’s code to steal millions of units of the currency (ether), worth around $60m.
The hackers exploited a “recursive calling vulnerability” (a reentrancy bug), according to Ethereum co-founder Vitalik Buterin.
In so doing they were able to call The DAO software system’s “split” function, “and then call the split function recursively inside of the split, thereby collecting ether many times over in a single transaction,” he explained in a blog post.
A second bug was then exploited, allowing the hackers to repeat this attack over and over again.
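The pattern Buterin describes is easier to see in code. The following is an added Python model of the vulnerable call ordering and its fix; it is not The DAO's Solidity code. The `Vault`, `Account` and `Attacker` classes, the deposit amounts and the "total" bookkeeping are all constructed for illustration, and the external call to the recipient stands in for an EVM `call.value` that hands control to the recipient's contract.

```python
class Account:
    """An ordinary depositor: receiving ether just credits a wallet."""

    def __init__(self, name):
        self.name = name
        self.wallet = 0

    def receive(self, vault, amount):
        self.wallet += amount


class Vault:
    """Toy contract holding depositors' ether.

    safe=False: send first, then zero the balance (the reentrant order).
    safe=True:  checks-effects-interactions, state is updated before the
                external call, so a re-entrant withdraw finds balance 0.
    """

    def __init__(self, safe):
        self.safe = safe
        self.balances = {}   # per-depositor credit
        self.total = 0       # ether actually held by the contract
        self.withdraw_calls = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def _send(self, who, amount):
        # Models call.value: the contract's ether leaves before control
        # passes to the recipient, which may run arbitrary code.
        if amount > self.total:
            raise RuntimeError("insufficient contract balance")
        self.total -= amount
        who.receive(self, amount)

    def withdraw(self, who):
        self.withdraw_calls += 1
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.safe:
            self.balances[who] = 0      # effect before interaction
            self._send(who, amount)
        else:
            self._send(who, amount)     # interaction first ...
            self.balances[who] = 0      # ... effect too late: re-entry saw old balance


class Attacker(Account):
    """Depositor whose receive() re-enters withdraw while funds remain."""

    def receive(self, vault, amount):
        self.wallet += amount
        if vault.total >= amount:
            vault.withdraw(self)


def run_attack(safe):
    """Three honest depositors and one attacker, 10 units each (constructed).

    Returns (attacker_wallet, ether_left_in_vault, withdraw_calls).
    """
    vault = Vault(safe=safe)
    for name in ("alice", "bob", "carol"):
        vault.deposit(Account(name), 10)
    mallory = Attacker("mallory")
    vault.deposit(mallory, 10)
    vault.withdraw(mallory)  # a single top-level transaction
    return mallory.wallet, vault.total, vault.withdraw_calls


if __name__ == "__main__":
    print("vulnerable:", run_attack(safe=False))  # attacker takes everything
    print("hardened:  ", run_attack(safe=True))   # attacker gets only their 10
```

With the vulnerable ordering a single top-level withdraw nests four calls deep and empties the vault; with the balance zeroed before the send, the re-entrant call returns immediately. The usual companion mitigation, a reentrancy guard that rejects any call while a withdraw is in progress, would stop the nested call at the same point.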
They were able to transfer over 3.6m ether out of The DAO – an Ethereum investment fund reliant on complex computer code – which amounts to more than a third of its stockpile of the crypto-currency, according to Ars Technica.
Ethereum bosses have proposed a soft fork of Ethereum which would prevent the attackers being able to cash out their ill-gotten funds, followed by a hard fork to return the ether to The DAO. The stolen ether can’t be moved for 27 days under The DAO’s own split rules, which gives the network time to decide.
However, the decision to do so has to be made by over 50% of Ethereum miners, many of whom seem opposed to the move – which they believe would set a dangerous precedent that goes against everything cryptocurrencies stand for.
Security bod Rob Graham explained that helping out The DAO would give it preferential treatment over similar but smaller entities which might have the same kind of bugs in their software.
“The entire point of cryptocurrencies is to get around corrupt humans, and that's what trying to repair this problem is – corruption,” he argued. “It's a violation of TheDAO's own contract, which says the code is the contract, not to be superseded by human re-interpretation.”
It doesn’t help that some of Ethereum’s founders apparently have investments in The DAO.
In the meantime, more copycat hackers have exploited the same bug to steal hundreds of ether.
Security experts were quick to point out the importance of good quality code and systems in place to act quickly when bugs are found.
Paul Cant, EMEA head of enterprise solutions operation for BMC Software, argued that most companies can’t keep up with patching such vulnerabilities.
“It is therefore critically important and overdue that enterprises have a strategy in place to enable SecOps teams to quickly identify the vulnerability and its threat to their system, prioritize it against other threats and fix it – fast – before the organization suffers a breach to its system,” he added.
“This particular case is a clear example of the repercussions that an organization may face when failing to implement such a strategy. In less than a week, the hack has caused the value of Ethereum to drop by as much as 25%.”
Veracode solution architect, Chris Campbell, claimed security is often forgotten in the race to be first-to-market.
“The attack on The DAO shows that any system that manages vast sums of money needs to be thoroughly assessed by security conscious professionals if it is to be a place where safe transactions can take place,” he argued.
“Attacks like these threaten to destroy confidence in early stage technologies that have the potential to revolutionize the way the world thinks about currency; getting security right at the very beginning is crucial to their survival.”