
As the sale was coming to its end, a blog post titled “A Call for a Temporary Moratorium on The DAO” was published by Dino Mark, Vlad Zamfir and Emin Gun Sirer. The post highlighted several possible attacks, including the Stalking Attack. This attack involved the splitting functionality (the only way to extract ether from the contract) and the recursive nature of sub-contracts, “effectively trapping the victim’s funds and prohibiting conversion back to ether.” More flaws related to the recursive nature of theDAO had been highlighted by various groups, and plans had been made to address some of the problems, when it suddenly became evident that someone had figured out a way to exploit a vulnerability.

In the early morning of June 17 2016, at block 1718497, the account at theDAOAttacker.aetheriablockmuseum.eth started draining theDAO.

One of the advertised properties of theDAO was that anyone could retrieve their initial investment, for example if they weren’t happy with the direction the organization was taking with a certain proposal. This was done by calling splitDAO(), which would refund the ether and burn the caller’s theDAO tokens. However, the caller’s balance in the original theDAO contract was only updated after the ETH had been sent, which exposed the contract to recursive (re-entrant) calls. The contract would calculate the funds to be moved, then perform the payout, and only then update the balances. During the payout, the funds were transferred from theDAO treasury to the recipient. What if the recipient was a contract address? And what if that contract’s fallback code, which runs whenever it receives ether, called splitDAO() again? Since the balance had not yet been zeroed, the nested call passed the same checks and was paid again, so the same balance could be paid out repeatedly before it was ever updated. The attacker did exactly that via "The Dark DAO", their own malicious child DAO (theDarkDAO.aetheriablockmuseum.eth).

Future token sales were designed with the lessons of theDAO’s contract flaws in mind. In particular, the lack of separation of concerns was addressed by dividing the logic across multiple contracts (for example, one contract dedicated to the sale and another implementing the ERC20 token interface). Another common improvement was to forward the funds to a dedicated contract (mostly a multi-signature wallet controlled by the team) rather than keeping them inside the sale contract, so that a flaw in the sale logic does not put the raised ether at risk. As of January 2019, theDAO contract had processed over 173,000 transactions.
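As an added example (not any real sale’s or theDAO’s code; ISaleToken, ForwardingSale, buy() and the constructor parameters are assumptions made for the illustration), a sale contract in Solidity that keeps the two concerns apart and never holds a balance of its own: the token is a separate contract reached through a minimal interface, and every contribution is forwarded in the same transaction to a fixed treasury address that is assumed to be a multi-signature wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// The token lives in its own contract; the sale only needs this one entry point.
interface ISaleToken {
    function mint(address to, uint256 amount) external;
}

// Added example: the sale contract keeps no ether. Each contribution is minted
// against and then forwarded to the treasury (assumed to be a multisig) before
// the transaction ends, so there is never a balance here for a bug to expose.
contract ForwardingSale {
    ISaleToken public immutable token;
    address payable public immutable treasury;
    uint256 public immutable rate;      // tokens minted per wei contributed
    uint256 public immutable deadline;  // unix timestamp after which buy() refuses
    uint256 public raised;              // running total, for reporting only

    event Contribution(address indexed buyer, uint256 weiAmount, uint256 tokens);

    constructor(ISaleToken _token, address payable _treasury, uint256 _rate, uint256 _deadline) {
        require(address(_token) != address(0), "token required");
        require(_treasury != address(0), "treasury required");
        require(_rate > 0, "rate required");
        token = _token;
        treasury = _treasury;
        rate = _rate;
        deadline = _deadline;
    }

    function buy() external payable {
        require(block.timestamp < deadline, "sale closed");   // checks
        require(msg.value > 0, "no ether sent");
        uint256 tokens = msg.value * rate;
        raised += msg.value;                                  // effects
        token.mint(msg.sender, tokens);                       // interaction: token contract
        (bool ok, ) = treasury.call{value: msg.value}("");    // interaction: forward funds
        require(ok, "forward to treasury failed");
        emit Contribution(msg.sender, msg.value, tokens);
    }

    // There is deliberately no withdraw function: nothing ever accumulates here.
    // Plain transfers without calling buy() are refused so ether cannot get stuck.
    receive() external payable {
        revert("use buy()");
    }
}
```

If the treasury call fails (for instance a multisig that rejects plain ether), the whole purchase reverts rather than leaving the contribution parked in the sale contract, which is the property this layout is meant to guarantee.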

Source:
https://coincodex.com/article/50/the-dao-hack-what-happened-and-what-followed/
https://ethereum.stackexchange.com/questions/6224/which-accounts-are-involved-in-mounting-the-recursive-call-vulnerability-attacks/6225#6225
http://hackingdistributed.com/2016/05/27/dao-call-for-moratorium
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/


Exploring Decentraland scene ownership through NFTs and generative art. The PARKs tokens can be used in Decentraland to certify that the scene you are hosting on your LAND is an original scene from artist Sebastian Brocher.

Contract Address: 0x4008...6af8
Token ID: 1
Token Standard: ERC-721
Chain: Ethereum
Creator Earnings: 0%

theDAO is drained



