New Attack Against The DAO Reveals Sloppy Coding By Slock.It

Not too long ago, it appeared somebody has been draining funds from the DAO again. This is the third time such an attack took place in less than two months. More worryingly, it appears very similar attacks have been used in all three instances. Luckily, this final attack seems to be “white hat hacker probing”. Then again, they did reveal some very worrying parts about The DAO’s code, which may spell doom for the project altogether.

The DAO Has Some Very Bizarre Coding

It is safe to say the Ethereum community received a nasty surprise when The DAO was under attack for the third time. An unknown entity was withdrawing funds from the project’s account, even though the balance should have been zero after the hard fork. For some reason, there was close to 38,000 Ethereum in the balance, and funds were being transferred to a different account through a recursive bug.

As it turns out, one of the “white hat hackers” probing The DAO’s contract code was responsible for moving this funds out. But that was not the worrisome part, as further research unveiled sloppy coding that should not be there in the first place. Sometimes, it is tough to believe this project raised US$150m, as this was a honeypot waiting to be emptied by the look of things.




Reddit user DeviateFish_ explained the findings as follows:

“So this contract’s default function is really weird. It appears to send any ETH is has (so whatever is in it plus whatever was sent) to the DAO’s reward account. Then, it figures out how many DAO tokens it needs to retrieve those from the reward contract (by way of getMyReward) to a child contract, which then calls getMyReward. The call to getMyReward re-enters this child contract, at which point it transfers 99.9999999% of those tokens back to the parent contract before returning. Then, it sends the remaining tokens to another contract (which gains a bunch more paidOut). It’s also got some internal values set to keep an eye on certain proposals… presumably to splitDAO drain them. Maybe the first re-entrancy stuff is to drain the reward account (if it contains anything), but isn’t bothering to check that the reward account is empty in the first place?”

While not everybody speaks the coding language fluently, it is not hard to determine what is wrong with The DAO code. Smart contracts on Solidity are designed to be straightforward and “easy” to set up. For some reason, the Slock.it team has been rather sloppy when it comes to coding their solution. In fact, they left their own project open to attack by using functions that shouldn’t be there in the first place.

Image credit 1

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.