
Critical Update on DAO Vulnerability - tasti
https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/
======
imglorp
This is what concerns me about contract programming. With human contract law,
if there's a minor typo or loophole, participants can generally see the spirit
and intent, and at worst go to a judge who will usually enforce the intent.
But with software contracts, only the characters matter and there's no intent
anywhere: either you get paid or you don't.

ETH is advising, "Contract authors should ... be very careful about recursive
call bugs, and listen to advice from the Ethereum contract programming
community," which indicates there are some subtle behaviors to be aware of and
secure contracts are apparently not easy to write.

Lest you think, "we'll just be careful, review and QA it", consider the bug[1]
in the "Programming Pearls" binary search. Bentley was clearly an expert who
had proven the algorithm correct and the algorithm had 20 years of careful
study by thousands of professionals. Yet it had a simple overflow.

How do _you_ know your contract is secure?

1\. [https://research.googleblog.com/2006/06/extra-extra-read-all...](https://research.googleblog.com/2006/06/extra-extra-read-all-about-it-nearly.html)

~~~
infodroid
Unlike traditional contracts, the idea was that smart contracts were going to
eliminate the need for enforcement or dispute resolution. So that law is
enshrined in code.

But this incident has set a precedent, at least within Ethereum, that the
project leadership will intervene to enforce the _spirit_ of a smart contract.

So what now are the benefits of Ethereum smart contracts over the traditional
legal system?

The way I see it, at least with traditional contracts you have the benefit of
a trained and experienced judge making the call in case of a serious problem.

~~~
ar0
Agreed. If this soft and hard fork idea really goes through, it seems that now
you are in fact getting the worst of both worlds: For your contract, you have
to write code that apparently is very hard to get right and bug-free[1], while
at the same time you are at the whim of a "community" -- whose decisions
(sorry, "suggestions") can apparently be announced by one guy in a blog post
-- not to deem what you are doing an "attack".

PS: Also a second thought: Given that the "attacker" used apparently existing
functionality of the DAO and that the DAO site clearly states "[n]othing in
this explanation of terms or in any other document or communication may modify
or add any additional obligations or guarantees beyond those set forth in The
DAO’s code", I am wondering: If this (as measured by the DAO code: rightfully
obtained) ether is now taken from him/her, might this not be an opportunity to
sue the developers implementing this fork in a real-world court?

[1]: [http://hackingdistributed.com/2016/06/16/scanning-live-ether...](http://hackingdistributed.com/2016/06/16/scanning-live-ethereum-contracts-for-bugs/)

~~~
sznurek
Commenting on your second thought: I hoped that people behind DAO (and
Ethereum?) will stick to the terms they themselves proposed but it seems they
will push hard for forking the chain (see: Ethereum blog).

~~~
jchrisa
Maybe someone can write an insurance contract that future DAO authors can
hire, as an alternative to interventions. It would have to be bug free.

~~~
genmon
This is a smart response. The insurance company could also review the contract
code in order to provide cover -- this would give investors extra confidence.

~~~
vkou
Suppose that I want to make a medical device, and I want to get liability
insurance for when a bug in its code administers a lethal dose of radiation to
a patient.

Is there any extant insurance company that would want to review my code in
exchange for a lower premium?

If not, why would one be willing to do this for a flash-in-the-pan
cryptocurrency, but not a useful, real-world device?

~~~
rabidferret
For an insurance policy like that, they wouldn't offer any policy _without_
auditing the device, including the code.

------
joosters
Just remember, when the developers inevitably appear with suggestions about
how to stop the hack, roll back the blockchain, or come up with other schemes
to block the hackers, they are showing everyone that all the talk of
blockchains being decentralised, or being beyond the control of governments or
other powers... is a complete lie.

If this hack can be stopped, then it demonstrates that the currency can be
manipulated, that the decentralised system is not so fault tolerant or
uncensored after all, and that people out there know this.

~~~
infodroid
Vitalik Buterin, the co-founder and Chief Scientist of Ethereum, just called
for a DAO and ETH trading halt at all Ethereum exchanges:
[https://www.reddit.com/r/ethereum/comments/4oif2x/dao_attack...](https://www.reddit.com/r/ethereum/comments/4oif2x/dao_attack_exchanges_please_pause_eth_and_dao/)

~~~
mpeg
Apparently all that talk of decentralisation goes out the window when you're
losing money. Ha

~~~
icebraining
Actually, I'd say the fact that he has to publicly ask for exchanges to stop
the trades, and can't simply press a button or send out an order, shows the
decentralization.

Decentralization doesn't prevent coordination.

~~~
infodroid
I think you're missing the point. The fact that one man can bring the whole of
Ethereum trading to a halt with an announcement really demonstrates just how
much power he has. So it doesn't matter that he doesn't have a physical kill
switch if the end result is the same.

~~~
vintermann
He wouldn't have that power in just any old circumstance. He could have the
power to launch nukes, but if that power would only work if all of the world
agrees, I'd still not be afraid of him.

------
nneonneo
The provided link is just a page showing a bunch of transactions. For someone
like me, who is not so intimate with the Ethereum terminology in use (but who
is still interested in the DAO, as an observer), could someone provide a
layman's explanation of what's going on?

Somewhat more specifically, I'm wondering the following:

- At a high level, what does this attack actually consist of?

- How does ethereum "go missing" in a distributed blockchain, where you can
see all the transaction endpoints?

- Who loses and who gains from an attack of this scale?

- How severe could this attack be - does it pose an existential threat to The
DAO (or Ethereum, more broadly)?

- How is this attack being perpetrated? Has the attack vector been previously
anticipated? Why is this unexpected?

~~~
jabgrabdthrow
It's a reentry bug - native ETH always calls the recipient contract's code on
transfer, which can call back into the current function. If you manage native
ETH and do accounting in the wrong order, you can "withdraw" multiple times.

It doesn't "go missing", presumably the hacker will drain it into Bitcoin via
any anonymous exchange accounts they have. Everyone loses big time (except the
attacker if they manage to launder some of the coins). Watch for a wave of
rebranding.

> How severe could this attack be - does it pose an existential threat to The
> DAO (or Ethereum, more broadly)?

We will see. The group behind TheDAO has a lot of pull - if Ethereum
successfully rejects calls for a hard fork that will damage it severely in the
public's eye, but will be the ultimate proof of concept.

> How is this attack being perpetrated? Has the attack vector been previously
> anticipated? Why is this unexpected?

Why, take a look:
[https://blog.slock.it/no-dao-funds-at-risk-following-the-eth...](https://blog.slock.it/no-dao-funds-at-risk-following-the-ethereum-smart-contract-recursive-call-bug-discovery-29f482d348b#.skdl752nu)

Copied:

""" No DAO funds at risk following the Ethereum smart contract ‘recursive
call’ bug discovery

Our team is blessed to have Dr. Christian Reitwießner, Father of Solidity, as
its Advisor. During the early development of the DAO Framework 1.1 and thanks
to his guidance we were made aware of a generic vulnerability common to all
Ethereum smart contracts. We promptly circumvented this so-called “recursive
call vulnerability” or “race to empty” from the DAO Framework 1.1 as can be
seen on line 580:

    // we are setting this here before the CALL() value transfer to
    // assure that in the case of a malicious recipient contract trying
    // to call executeProposal() recursively money can’t be transferred
    // multiple times out of the DAO
    p.proposalPassed = true;

Three days ago this design vulnerability potential was raised in a blog post
which subsequently led to the discovery of such an issue in an unrelated
project, MakerDAO. This was highlighted in a reddit post, with MakerDAO being
able to drain their own funds safely before the vulnerability could be
exploited.

Around 12 hours ago user Eththrowa on the DAOHub Forum spotted that while we
had identified the vulnerability in one aspect of the DAO Framework, the
existing (and deployed) DAO reward account mechanism was affected. His message
and our prompt confirmation can be found here. We issued a fix immediately as
part of the DAO Framework 1.1 milestone.

The important takeaway from this is: as there is no ether whatsoever in the
DAO’s rewards account — this is NOT an issue that is putting any DAO funds at
risk today. """

~~~
joosters
Slock.it are the cheerleaders of the DAO (and were the likely recipients of
its funds had it not been hacked). They previously boasted about how their
_audit_ of the code found no issues other than a slight rounding error if the
DAO became worth trillions of dollars. It's entirely in character for them to
post further messages reporting how wonderful, secure and perfect their code
is, in the face of terrible problems.

------
sznurek
I have a (maybe naive) question: why is the person draining ETH from DAO
called "attacker"?

It seems to me that the idea behind smart contracts was to have unambiguous
description of what are participants agreeing to. The "attacker" is doing
precisely this - I had not heard of any bug in Ethereum implementation that is
used, only "bug" in DAO's smart contract. So he is allowed to do this, by
contract definition.

Isn't the whole idea of that kind of contracts worthless if people are still
rolling back effects of it when "it does not what it was meant to do"?

~~~
cpa
Obviously you're right, that's tautological! The "attacker" didn't do more
than what the system allowed her to do.

People have expectations about what the DAO is and isn't. I'd guess that very
few people bothered to read the source code of the contract, let alone look
for vulnerabilities. So you have a group of people who have agreed on an
informal contract (we pool money, votes are weighted by the sum I've put…) but
it turns out that the implementation is not correct w.r.t the informal
specification. That's called a software bug and abusing a bug to your own
profit makes you an attacker in my book, just as much as using a flash 0-day
to drop a rootkit makes you an attacker.

People should have been more careful, but hey, I'm not sure I would have.

~~~
sznurek
The 'Terms' section on DAO website states:

    
    
      The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.
    

Doesn't it state that, by definition, that DAO contract is bug-free, so it
cannot be exploited? This is exactly what separates DAO case from flash-0-day-
rootkit case.

~~~
6502nerdface
> The terms of The DAO Creation are set forth in the smart contract code
> existing on the Ethereum blockchain at
> 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of
> terms or in any other document or communication may modify or add any
> additional obligations or guarantees beyond those set forth in The DAO’s
> code.

Nice. So if the community ultimately succeeds in preventing the "attacker"
from withdrawing his funds, which he acquired in perfect accordance with the
DAO code, which is the entirety of the agreement, could he publicly bring suit
for violation of contract?

~~~
Miner49er
I think he could, but he would be bringing a lawsuit against a decentralized
community with no leader. Also, the community still has to accept the fork, if
no one does (or very few), he keeps the money. At least that's how it works
from my understanding.

------
pjc50
Well, that was kind of inevitable. Building a financial system out of pure
code with no humans in the loop and no legal structure is building a self-
distributing bug bounty piñata. It's decentralised, so there's nobody who can
throw a breaker and shout "stop!"; cryptocurrency transactions are
irreversible, so thefts are permanent; and it's somewhat anonymous, so thefts
are hard to trace.

It also demonstrates that being first-to-market trumps security. If the DAO
had waited until a full formal verification system exists and had been
applied, they wouldn't have been able to pick up the $160m of overenthusiastic
money keen to rush headlong into the hands of hackers.

~~~
kalleboo
I find it endlessly amusing that people are willing to bet their cold hard
cash on "this code has no bugs".

When widespread old and tested code like OpenSSL has massive security bugs,
what chance does something as new and in-development as Bitcoin/Ethereum have?
And in the case of Ethereum, the contracts themselves?

~~~
themusicgod1
> I find it endlessly amusing that people are willing to bet their cold hard
> cash on "this code has no bugs".

It's not "this code has no bugs" it's "this code has less visible bugs than
the lower hanging fruit". If it's harder to find than any bug in any system
with bitcoin (or other ethereum) in it, then people will find that stuff
first. Bitcoin gave us out here in the IT world, for the first time in
history, a realistic way to measure the large-scale security of various kinds
of systems. Microsoft, for example, has not had the bitcoin from any of their
wallets stolen. With every flaw that's found, we get the chance of learning
how not to fail in the future.

Furthermore you have to invest in _something_. And it's remarkably hard to
invest these days. Just try buying a house with ethereum, see how frustrating
it is.

------
zepolud
"They say 'there are no atheists in foxholes.' Perhaps, then, there are also
no libertarians in crises." [1]

[1]
[https://www.hks.harvard.edu/fs/jfrankel/CatoRespCrisesJun07+...](https://www.hks.harvard.edu/fs/jfrankel/CatoRespCrisesJun07+fn15&2.pdf)

~~~
dmix
(Not to take this post too seriously, but I'll take the bait)

I'd argue that the solution proposed by Ethereum in this blog post is not
antithetical to mainstream Libertarianism. It actually fits perfectly well
into the role the majority of libertarians believe a state should take.

To begin with, from my understanding they merely proposed a solution which the
community has to agree to implement. Just like modifying the bitcoin codebase.

It's still ultimately an additional layer of decentralization in between.
Taken as a whole - even if Ethereum takes action against the attacker - what
DAO represents would still be very very far from the representative democracy
style system that libertarians take issue with.

Importantly, libertarians are not all anarchists (or 'crypto-anarchists' or
'anarcho-capitalists' to be more accurate) who believe in total decentralized
control structures. Mainstream libertarians wish for a minimal state or
"night-watchman" state, not the total absence of a state.

This is the most prevalent myth about libertarianism and the faulty premise of
most attacks against it.

Even many hardcore anarcho-capitalists are against the idea of decentralized
judicial and law enforcement systems - as they see it as unworkable.

In the book "Anarchy, State, and Utopia" [1] popular libertarian thinker
Robert Nozick argues that

    
    
        [..] only a minimal state "limited to the narrow functions of protection against force, theft, fraud, enforcement of contracts, and so on" could be justified without violating people's rights. 
    

Therefore supporting the solution Ethereum proposed does not make you less of
a libertarian. But it does make you less of a crypto-anarchist.

[1] [https://www.amazon.com/Anarchy-State-Utopia-Robert-Nozick/dp...](https://www.amazon.com/Anarchy-State-Utopia-Robert-Nozick/dp/0465051006/)

~~~
llamataboot
Doesn't necessarily make you less of an anarchist either. Anarchy isn't an
absence of rules or decisions, it's having decision making mechanisms that are
non-hierarchical (now, the preferred size of those decision making structures
and how to keep them from becoming pseudo (or real) States in their own right
is a whole different discussion). In this case, one could argue that miners
are making a decision collectively through a very imperfect mechanism (subject
to possible hijacking, attacks, and tyranny of the majority), but still a non-
hierarchical one.

------
SakiWatanabe
developer asks token holders to spam the network to delay the attack o.O

griff [10:05 AM] @channel The DAO is being attacked. It has been going on for
3-4 hours, it is draining ETH at a rapid rate. This is not a drill. You can
help: If anyone knows who has the split proposals Congo Split, Beer Split and
FUN-SPLT-42, please DM me We need their help! If you want to help, you can
vote yes on those aforementioned split proposals. especially people whose
tokens are blocked because they voted for Prop 43 (the music app one). We need
to spam the Network so that we can mount a counter attack all the brightest
minds in the Ethereum world are in on this. please use this: for (var i = 0; i
< 100; i++) { eth.sendTransaction({from: eth.accounts[4], gas: 2300000,
gasPrice: web3.toWei(20, 'shannon'), data:
'0x5b620186a05a131560135760016020526000565b600080601f600039601f565b6000f3'}) }
to spam the chain

~~~
dimgl
This is the nuttiest thing I've ever seen.

~~~
nullc
Because it's malicious code to steal a bunch of funds from the users wallet?
Or because many people are running it?

~~~
dimgl
I found the self-DOSing to slow down the attacker pretty nutty.

~~~
imdsm
self-DOXing or self-DOSing?

~~~
dimgl
Denial of service, corrected

------
tomp
Congratulations! A month after the first real test of the "distributed",
"safe" cryptocurrency featuring "enforceable" contracts, it turns out it's none
of this.

~~~
justusw
I share your bitterness.

The meaning of the word "safe" seems to vary from person to person. The ETH
and contract devs think safe means having a static PL to capture contracts.

But in reality it is safe as in, whoever exploited the vulnerability now has a
"safe" source of income in a few weeks.

Perhaps it is a lesson better learnt now than later when the stakes are even
higher.

~~~
runn1ng
Well, she doesn't, they will block the attacker outright by a centralized
decree. What's the better proof that decentralized solutions work than
blacklisting accounts and making ad-hoc forks for each attack.

~~~
imtringued
What if the attacker made their move before it could be blocked?

~~~
abstractbeliefs
The DAO code that the stolen ETH is held in doesn't allow spending for 27
days, by which time the Ethereum developers hope to have 51% of node power on
the fork that blocks transactions involving this address.

------
vessenes
I wrote this attack up last week -- a solidity dev initially noticed this bug,
but seemed to think it wasn't a big deal.
[http://vessenes.com/more-ethereum-attacks-race-to-empty-is-t...](http://vessenes.com/more-ethereum-attacks-race-to-empty-is-the-real-deal/)

The comments here are generally spot on; it's a combination of problems --
upgradability is designed to be hard because other people's money shouldn't be
easy to steal, programmers are not used to making whole programs reentrant,
existing documentation underplays risks, or alternately just tells people to
do the wrong thing.

A better language would help, better documentation would help, better
standards about how to write the programs would also help.

And, of course, more eyes are helpful. I'm an outsider to Ethereum, and got a
very polite response, overall the community has been great. That said, there
just aren't enough people looking at these contracts right now.

~~~
jobigoud
> That said, there just aren't enough people looking at these contracts right
> now

I hope this doesn't kill the project. Having programs that give you money when
you find bugs in them could be a very powerful incentive to develop new tools
to write correct code.

~~~
vessenes
I've been thinking the same thing!

------
themgt
Reading their blog about "smart contract security" [1] is just mind-blowing.
Like, I thought that _was_ the core of the product, but somehow they've
designed a language which makes it extremely difficult to not get your smart
contract hacked? And now the solution to this situation is going to be better
documentation and IDEs? Oy.

[1] [https://blog.ethereum.org/2016/06/10/smart-contract-security...](https://blog.ethereum.org/2016/06/10/smart-contract-security/)

~~~
jerf
Me from a month ago: "... having had a quick scan over the language
documentation, it looks to me like a bog-standard imperative mutable language.
One that is very young, and with few if any features designed for being used
in a high-security environment. It appears to be based on raw event-based
programming, a style of programming very easy to mess up and hard to declare
and preserve invariants in. It looks like a very dangerous programming
language to be trying to write financial contracts in. At least it's not
dynamically typed, does seem to avoid excessive coercion, and should be memory
safe; it could certainly be worse. But it could be better, too."
[https://news.ycombinator.com/item?id=11726734](https://news.ycombinator.com/item?id=11726734)

I don't know off the top of my head what I _would_ design into my contract
language, but Solidity has _numerous_ things in it that I would not.

I guess in their further defense, the way I'd want to design the contract
language is what is right now some _really_ cutting edge programming language
theory. I'd be looking very hard at the Total Functional Programming languages
[1]. "Total" here is not just an enhancing adjective, it defines a specific
characteristic of the languages with regard to how they terminate. But it
still would have legitimately been _research_ to figure out how to correctly
convert from a programming language to its cost-to-execute correctly enough to
be in a financial application. I believe TFP research right now is mostly
focused on how to write TFP code that practically accomplishes things without
having to write some pretty mathematically-complicated circumlocutions, not
modeling costs.

I also would have looked at doing something with FRP, not because it's the
hottest new thing necessarily, but because the ability to express every
participant's obligation in a single block of code like a thread rather than
an event-based setup would have made these contracts much easier to write and
audit.

The combination of these two things is probably an entirely untouched domain,
or at least effectively so.

Ethereum is a fascinating idea. It's not hard to imagine something
architecturally like it being huge in 50 years. It's not hard to even imagine
it as the basis of cstross' unspecified "Economy 2.0" in Accelerando. But it
might just be 5 or 10 years too early to work now.

[1]:
[https://en.wikipedia.org/wiki/Total_functional_programming](https://en.wikipedia.org/wiki/Total_functional_programming)

------
benmmurphy
My guess at how the attackers are doing it:

They are calling splitDAO:

[https://github.com/slockit/DAO/blob/develop/DAO.sol#L618](https://github.com/slockit/DAO/blob/develop/DAO.sol#L618)

splitDAO calls withdrawRewardFor which ends up calling back into the users
contract.

[https://github.com/slockit/DAO/blob/develop/DAO.sol#L686](https://github.com/slockit/DAO/blob/develop/DAO.sol#L686)

    
    
            withdrawRewardFor(msg.sender); // be nice, and get his rewards
            totalSupply -= balances[msg.sender];
            balances[msg.sender] = 0;
            paidOut[msg.sender] = 0;
    

the state is modified after the callback in particular the balances variable.

however, earlier in the function it moved funds to a new dao based on the
balances variable.

    
    
            // Move ether and assign new Tokens
            uint fundsToBeMoved =
                (balances[msg.sender] * p.splitData[0].splitBalance) /
                p.splitData[0].totalSupply;
            if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false)
    

so presumably an attacker can call splitDAO and then recursively call splitDAO
and the funds will be transferred twice. there are also some complications
around rewardToken because this state is modified before the callback but
apparently it is all zero at the moment.

if this is the bug the attackers are exploiting then maybe if they generated
rewards it would stop the drain of funds.

however, the fact the draining is still going on and the DAO people are likely
to know how they are doing it and it hasn't been stopped reduces my confidence
that this is how the attackers are doing it.

EDIT: to add i don't think you can cash out the new DAO for 28 days so this is
probably not how the attackers are doing it.

EDIT: update again.

[https://blog.slock.it/dao-security-advisory-live-updates-2a0...](https://blog.slock.it/dao-security-advisory-live-updates-2a0a42a2d07b#.ajsb7cpgv)

'It would appear the attacker has moved the stolen ether to a child DAO, which
means that the funds be moved for at least 27 days.'

-> i'm now fairly confident this is how the attack worked :)

~~~
amluto
This makes sense to me, but where's the actual code that calls into the
attacker's contract and lets the attacker call back into splitDAO?

And how on Earth is it a good idea to allow one contract to call another?
There are any number of more sensible ways to communicate that don't have this
problem: allow contracts to pass messages to other contracts, allow contracts
to subscribe to each other's events, etc.

~~~
benmmurphy
withdrawRewardFor ends up calling ManagedAccount#payOut which does
_recipient.call.value(amount):

    
    
        function payOut(address _recipient, uint _amount) returns (bool) {
            if (msg.sender != owner || msg.value > 0 || (payOwnerOnly && _recipient != owner))
                throw;
            if (_recipient.call.value(_amount)()) {
                PayOut(_recipient, _amount);
                return true;
            } else {
                return false;
            }
        }
    

so the 'vulnerable' code is calling a function in another contract and it is
this function that is doing the external callback. this is why security is so
hard. every time you add an external callback you need to trace all of your
callers to check that they are correctly re-entrant or every time you use
another function you need to trace forward to make sure it doesn't have any
external callbacks.
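
The call ordering discussed in this sub-thread, as an added Python model (not code from the thread or from the DAO). `Vault`, `ReentrantRecipient` and `run_scenario` are hypothetical names; the ledger is a constructed stand-in for `balances` and the `payOut` call chain, and the amounts are made up.

```python
"""Constructed model of the call ordering discussed above. Not DAO code."""


class Vault:
    """Toy ledger: `balances` is what the vault owes, `ether` is what it holds."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = update state before the call
        self.balances = {}
        self.ether = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def _pay_out(self, recipient, amount):
        # Stand-in for payOut(): sending value runs the recipient's code,
        # which is free to call back into the vault before we return.
        if amount > self.ether:
            raise RuntimeError("vault has run dry")
        self.ether -= amount
        recipient.receive(self, amount)

    def withdraw(self, recipient):
        owed = self.balances.get(recipient, 0)
        if owed == 0:
            return 0
        if self.effects_first:
            self.balances[recipient] = 0    # effect first ...
            self._pay_out(recipient, owed)  # ... then the external call
        else:
            self._pay_out(recipient, owed)  # external call first ...
            self.balances[recipient] = 0    # ... state updated too late
        return owed

    def liabilities(self):
        return sum(self.balances.values())


class PassiveRecipient:
    """A recipient whose code does nothing but accept the payment."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class ReentrantRecipient(PassiveRecipient):
    """A recipient whose receive hook calls withdraw() again, a bounded number of times."""

    def __init__(self, max_reentries):
        super().__init__()
        self.remaining = max_reentries

    def receive(self, vault, amount):
        self.received += amount
        if self.remaining > 0:
            self.remaining -= 1
            vault.withdraw(self)


def run_scenario(effects_first, max_reentries=3):
    """Return (paid to the re-entrant recipient, ether left, ether still owed)."""
    vault = Vault(effects_first)
    other = PassiveRecipient()
    caller = ReentrantRecipient(max_reentries)
    vault.deposit(other, 90)   # constructed amounts
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.ether, vault.liabilities()


if __name__ == "__main__":
    for effects_first in (False, True):
        paid, held, owed = run_scenario(effects_first)
        print(f"effects_first={effects_first}: paid={paid} held={held} owed={owed}")
```

With the call made first, the vault ends up holding less than it still owes the other depositor; with the state update first, the nested `withdraw` sees a zero balance and pays nothing.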

------
Tinyyy
> (The soft fork) will later be followed up by a hard fork which will give
> token holders the ability to recover their ether.

Does this mean that transactions are going to be rolled back?

If so, are they planning to do this every time a vulnerability is exploited? Is
The DAO too big to fail?

~~~
johncolanduoni
Remember that when they say it's a suggestion, it's truly a suggestion. If a
majority of the miners refuse to accept the update, then what anyone at the
Ethereum foundation wants them to do is irrelevant.

There is definitely a lot of social pressure to consider here, but there is
still no central switch. I'm generally not a huge fan of cryptocurrency (as
currencies that is, I love the tech), but I fail to understand why so many
people oppose this move so rabidly. They're in the same situation with
respect to forking that they were yesterday: whatever 51% of the community
decides to do will happen.

~~~
joosters
Rubbish, this is as centralised as you can get. Of course it will go through,
because the alternative will cause forks and chaos. Miners have little to no
choice but accept this decision from on high.

~~~
johncolanduoni
By the same standard, any theoretically forkable open source project with an
even slightly non-isotropic community surrounding it is "as centralized as you
can get". What exactly is decentralized then?

------
benmmurphy
I'm not an expert on Ethereum code (just started looking at it now) but it looks
like the DAO didn't look for similar issues with the latest security fix.

[https://github.com/slockit/DAO/commit/f01f3bd8df5e1e222dde62...](https://github.com/slockit/DAO/commit/f01f3bd8df5e1e222dde625118b7e0f2bfe5b680)

    
    
                 reward = rewardAccount.balance < reward ? rewardAccount.balance : reward;
          
         +        paidOut[_account] += reward;
                  if (!rewardAccount.payOut(_account, reward))
                      throw;
         -        paidOut[_account] += reward;
         +
                  return true;
              }
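
Review bot: The moved `paidOut[_account] += reward;` line carries no comment saying why it has to sit above `rewardAccount.payOut(_account, reward)`, and that ordering is the entire fix. Add a one-line comment stating that the bookkeeping is done before the external call so a recipient calling back in sees the updated `paidOut`, and that the `throw` on a failed `payOut` is what undoes the update on the failure path; otherwise a later cleanup can move the line back without anyone noticing. The added `+` line that contains only whitespace where the old statement stood can be dropped.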
    

but if you grep payOut then you see a similar broken pattern where it modifies
the state after the call instead of before it.

    
    
            if(_toMembers) {
                if (!DAOrewardAccount.payOut(dao.rewardAccount(), reward))
                    throw;
                }
            else {
                if (!DAOrewardAccount.payOut(dao, reward))
                    throw;
            }
            DAOpaidOut[msg.sender] += reward;
    

but apparently this is not how the DAO is being drained because there are no
rewards at the moment.

this is a good summary of the problem:

[https://blog.ethereum.org/2016/06/10/smart-contract-security...](https://blog.ethereum.org/2016/06/10/smart-contract-security/)

and should scare you about the security of smart contracts based on Ethereum.

EDIT: mm.. maybe it is safe because the addresses dao/dao.rewardAccount()
can't be controlled by attackers
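
The "grep payOut" review described in the comment above, as an added Python heuristic (not code from the thread or from the DAO repository). `writes_after_call`, `Finding` and `audit_samples` are hypothetical names; each sample is one function body taken from the excerpts quoted in this thread, with the before and after forms of the fix constructed from the two sides of the quoted diff.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int       # line of the storage write
    call_line: int  # most recent external-call line before it
    text: str


# Call forms that appear in the excerpts quoted in this thread.
_DIRECT_CALL = r"\.call\.value\(|\.payOut\("
# `name = ...`, `name[...] += ...` and similar at the start of a statement.
_WRITE = re.compile(r"^\s*([A-Za-z_]\w*)(\[.*\])?\s*(?:\+=|-=|=(?!=))")


def writes_after_call(body, reaches_external=(), state_vars=()):
    """Flag storage writes that follow an external call in ONE function body.

    reaches_external: names of internal functions the reviewer has traced to
                      an external call (assumption supplied by the caller).
    state_vars:       non-indexed storage variables; indexed writes such as
                      balances[x] = ... are always treated as storage.
    """
    names = "|".join(re.escape(n) for n in reaches_external)
    call_re = re.compile(_DIRECT_CALL + (rf"|\b(?:{names})\(" if names else ""))
    findings, last_call = [], None
    for no, raw in enumerate(body.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # drop trailing line comments
        m = _WRITE.match(code)
        if last_call is not None and m and (m.group(2) or m.group(1) in state_vars):
            findings.append(Finding(no, last_call, code.strip()))
        if call_re.search(code):
            last_call = no
    return findings


# Function bodies taken from the excerpts quoted in this thread.
SAMPLES = {
    "split_tail": """\
withdrawRewardFor(msg.sender); // be nice, and get his rewards
totalSupply -= balances[msg.sender];
balances[msg.sender] = 0;
paidOut[msg.sender] = 0;
""",
    "reward_before_fix": """\
reward = rewardAccount.balance < reward ? rewardAccount.balance : reward;
if (!rewardAccount.payOut(_account, reward))
    throw;
paidOut[_account] += reward;
return true;
""",
    "reward_after_fix": """\
reward = rewardAccount.balance < reward ? rewardAccount.balance : reward;
paidOut[_account] += reward;
if (!rewardAccount.payOut(_account, reward))
    throw;
return true;
""",
    "dao_paidout": """\
if(_toMembers) {
    if (!DAOrewardAccount.payOut(dao.rewardAccount(), reward))
        throw;
    }
else {
    if (!DAOrewardAccount.payOut(dao, reward))
        throw;
}
DAOpaidOut[msg.sender] += reward;
""",
}


def audit_samples():
    """Run the heuristic over every sample; return {name: [flagged line numbers]}."""
    hints = dict(reaches_external={"withdrawRewardFor"}, state_vars={"totalSupply"})
    return {name: [f.line for f in writes_after_call(src, **hints)]
            for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, lines in audit_samples().items():
        print(f"{name}: write-after-call at lines {lines or 'none'}")
```

A hit is only a lead for manual review: the scan cannot tell who controls the recipient address, which is the question the EDIT above raises about the `DAOpaidOut` case.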

------
Taek
There's a pretty significant lesson here, and it's not that the DAO authors
were careless. They were, and so were all of the investors, but the core
problem is not the DAO.

It's Solidity. It's the Ethereum virtual machine. Even today, security
vulnerabilities are being found in code strategies that are generally
considered 'best practice'.

Writing a safe smart contract on Ethereum is extremely difficult, and most
people playing with Ethereum don't seem to realize this. There's a pretty well
understood maxim, "don't roll your own crypto." Ethereum's smart contracts ARE
cryptography, and their safety depends on implementation details that are
completely hidden from users during tutorials, and that even the language
designers are only still discovering.

This article does a good job of demonstrating that safety is _really hard_ :
[https://blog.ethereum.org/2016/06/10/smart-contract-security...](https://blog.ethereum.org/2016/06/10/smart-contract-security/)

And it's one of the major reasons that the Bitcoin devs have not been excited
about Ethereum. It's a project whose ambitions have outpaced our ability to
engineer safely.

One day we can have safe smart contracts. But the Ethereum of today is not
well designed, and is not a good foundation for smart contracts. A simple
hardfork to fix this DAO mess isn't going to be enough. The whole virtual
machine needs to be redesigned.

And my money is quite seriously on Bitcoin figuring out the safe way to do
smart contracts faster than anyone else. The vast majority of experienced
experts in this space are still spending the majority of their time on
Bitcoin. As popular as Ethereum has become, Bitcoin still owns the mindshare,
and there are good reasons that Bitcoin has chosen not to pursue smart
contracts at this time.

~~~
lotsoflumens
Nice summary!

I think Ethereum is finished now.

The trust in it will disappear, or the money invested in it will disappear.
Either way, the value goes to zero.

I was just getting interested in it.

I'm feeling both sad and relieved. Sad that it didn't succeed, relieved that I
didn't sink any time or money into it.

------
defenestration
Some numbers to get a grasp of the scale:

> There is 2.436.828 Ethereum in the account of the attacker (see:
> [https://etherchain.org/account/0x304a554a310c7e546dfe434669c...](https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490#txreceived))

> That's about 3% of all Ethereum mined (source:
> [http://coinmarketcap.com/currencies/ethereum/](http://coinmarketcap.com/currencies/ethereum/))

> The Ethereum in the account of the attacker has a value of $41 million

> The volume is about 30% of all Ethereum trade today

~~~
imaginenore
It's up to 3.64M ether now (valued at $60.3M).

Here are the working links:

[https://live.ether.camp/account/304a554a310C7e546dfe434669C6...](https://live.ether.camp/account/304a554a310C7e546dfe434669C62820b7D83490)

[https://etherscan.io/address/0x304a554a310c7e546dfe434669c62...](https://etherscan.io/address/0x304a554a310c7e546dfe434669c62820b7d83490)

------
Animats
Well, their language is disappointing. They allow programs to ignore function
return values, a misfeature inherited from C which has no place in a contracts
language.

Then there's the possibility of forcing early program termination via stack
overflows.[1] Having to protect against that inside each program is just
silly. The contract engine should have been designed so that if a contract
program crashes, anything it did is rolled back.

[1] [http://hackingdistributed.com/2016/06/16/scanning-live-
ether...](http://hackingdistributed.com/2016/06/16/scanning-live-ethereum-
contracts-for-bugs/)

------
walrus01
It's almost as if a cryptocurrency system used by the grey market and black
market sections of the internet contained actual blackhats. What a surprise.

Much as I hate to link to reddit, for effective and biting criticism of
cryptocurrencies: [http://reddit.com/r/buttcoin](http://reddit.com/r/buttcoin)

~~~
mpeg
This might serve as a future warning to NOT write your own VM.

Sure, it's probably a contract issue, but we'd have some much better contract
code if the VM didn't require you to code defensively all the time.

~~~
mbrock
Do you mean there are some existing VM designs that could have been used
instead of EVM?

------
lordnacho
I recall reading in the Bitcoin docs that the Forth-like scripting language
was non-Turing complete. In addition, nothing particularly complex was using
the scripting at the time.

I guess this sort of thing would be the reason. One thing is finding bugs in
ordinary software, where the bugs are accidents. It's hard.

Another thing entirely is where you are looking for adversarial bugs. Just
look at security articles that appear on HN now and again. They're incredibly
complex, and it's not like you can turn off the firehose. When you fix one
gap, someone will find another.

I haven't done a lot of reading on ETH, but I would imagine the smart thing to
do would be to have some small number of contract types that a lot of people
can stare at and try to break. The more attention is distributed among various
bespoke contracts, the harder it gets to secure them.

It's like everyone building their own awesome cars, with special bells and
whistles, and then asking these non-security engineers to design a lock.
Everyone will end up re-learning some painful lessons.

~~~
wscott
They are debugging it right now. The ultimate bug bounty program.

------
narrator
I always thought that Ethereum had a huge attack surface. Each script has to be
security audited, etc. That's the thing about Bitcoin. It's as simple as
possible while still being secure and useful and has been beat up and audited
by the best security pros in the world. Distributed Systems are not easy.
Secure distributed systems with Byzantine fault tolerance are even harder.
Ethereum is just trying to do too much.

~~~
jpereira
Doesn't this show an issue with the Distributed Systems on Ethereum, with
every script that has to be audited individually, and not with the platform
itself?

I'm with you on the fact that proper auditing is an absolute must, as this DAO
fiasco shows, but I don't think this event exposes any flaws in the Ethereum
platform itself.

~~~
sphen
I recently attended an Ethereum workshop that was scheduled for two hours.
Three hours later and most of the audience were no more wise about Ethereum
than when they first entered the room. It certainly didn't help that the workshop
was led by a web developer (a passionate Ethereum supporter) who had no interest
in the consensus algorithm or other dense technical issues, but what was
quickly apparent to me was that Ethereum has a steep learning curve. With such
technologies, it is important to take more time to understand the concepts and
the details. Maybe in the rush for VC money, some developers have failed to
grasp that.

~~~
woah
The consensus algorithm is actually not that important for understanding day
to day stuff. Some "private blockchains" actually just use round-robin.

------
ThomasRooney
I started archiving the slock.it #general slack channel when this attack
began. This is where most of the discussion has been taking place. Here's up
until a few minutes ago:

[http://pastebin.com/DykumjLs](http://pastebin.com/DykumjLs)

~~~
_Codemonkeyism
@channel EMERGENCY ALERT! IF YOU HAVE A SPLIT OPEN PLEASE DM @griff ASAP!!!

azzo [2:22 PM] what's DM

~~~
dimgl
This is comedy gold.

~~~
746F7475
Not everyone uses (I'm assuming) Twitter

~~~
icebraining
Yeah, should it be PM? They are on IRC, after all.

~~~
DCoder
That's Slack, not IRC. Slack uses the term "Direct Messages" for private
conversations.

------
cplease
Oh, nobody saw that coming. Completely unforeseeable.

What other mature, ready-for-primetime autonomous altcoin networks can I dump
my savings into for no apparent reason?

Edit: "DAO token holders and ethereum users should sit tight and remain calm.
Exchanges should feel safe in resuming trading ETH."

No they shouldn't. They should be running screaming for the exit doors. Less than
two months after the launch of this mysterious "DAO" with an entirely bogus
value proposition, 1/3 of the money put in, worth presently some $39 million
USD in real money, has been confirmed stolen.

~~~
developer2
WTF. There is the equivalent of _millions of dollars_ in this blockchain?
How?! Who willingly puts real cash up front for this kind of thing? Just...
what?!

~~~
cplease
Yeah, I know, right? I don't trust actual, qualified fund analysts to pick
real investments for me, I stick largely to index funds. Yet a bunch of
cryptoweenies have decided to pool their money in cryptoweenie form in some
kind of insane, fragile investment club, so a bunch of cryptoweenies stupid
enough to think this is a good idea can collectively vote on what to do with
each other's money by simple majority vote, without restriction? No. Just no.

Right now the proponent of this fraudulent scheme, slock.it, is actually
urging people to spam the blockchain to slow down the rate of theft. Yet the
true believers are claiming this is a "learning experience" that will make it
all better in the long run. It's beyond satire.

------
tankenmate
Use this link because the ethereum blog is suffering.

[http://pastebin.com/xW16N7Ye](http://pastebin.com/xW16N7Ye)

~~~
bArray
Thanks!

I don't understand why the site should be suffering so much? All these sites
seem to suffer when a link gets posted in a few places. Do they all have
something in common?

~~~
RubyPinch
excessively large userbase compared to the amount of people who vote/comment
is what I figure

\+ I'd imagine quite a lot of people were expecting this blogpost, probably
anyone who put more than $50 towards the DAO, and is currently awake

------
spdionis
Can someone eli5 what DAO and ethereum are?

~~~
mbrock
Ethereum is a P2P accounting system, like Bitcoin, but allowing users to
upload automatic contracts that decide autonomously what to do with the tokens
they possess.

For example, you could upload a contract that lets some specific set of
accounts withdraw money unless the balance goes under 500 ETH (which is the
basic Ethereum currency).

"The DAO" is such a contract but with more complex logic that amounts to a
kind of venture fund. If you send money into it, you get to vote in proportion
on proposals for "The DAO" to fund projects.

That contract was hyped enormously as the future of financing etc and indeed
received an enormous amount of ETH from people who hoped it would benefit the
Ethereum ecosystem.

In the first weeks after its recent launch, the contract logic was shown to
have economic flaws that would most likely lead to bad fund performance, and
it seemed as if the incentives for voting on proposals didn't work: no
proposal ever made it past the threshold.

And now it turns out that despite the assurance of security audits, the logic
(written in Ethereum's contract language Solidity) had a serious bug that
allowed an attacker to start draining all of the fund's assets.

~~~
Zelmor
Now there are a couple things I still do not understand.

1\. How do I exchange this cryptocurrency for something that I can go and buy
a sandwich with at the Deli?

2\. Why is there a need for this instead of using traditional methods with
contracts, banks, etc? Money as is, is a collective illusion we all subscribe
to anyway, and these things aren't any more different from that. What is the
purpose of this cryptocurrency?

3\. Who on earth are putting all these millions of dollars into these systems
and how?

~~~
mbrock
1\. You just make an agreement with someone who would like to buy your tokens
for some national currency. If you ever played an MMORPG or Diablo 2 or
something, you know that "imaginary" digital items can be traded for "real"
money. There are many exchanges where you can do this conveniently.

2\. For one example, consider how tedious it is to open a new bank account;
with cryptocurrency, you just make a new keypair. Smart contracts improve on
normal contracts in that they are executed automatically and cheaply. One of
the first theoreticians of smart contracts wrote:

"A canonical real-life example, which we might consider to be the primitive
ancestor of smart contracts, is the humble vending machine. Within a limited
amount of potential loss (the amount in the till should be less than the cost
of breaching the mechanism), the machine takes in coins, and via a simple
mechanism, which makes a freshman computer science problem in design with
finite automata, dispense change and product according to the displayed price.
The vending machine is a contract with bearer: anybody with coins can
participate in an exchange with the vendor. The lockbox and other security
mechanisms protect the stored coins and contents from attackers, sufficiently
to allow profitable deployment of vending machines in a wide variety of areas.
Smart contracts go beyond the vending machine in proposing to embed contracts
in all sorts of property that is valuable and controlled by digital means."

[http://szabo.best.vwh.net/smart_contracts_idea.html](http://szabo.best.vwh.net/smart_contracts_idea.html)

3\. Lots of different people. Many of them probably purchased the tokens when
the network was young and the exchange rates were much lower, or mined the
tokens themselves. The sum of the market value of these networks starts at
zero and gets bigger as the tokens become scarce and valuable.

~~~
developer2
>> consider how tedious it is to open a new bank account

You make it sound like a person needs to open a separate bank account for
every transaction, which is clearly not how people manage their finances.

I'm in the same eli5 boat. I can't fathom why anybody would put real cash into
such a system. It comes across as "because I'm rich as fuck and can gamble
away my money on a stupid tech system that is not realistically viable".
Just... why would anyone use this? It makes no sense, unless this just offers
a way to attempt to hide one's identity while participating in illegal
ventures.

I know a lot of tech nerds. Not one of them would ever join a system like
this. I just don't get who is voluntarily subjecting themselves to this
insanity. Can someone out there who has actually used Ethereum explain why
they've done so? I would really appreciate some kind of insight into this
whole concept, as I just don't understand.

~~~
mbrock
No, I mean if you want a new bank account, for example because you started a
new business, you need to put on pants, go to a bank office and fulfill
whatever the bank demands.

The banking world is extremely interested in blockchain technology and smart
contracts. Browse through financial news and you'll see the extent of it—it's
huge.

Your conviction that blockchains are stupid insanity seems to me like it will
be proven very wrong in the next five years.

------
zby
The interesting question for now is - is that illegal what that unknown party
does? If The DAO code is the contract - then using the code in this way would
be like using some fine print clauses in a contract.

------
Quanttek
I remember reading somewhere, that the DAO was basically hastily coded under
pressure, without any QA or security audit, so that explains things

~~~
walrus01
hell yes, let's all put $150 million in something with no QA or security
audit, what can possibly go wrong? also, I need to buy a gallon of PCP.

------
curiousgal
It's not as bad as it seems. The hackers have their ETH locked in a Child DAO,
so they will not be able to get the ETH out for a long time, by which a fix
will be issued. The entire Ethereum Ecosystem is collaborating on a solution.

0.[https://www.reddit.com/r/ethereum/comments/4oiib4/dao_is_saf...](https://www.reddit.com/r/ethereum/comments/4oiib4/dao_is_safe/)

~~~
Udo
Does the child DAO inherit the parent's code? If so, the money could be
drained right back.

~~~
amluto
I think you have to own at least a little bit of the child DAO to drain it,
and presumably only the attacker owns any.

------
peterbonney
Interesting side point to this: some people wondered why DAO units immediately
traded at a discount and many thought it presented an "arbitrage" opportunity,
but this hack illustrates why it was always rational that the DAO should trade
at less than the redemption value. The value of DAO units is capped on the
upside, but not on the downside, and this hack is one way (of many) that
downside risk could manifest itself.

------
csomar
Well, that wasn't long. And we might have just found out the single reason against
Smart Contracts.

------
vegabook
anyway Ethereum feels like a cult. There's something weirdly disturbing for me
about the ethos of blockchain technology, and how it jars with "The DAO"
(note the capitalised definite article. There Is Only One. Hardly distributed
or democratic). Also look at how a bunch of ethereum shills pack its
"Curator", for which, by the way, The DAO is "incredibly privileged"[1]. What?
Your own organization is incredibly privileged that you appointed yourself to
it?

Even the name "ethereum" is pretentious and showy, again anti-distributed
ethos.

I don't get a strong comfort level that this organization is any better than
the current central banks.

[1] [https://daohub.org/curator.html](https://daohub.org/curator.html)

~~~
Animats
It's arguable whether Ethereum is a cult. The DAO is definitely a cult, with a
cult leader.

------
anotheryou
Why is there so much money in a crypto currency so young?

It's young software, of course it will fail around a little.

Is it because the beginning is where you make the bet to become really rich
when the thing lifts off?

------
jbpetersen
Response from the official Ethereum Foundation:
[https://blog.ethereum.org/2016/06/17/critical-update-re-
dao-...](https://blog.ethereum.org/2016/06/17/critical-update-re-dao-
vulnerability/)

~~~
marijn
That yields, amusingly, a blank page for me right now.

~~~
jbpetersen
Crosspost to reddit:
[https://www.reddit.com/r/ethereum/comments/4oiqj7/critical_u...](https://www.reddit.com/r/ethereum/comments/4oiqj7/critical_update_re_dao_vulnerability/)

------
1012930112
Is this related to [https://www.ethereum.org/](https://www.ethereum.org/) ?

"Ethereum is a decentralized platform for applications that run exactly as
programmed without any chance of fraud, censorship or third-party
interference."

Right ...

~~~
lazaroclapp
Oh, it is absolutely right (as far as we know). But "exactly as programmed"
doesn't mean "exactly as intended" it means " _exactly_ as programmed", with
bugs and vulnerabilities and all.

' “This is the land where dreams–dreams, do you understand–come to life, come
real. Not daydreams: dreams.” There was about half a minute’s silence, and
then with a great clatter of armor, the whole crew were tumbling down the main
hatch as quick as they could and flinging themselves on the oars to row as
they had never rowed before. . . . For it had taken everyone just that half-
minute to remember certain dreams they had had–dreams that make you afraid of
going to sleep again–and to realize what it would mean to land on a country
where dreams come true. ' \- C. S. Lewis’s Voyage of the Dawn Treader

------
stevebmark
Am I misreading this? The suggested solution is _hard code_ an account hash
into the source of Ethereum? If that's the case, how can that be taken
seriously? It sounds like Ethereum should just start over entirely. The
experiment part I failed.

------
greenspot
Site doesn't load. Does anyone have a tl;dr for the not so informed? What's
DAO? Does Ethereum have a weak spot?

~~~
popey456963
This is how I understand the situation:

\- 2,436,828 Ethereum has been routed to the address starting
"0x304a554a310c7e546" [0]

\- This is worth roughly $46,000,000.

\- This has happened because there is some weakness in the Ethereum security

\- The conversion between Ethereum and USD is dropping significantly, now down
to 16. [1]

Due to this security threat, the developer is telling people to try to
effectively DDOS the service in order to stop all transactions. Also, people
are being told to split, but I can't see why.

Copy of page at 9:45: \-
[http://puu.sh/pvOqy/929f40bddb.png](http://puu.sh/pvOqy/929f40bddb.png)

[0]
[https://etherchain.org/account/0x304a554a310c7e546dfe434669c...](https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490)

[1] [http://puu.sh/pvOVw/5443a70ced.png](http://puu.sh/pvOVw/5443a70ced.png)

~~~
csomar
Is this a weakness on Ethereum or the DAO?

~~~
nullc
The fact that many scripts written suffer similar vulnerabilities unless
extensive (and, seemingly failure prone) mitigations are applied, suggests
that the root cause is a known design flaw in the ethereum smart contract
architecture.

Doubly so when the latest reviewers of this system and custodians of the DAO
include the system's creators.

When building systems that provide irreversible transaction processing, safe
only under perfect use is not sufficient.

~~~
themusicgod1
Ethereum is a general purpose system: it has sharp edges. We can use the same
reasoning to condemn C/++'s pointers (people trip over themselves all the
time, even serious audits occasionally miss big bugs), but we still survive
with C code running much of our lives. If there's issues with implementing in
ethereum code directly, there are many ways of addressing it and only some of
them view the issue here as a 'flaw' rather than a 'hard to use feature'.

Ethereum just has to work. It doesn't have to be pretty. It doesn't have to be
easy. Being pretty will help it work, but there's enough money on the table,
and TheDAO demonstrates this, that it will advance on alternative institutions
if it works.

TheDAO may never be 'safe' or 'perfect'. It only has to be safe right now,
from the threats that real, interested parties are capable of implementing.
This list of threats is quite large at 250,000,000$, and will be larger
when/if TheDAO/its descendants hit 250,000,000,000$+.

------
bpierre
Article content:

Posted by Vitalik Buterin on June 17th, 2016.

An attack has been found and exploited in the DAO, and the attacker is
currently in the process of draining the ether contained in the DAO into a
child DAO. The attack is a recursive calling vulnerability, where an attacker
called the “split” function, and then calls the split function recursively
inside of the split, thereby collecting ether many times over in a single
transaction.

The leaked ether is in a child DAO at
[https://etherchain.org/account/0x304a554a310c7e546dfe434669c...](https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490);
even if no action is taken, the attacker will not be able to withdraw any
ether at least for another ~27 days (the creation window for the child DAO).
This is an issue that affects the DAO specifically; Ethereum itself is
perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no
transactions or blocks will be “reversed”) which will make any transactions
that make any calls/callcodes/delegatecalls that execute code with code hash
0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the
DAO and children) lead to the transaction (not just the call, the transaction)
being invalid, starting from block 1760000 (precise block number subject to
change up until the point the code is released), preventing the ether from
being withdrawn by the attacker past the 27-day window. This will later be
followed up by a hard fork which will give token holders the ability to
recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait
for the soft fork code and stand ready to download and run it if they agree
with this path forward for the Ethereum ecosystem. DAO token holders and
ethereum users should sit tight and remain calm. Exchanges should feel safe in
resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call
bugs, and listen to advice from the Ethereum contract programming community
that will likely be forthcoming in the next week on mitigating such bugs, and
(2) avoid creating contracts that contain more than ~$10m worth of value, with
the exception of sub-token contracts and other systems whose value is itself
defined by social consensus outside of the Ethereum platform, and which can be
easily “hard forked” via community consensus if a bug emerges (eg. MKR), at
least until the community gains more experience with bug mitigation and/or
better tools are developed.

Developers, cryptographers and computer scientists should note that any high-
level tools (including IDEs, formal verification, debuggers, symbolic
execution) that make it easy to write safe smart contracts on Ethereum are
prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous
finance grants.
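
The recursive-call bug class named in the article text above, shown beside the reordered form that closes it. This is an added Python model, not The DAO's Solidity code and not part of the original post; `Chain`, `Fund`, `ReenteringRecipient`, `run_scenario` and all balances are constructed for illustration.

```python
"""Toy model of a recursive-call (reentrancy) bug. Constructed example:
this is not The DAO's code, and every name and amount here is made up."""


class Chain:
    """Stand-in for chain state: ether balances plus deployed contracts."""

    def __init__(self):
        self.balance = {}     # address -> ether held
        self.contracts = {}   # address -> object exposing on_receive()

    def send(self, src, dst, amount):
        """Move ether, then run the recipient's code, as a value call does."""
        if self.balance.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        recipient = self.contracts.get(dst)
        if recipient is not None:
            recipient.on_receive(src, amount)


class Fund:
    """Pooled fund that tracks what it owes each depositor."""

    def __init__(self, chain, address, pay_before_update):
        self.chain, self.address = chain, address
        self.pay_before_update = pay_before_update
        self.credit = {}      # depositor -> ether owed
        chain.contracts[address] = self
        chain.balance.setdefault(address, 0)

    def on_receive(self, sender, amount):
        pass                  # bookkeeping happens in deposit()

    def deposit(self, sender, amount):
        self.chain.send(sender, self.address, amount)
        self.credit[sender] = self.credit.get(sender, 0) + amount

    def withdraw(self, caller):
        owed = self.credit.get(caller, 0)
        if owed == 0:
            return
        if self.pay_before_update:
            # Vulnerable order: the external call runs while credit[caller]
            # still holds the old value, so a nested withdraw() pays again.
            self.chain.send(self.address, caller, owed)
            self.credit[caller] = 0
        else:
            # Hardened order: update state first, call out last.
            self.credit[caller] = 0
            try:
                self.chain.send(self.address, caller, owed)
            except Exception:
                self.credit[caller] = owed   # model a revert on failure
                raise


class ReenteringRecipient:
    """Test double: a payee whose receive hook calls withdraw() again."""

    def __init__(self, chain, address, fund, max_reentries):
        self.address, self.fund = address, fund
        self.max_reentries = max_reentries
        self.reentries = 0
        chain.contracts[address] = self

    def on_receive(self, sender, amount):
        if sender == self.fund.address and self.reentries < self.max_reentries:
            self.reentries += 1
            self.fund.withdraw(self.address)


def run_scenario(pay_before_update, max_reentries=3):
    """Deposit 90 + 10, let the payee withdraw once, report the end state."""
    chain = Chain()
    chain.balance.update({"alice": 90, "payee": 10})
    fund = Fund(chain, "fund", pay_before_update)
    payee = ReenteringRecipient(chain, "payee", fund, max_reentries)
    fund.deposit("alice", 90)
    fund.deposit("payee", 10)
    fund.withdraw("payee")
    total_owed = sum(fund.credit.values())
    return {
        "payee_balance": chain.balance["payee"],
        "fund_balance": chain.balance["fund"],
        "total_owed": total_owed,
        # Invariant an audit or monitor can check: the fund must always
        # hold at least what its own books say it owes.
        "solvent": chain.balance["fund"] >= total_owed,
        "reentry_attempts": payee.reentries,
    }


if __name__ == "__main__":
    print("pay, then update:", run_scenario(pay_before_update=True))
    print("update, then pay:", run_scenario(pay_before_update=False))
```

The solvency invariant is the useful check for review and monitoring: in the pay-then-update run the fund ends up holding less than its books say it owes, while the reordered run leaves it intact after the same re-entry attempt.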

~~~
verytrivial
Hang on. So because this one contract is poorly specified, they've decided to
change the universe to prevent its existence? Wow. That's some fiat power
right there.

~~~
fudged71
It's worse because everyone considers Vitalik as some god of decentralization

------
yonilevy
Just an idea - why not contact the attacker (via a public message), and offer
him or her a deal - they get to keep say 1% of the stolen amount, given that
they upload a smart contract that guarantees the money is sent from the stolen
account to a "trusted" address (from where it will go to DAO 2.0). That way
everyone wins, hacker gets paid a fair amount for finding the security hole,
no messy forks.

~~~
mrep
Give back tens of millions of dollars for what? Karma?

------
ZenoArrow
Whilst it's bad that people's money is being stolen, this could end up being a
good thing for cryptocurrencies. Investors burned by this will certainly be
demanding more robust security around cryptocurrencies in the future.

------
buttershakes
This pretty directly contradicts a lot of the hype around Ethereum. Yes, bad
contract code is bad, but a lot of money is about to evaporate. If it isn't
easy to write secure contracts then there is a serious deployment problem.

~~~
anc84
No money is going to evaporate. First of all, the value just changes hands and
second of all, there is no money involved, just toy bits.

~~~
pmorici
well the market price of ETH went from $22 earlier today to as low as $15 in
the last 30 minutes so I would say a lot of value has evaporated even if the
eth itself hasn't.

~~~
anc84
I would not consider fraud schemes valuable.

------
vijayboyapati
Because smart contracts are (often) contractual obligations on real world
things, they only hold as much power as the apparatus of coercion (usually the
State) will allow them to hold. That is, you must trust the political
authority first and foremost before you trust the contract. This is very
different to bitcoin, which operates purely in the digital realm, where you
can trust the ownership of the btc without requiring trust of the political
authority. So bitcoin solves a trust problem and this makes the less efficient
distributed architecture worthwhile (it would be much cheaper and far faster
to operate a digital currency in a centralized way). But if you have to trust
the political authority for digital contracts on physical goods, what is the
point of the extra cost? I'm dubious there is any real benefit.

------
pure_ambition
As a non-bitcoin person, I'm sitting here thinking someone's Database Access
Object has a vulnerability.

------
pmorici
Related reddit thread

[https://www.reddit.com/r/ethereum/comments/4oi2ta/i_think_th...](https://www.reddit.com/r/ethereum/comments/4oi2ta/i_think_thedao_is_getting_drained_right_now/)

------
shocks
Can someone explain what is going on here?

~~~
distances
I'd also appreciate an explanation for an audience who's never heard of DAO or
Ethereum.

~~~
jbpetersen
A Turing complete blockchain was used to create a crowd-funded venture fund
[TheDAO].

There was a bug in TheDAO's code. It got exploited in order to siphon off
cryptocurrency worth many millions in USD.

------
mcphilip
New blog post on dao hub. Seems pretty grim:

[https://blog.daohub.org/the-dao-is-under-
attack-8d18ca45011b...](https://blog.daohub.org/the-dao-is-under-
attack-8d18ca45011b#.14ubtbne5)

------
kovek
I do not understand Ethereum well, but it seems like bigger contracts (with
10$ million worth of value) could be built on top of smaller ones which have
been proven (with time) to be correct and not contain mistakes.

We all know that smaller pieces of code can be more easily reviewed and
understood. I think that this applies for simpler contracts with smaller
value. If a contract has been running for a while without being exploited,
then it means that it is pretty solid, and others can build on top of that
contract.

It is an interesting dynamic, because there is an incentive to exploit bad
contracts, and the contracts that have run a long amount of time and that
have not been exploited yet are thus trusted to be unexploitable (because no-
one exploited them)

If that is how it works, it means that Ethereum will eventually become a
fail-proof system. However, one should not mistakenly create contracts from
the ground up or using untrusted sub-contracts. The ones who do so will see
their contract exploited and everyone will learn from that mistake.

Edit: Seems like Vitalik Buterin asking people to get that patch if they agree
for the Ethereum ecosystem to move in that direction is just creating
opportunity for fragmentation in the community. It would make more sense to
let that "exploit" become a lesson instead of trying to work around this non-
issue.

------
wslh
At the risk of being heavily downvoted, I think it is discussable if the
hackers deserve their money or not when all the security and ethics are based
on code since hacking is a pure part of it. Note that I said "discussable" and
not right or wrong.

A good thread is evolving about this here:
[https://www.reddit.com/r/btc/comments/4oibqw/ding_dong_the_d...](https://www.reddit.com/r/btc/comments/4oibqw/ding_dong_the_dao_is_dead/)

------
Olscore
Real time chart for DAO/BTC (Down 41% currently):
[https://poloniex.com/exchange#btc_dao](https://poloniex.com/exchange#btc_dao)

~~~
dagw
And has now dropped to down 60% in the 20 minutes since you posted...

------
joosters
Slock.it will be so disappointed, they never managed to grab any of the cash
from their creation...

~~~
SakiWatanabe
Yeah, the presale website was pretty cool though.

~~~
joosters
Still, maybe they can get a refund from the people that did the code audit?

------
known
This is why I prefer
[https://en.m.wikipedia.org/wiki/Chiemgauer](https://en.m.wikipedia.org/wiki/Chiemgauer)

~~~
walrus01
screw that, I'm putting all my money into giant round stones with holes in the
centre.

[https://en.wikipedia.org/wiki/Rai_stones](https://en.wikipedia.org/wiki/Rai_stones)

------
nickpsecurity
This is an example of why I created my mantra for high-assurance security:
"tried and true beats novel and new." Another is to wait at least 10 years for
specific tech and techniques to prove themselves out before betting lives or
entire businesses on them (startups an exception).

The blockchain and DAO models are very new. They introduce new mathematical
constructs, complex code, security issues we haven't thought about,
coordination among many for such issues, and so on. Ethereum even includes an
interpreter or something, which has its own set of risks. So, I refused to bet
on such models given enormous risk means stuff is going to happen to them that
isn't going to happen to regular, financial processing. We also have
mitigations for most of _its_ risks.

Today is a good example. This is the kind of thing you're not going to see the
Federal Reserve, VISA/Mastercard, most banks, or even large eCommerce sites
announce. It probably won't be the last announcement of an unusual issue. So,
anyone wanting stable currency + commerce should avoid stuff like Ethereum
unless they're just investing small amounts to help them experiment & improve.
Risk/reward doesn't make sense on such immature tech.

------
hkjgkjy
This is massive. I observe with great interest how it will be handled -
Ethereum is still young enough that doing a hard fork can be the sensible
choice, and people can agree to do so (since such a large portion of ETH is
now owned by baddies).

It has been said before, but there ain't no drama like Blockchain drama. No TV
show, no book, nothing has me following its story as Bitcoin and the other
blockchains that come after it. Greatest drama of the millennia, so far.

------
xorcist
The DAO is written by consultants specializing in Ethereum contracts. They
have core developers on their team. They are good, but one mistake is all it
takes. (And their business idea to sell a "DAO framework" is probably going to
be hard after this.)

The bug that was exploited here has been public for a week before someone
decided to try it in practice. There was time to dispense back everyone's
ether, had they taken it seriously. But taking security seriously requires an
almost superhuman distance to your work.

The Ethereum developers are actively debating whether to put in logic to replay
the blockchain in order to give back everyone's ether. While that's probably a
good idea, it also means the company behind Ethereum can reverse any contract.
That puts them in a difficult situation, as any smart contract platform will
have dissatisfied parties at all times. (In comparison, none of the Bitcoin
thefts have been reversed, and it's not clear they could have been as
development is much less tightly knit.)

It's the most exciting thing since the fall of MtGox. The money at stake is
comparable (the DAO is about a fourth of what MtGox was in perceived value).

------
imdsm
And now for a critical update regarding the DAO vulnerability...

Error establishing a database connection

~~~
KON_Air
The ultimate answer to all attacks, pull the cord.

------
CyberDildonics
While it is easy to cherry pick past comments and pretend it was insight
instead of luck, I have to say my intuition was pretty quickly validated that
so much money in something so untested and complicated was excessively risky:

[https://news.ycombinator.com/threads?id=CyberDildonics&next=...](https://news.ycombinator.com/threads?id=CyberDildonics&next=11793189)

------
johnhenry
For me, the interesting part is that the creators of Ethereum have decided
that the owners of the address in question have committed a "crime" and to
change the way the blockchain works in order to punish them specifically.
Sure, users can "vote" by choosing whether or not to accept the fork in the
code that does this, but because of the way it's set up, the community isn't
going to take it that way. I'm afraid that this sets a precedent that would
discourage development (what if we change the way the entire internet works
every time someone hacks a website?) and also allow powerful entities within
the system an unfair advantage (would we do this for everyone who used a
contract of which they didn't understand the full implications? Or is this
only in the case of the DAO because of its high profile?).

------
curiousgal
I see a lot of confusion mixed with the good old HN hate for crypto which is
justifiable but just to be clear, the breach was with a single piece of
software written on the Ethereum network (the DAO). Not a vulnerability with
Ethereum. The eth that is locked is the funds that were paid to that contract
(TheDAO), not the network's funds.

------
codingmyway
The DAO lasted even less time than I thought.

~~~
andygates
It didn't even make it out of the nest! Poor fat tender little fledgling org
devoured in a blink.

I was expecting it to at least bubble, before failing hard.

~~~
codingmyway
I was giving it until the splitting time was up. So much idealistic naivety.
Would have been interesting to watch. I'm sure there'll be more attempts at
DAOs yet. Lesson learnt at least.

------
pmorici
ETH's creator just called on exchanges to halt all trading of ETH and DAO.

[https://np.reddit.com/r/ethereum/comments/4oif2x/dao_attack_...](https://np.reddit.com/r/ethereum/comments/4oif2x/dao_attack_exchanges_please_pause_eth_and_dao/)

------
Udo
As far as attacks go, this seems to fall more within the "for the lolz"
category, than an actual attempt to draw money. If they had kept it
reasonable, say a couple of hundred thousands worth, this would probably have
gone unnoticed for a long time (maybe long enough for the 27 day payout window
to expire).

------
amluto
Wow, theDAO has a shockingly cavalier attitude to security
([https://github.com/slockit/DAO/wiki/The-DAO-v1.0-Code](https://github.com/slockit/DAO/wiki/The-DAO-v1.0-Code)):

> At the time of deployment, it was discovered that the solidity compiler is
> not deterministic. AST nodes are identified by their raw pointers. So if we
> iterate over data structures, different raw pointers might result in a
> different iteration order.

> We originally wanted to let the community deploy The DAO and then just check
> the bytecode, but this was not possible at the moment of deployment. So
> instead a fixed transaction bytecode was provided for the community to
> deploy.

Shouldn't they have waited to deploy until they figured out how to make it
verifiable?

~~~
Taek
"Move fast and break things."

In all seriousness though, when it comes to cryptography, cryptocurrency, and
smart contracts, people are playing with fire, and they don't realize it. You
can't fix a smart contract the same way you can fix a website. The fact that
it's functional is not good enough to push it out to the public.

Most software projects don't have that problem. Most software projects, it is
okay to push buggy beta code out to the public. Because most software projects
don't steward large amounts of money in an irreversible payment system.

------
sidthekid
I can't help but imagine the attacker party/their associates read reddit and
online forums, and thus would be vocal in criticizing the soft/hard fork
decision. The theft of $50m is being rendered useless in front of their eyes -
a maddening situation I'm sure.

~~~
drewm1980
It looks to me like the "thief" has already won; it has turned into an
ideological debate; I would be surprised if ~any proposal to fork reaches a
majority.

------
return0
Is this a weakness of ethereum or the DAO? How much analog money was invested
in total in the DAO?

~~~
nikolay
Of both, I guess. Or of cryptocurrencies in general.

------
aws_ls
Oh, I didn't know that you could make recursive calls on the DAO! Gosh, to me
plain for loops (what people call Turing complete) itself looked a bit too
much, from scaling point of view. I wrote my thoughts on the same 23 days
back, when there was an article on CoinBase praising Ethereum in comparison to
Bitcoin[1].

I have no axe to grind against Eth vis-a-vis Bitcoin. In fact support both.
But, try to look at parts of the former skeptically which I think are over
sold, without being looked at critically.

[1]
[https://news.ycombinator.com/item?id=11772397](https://news.ycombinator.com/item?id=11772397)

edit: minor rephrase

------
dnautics
I currently don't own any Ethereum. I'd like to point out that those who are
saying that this means there's a "too big to fail" concept within Ethereum are
missing the key point that when the US (and other places) did too big to fail
bailouts it was a concerted effort between unelected central bankers and
government officials who are perceived to not necessarily have the best
interests of the people in mind. At least if Ethereum makes a decision that
the DAO is too big to fail, it will have done so via consensus, and parties
that don't like it can take their assets and leave.

------
ProfChronos
Why does everyone mix a decentralized system with a self-controlled system?
Decentralization doesn't mean there is no power to regulate or no coordination
between users/agents, it is just a model of architecture for a system where
power belongs to local entities. That absolutely doesn't mean that there
aren't rules and bodies to defend them [1].

[1]
[https://www.intgovforum.org/cms/wks2015/uploads/proposal_bac...](https://www.intgovforum.org/cms/wks2015/uploads/proposal_background_paper/SSRN-id2580664.pdf)

------
eblanshey
Many people here stating that its purpose is tainted if they can just undo
what the attacker did. After all, why not just have a centralized authority
after all?

I haven't researched this deeply, admittedly, but I think the idea is that
they're using _consensus from the community_ in order to undo what the
attacker did. In other words, if the community didn't support it, it wouldn't
be possible to do at all. Contrast this with a centralized authority that
didn't need community involvement at all.

~~~
tdb7893
This works for the obvious thefts and high profile contracts but what about
smaller contracts and more gray areas? Will the miners know about or care
enough to actually efficiently resolve disputes fairly? Will there be a fork
for the person who lost 500$ because of a bug in his contract? I’m worried
that miners policing everything won’t be sustainable and in the end code will
be the final arbiter on Ethereum and as we all know writing code without bugs
is an unrealistic expectation to place on people.

------
runn1ng
I will just leave this there

[http://www.jofreeman.com/joreen/tyranny.htm](http://www.jofreeman.com/joreen/tyranny.htm)

------
barisser
What concerns me is that they want to do a soft-fork to handle just this case.
One shouldn't fiddle with the protocol every time something like this happens.

------
reddytowns
Update, the coins stolen can't be spent for 27 days and Vitalik (one of the
creators of ethereum) is proposing a fork to refund the ether.
[https://steemit.com/ethereum/@vladislav/critical-update-re-d...](https://steemit.com/ethereum/@vladislav/critical-update-re-dao-vulnerability-posted-by-vitalik-buterin-on-june-17th-2016)

------
newobj
I don't really understand smart contracts yet, but wouldn't it have been
possible to implement the DAO in a way such that forks/cancellations could be
"voted" on by the network somehow, versus requiring whatever this is going to
require? Code fork? At least the fork would have been "decentralized" then...
this does not bode well at all.

------
ikeboy
Not loading for me, see [https://archive.is/YkANN](https://archive.is/YkANN)

------
imaginenore
They are proposing a soft fork for one specific case and one specific hash.
It's a house of cards.

------
melvinmt
The price of ETH just went from $20.45 to $14.01 in the last 24 hours... I
just got out in time and am gonna wait this out a little bit :)

[https://www.gdax.com/trade/ETH-USD](https://www.gdax.com/trade/ETH-USD)

------
granaldo
Market is reacting to it
[https://www.coingecko.com/en/price_charts/ethereum/usd](https://www.coingecko.com/en/price_charts/ethereum/usd)
Ethereum down from $21 to $15 in minutes

------
kerkeslager
It seems to me that the DAO is a large enough player in the Ethereum community
that this plan is likely to succeed. If it does, it will be the first example
I know of where a 51% attack was successfully executed against a popular
blockchain.

Whether or not this is a desirable thing depends on your goals. From the
perspective of the Ethereum community, which is heavily invested in the DAO,
it makes a lot of sense. Even if this vulnerability causes you to write off
the DAO as a failed experiment, it makes sense to recover some of your lost
value before you exit.

However, for my goals, this causes me to write off Ethereum as a
cryptocurrency I will never, ever use. It's breaking the fundamental benefits
of the cryptocurrency to fix the problems of one group. And further, if this
is possible for Ethereum, it makes me think that a 51% attack is more
plausible for other cryptocurrencies. This worries me. I'd like to see more
research put into defending against 51% attacks.

~~~
abrkn
> On August 15 2010, it was discovered that block 74638 contained a
> transaction that created over 184 billion bitcoins for two different
> addresses. This was possible because the code used for checking transactions
> before including them in a block didn't account for the case of outputs so
> large that they overflowed when summed. A new version was published within a
> few hours of the discovery. The block chain had to be forked. Although many
> unpatched nodes continued to build on the "bad" block chain, the "good"
> block chain overtook it at a block height of 74691. The bad transaction no
> longer exists for people using the longest chain.

[https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu...](https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures)

~~~
kerkeslager
While this does demonstrate a 51% attack, I think there's a key difference
here. With the 2010 Bitcoin fork, the problem was a bug in the core
infrastructure which was broken. The 51% attack broke the core infrastructure,
but that core infrastructure _was already broken_. In that case it was a
matter of choosing which way the core infrastructure breaks.

In the current Ethereum situation, the core Ethereum infrastructure _isn't_
broken. The problem is with the contracts in the DAO. So creating an
intentional fork is breaking the core infrastructure--_which isn't
broken_--to fix the problem of a single majority stakeholder.

I don't mean to indicate the Bitcoin fork wasn't a problem--the fact that bugs
can break core infrastructure also concerns me. But it's a very different
problem from the one the DAO is creating here.

------
goldenkey
Article about The DAO since parent link is flakey:
[http://www.coindesk.com/the-dao-just-raised-50-million-but-w...](http://www.coindesk.com/the-dao-just-raised-50-million-but-what-is-it/)

------
Udo
As an outsider, this is stunning to me: why isn't there a contract revocation
mechanism? Considering these things are programmable, it could be something as
simple as a killswitch hash sitting in a lawyer's safe somewhere, right?

~~~
lmm
The whole point of the exercise is to not have it under human control.

~~~
Udo
It seems that's a very expensive exercise with very predictable results. And
"human control" is a very malleable concept, too. Obviously, there are humans
in control of Ethereum somewhere, and obviously the DAO was set up by humans,
too. For a decentralized commercial entity to have a lawyer on retainer
doesn't seem like an inappropriate betrayal of principles to me, but of course
the DAO people see it differently.

------
dreamdu5t
The hacker should sue them for violating the contract by trying to fork and
block him!

------
powera
I always thought nobody had any actual plans as to how the DAO could do
anything useful.

Now I guess we know it won't. Either "hackers" will bankrupt it, or all the
decentralization zealots will back out (and bankrupt it).

------
pmorici
For context 2 Million ETH is in the 30-40 million USD range at recent market
prices.

------
_pdp_
Since when are programming languages considered safe from logic flaws?

------
Bombthecat
I mostly invested only in bitcoin. I knew already that they will win at the end
anyway. I think I invested around 10% in dao / ether. More for fun than
anything else.

Seems like I was right.

------
artursapek
The price of DAO has tanked:
[https://cryptowat.ch/kraken/daobtc/1h](https://cryptowat.ch/kraken/daobtc/1h)

------
baldeagle
It looks like it stopped at 6am central us. Maybe someone ran it as a
scheduled job thinking they could be sneaky about it before becoming
inattentive?

------
twoodfin
Serious questions: Is this a crime? Should it be?

------
espadrine
An official statement was issued by Ethereum:
[https://blog.ethereum.org/2016/06/17/critical-update-re-dao-...](https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/)

Since it is under load, here is a copy:

An attack has been found and exploited in the DAO, and the attacker is
currently in the process of draining the ether contained in the DAO into a
child DAO. The attack is a recursive calling vulnerability, where an attacker
called the “split” function, and then calls the split function recursively
inside of the split, thereby collecting ether many times over in a single
transaction.

The leaked ether is in a child DAO at
[https://etherchain.org/account/0x304a554a310c7e546dfe434669c...](https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490);
even if no action is taken, the attacker will not be able to withdraw any
ether at least for another ~27 days (the creation window for the child DAO).
This is an issue that affects the DAO specifically; Ethereum itself is
perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no
transactions or blocks will be “reversed”) which will make any transactions
that make any calls/callcodes/delegatecalls that execute code with code hash
0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the
DAO and children) lead to the transaction (not just the call, the transaction)
being invalid, starting from block 1760000 (precise block number subject to
change up until the point the code is released), preventing the ether from
being withdrawn by the attacker past the 27-day window. This will later be
followed up by a hard fork which will give token holders the ability to
recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait
for the soft fork code and stand ready to download and run it if they agree
with this path forward for the Ethereum ecosystem. DAO token holders and
ethereum users should sit tight and remain calm. Exchanges should feel safe in
resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call
bugs, and listen to advice from the Ethereum contract programming community
that will likely be forthcoming in the next week on mitigating such bugs, and
(2) avoid creating contracts that contain more than ~$10m worth of value, with
the exception of sub-token contracts and other systems whose value is itself
defined by social consensus outside of the Ethereum platform, and which can be
easily “hard forked” via community consensus if a bug emerges (eg. MKR), at
least until the community gains more experience with bug mitigation and/or
better tools are developed.

Developers, cryptographers and computer scientists should note that any high-
level tools (including IDEs, formal verification, debuggers, symbolic
execution) that make it easy to write safe smart contracts on Ethereum are
prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous
finance grants.

— Vitalik Buterin

------
fovc
If the attacker is just moving funds into a child DAO, could someone else
attack the attacker? A digital Robin Hood?

------
__jal
One thing I'll say for Ethereal - the problems they have read like the flavor
text from a Vernor Vinge novel.

~~~
Animats
Time to reread "Mirrorshades".

The street finds its own uses for everything.

------
8ig8
Cached version:

[http://archive.is/YkANN](http://archive.is/YkANN)

------
infodroid
This is what happens when you are the first cryptocurrency with a Turing
complete scripting language.

------
hathym
better link: [https://steemit.com/thedao/@xeroc/ongoing-attack-on-thedao--...](https://steemit.com/thedao/@xeroc/ongoing-attack-on-thedao---eth-draining-from-the-pot)

------
fabled_giraffe
I suggest putting money into the stock market instead. It's much more
consistent, e.g.
[http://finance.yahoo.com/echarts?s=%5EGSPC+Interactive#symbo...](http://finance.yahoo.com/echarts?s=%5EGSPC+Interactive#symbol=%5EGSPC;range=my)

------
yoloswag1
Anyone know how to short ETH?

~~~
ultramancool
BTC-e and Poloniex offer margin trading including short selling.

------
cia48621793
Will Bitcoin/Litecoin/*.?coin ever meet the same problem?

------
dolguldur
Poor Ethereum now gets the bad press for TheDAO's hasty mistakes.

------
Animats
Ethereum just had its busiest day of trading ever and is down 25%.

------
Annatar
_EtherScan is a Block Explorer and Analytics Platform for Ethereum, which is a
decentralized platform that runs smart contracts._

What is this platform??? What is "DAO"??? What are "Uncles"??? What is
"Ethereum"???

~~~
deftnerd
With all due respect, this wasn't very constructive. HN is full of new and
strange acronyms. Most of us either skip the article about it if we're not
interested or simply google the term.

Ethereum is a blockchain based cryptocurrency that also lets you submit
programs to the blockchain that nodes around the world run in exchange for a
small fee.

I don't know what Uncles are, other than the brother of your father.

The DAO is a smart contract, basically a program, that runs on the Ethereum
network. It's a bit of a venture capital fund that was open for 30 days to new
investors. People submit investment proposals to TheDAO, and the investors
decide if the investment proposal should receive funding. If it does, profits
are sent back to TheDAO and distributed to the investors.

EtherScan is a block explorer for Ethereum.

~~~
Annatar
Well I mean the topic just assumes one knows everything there is to know about
the subject, and to me, that's just wrong. I had no idea what any of that
stuff meant, so I went to research it, and came back even more confused than I
was when I started.

Nevertheless, I thank you kindly for taking the time to explain.

~~~
forbiddenlake
Context-free headlines are a pattern on HN, and apparently are acceptable.
Examples include this submission and things like "Buffer layoffs" which was
not about staggering layoffs, but about a company named Buffer. Who knew?

------
arisAlexis
So the attacker can buy very cheap eth/dao right now, then somehow
stop/reverse the attack/send money back/claim it was white hacking and
effectively launder all the money he gained legitimately.

------
akulbe
Please forgive my ignorance here, but what _is_ "The DAO"? The link to
Ethereum doesn't help much. What is a "smart contract"?

~~~
akulbe
That was a legitimate question. Why the downvote?

------
pmorici
This can't be good for the price of ETH.

------
homakov
Isn't it a race condition?

------
newobj
"Put a fork in it"

------
koolba
What else did people expect would happen if you give them an arsenal of loaded
foot guns?

~~~
Bromskloss
Still an outstandingly exciting adventure!

------
howfun
Site doesn't open.

~~~
johncolanduoni
I'm curious how much of Hacker News' kiss of death is trying to access the
page in the browser, and how much is following that up when it doesn't
immediately work with pinging, "curl -I -v", etc.

------
y04nn
That sounds pretty bad

------
specialist
_"The "hacker" simply used the DAO as it was meant to be used ... and
deserves the funds."_

Exactly. DAO is CoreWar meets Nomic.

[https://en.wikipedia.org/wiki/Core_War](https://en.wikipedia.org/wiki/Core_War)

[https://en.wikipedia.org/wiki/Nomic](https://en.wikipedia.org/wiki/Nomic)

Designers of rulesets (laws, board games, markets, control systems) ignoring
Gödel's incompleteness theorems should themselves be ignored. Just like we
ignore inventors of perpetual motion machines who ignore the laws of
thermodynamics.

[https://en.wikipedia.org/wiki/Gödel%27s_incompleteness_theor...](https://en.wikipedia.org/wiki/Gödel%27s_incompleteness_theorems)

~~~
rspeer
Not sure where you're saying Gödel's incompleteness theorems come in, but I
agree that DAO is a game of Nomic.

Now... the ability to hard-fork is kind of in the rules as well. So it's a
Nomic with a complicated endgame. Some guy just won the Nomic, but now he's
finding that not only do you want to win, you want to win _subtly_, or else a
majority can vote to undo your win.

But anyone who still thinks DAO is an investment vehicle is missing the fact
that it's a high-stakes game, and cleverer people than them are going to win
it.

~~~
rsync
"Not sure where you're saying Gödel's incompleteness theorems come in, but I
agree that DAO is a game of Nomic."

I know what he means - he's suggesting that you can't ever get a bulletproof
or watertight set of rules or guidelines for a system because ... blah blah
... Gödel's incompleteness theorem.

This is a very tempting idea and I myself have given it a lot of thought over
the years.

The problem is, Gödel's incompleteness theorem applies to a _system that
contains the complexity of the set of all real numbers_. But there are plenty
of systems that do not have that much complexity and there are plenty of
rulesets we could create and implement that would also not have anywhere near
that amount of complexity.

So the analogy sort of falls apart there. It's still worth thinking about,
though - the more complex your system of rules/laws/regulations/etc. becomes,
the closer you are to a system that is _mathematically guaranteed_ not to be
airtight.

Good luck explaining that to lawmakers.

EDIT: YES, CORRECT, SORRY - I did mean to say the set of natural numbers, not
the set of real numbers. Mea culpa.

~~~
Sniffnoy
Godel's theorem applies to systems that model the _natural_ numbers
(specifically, Robinson arithmetic), not real numbers. The first-order theory
of the real numbers _is_ decidable. (The second-order theory is not, since you
can define the natural numbers in that, and then Godel's theorem applies.)

Your general point, of course, that Godel's theorem means a specific thing,
and people should stop abusing it as if it means "everything has loopholes!",
remains correct.

------
janan11
They are returned to the wallet they were sent from. It would then be up to
the exchange to manually refund the ETH

------
jeanduluoz
Looks like security agencies are placing extra guards at important national
security sites like the statue of liberty, NSA, and Best Buy:
[http://i.imgur.com/5c9H6DO.gif](http://i.imgur.com/5c9H6DO.gif)

~~~
dang
Please don't do this here. We detached this comment from
[https://news.ycombinator.com/item?id=11922131](https://news.ycombinator.com/item?id=11922131)
and marked it off-topic.

------
gwbas1c
Hahaha! Let me go refill my popcorn!

------
varav
In case anybody is wondering how this happened, it looks like the attack is
exploiting the "recursive call via default function" vulnerability [1].

[1]: [http://vessenes.com/more-ethereum-attacks-race-to-empty-is-t...](http://vessenes.com/more-ethereum-attacks-race-to-empty-is-the-real-deal/)
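
A toy Python model of the "recursive call via default function" bug named above and described in the Ethereum statement quoted earlier in the thread, added here as an illustration; it is not part of any comment and not The DAO's code. The class names, the amounts and the re-entry bound are assumptions; it compares a fund that pays out before clearing the holder's credit with one that clears the credit first.

```python
"""Toy model (constructed) of a re-entrant withdrawal; not The DAO's code."""


class Ledger:
    """Ether per account. A transfer hands control to the recipient's
    default function, as a value-carrying call does on Ethereum."""

    def __init__(self):
        self.ether = {}

    def send(self, src, dst, amount):
        if self.ether.get(src.name, 0) < amount:
            return False                      # send fails, nothing moves
        self.ether[src.name] -= amount
        self.ether[dst.name] = self.ether.get(dst.name, 0) + amount
        dst.on_receive(src)                   # recipient code runs here
        return True


class VulnerableFund:
    name = "fund"

    def __init__(self, ledger):
        self.ledger, self.credit = ledger, {}

    def deposit(self, who, amount):
        # Simplification: ether is minted straight into the fund.
        self.ledger.ether[self.name] = self.ledger.ether.get(self.name, 0) + amount
        self.credit[who.name] = self.credit.get(who.name, 0) + amount

    def withdraw(self, who):
        amount = self.credit.get(who.name, 0)
        if amount == 0:
            return
        self.ledger.send(self, who, amount)   # interaction first ...
        self.credit[who.name] = 0             # ... bookkeeping last (stale during the call)

    def on_receive(self, src):
        pass

    def solvent(self):
        """Invariant: the fund holds at least what it still owes."""
        return self.ledger.ether.get(self.name, 0) >= sum(self.credit.values())


class HardenedFund(VulnerableFund):
    def withdraw(self, who):
        amount = self.credit.get(who.name, 0)
        if amount == 0:
            return
        self.credit[who.name] = 0             # bookkeeping first
        if not self.ledger.send(self, who, amount):
            self.credit[who.name] = amount    # restore credit if the send failed


class Holder:
    """Token holder; reenter > 0 makes its default function call withdraw
    again that many times (a stand-in for the call-depth / gas bound)."""

    def __init__(self, name, reenter=0):
        self.name, self.reenter = name, reenter

    def on_receive(self, src):
        if self.reenter > 0:
            self.reenter -= 1
            src.withdraw(self)


def run(fund_cls, reenter=4):
    """Return (ether paid to the re-entering holder, ether left in fund, solvent?)."""
    ledger = Ledger()
    fund = fund_cls(ledger)
    honest, other = Holder("honest"), Holder("reentrant", reenter)
    fund.deposit(honest, 90)
    fund.deposit(other, 10)
    fund.withdraw(other)
    return ledger.ether.get("reentrant", 0), ledger.ether["fund"], fund.solvent()


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableFund))   # credited 10, paid 50
    print("hardened:  ", run(HardenedFund))     # credited 10, paid 10
```

The `solvent()` check is the kind of invariant a contract test suite can assert after every external call: it fails for the pay-first ordering and holds for the clear-first ordering.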

------
6d6b73
Hm, I wonder why people are panicking over virtual money and acting like
they've lost something tangible. It's like crying over Monopoly dollars. :)

~~~
simondelacourt
It does not matter if the money is virtual or not. It matters whether it is
regarded as valuable. If a large group of people trust a certain currency to
hold a certain value it becomes relevant to those people. They might invest
other forms of money or energy into that currency. If something happens with
that money or currency people do panic, because something they have invested
in is under attack.

And even with Monopoly, during that game the virtual monopoly dollars hold
value. Just during the timespan of the game. They give you certain privileges
during that game.

