Affected configurations: geth 1.4.8

Likelihood: High

Severity: High

Details:

An attack vector has been identified in the freshly released implementation of the DAO soft fork. The fork enactment code in geth (and other clients) allows execution of EVM code up to the block gas limit without paying for gas. This can slow down mining and prevent inclusion of legitimate transactions.

The soft fork will not be enabled if the gas limit of block 1800000 is above 4000000 gas (i.e. if the community vote to activate the fork fails). The attack cannot be performed in this case.

Effects on expected chain reorganisation depth: None

Proposed temporary workarounds:

  • run geth 1.4.7
  • run geth 1.4.8 without the --dao-soft-fork command line option.

Follow-up action:

Available options are being considered. The community can avoid any negative consequences of the soft fork by voting against it until a better solution has been found. Note that, to the best of our knowledge, no funds can be retrieved from the affected DAOs until July 14th 2016. There is no immediate urgency to block transactions while further proposals are being worked out.