Ethereum Blog

Security Alert – DoS Vulnerability in the Soft Fork

Introduction

user

Felix Lange


LATEST POSTS

Security

Security Alert – DoS Vulnerability in the Soft Fork

Posted on .

Affected configurations: geth 1.4.8

Likelihood: High

Severity: High

Details:

An attack vector has been identified in the freshly released implementation of the DAO soft fork. The fork enactment code in geth (and other clients) allows execution of EVM code up to the block gas limit without paying for gas. This can slow down mining and prevent inclusion of legitimate transactions.

The soft fork will not be enabled if the gas limit of block 1800000 is above 4000000 gas (i.e. if the community vote to activate the fork fails). The attack cannot be performed in this case.

Effects on expected chain reorganisation depth: None

Proposed temporary workarounds:

  • run geth 1.4.7
  • run geth 1.4.8 without the --dao-soft-fork command line option.

Follow-up action:

Available options are being considered. The community can avoid any negative consequences of the soft fork by voting against it until a better solution has been found. Note that, to the best of our knowledge, no funds can be retrieved from the affected DAOs until July 14th 2016. There is no immediate urgency to block transactions while further proposals are being worked out.

profile

Felix Lange

Comments
user

Author Frantic Bedlamite

Posted at 6:54 pm June 28, 2016.

I’m sure they will figure out new solution soon 🙂

Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
      user

      Author Frantic Bedlamite

      Posted at 3:30 am June 29, 2016.

      Yeah right. Loads of developers have been working on Ethereum for last 2 years in order to sabotage it, so it would not work.
      I recommend you to google:
      “logical reasoning”
      “tinfoil hat”

      Reply
        user

        Author Jordan

        Posted at 3:34 am June 29, 2016.

        Ethereum is R3s response to bitcoin and blockchain research. They want to dominate the cryptocurrency scene, obviously. When I say “the beginning”, in this context, I meant the DAO. Preorder your future wealth with promises that the smart contracts will get better, in 2 weeks. Perhaps you should Google anything about history of any time period.

        Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
    user

    Author Jordan

    Posted at 12:47 am June 29, 2016.

    Yeah right. This whole fiasco has been engineered from the beginning.

    Reply
user

Author Mukul Thakur

Posted at 7:19 pm June 28, 2016.

DAO-saster

Reply
    user

    Author player1

    Posted at 9:32 pm June 28, 2016.

    ok can you guys stop trading

    Reply
      user

      Author Mukul Thakur

      Posted at 9:46 pm June 28, 2016.

      once after my eth short gets me a Mustang

      Reply
        user

        Author Patrick Oliveras

        Posted at 1:57 am June 29, 2016.

        Geez… A mustang.

        Reply
        user

        Author Chef

        Posted at 2:07 am June 29, 2016.

        lol Mustang. GT4 friend.

        Reply
user

Author Murat Beşer

Posted at 9:04 pm June 28, 2016.

I could not understand, this is a company who had a hard hit by a bug, yet they could able to hit again by a bug. Okey they have pressure on they back but this is a second market crush.

I’m so sad to see this post.

Reply
    user

    Author Frantic Bedlamite

    Posted at 11:10 pm June 29, 2016.

    What are you talking about?
    Did you actually read the post?

    Reply
user

Author Byron Glenn

Posted at 4:29 am June 29, 2016.

–stop DAO> // >Stop Child:’ run ethereum run ..run geth 1.4.8 without the –dao-soft-fork

ya got 16 days i’m sure u can figure it out, ask Alex….

Reply
user

Author Learning about this stuff

Posted at 6:45 am June 29, 2016.

I’m not a savvy crypto guy.. but here’s a thought for a solution for this DAO disappointment:

1) Reward the “attacker” for finding a clever way to legitimately take / control the ETH in a way that this DAO was not expecting (In my opinion this DAO developer was super negligent). Maybe offer / negotiate that the community / token holders are okay with the attacker keeping 25% of assets taken but must return the other 75% to shareholders. Let the attacker have their 15 min of fame, receive a healthy reward and not have to deal with compromising the main purpose of the whole smart contract experiment

2) Ask the “attacker” to join forces with the Ethereum team (if not already participating) to develop best practices and / or DAO security reviews / checks because clearly they are good at this type of work. This service can be compensated for a healthy fee / salary paid for by Ethereum donators or maybe a small piece of minor generated ETH. This work will not last forever – once systems / best practices are in place the work is done. Attacker gets major compensation and helps build a more stable environment for new DAOs.

3) If problem happens again, rinse and repeat. I believe this type of thinking can improve DAOs in the future and increase sharing of knowledge / best practices. It’s like saying hey… you got me that was impressive… give it back but keep 25% for showing me what a bozo I am… and join my team and I’ll pay you big time to help prevent this from happening in the future. Clearly the attacker enjoys ethereum so why would they not want to help make this a better system?

I think the whole idea of smart contracts on ethereum is screwed with soft/hard fork thinking. I believe the major concern with this situation is not the ETH that was taken and value it represents to token holders… but the fact that the ETH that was taken can be used to significantly impact and influence ETH prices via controlling a large share of the market. That is why ethereum developers are interfering with what was supposed to be a solid contract.

Bottom line is this DAO developer is negligent and contributors to this DAO must be accountable for risk.

Maybe I don’t know what I’m talking about lol but I think something like this should be considered… maybe it already has been considered. I just found out about ethereum a month ago lol. Peace out!

Reply
    user

    Author sLy5aM

    Posted at 7:10 am June 29, 2016.

    so if someone stole your car, you would be ok he can keep the tires and doors , but return the rest to you? The problem is rewarding a thief is just that. As for DAO , it will always be like leaving the keys in the ignition.

    Reply
      user

      Author Learning about this stuff

      Posted at 7:15 am June 30, 2016.

      Bottom line is this DAO developer is negligent and contributors to this DAO must be accountable for risk.

      Hey sLy5aM,

      I really don’t think that’s a fair analogy. Bottom line is this DAO developer is negligent and contributors to this DAO must be accountable for risk. You know what makes me think ethereum is impressive? Contracts are solid. So if things don’t work out as expected for one party that’s unfortunate but the contract should still remain in full force and effect. It’s a good experience for everyone involved. RE this DA0 – no one is perfect and bravo for the effort! 😉 I’m just learning about this system and it’s exciting stuff!

      Reply
      user

      Author jacob meeder

      Posted at 1:51 am July 1, 2016.

      Well a game developer who gets reports of when a player jumps and crouches in this spot falls through the map is it the player fault for not playing the game as the developer intended? No glitches fall on the delevoper… dao holders should vote on how much is an acceptable loss and work out a deal, I highly doubt when he pressed the enter key it would say jackpot, he was not a attacker sitting outside your house waiting days to break your WPA key it was a glitch that should have never been there, if he won’t make a deal the developer is responsible in which case dao should hire a new one

      Reply
        user

        Author jacob meeder

        Posted at 1:51 am July 1, 2016.

        Forking just doesn’t make since

        Reply
          user

          Author sLy5aM

          Posted at 4:13 am July 1, 2016.

          I have no idea what your getting at to be honest. How about this.. a gamer discovers a glitch that allows him to shoot other players while being concealed in a wall.. nobody else can shoot him but he can shoot everyone and rack up crazy amounts of points. Ok Developer made a mistake. Should that player remain at the top of the chart or should his points be stripped and the game reset with a patch.. whats the difference here .. You seem to miss the whole point about ethics and morality. Another choice this piece of scum had was instead of exploiting the bug, he could have reported it to the developers and had this been done, we wouldn’t be sitting at this point in the DAO problem. More than likely EVERYONE would have benefited from an action like that. Instead this guy decided to take advantage of this problem only for his own game. Reset the game..

          user

          Author jacob meeder

          Posted at 4:53 pm July 1, 2016.

          My point being this whole thing is blown out of proportion it was not a theft, jumping into forking is not the right thing to do, just because some miners and developers have a conflict of interest does not make it the right decision ethereum is going to break itself over a glitch. Everyone who thinks the miners should decide to fork is not thinking clearly, Everytime something in ethereum has a problem it means fork? I just don’t understand. After other things start using it there will be problems but glitches in dapps SHOULD NOT fall on the miners there will just be way to many forks, test your software before having so much money sitting g there and don’t invest so much in something that might not be full proof and if you take a risk understand that your taking a risk, and also I don’t know if he knew the bug was there until the payout came, you know like office space…?

          user

          Author jacob meeder

          Posted at 7:33 pm July 1, 2016.

          Deleting my comments? Well ethereum forks should be reserved for ethereum dapps should be responsible for their mistakes, miners are not, should never be fico insurance for dapps and if that is the goal there will be a vast amount of hard forks due to glitches on dapps that were released too early and not properly tested

          user

          Author Marek Smoliński‮

          Posted at 3:30 pm July 13, 2016.

          Guys.. Ethereum is not a game. A game has central authority (it’s developer), and Ethereum is not supposed to have one. If there is an elite of people (Ethereum creators), that can strongly influence the community, and the community itself is strongly weighted (CPU power counts), then it doesn’t seem that Ethereum is decentralised.

          I don’t get the community argument, because in normal national banks there’s also the community – which votes every 4 or 5 years or so.

    user

    Author Light_Tweeter

    Posted at 8:55 pm July 1, 2016.

    Yes you don’t really understand what it means the word contract. Integrity and equity are required. means a dispute mechanism/remedy/policing mechanism is required. You have the percentage correct 25% however this need to go potentially to a bounty integrity defense fund that rewards those who would protect those would be victims. Please see https://www.facebook.com/blockchaincontractbreechbounty and let me know what your thought on this concept in process.

    Reply
user

Author Gilles Champollion

Posted at 1:31 pm June 29, 2016.

“Ethereum 2.0 is a decentralized platform that runs smart contracts: applications that run more or less as programmed with possibility of downtime, censorship, fraud or third party interference.”

Reply
user

Author Frantic Bedlamite

Posted at 7:40 pm June 30, 2016.

I will just express my point of view about hard fork.
I’m for hard fork if there is no solution to work out unbugged soft fork.
Tohard fork or not to hard fork, is NOT a centralised decision as it is
decided by consensus of community. Technology (such as smart contracts)
should work for people in sustainable way. It means that technology
(with help of community) should be taking into account potential,
socially detrimental activities (such as this malicious and greedy DAO
code exploit), which have no consideration towards well being of humans.
Smart contract (code) should be only an ultimate law, as long as it
supports activities which are beneficial for betterment of humanity. If
someone tries to exploit the smart contract for selfish reasons, then
community should have the right to intervene in the contract. Such
technology is pointless if it does not include adaptation to human and
environmental factors and works like god with ultimate, unquestionable
rules which do not improve quality of our lives.

To add, in order for community to reach an intelligent, coherent and logical consensus about
any voting, (democracy), it requires keeping every single participant
of voting to, as informed and educated as it is possible, about the
topic of voting. Democracy will never work, if voters make decisions
individually instead of arriving at decisions together. Making decisions
comes from ignorance. Arriving at decisions comes from knowledge.
That’s the difference between making decisions and arriving at
decisions. Difference between illusion of democracy and realistic
democracy.

Reply
user

Author Light_Tweeter

Posted at 8:49 pm July 1, 2016.

What is the possibility of creating a self-policing mechanism whereby victims on the blockchain can dispute transactions and release/reserve 1/4 the value of the disputed breech/theft by consensus for a self policing mechanism to uphold integrity and reward those who uphold transparency and integrity in the contract ledger. Please see https://www.facebook.com/blockchaincontractbreechbounty This might be more of dumb contract than smart however..

Reply
user

Author Light_Tweeter

Posted at 8:59 pm July 1, 2016.

Bounty contracts are the only thing that make sense. This would deter crime, provide remedy (with a perpetual bounty on the perps head) while providing a penal and reward system focused on justice and integrity distributed self-policing efforts on any blockchain.

Reply

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

View Comments (32) ...
Navigation