DAO Wars: Your voice on the soft-fork dilemma

The last week was quite hectic for all of us in the Ethereum ecosystem. The DAO has shown us that it takes much more effort to write smart contracts than we originally anticipated; but also that it takes a surprising amount of debate to reach a consensus on issues of this scale. Everybody in our community was very vocal and forthcoming about how the problem should be fixed in his/her opinion, or whether there’s even a problem to fix in the first place.... [Read More]

Security Alert – Smart Contract Wallets created in frontier are vulnerable to phishing attacks

Affected configurations: All smart contract wallets created using Ethereum Wallet  Frontier, version 0.4.0 (Beta 7) or earlier. Wallets created with Ethereum Wallet 0.5.0 and all later versions released after March 3, 2016, are not affected. Likelihood: Low Severity: High Summary: Do not use wallet contracts or owner accounts of those wallets that were created by the Ethereum Wallet 0.4.0 or earlier. If you send to (or interact with) a malicious contract it could take ownership of your wallet contract. Create... [Read More]

Thinking About Smart Contract Security

Over the last day with the community’s help we have crowdsourced a list of all of the major bugs with smart contracts on Ethereum so far, including both the DAO as well as various smaller 100-10000 ETH thefts and losses in games and token contracts. This list (original source here) is as follows: The DAO (obviously) The "payout index without the underscore" ponzi ("FirePonzi") The casino with a public RNG seed Governmental (1100 ETH stuck because payout exceeds gas limit) 5800 ETH swiped... [Read More]


An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction. The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490; even if no action is... [Read More]

The Ethereum Foundation welcomes Microsoft as the Premiere Sponsor of Devcon2, Shanghai 19-21 September, 2016

London, United Kingdom, June 14, 2016 – The Ethereum Foundation is pleased to announce Microsoft as the Premiere Sponsor of Devcon2, the Ethereum developer conference in Shanghai, 19-21 September, 2016. Devcon2, which will showcase the most up-to-date research and development work supported by the Foundation, also represents the most comprehensive Ethereum-focused developer’s conference to date. The Ethereum Foundation’s Chief Scientist, Vitalik Buterin, notes that “We are very happy to have Microsoft’s sponsorship for Devcon2 and highly appreciate their continued support... [Read More]

Smart Contract Security

Solidity was started in October 2014 when neither the Ethereum network nor the virtual machine had any real-world testing, the gas costs at that time were even drastically different from what they are now. Furthermore, some of the early design decisions were taken over from Serpent. During the last couple of months, examples and patterns that were initially considered best-practice were exposed to reality and some of them actually turned out to be anti-patterns. Due to that, we recently updated... [Read More]

Security Alert – cpp-ethereum’s account unlocking problem not yet fixed [Now fixed]

Affected configurations: cpp-ethereum (eth, AlethZero, …) version 1.2.0 up to 1.2.6 Note: Neither “geth” nor “Mist” nor the “Ethereum Wallet” (unless explicitly used together with cpp-ethereum) are affected by this, they lock accounts correctly again. This is just a quick head’s up that cpp-ethereum’s security issue around account security is not yet properly fixed. The fix that is part of cpp-ethereum version 1.2.6 did not decrease the security, but it also did not fix the bug completely. We will work... [Read More]

Go Ethereum’s JIT-EVM

The Ethereum Virtual machine is kind of different than most other Virtual Machines out there. In my previous post I already explained how it’s used and described some of its characteristics. The Ethereum Virtual Machine (EVM) is a simple but powerful, Turing complete 256bit Virtual Machine that allows anyone to execute arbitrary EVM Byte Code.</blockquote> The go-ethereum project contains two implementations of the EVM. A simple and straightforward byte-code VM and a more sophisticated JIT-VM. In this post I’m going to explain some of the differences... [Read More]

Security Alert – cpp-ethereum keeps accounts unlocked

Affected configurations: cpp-ethereum (eth, AlethZero, …) version 1.2.0 up to 1.2.5 (fixed in 1.2.6) Note: Neither “geth” nor “Mist” nor the “Ethereum Wallet” (unless explicitly used together with cpp-ethereum) are affected by this, they lock accounts correctly again.</section><section class="postbody"></section><section class="postbody">Severity: High</section><section class="postbody"></section><section class="postbody">Possible Attacks: Attackers can spend funds from previously used accounts if they have access to the local machine or to an exposed json-rpc interface.</section><section class="postbody"></section><section class="postbody">Details: Due to a bug in cpp-ethereum, accounts stay unlocked once their password... [Read More]

Security Alert – Geth suffers from a very low probable DoS attack vector – Update immediately

Affected configurations: All Go client versions  Likelihood: Very low Severity: High Details: A bug in Geth (and potentially other clients) may suffer from a DoS attack and allows remote attackers to stall synchronisation process almost indefinitely by supplying a valid, lighter chain. More information will be given out a later time including the report that was submitted through the bug bounty program. Effects on expected chain reorganisation depth: None Proposed temporary workaround: None Remedial action taken by Ethereum: Provision of hotfixes as below: If you’re using Mist:... [Read More]