Ethereum Blog

Security Alert – DoS Vulnerability in the Soft Fork

Introduction

user

Felix Lange


LATEST POSTS

Security

Security Alert – DoS Vulnerability in the Soft Fork

Posted on .

Affected configurations: geth 1.4.8

Likelihood: High

Severity: High

Details:

An attack vector has been identified in the freshly released implementation of the DAO soft fork. The fork enactment code in geth (and other clients) allows execution of EVM code up to the block gas limit without paying for gas. This can slow down mining and prevent inclusion of legitimate transactions.

The soft fork will not be enabled if the gas limit of block 1800000 is above 4000000 gas (i.e. if the community vote to activate the fork fails). The attack cannot be performed in this case.

Effects on expected chain reorganisation depth: None

Proposed temporary workarounds:

  • run geth 1.4.7
  • run geth 1.4.8 without the --dao-soft-fork command line option.

Follow-up action:

Available options are being considered. The community can avoid any negative consequences of the soft fork by voting against it until a better solution has been found. Note that, to the best of our knowledge, no funds can be retrieved from the affected DAOs until July 14th 2016. There is no immediate urgency to block transactions while further proposals are being worked out.

profile

Felix Lange

  • I’m sure they will figure out new solution soon 🙂

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

      • Yeah right. Loads of developers have been working on Ethereum for last 2 years in order to sabotage it, so it would not work.
        I recommend you to google:
        “logical reasoning”
        “tinfoil hat”

        • Jordan

          Ethereum is R3s response to bitcoin and blockchain research. They want to dominate the cryptocurrency scene, obviously. When I say “the beginning”, in this context, I meant the DAO. Preorder your future wealth with promises that the smart contracts will get better, in 2 weeks. Perhaps you should Google anything about history of any time period.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

    • Jordan

      Yeah right. This whole fiasco has been engineered from the beginning.

  • Mukul Thakur

    DAO-saster

    • player1

      ok can you guys stop trading

      • Mukul Thakur

        once after my eth short gets me a Mustang

        • Patrick Oliveras

          Geez… A mustang.

        • Chef

          lol Mustang. GT4 friend.

  • Murat Beşer

    I could not understand, this is a company who had a hard hit by a bug, yet they could able to hit again by a bug. Okey they have pressure on they back but this is a second market crush.

    I’m so sad to see this post.

  • Byron Glenn

    –stop DAO> // >Stop Child:’ run ethereum run ..run geth 1.4.8 without the –dao-soft-fork

    ya got 16 days i’m sure u can figure it out, ask Alex….

  • Learning about this stuff

    I’m not a savvy crypto guy.. but here’s a thought for a solution for this DAO disappointment:

    1) Reward the “attacker” for finding a clever way to legitimately take / control the ETH in a way that this DAO was not expecting (In my opinion this DAO developer was super negligent). Maybe offer / negotiate that the community / token holders are okay with the attacker keeping 25% of assets taken but must return the other 75% to shareholders. Let the attacker have their 15 min of fame, receive a healthy reward and not have to deal with compromising the main purpose of the whole smart contract experiment

    2) Ask the “attacker” to join forces with the Ethereum team (if not already participating) to develop best practices and / or DAO security reviews / checks because clearly they are good at this type of work. This service can be compensated for a healthy fee / salary paid for by Ethereum donators or maybe a small piece of minor generated ETH. This work will not last forever – once systems / best practices are in place the work is done. Attacker gets major compensation and helps build a more stable environment for new DAOs.

    3) If problem happens again, rinse and repeat. I believe this type of thinking can improve DAOs in the future and increase sharing of knowledge / best practices. It’s like saying hey… you got me that was impressive… give it back but keep 25% for showing me what a bozo I am… and join my team and I’ll pay you big time to help prevent this from happening in the future. Clearly the attacker enjoys ethereum so why would they not want to help make this a better system?

    I think the whole idea of smart contracts on ethereum is screwed with soft/hard fork thinking. I believe the major concern with this situation is not the ETH that was taken and value it represents to token holders… but the fact that the ETH that was taken can be used to significantly impact and influence ETH prices via controlling a large share of the market. That is why ethereum developers are interfering with what was supposed to be a solid contract.

    Bottom line is this DAO developer is negligent and contributors to this DAO must be accountable for risk.

    Maybe I don’t know what I’m talking about lol but I think something like this should be considered… maybe it already has been considered. I just found out about ethereum a month ago lol. Peace out!

    • sLy5aM

      so if someone stole your car, you would be ok he can keep the tires and doors , but return the rest to you? The problem is rewarding a thief is just that. As for DAO , it will always be like leaving the keys in the ignition.

View Comments (19) ...
Navigation