[Cryptography] Code is Cruel -- The DAO
Sidney Markowitz
sidney at sidney.com
Tue Jun 21 22:47:03 EDT 2016
A more detailed technical look at the exploit is here:
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
This is my first look at ethereum and theDAO, so maybe someone more
knowledgeable can weigh in on something that sticks out for me:
It looks like a fundamental flaw that is being exploited is a lack of
mechanism for locking data structures that are being updated. I see people
talking about the hack as an exploit of the use of recursion in theDAO
scripts. A comment in the above linked article mentions that the exploit could
be done without recursion because it really was an exploit of a function that
performed an operation that transfers money, then calls another function that
contained a call to a function controlled by the attacker, and only then
updated the balances that were changed by the transfer.
What that analysis ignores is that it was possible to have a function that
manipulates the balances which in the middle of that manipulation can call
another function that manipulates the balances. Isn't a fundamental
requirement of a system like this that it be possible to grab and release
locks on shared resources?
Sidney
More information about the cryptography
mailing list