[Cryptography] Code is Cruel -- The DAO

Sidney Markowitz sidney at sidney.com
Tue Jun 21 22:47:03 EDT 2016

A more detailed technical look at the exploit is here:


This is my first look at ethereum and theDAO, so maybe someone more
knowledgeable can weigh in on something that sticks out for me:

It looks like a fundamental flaw that is being exploited is a lack of
mechanism for locking data structures that are being updated. I see people
talking about the hack as an exploit of the use of recursion in theDAO
scripts. A comment in the above linked article mentions that the exploit could
be done without recursion because it really was an exploit of a function that
performed an operation that transfers money, then calls another function that
contained a call to a function controlled by the attacker, and only then
updated the balances that were changed by the transfer.

What that analysis ignores is that it was possible to have a function that
manipulates the balances which in the middle of that manipulation can call
another function that manipulates the balances. Isn't a fundamental
requirement of a system like this that it be possible to grab and release
locks on shared resources?


More information about the cryptography mailing list