[Cryptography] Code is Cruel -- The DAO

Ray Dillinger bear at sonic.net
Thu Jun 23 18:14:42 EDT 2016



On 06/21/2016 07:47 PM, Sidney Markowitz wrote:
> A more detailed technical look at the exploit is here:
> 
> http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/

> What that analysis ignores is that it was possible to have a function that
> manipulates the balances which in the middle of that manipulation can call
> another function that manipulates the balances. Isn't a fundamental
> requirement of a system like this that it be possible to grab and release
> locks on shared resources?

Yes.  Among other things, locking is one of the points that Hal Abelson
cited when he and Satoshi were deciding which opcodes should be allowed
in the Bitcoin scripting language.  IIRC, Satoshi wanted to enable more
programmability but Hal demonstrated some ways that recursion and/or
looping operators could be used to attack the system - or enable legit-
looking scripts that could be attacked later, as apparently happened
with ETH.  In the end they wound up removing all the potentially
backward-branching control structures.

IOW, every "later" instruction executed in a Bitcoin script is also a
"subsequent" instruction in the serialization of that script; control
can jump-over sections but can't jump backward to execute anything
more than once, nor call anything that might be called from more than
one place.  ETH didn't have the same structural constraints.

				Bear
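
Added example, not part of the original message: a Python model (not Ethereum code) of the lock asked about in the quoted question. `Ledger`, `simulate` and the account names are constructed for illustration; `withdraw` hands control to the recipient's code before the balance is settled, and `guarded=True` turns on a lock that refuses a nested call.

```python
class ReentrancyError(Exception):
    """Raised when withdraw() is entered while a withdrawal is in progress."""


class Ledger:
    def __init__(self, balances, guarded):
        self.balances = dict(balances)       # what each account is owed
        self.pool = sum(balances.values())   # funds the ledger actually holds
        self.guarded = guarded
        self._locked = False

    def withdraw(self, who, on_payout):
        # The lock: refuse entry while another withdrawal is mid-update.
        if self.guarded and self._locked:
            raise ReentrancyError("balances are mid-update")
        self._locked = True
        try:
            amount = min(self.balances[who], self.pool)
            self.pool -= amount
            on_payout(amount)         # control passes to the recipient's code...
            self.balances[who] = 0    # ...before the balance is settled
            return amount
        finally:
            self._locked = False


def simulate(guarded):
    """Return (total paid to bob, funds left in the pool)."""
    # Constructed sample state: alice is owed 20, bob is owed 10.
    ledger = Ledger({"alice": 20, "bob": 10}, guarded)
    received = []

    def recipient(amount):
        received.append(amount)
        if len(received) == 1:        # call back into withdraw() once
            try:
                ledger.withdraw("bob", recipient)
            except ReentrancyError:
                pass                  # the guarded ledger refuses the nested call

    ledger.withdraw("bob", recipient)
    return sum(received), ledger.pool


if __name__ == "__main__":
    print("no lock:  ", simulate(False))
    print("with lock:", simulate(True))
```

Without the lock, bob is paid twice against a balance of 10 and the pool can no longer cover what alice is owed; with it, the nested call is rejected and the totals stay consistent.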



