Reports are emerging that hackers have made off with an estimated $60 million in Ethereum’s digital currency, Ether.
The attacker did so by exploiting a vulnerability in the DAO, or Decentralized Autonomous Organization, an investment collective. The DAO uses ‘smart contracts’, code-based programs that administer the payment of funds for goods and services. The raider took advantage of a bug that left the contract open to a recursive calling flaw. Because of this vulnerability, the attacker was able to initiate the payment transfer several times within a single contract call, and so scooped up Ether several times in a single pass.
After news broke of the $60 million theft, Ether dropped below $13 in trading on the cryptocurrency exchange Poloniex. It is currently trading at about $17.50 per coin.
According to Ethereum co-founder Vitalik Buterin, Ethereum itself is absolutely safe; this issue specifically affects the DAO. The attacker found and exploited a vulnerability in the DAO and is currently draining the Ether into a child DAO. He says that even if no action is taken against this issue, the attacker cannot withdraw any Ether for at least another 27 days. He reassured users that miners and mining pools can resume processing normal transactions, and that users can safely resume trading ETH on exchanges.
He further described a proposed software fork that would prevent the attacker from using the stolen funds, and explained that efforts are being made to reclaim them. There will be no rollback: no transactions or blocks will be reversed. Instead, starting from block 1760000, any transaction that makes calls, callcodes or delegatecalls which reduce the balance of an account with a particular code hash (that is, the DAO and its children) is treated as invalid. He discussed this in more detail and said it will prevent the Ether from being taken out by the attacker once the 27-day window has passed. This also gives the community a lot of time to discuss further concrete steps, including giving token holders the ability to recover their Ether.
In his words, he explained it as follows:
He later also urged contract authors to guard against such bugs going forward. He said,
1. Be extra careful of such recursive call bugs, and watch for updates from the Ethereum contract programming community, which is expected to publish guidance next week on mitigating this class of bug.
2. Avoid making contracts that hold more than approximately $10 million worth of value, at least until the community learns more about how to reduce bugs and/or more reliable tools are developed.
Lastly, he noted that for developers, computer scientists and cryptographers, high-level tools such as symbolic execution, formal verification, IDEs and debuggers make it easier to write safe smart contracts on Ethereum, and that these are prime candidates for DevGrants, String’s autonomous finance grants and Blockchain Labs grants.
The bug that allowed the attackers to make off with such a huge amount of cryptocurrency was no doubt not a zero-day; it had been known for some time.
In a blog post published on 12th June, Ethereum’s former CCO Stephan Tual assured readers that the problem had been identified and would be fixed at the earliest. He wrote that this was not an issue that put any DAO funds at risk that day. In another post following the attack, he reaffirmed his faith that the community would come together to fight this Ether theft, and finally assured readers that the attackers would soon be traced and prosecuted.