More than two years after the collapse of The DAO thrust the Ethereum community into civil war, one of the bugs that caused that caused that black swan event continues to lurk in many smart contracts, waiting to be exploited by hackers.
That’s according to Emin Gün Sirer, a computer science professor at Cornell and the co-director of cryptocurrency research initiative IC3, who said that he has seen a variety of smart contracts that may be vulnerable to a “reentrancy” attack that allows a malicious user to drain ETH from a payment channel.
“BTW, I’ve seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I’m sure this isn’t the last episode of this bug,” he wrote on Twitter.
Sirer was commenting on the news that SpankChain, an adult entertainment startup whose platform runs partially on Ethereum smart contracts, had been hacked for nearly $40,000 worth of cryptocurrency over the weekend.
As CCN reported, the company said that the hacker used a reentrancy attack to siphon 1165.38 ETH out of the smart contract over a series of transactions. In short, the attacker used a malicious smart contract to trick the SpankChain contract into believing that the attacker could withdraw funds from the payment channel.
The firm explained:
“The attacker created a malicious contract masquerading as an ERC20 token, where the ‘transfer’ function called back into the payment channel contract multiple times, draining some ETH each time.”
As both Spankchain and Sirer noted, the attack was similar to the one that crippled The DAO, a decentralized venture capital fund that long held the record for most funds raised by an initial coin offering (ICO).
Worth as much as $150 million at a time when the total market cap of ethereum was still far below $2 billion, The DAO held nearly 15 percent of the total ETH supply on June 17, 2016, when an attacker stole 3.6 million ETH — today worth nearly $815 million — by exploiting its vulnerable smart contract.
We all know what happened next: a series of futile attempts to recover the funds, the infamous chat room conversation, and the contentious hard fork that resulted in the creation of Ethereum Classic.
Now, more than two years later, Ethereum has largely put The DAO hack in its rearview mirror. The ethereum price, which plunged as low as $6 in the months following the hack, now stands at $230. Hundreds of blockchain startups have used Ethereum to raise billions of dollars through ICOs, and thousands of developers are building decentralized applications (dApps) that run on the platform.
However, though the consequences may not always be quite as serious as they were on that infamous morning in June 2016, the bug that permanently altered the cryptocurrency landscape appears determined to continue to rear its ugly head.
Images from Shutterstock