
Hack Leads to Plummeting Value of Ethereum Digital Currency

The value of Ethereum, a cryptocurrency somewhat similar to bitcoin, has plummeted following a hack on The DAO's Ethereum holdings. The DAO is a decentralized and virtual organization designed to provide funds for new projects. Those funds are held and disbursed as Ether. The DAO itself is the single largest holder of Ether, holding in excess of 9.2 million prior to the hack.

The hack seems to be the exploitation of a known vulnerability. Vitalik Buterin, the founder of Ethereum, announced in a Pastebin post today, "An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the 'split' function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction."

What happened next shows both the weakness and strength of current cryptocurrencies. One weakness is volatility. As soon as holders heard of a hack on The DAO, they panicked and started selling their holdings. Trading spiked, but value plummeted. At the time of writing, the value has recovered to $16.77, but during three hours early this morning it tumbled from $21.16 to a low of $14.66.

The strength, however, is that the stolen ether is not actually lost - certainly not yet, at least. Put simply, it is known where it is: The etherchain shows transactions being received up to eight hours prior to this report. There is even an online commentary attached to the address:

"This is the DAO thief's address?"

"It would appear so."

But not only can the transactions be seen (although this gives no indication of who 'owns' the stolen ether), the ether is effectively stuck there for the next 27 days. "The leaked ether is in a child DAO... even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO)," wrote Buterin. "This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe."

But not only is the ether not lost, it can be recovered. The Ethereum community has proposed a solution comprising an initial 'soft fork' that will simply invalidate any attempt to move ether out of the child DAO account after the 27-day period, and then follow this with a 'hard fork' "which will give token holders the ability to recover their ether."

"This was on the cards," Charles Hayter, the CEO and founder of CryptoCompare told SecurityWeek. "What has been impressive is the speed of community reaction - solutions from and the Ethereum Foundation. With experiments of this nature where money is involved - the 1,000 eyes looking to build it will see many more looking to exploit it."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.