Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hack Leads to Plummeting Value of Ethereum Digital Currency

The value of Ethereum, a cryptocurrency somewhat similar to bitcoin, has plummeted following a hack on The DAO’s Ethereum holdings. The DAO is a decentralized and virtual organization designed to provide funds for new projects. Those funds are held and dispersed as Ether. The DAO itself is the single largest holder of Ether; in excess of 9.2 million prior to the hack.

The value of Ethereum, a cryptocurrency somewhat similar to bitcoin, has plummeted following a hack on The DAO’s Ethereum holdings. The DAO is a decentralized and virtual organization designed to provide funds for new projects. Those funds are held and dispersed as Ether. The DAO itself is the single largest holder of Ether; in excess of 9.2 million prior to the hack.

The hack seems to be the exploitation of a known vulnerability. Vitalik Buterin, the founder of Ethereum, announced in a Pastebin post today, “An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the ‘split’ function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.”

What happened next shows both the weakness and strength of current cryptocurrencies. One weakness is its volatility. As soon as holders heard of a hack on The DAO, they panicked and started selling their holding. Trading spiked, but value plummeted. At the time of writing, the value has recovered to $16.77, but during three hours early this morning it tumbled from $21.16 to a low of $14.66.

The strength, however, is that the stolen ether is not actually lost – certainly not yet, at least. Put simply, it is known where it is: https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490#txreceived. The etherchain shows transactions being received up to eight hours prior this report. There is even an online commentary attached to the address:

“This is the DAO thief’s address?”

“It would appear so.”

But not only can the transactions be seen (although this gives no indication of who ‘owns’ the stolen ether) it is effectively stuck there for the next 27 days. “The leaked ether is in a child DAO… even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO),” wrote Buterin. “This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.”

But not only is the ether not lost, it can be recovered. The Ethereum community has proposed a solution comprising an initial ‘soft fork’ that will simply invalidate any attempt to move ether out of the child DAO account after the 27-day period, and then follow this with a ‘hard fork’ “which will give token holders the ability to recover their ether.”

“This was on the cards,” Charles Hayter, the CEO and founder of CryptoCompare told SecurityWeek. “What has been impressive is the speed of community reaction – solutions from Slock.it and the Ethereum Foundation. With experiments of this nature where money is involved – the 1,000 eyes looking to build it will see many more looking to exploit it.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.