Slashdot Mirror


Digital Currency Ethereum Is Cratering Amid Claims Of a $50 Million Hack (businessinsider.com)

Digital currency Ethereum's value has dropped amid a hack on DAO (Decentralised Autonomous Organisation), an organisation with huge holdings of Ethereum (Wikipedia page). Its value is now below $15, down from more than $21 a few minutes ago. It is believed that as much as $50 million of the digital currency has been stolen. From a blog post on DAO: An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the "split" function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction. From a Quartz report: It's no surprise that cryptocurrency markets are in a panic. Funds invested in the DAO represent more than 10% of all the ether in circulation ($81.8 million worth). A massive hack on the DAO's holdings would be roughly equivalent to a successful heist at a major financial institution.
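
The recursive-call pattern the blog post describes, as a toy Python model added here (it is not the DAO's contract code and not part of the original page). It assumes the payout is sent before the caller's balance is cleared; the `Fund` class, the member names and the amounts are constructed for illustration, and the two hardened modes show the usual fixes.

```python
"""Toy model of a recursive-call (reentrancy) bug in a payout function.

Everything here is constructed for illustration: `Fund`, the member names
and the amounts are assumptions, not the DAO's real code or data.
"""


class Fund:
    def __init__(self, deposits, mode):
        self.balances = dict(deposits)       # what each member is owed
        self.pool = sum(deposits.values())   # ether actually held
        self.mode = mode                     # "vulnerable", "cei" or "guard"
        self.paid = {}                       # total sent to each member
        self._in_split = False

    def split(self, member, on_receive=None):
        """Pay `member` their balance; `on_receive` is the recipient's code."""
        if self.mode == "guard":
            if self._in_split:
                return False                 # nested call refused
            self._in_split = True            # (a real contract would revert)
        try:
            amount = self.balances.get(member, 0)
            if amount == 0 or amount > self.pool:
                return False
            if self.mode == "cei":
                # checks-effects-interactions: update state, then call out
                self.balances[member] = 0
                self._send(member, amount, on_receive)
            else:
                # flawed ordering: external call first, state update after
                self._send(member, amount, on_receive)
                self.balances[member] = 0
            return True
        finally:
            if self.mode == "guard":
                self._in_split = False

    def _send(self, member, amount, on_receive):
        self.pool -= amount
        self.paid[member] = self.paid.get(member, 0) + amount
        if on_receive is not None:
            on_receive(self)                 # recipient code runs mid-split


def reentrant_recipient(member, max_depth):
    """Test double: a recipient that calls split() again while being paid."""
    depth = 0

    def on_receive(fund):
        nonlocal depth
        if depth < max_depth:
            depth += 1
            fund.split(member, on_receive)

    return on_receive


def invariant_ok(fund):
    """Solvency check: ether held must equal the sum of what is still owed."""
    return fund.pool == sum(fund.balances.values())


def run(mode, depth=3):
    """Return (paid to mallory, remaining pool, invariant holds?)."""
    fund = Fund({"alice": 60, "bob": 30, "mallory": 10}, mode)
    fund.split("mallory", reentrant_recipient("mallory", depth))
    return fund.paid["mallory"], fund.pool, invariant_ok(fund)


if __name__ == "__main__":
    for mode in ("vulnerable", "cei", "guard"):
        print(mode, run(mode))
```

In the flawed ordering a 10-unit balance is paid out once per nesting level, and the solvency invariant is what exposes it; either clearing the balance before the external call or refusing nested calls keeps the payout at 10.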

73 of 116 comments

  1. Ethereal value by penguinoid · · Score: 1

    So you're saying Ethereum's value has become ethereal?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Ethereal value by Aaden42 · · Score: 1

      More like some Wireshark ate it all.

    2. Re:Ethereal value by arglebargle_xiv · · Score: 1

      My tulip bulbs! My tulip bulbs! Oh the tulipanity!

    3. Re: Ethereal value by arglebargle_xiv · · Score: 1

      Oh come on, it's at least slightly funny, even if it's mostly schadenfreude.

  2. Re:Suckers by xxxJonBoyxxx · · Score: 1

    "You may have been a good smuggler, but now you're Bantha fodder. "

          -- Jabba the Hutt, Star Trek V ("Jedi Reloaded"), in her throne room on Arrakis

  3. A successful heist? by jtownatpunk.net · · Score: 3, Insightful

    Doesn't sound very successful if the thing you're stealing becomes worthless because you successfully stole it. Unless you have significant holdings in other crypto-currencies which will increase in value due to their better security.

    1. Re:A successful heist? by Anonymous Coward · · Score: 1

      A real currency would not become worthless simply because it was stolen. However it is obtained, the value should remain the same.

    2. Re:A successful heist? by ceoyoyo · · Score: 1

      Yeah right. Try stealing a significant supply of any particular currency and watch what happens to its value.

    3. Re:A successful heist? by phantomfive · · Score: 1

      If you were able to steal 10% of all the US dollars in circulation, it would cause the value of the currency to drop sharply.

      Why? Wouldn't removing the dollars from circulation cause deflation? (Or if you spent them, to cause them to remain in circulation, of course)

      --
      "First they came for the slanderers and i said nothing."
    4. Re:A successful heist? by Nunya666 · · Score: 1

      Conventional currencies certainly could. If you were able to steal 10% of all the US dollars in circulation, it would cause the value of the currency to drop sharply.

      Only if you try to cash in the stolen currency in another country, which considers the value of the US Dollar against the value of the local currency.

      Businesses don't raise their prices just because the international value of the local currency changes.

    5. Re:A successful heist? by PRMan · · Score: 1

      When they seize it, it becomes worthless to you.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    6. Re:A successful heist? by radarskiy · · Score: 1

      Was anyone willing to sell a credit default swap against DAO?

    7. Re:A successful heist? by dwye · · Score: 1

      If you were able to steal 10% of all the US dollars in circulation, it would cause the value of the currency to drop sharply.

      Nonsense.

      Firstly, 10% of all US currency is a small fraction of all dollar-denominated accounts.

      Secondly, the value would rise, since a finite and now smaller quantity of dollars was chasing the same sized pool of value.

      Perhaps you were thinking of the case of 10% of US currency being counterfeited (aka Gresham's Law)?

  4. Silver lining by Nidi62 · · Score: 1

    On the bright side, as the value of the currency drops, the amount stolen would drop as well. So given a roughly 30% drop in value that $50 million is now only worth about $35 million!

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  5. Say it ain't so... by __aaclcg7560 · · Score: 1

    Another digital currency in the bit bucket.

    1. Re:Say it ain't so... by Yvan256 · · Score: 1

      Mooncoin will rise again, you'll see! To the moon!

      Also, does anyone want to buy one million Flappycoins?

    2. Re:Say it ain't so... by __aaclcg7560 · · Score: 1

      Also, does anyone want to buy one million Flappycoins?

      Do you take continental dollars? :P

    3. Re:Say it ain't so... by Gr8Apes · · Score: 1

      Mooncoin will rise again, you'll see! To the moon!

      Also, does anyone want to buy one million Flappycoins?

      I've got a $500 bill from Life....

      --
      The cesspool just got a check and balance.
    4. Re:Say it ain't so... by dwye · · Score: 1

      Hey! Continentals were convertible to gold-backed dollars after the Constitution went into effect, at par. Granted, in the years before that they were often sold at pennies on the dollar, but that is the mistake of those who sold them so low.

  6. Re:Suckers by el+cisne · · Score: 2

    Luke, I am your fodder.

  7. Maybe I'm showing my age but... by bazmail · · Score: 3, Insightful

    ...that is all complete fucking jibberish.

    An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the "split" function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

    1. Re:Maybe I'm showing my age but... by Anonymous Coward · · Score: 1

      An attack has been found and exploited ...

      ...that is all complete fucking jibberish.

      It's a Fork Bomb with money.

      In other words, tying value to a bit doesn't work so well after a .... bit. ;-) But don't worry, it's the next big thing since the stock market. Invest now before you lose out!

      It's "gibberish", old man.

      Yeah, give us a break, our memory's not quite what it used ... what was i saying?

  8. The ever topical Nelson Muntz by smooth+wombat · · Score: 1

    Ha ha!

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  9. Re:This panic is the equivalent of by bazmail · · Score: 2

    You either suck at reading or suck at metaphors.

  10. This Summary Is FUD by Anonymous Coward · · Score: 1, Funny

    The fact that this bug occurred is a black mark on DAO and an utter embarrassment, but nothing has actually been "stolen". As the DAO blog post says, a community effort is underway to fork and lock out the attacker. They have a month to make it happen. No money will be lost.

    Basically, this system is based on programming contracts (think legal contracts, usually written by lawyers and reviewed by judges). Someone left a bug in the contract, and because this is a programmed contract, not a written one, no one could enforce the "spirit" of the contract over the exact (erroneous) content of the contract.

    This huge community panic and fork undermines the idea of these "programmed" contracts, and thus the system itself.

    1. Re:This Summary Is FUD by Anonymous Coward · · Score: 1

      Programmed contracts undermine the idea of programmed contracts. There will always be some shifty motherfucker who is smarter than you think you are. How can you enter a trust relationship when you can't trust anyone?

      Law is in the hands of humans because we understand the idea of unforeseen circumstances. Real contracts require real, legal good faith action on both parties.

      Ethereum always strikes me as the place where the real frightening and intelligent sociopaths went after they wrung all they could out of BTC.

      Smart contracts are particularly creepy - At the heart of every libertarian is a kid that watched a lot of cartoons growing up. Remember in kids shows how contracts are always presented as having some kind of magic, indelible force as strong as the universe itself? Sign a contract and no matter what it was law. (Of course this trope was just lazy writing)

      Remember the contract in The Little Mermaid? Remember how even the king (Who was an analog for the god Poseidon) could not annul it with all his power?

      Ethereum is an effort to make that real - Magic contracts.

    2. Re:This Summary Is FUD by ameline · · Score: 1

      The value of Ethereum will rebound, but the underlying problem is that the contracts are written in a Turing-complete language -- it is impossible to prove with an algorithm (reducible to the halting problem) any non trivial assertions about the behavior of such contracts.

      --
      Ian Ameline
    3. Re:This Summary Is FUD by Anonymous Coward · · Score: 1

      It's a very childish, literal, techno-centric way of thinking but it rears its ugly head over and over. "If I can prove X is effectively the same as Y (whatever 'effectively' means to the speaker), and X is legal, then the courts and lawyers and whole rest of the world will automagically see my way and make Y legal". Ask Aereo how well that worked out for them.

    4. Re:This Summary Is FUD by ceoyoyo · · Score: 1

      The halting problem says it is impossible to prove [blah blah] for every program.

      It's quite possible to prove whatever you like about many, many programs. It might be quite difficult for non-trivial ones though.

    5. Re:This Summary Is FUD by Anonymous Coward · · Score: 1

      This is a good point. You can formally prove code, but it's an incredibly labor intensive academic process... Not really in line with the cowboy coding you typically associate with the cryptocoin community.

    6. Re:This Summary Is FUD by mbkennel · · Score: 1

      | Someone left a bug in the contract, and because this is a programmed contract, not a written one, no one could enforce the "spirit" of the contract over the exact (erroneous) content of the contract.

      A perfect instantiation of a naive (is there any other kind?) libertarian's dream and everybody else's nightmare.

      http://www.startrek.com/database_article/landru

    7. Re:This Summary Is FUD by rickb928 · · Score: 1

      "Someone left a bug in the contract"

      Seems like a feature to me. Solution? Beyond hard forking and a reset of the DAO, perhaps not allowing recursive splits.

      This is debugging in 'real'-life. How many online games have you played where you bought in-game swag and it was stolen/destroyed? Yeah, I don't either. Right.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    8. Re:This Summary Is FUD by sexconker · · Score: 1

      It's not a problem. An instruction count limit and a valid input range solve it.

    9. Re:This Summary Is FUD by Jeremi · · Score: 1

      the contracts are written in a Turing-complete language -- it is impossible to prove with an algorithm (reducible to the halting problem) any non trivial assertions about the behavior of such contracts.

      True... but isn't that also true of just about every other piece of software in use today? And yet the world continues to turn, and people continue to use software to get things done (knock on wood), modulo the occasional catastrophic bug...

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  11. Federal Reserve by captaindomon · · Score: 4, Insightful

    Except if this happened at a "major financial institution", the Federal Reserve would step in and stop a panic by insuring the funds. That's why we *have* a federal reserve. See the Panic of 1907 for an example.

    --
    Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    1. Re:Federal Reserve by mbkennel · · Score: 1

      | The "Federal" Reserve is a *private* bank whose purpose is entirely self-serving.

      It's not a private bank. Its creation and operations are detailed in U.S. Federal Code, its top management is chosen and confirmed by elected government officials, it regulates private banks with force of law, and its profits are turned over to the U.S. Treasury. It does not have the same motives and behavior as a private bank. Intentionally, the Fed is not a direct part of the political cabinet departments and is more of an independent agency, similar to NASA, CIA and EPA, and not similar to Treasury, whose chief serves at the discretion of the President and is a member of the cabinet.

      The Fed does, as part of its very nature, interact heavily with private banks.

      The US or Fed do not pay interest on Federal Reserve notes. The U.S. does pay interest on Treasury bills, notes and bonds.

      The FDIC is an agency which is created by Congress, the same way as the Federal Reserve. The FDIC's protection of depositors is guaranteed by law, but the Federal Reserve's bailout of institutions is discretionary.

    2. Re:Federal Reserve by magarity · · Score: 1

      Lol. Not even close.

      The "Federal" Reserve is a *private* bank whose purpose is entirely self-serving

      A common misconception. The Federal Reserve is an independent entity of the federal government, similar to the USPS: See "Who owns the Fed": http://www.federalreserve.gov/...

    3. Re:Federal Reserve by Anonymous Coward · · Score: 1

      No, no, no. You're not listening to the facts- any gold bug or libertarian can tell you, as did the parent post, that the Federal Reserve does nothing useful for anyone anywhere except themselves. That whole bit where they shored up Bank of America, Citigroup, and others, by merely preparing to take equity positions, was all just a ruse to collect termination fees. They absolutely don't operate as any kind of insurance. And that money to AIG? It was cool how they bypassed the Treasury entirely and loaned those Federal Reserve Notes directly to AIG. Of course, they still collected the interest that the Treasury would otherwise have paid. Neat trick, considering they even duped Congress into passing legislation authorizing that, given that no authorization was necessary at all since they're a private bank.

    4. Re:Federal Reserve by lgw · · Score: 1

      The US or Fed do not pay interest on Federal Reserve notes. The U.S. does pay interest on Treasury bills, notes and bonds.

      The Fed does, however, pay above-market-rate interest on bank money deposited with the Fed. It's a relatively new program, and really quite odd. The Fed pays banks better interest than you or I can get from buying T-bills.

      While it's done wonders to keep the money supply from growing while QE was printing a couple trillion new dollars, it hardly seems fair.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  12. Re:Would using the Rust prog lang have avoided thi by Anonymous Coward · · Score: 1, Informative

    Good practice makes safe programs. Not programming languages.

    If magic bullet programming techniques were the cure we'd all be running microkernel operating systems programmed in lisp.

  13. I don't get it by slashmydots · · Score: 1

    I sort of looked into Ethereum, and I'm an expert on bitcoins, and their website's marketing fluff bullshit sounded an awful lot like it's bitcoin but run by 1 giant central company and they're downplaying that fact and outright lying about it. Does that accurately sum it up or am I missing something?

    1. Re:I don't get it by Anonymous Coward · · Score: 1

      No, that's pretty much all wrong. Ethereum does provide significant functionality over BTC by allowing arbitrary "smart contracts", though people are in the process of bringing that to BTC as well. Ethereum isn't centrally run any more than other cryptocurrencies are (that is, the developers have some informal clout but it's ultimately up to the network what the blockchain looks like).

    2. Re:I don't get it by sexconker · · Score: 1

      To implement a contract in Bitcoin you just sign messages. People have been doing it for ages.

  14. There's a few surprises here by thegarbz · · Score: 1

    1. An unknown currency has such value?
    2. Someone bothers attacking an unknown currency?
    3. The attacker has a facility to convert a large portion of the digital currency into something tangible without it instantly being worthless?
    4. Slashdot assumes we know WTF the summary is talking about?

  15. No it is not. by MartinG · · Score: 3, Informative

    "this is an issue that affects the DAO specifically; Ethereum itself is perfectly safe."

    Source: https://blog.ethereum.org/2016...

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  16. You tell us by tomhath · · Score: 2

    Since you seem to be an expert. Rather than just listing vague claims about a language, describe how the features you listed are pertinent to this attack.

  17. More specifically, Rice's theorem applies... by ameline · · Score: 1

    https://en.wikipedia.org/wiki/...

    "there exists no automatic method that decides with generality non-trivial questions on the behavior of computer programs."

    --
    Ian Ameline
    1. Re:More specifically, Rice's theorem applies... by ceoyoyo · · Score: 1

      "with generality" Key words.

    2. Re:More specifically, Rice's theorem applies... by ameline · · Score: 1

      Indeed they are key -- what they mean is that even if you can come up with an algorithm to prove a property for *all* existing programs, it is possible (and in practice usually *trivial*) to construct a program where that algorithm will provably fail. Remember hackers need only find one hole to siphon off your ether.

      This system (or any currency for that matter) needs a mechanism for defining, detecting and reversing fraud, and unmasking those perpetrating it. You have to assume it's only a matter of "when", not "if" fraud will take place.

      Computability theory is *fun* :-)
      https://en.wikipedia.org/wiki/...

      --
      Ian Ameline
    3. Re:More specifically, Rice's theorem applies... by sexconker · · Score: 1

      The system does have that. It's called forking.

      Further, your link to Rice's theorem showed you have no idea what you're talking about. ceoyoyo called you out. Your next post was asinine drivel with another link to Wikipedia about something you don't understand.

      Your other post, including this gem, really drives it home:

      it is impossible to prove with an algorithm (reducible to the halting problem) any non trivial assertions about the behavior of such contracts.

      That's only true in the general case, so change "such contracts" to "such contracts in general" or "all contracts".
      It's also just as true if you remove "with an algorithm (reducible to the halting problem) ".

      it is impossible to prove any non trivial assertions about the behavior of all contracts.

      Your statement is functionally equivalent to "It is impossible to prove everything about everything.".

    4. Re:More specifically, Rice's theorem applies... by ceoyoyo · · Score: 1

      It wouldn't be difficult at all to require that any valid algorithm must be provably correct. The halting problem in particular is trivially easy to deal with. As another poster suggested, simply require that any algorithm run in X time otherwise it is considered invalid.

    5. Re:More specifically, Rice's theorem applies... by ultranova · · Score: 1

      It wouldn't be difficult at all to require that any valid algorithm must be provably correct.

      The problem is, "correct" here means "what the user intended", so your validator would need to read thoughts - and if it could do that, there'd be no need to write contracts by hand in the first place.

      But why make your contract language Turing complete in the first place? It would seem that propositional logic would be both perfectly sufficient and easier to write and understand. Do you really need your payment processor to be potentially sapient?

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    6. Re:More specifically, Rice's theorem applies... by St.Creed · · Score: 1

      Do you really need your payment processor to be potentially sapient?

      Well... yes, yes I do.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  18. "Worthless" is relative. by Anonymous Coward · · Score: 1

    If I steal $1,000,000 worth of foobarcurrency from you, and its value drops to $1,000, I'm still ahead $1,000. You're screwed but I don't really have to care.

  19. Re:Would using the Rust prog lang have avoided thi by ameline · · Score: 1

    Mod parent up.

    So long as the contract language used by Ethereum is Turing-complete, they're pretty much doomed to having this sort of thing repeating. To their credit, they have mechanisms to, through community consensus, block and reverse these thefts.
    (A good currency design should be tolerant of fraud -- assume it will happen, and have in place mechanisms for detecting and reversing it.)

    In support, I give you Rice's Theorem;
    https://en.wikipedia.org/wiki/...

    "there exists no automatic method that decides with generality non-trivial questions on the behavior of computer programs."

    --
    Ian Ameline
  20. Re:Suckers by PCM2 · · Score: 1

    Whoosh was from The Flash...

    --
    Breakfast served all day!
  21. Someone got clowned by PCM2 · · Score: 1

    I sense this attack was mostly about embarrassing the company. From the Ethereum website:

    Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

    (emphasis mine)

    --
    Breakfast served all day!
    1. Re:Someone got clowned by lindseyp · · Score: 1

      For certain definitions of fraud. The key here is that the DAO contract was badly written. Not Ethereum itself. The 'attacker's open letter on the subject outlines a perfectly good argument. His actions were enforced by the very contract in question, hence there is no fraud.

      --
      j'ai découvert une démonstration vraiment admirable (de ce théorème général) que cette si
  22. Re:"heist at a major financial institution" by alexgieg · · Score: 1

    Except you don't have to find a sucker who will give you real goods and services for your printed paper currency first.

    FTFY.

    --
    Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
  23. Re: "heist at a major financial institution" by chill · · Score: 1

    Yeah, that problem was solved centuries ago. Considering I'm posting from inside a restaurant who is doing just that, after stopping at a gas station who did the same, the challenge of finding people to accept paper currency AND purely digital bits via a debit card is trivial.

    --
    Learning HOW to think is more important than learning WHAT to think.
  24. "And nothing of value wa..." by GlennC · · Score: 1

    oops, I guess something of value WAS lost here.

    Carry on....

    --
    Go on, citizen, stamp the vote card. R or D, your choice.
  25. Re:Would using the Rust prog lang have avoided thi by mmell · · Score: 1

    A good currency design should be tolerant of fraud

    So the US economy is great!

  26. Re:Suckers by sexconker · · Score: 1

    The line is "No, I am your fodder.".

  27. Re:I'm almost glad by sexconker · · Score: 2

    You keep reading that because the clown behind Ethereum is a known charlatan who has been shouting about how his shit is better than Bitcoin non stop for the past 3 years. Anyone who knows anything about Bitcoin knew that Ethereum was horse shit. I wouldn't be surprised if said clown was behind this, or at least on the take. But I don't care enough to find out. I wasn't dumb enough to drop money into Ethereum and I got out of the Bitcoin game years ago (wish I hadn't though).

  28. How much? by wonkey_monkey · · Score: 1

    a $50 Million Hack

    Wait, no, $5 million hack.

    Oop, now it's $5,000.

    --
    systemd is Roko's Basilisk.
  29. Re:Would using the Rust prog lang have avoided thi by dow · · Score: 1

    EthCore's Ethereum implementation is written in Rust anyway, I believe.

  30. Re: I'm almost glad by Coren22 · · Score: 1

    Your shit is worth more than $760? What are you, the golden goose?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  31. A DAO by any other name by bestweasel · · Score: 1

    "DAO (Decentralised Autonomous Organisation), an organisation with huge holdings of Ethereum"

    Might want to work on the Decentralised bit.

  32. "Volatile cryptocurrency displays volatility" by Phlogiston+4+Lyfe · · Score: 1

    As of eight minutes ago, the price was at roughly $13.21, which looks bad compared to the $21 value that the original article talks about, but only if you don't pay attention to the numbers from further than five days back. If you look back beyond 6/13, it's been hovering anywhere from $11-$13 since 5/20.

  33. Re:I'm almost glad by pantaril · · Score: 1

    You keep reading that because the clown behind Ethereum is a known charlatan

    Could you provide some links to back up your claim, that Vitalik Buterin is "known charlatan"?

  34. Re:Would using the Rust prog lang have avoided thi by St.Creed · · Score: 1

    Existing fiat currency systems are surprisingly robust in the face of many problems, of which fraud is a minor one - and much more so than gold standards or bitcoin, IMO.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  35. Re:I'm almost glad by sexconker · · Score: 1

    Vitalik Buterin is a puppet they fly around to do interviews while claiming he's the developer.
    He's not. It's developed by a farm of Indians working, ultimately, for Goldman Sachs.

    Ethereum is an IPO alt-coin (meaning it's a scam). The initial volume was fake (pre-arranged) in order to pump up value, as per usual.

    I get that you see someone making a claim on the internet and your instinct is to assume it's bullshit. But what I don't get is why you spent time to Google "Ethereum" so you can throw out a challenge using "Vitalik Buterin" and not also spend the time to actually read about it.

    If you had, you'd know that the clown behind Ethereum is Anthony Di Iorio - https://www.linkedin.com/in/an... .

    If you actually care, do a search for his name or read this thread https://bitcointalk.org/index.... .

  36. Re:Would using the Rust prog lang have avoided thi by peawormsworth · · Score: 1

    To their credit, they have mechanisms to, through community consensus, block and reverse these thefts.

    Reversing the "thefts" would be the quickest way to drive the value of Ethereum to zero.

    It is my opinion that the primary value in Blockchain currencies is the decentralization. Reversing these funds would prove it is centralized and requires trust from authority figures.