TheDAO was attacked today, and the attacker seems to have made off with 3.5mm ether (at time of writing in excess of $45mm). The vulnerability was the Race To Empty or Recursive Call attack.

We'll probably be writing about this for some time, but I wanted to get out there what's known now, and trace out the attack so people can see how this attack looks in the wild.

Thanks for this writeup go to a number of helpful people in Ethereum land: Joey Krug wrote up some initial thoughts and is a source of knowledge and information at all times. Dennis Peterson as usual did a bunch of heavy lifting and code review in the early stages this morning, Nick Johnson did theoretical work and batted around some possible solutions.

Tim Goddard identified the Transfer/transfer confusion through prodigious effort, and led the way figuring out why this exploit was able to turn 258 ether into 3.5mm rather than 'just' 7,500.

Some Background And Where To Look

We'll start with the splitDAO function, for two reasons -- the attacker seems have been creating child DAOs, and this is the only active mechanism for getting coins out; a second step would be to look at the proposal mechanism if this is unsuccessful.

To recap the purpose of this function: a subset of TheDAO token holders have decided they'd like to "split" -- either because they do not agree with a proposal, or (at this stage in theDao's brief but eventful life) because they wish to withdraw funds.

The mechanism for doing so is to create a split proposal. Split proposals take 7 days to 'mature' and get participants in. Any participants voting "yes" in the split will be given the right to call splitDAO.

splitDAO will create the DAO child contract if it doesn't exist, send the ether controlled by the splitters into the childDAO, pay out any accrued 'reward' pro-rata to the splitters, and return. At least, that's the plan.

A complication

Some code review happened on the currently live 'tip' of the master branch of theDAO's code on github. Unfortunately, that is NOT the code that has been deployed at theDAO's main contract address. This caused quite a lot of confusion, and highlights a real issue in these analyses -- is the code I'm looking at the same code that is running?

More on this at a later date, but verification is a problem, and it bit some fairly sophisticated reviewers in a hurry this morning.

The Code

I'm cutting out some of the splitDAO function here to focus on the good bits.

function splitDAO( uint _proposalID, address _newCurator ) noEther onlyTokenholders returns (bool _success) {

Okay, we've got a function. It can't be sent ether. It can only be called by token holders. Let's see what we've got.

[snip]...

A line that says "move ether". Tell me more...

// Move ether and assign new Tokens uint fundsToBeMoved = (balances[msg.sender] * p.splitData[0].splitBalance) / p.splitData[0].totalSupply; if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false) throw;

Okay, what's happening here is we're calculating out how much to move for this particular caller, and then calling the createTokenProxy function. Let's remember this bit.

[snip]

// Burn DAO Tokens Transfer(msg.sender, 0, balances[msg.sender]); withdrawRewardFor(msg.sender); // be nice, and get his rewards totalSupply -= balances[msg.sender]; balances[msg.sender] = 0; paidOut[msg.sender] = 0; return true; }

Okay, this looks dubious from the very beginning. The withdrawRewardFor function is getting called, and then the totalSupply, balances and paidOut variables are getting set after the call.

This is an anti-pattern as we've established in the last few weeks. If withdrawRewardFor can be attacked with Race To Empty, it will be called before the balances or paidOut hash tables are updated.

withdrawRewardFor is Vulnerable

Let's see what's happening with withdrawRewardFor .

function withdrawRewardFor(address _account) noEther internal returns (bool _success) { if ((balanceOf(_account) * rewardAccount.accumulatedInput()) / totalSupply < paidOut[_account]) throw; uint reward = (balanceOf(_account) * rewardAccount.accumulatedInput()) / totalSupply - paidOut[_account]; if (!rewardAccount.payOut(_account, reward)) throw; paidOut[_account] += reward; return true; }

The function is short enough I left the whole thing in. But the (bad) magic happens where the reward is set. We can see that the rewardAccount.payOut function is called. let's check out that function.

rewardAccount is a contract of type "ManagedAccount". Here's the relevant code snippet.

function payOut(address _recipient, uint _amount) returns (bool) { if (msg.sender != owner || msg.value > 0 || (payOwnerOnly && _recipient != owner)) throw; if (_recipient.call.value(_amount)()) { PayOut(_recipient, _amount); return true; } else { return false; } }

OK, here we go. _recipient.call.value()() is called without a gas amount. That is easily attackable with an attacking wallet.

Let's Construct Our Attack

Create a wallet contract that has a default function which calls splitDAO a certain number of times, but not too many -- we don't want to drain the entire DAO, hit the per contract gas limit, or the callstack limit. Create a split proposal with the recipient address of our new wallet contract Wait 7 days for the split to finalize call splitDAO.

At that point the call stack will look like this (assuming the wallet only calls twice)

splitDao withdrawRewardFor payOut recipient.call.value()() splitDao withdrawRewardFor payOut recipient.call.value()()

And only then does the call stack resolve. So, boom. There's the nested call stack. Let's talk implications.

Edit As Martin Köppelmann noted, the attacker actually just joined an existing split with a new wallet contract two days ago. There was no need to wait 7 days, any available split contract would do.

Implication 1: The DAO is Now Confused

Let's recall the last few lines of the split function:

withdrawRewardFor(msg.sender); // be nice, and get his rewards totalSupply -= balances[msg.sender]; balances[msg.sender] = 0; paidOut[msg.sender] = 0;

Here's what happens at the end of the second call to splitDAO:

The totalSupply goes down by the sender balance. (In this case about 258 ether). Sender's balance is set to zero Sender's paidOut balance is set to zero

Here's what happens at the end of the top call to splitDAO:

The totalSupply goes down by the sender balance, which is now 0. Sender balance re-set to zero. paidOut balance is re-set to zero.

So, theDao thinks it has 258 more coins than it has.

Right now, as of writing, theDAO thinks it has 3.5mm more coins than it has. There's some discussion as to what this means, but almost certainly it means other splits and reward calculations are going to be incorrect.

Implication 2: A Child DAO Has $45mm More Than It Should

So, what else happened during that nested call? Mostly the Child DAO was funded.

Here's the salient bit.

// Move ether and assign new Tokens uint fundsToBeMoved = (balances[msg.sender] * p.splitData[0].splitBalance) / p.splitData[0].totalSupply; if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false) throw;

Tokens are moved into the newDAO, whatever the user's pro-rata portion of theDAO's total ether / token ratio. I'm going to skip digging in, but in brief, tokens are created in the subDAO, and a ManagedAccount tied to the msg.sender is sent fundsToBeMoved ether.

The attacker was able to do this 30x per call with their attacking wallet.

30 * 258 != 3,500,000, Also the Worst Single Letter Typo of The Year

UPDATE:: The current statements from @LefterisJP are that this was not a typo, just a missing call at worst. I've left this paragraph in for reference, but updated incorrect statements

A 30x attack would have pulled out about 7,500 ether. How did this turn into a much larger attack? Tim Goddard found this terrible, terrible bug in the code, either a typo, a malicious attack, or a refactoring error.

Let's look back at the withdrawRewardFor lines. Note that I have left all code indented as it is published at etherscan's verification section.

// Burn DAO Tokens Transfer(msg.sender, 0, balances[msg.sender]); withdrawRewardFor(msg.sender); // be nice, and get his reward

It's typical in solidity contracts to capitalize event logging functions. I assumed on my first read-through that this is the purpose of Transfer. And, in fact, if you read Transfer's code, you see the following:

event Transfer(address indexed _from, address indexed _to, uint256 _amount);

Looks legit to me. I moved on. Tim is a more persistent person, and asked the salient question: how do the DAO tokens get burnt here? Is this just a bad comment?

It would be a true comment IF the function called was transfer -- note the lower case t. Here's that lower-case-t transfer function.

function transfer(address _to, uint256 _amount) noEther returns (bool success) { if (balances[msg.sender] >= _amount && _amount > 0) { balances[msg.sender] -= _amount; balances[_to] += _amount; Transfer(msg.sender, _to, _amount); return true; } else { return false; } }

This function will reduce user balances, before the vulnerable withdraw function is called. So, instead of the logging function, we should have:

if (!transfer(0 , balances[msg.sender])) { throw; }

This would keep the recursive call attacks from functioning, but also reduce the tokens available to the user later on.

NOTE This has been confirmed as wild speculation; TheDAO devs did not typo this into being. The difficulties around token accounting remain, however. Read on.

How Did The Attacker Get To Call This Multiple Times?

Most recursive call attacks we've discussed resolve, and then they are not vulnerable to a further exploit; balances are set to zero at the end of the call and that's that.

The attacker here was able to execute this attack many times; at least 50. What's different?

It's that missing call to transfer . At the bottom of the call stack, the attacking wallet is moving its tokens to another address. We can't see this code, because it's in the attacking wallet, but with those tokens moved away, he is able to let the contract resolve. TheDAO doesn't know anything has gone wrong.

In the next step, he sends the tokens back (check out the transfers here) and can restart the attack -- he has all the things needed -- an address in a split that has voted yes, and unspent tokens.

Root Causes And Lessons Learned

This bug is a confluence of bad programming habits, a (probable) typo, and a complex call stack.

Things that should be done next time:

A purely functional language with a rich type system is needed. If we can't have that right now, All calls that send to untrusted address should have a gas limit Balances should be reduced before a send, not after one Events should probably have a Log prepended to their name. The splitDAO function should be mutexed and keep permanent track of the status of each possible splitter, not just through token tracking.

Further, we're still waiting to see what happens with respect to any possible hard fork that might roll these back, but I think there is a risk that theDAO is somewhat borked right now because it's sense of its own tokens is wrong. I will update on this and many other tidbits over the next week.

As always, contact me for audit and other solidity-related work - others who worked on this may be available as well; the best place to contact them is on gitter. Also, I'm told Tim works for Aura Security.