Yesterday, community member Eththrowa found that the “Recursive call” vulnerability affecting all Solidity smart contracts was indeed present in the DAO Framework 1.0 rewardAccount contract.

As The DAO has not approved any Proposals that generate rewards yet, there is no ether whatsoever in the DAO’s rewardAccount contract. Therefore, this issue is not putting any DAO funds at risk, nor does it affect DAO Token trading, which continues uninterrupted.

A fix can be found in the DAO Framework 1.1 development branch, on which we have already been working for over a month. Because we expect The DAO’s community to want to upgrade as soon as possible, we intend to enter the review period immediately so that the release is available for deployment without delay.

As part of this 1.1 release, the DAO Framework will include the following changes:

* Fix for the “Recursive call” vulnerability in the rewardAccount contract

* Implementation of a straightforward withdraw() function (AKA “solo-split”)

* Prevention of “game theoretical attacks”, including:

  * Ambush/Sniping of votes (by requiring majority support for a certain time period before the proposal deadline)

  * Yes Bias (“no” votes no longer count towards the quorum, and a time period is added for no-voters to split after the voting deadline but before a proposal may get executed)

  * Stalking (by adding the withdrawal() method)

  * ExtraBalance-related inconveniences (by removing the extraBalance)

  * So-called ‘Risk-free-voting’ (by blocking tokens until the proposal is closed)

The changes have already been implemented as pull requests, which can be reviewed on GitHub. Note that we chose to address only security fixes in order to limit feature creep as much as possible. All major feature updates will be kept in store for a DAO Framework 2.0.
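To make concrete what the “Recursive call” fix in the rewardAccount contract and the new withdraw() function are guarding against, here is an added, self-contained example that is not code from the DAO Framework or its pull requests. It is a hypothetical per-member reward account written for Solidity ^0.8.0 (the original Framework targeted much older compiler versions); the contract and function names `RewardAccountVulnerable`, `RewardAccountFixed`, `credit` and `withdrawReward` are assumptions for illustration only. The first contract shows the defect pattern: the external call that pays the member happens before the member’s balance is zeroed, so the callee can re-enter `withdrawReward()` while the balance check still passes. The second applies the checks-effects-interactions ordering and a reentrancy mutex, which is the standard mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reward account (NOT the DAO Framework's rewardAccount).
// Ether credited to a member accumulates in `rewards` until withdrawn.

contract RewardAccountVulnerable {
    mapping(address => uint256) public rewards;

    function credit(address member) external payable {
        rewards[member] += msg.value;
    }

    // DEFECT: the interaction (external call) happens BEFORE the effect
    // (zeroing the balance). If msg.sender is a contract, its receive()
    // runs while rewards[msg.sender] is still non-zero, so a nested call
    // to withdrawReward() passes the require() again and is paid again,
    // until the account's ether is exhausted or gas runs out.
    function withdrawReward() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        rewards[msg.sender] = 0; // too late: state updated after the call
    }
}

contract RewardAccountFixed {
    mapping(address => uint256) public rewards;
    bool private locked; // simple reentrancy mutex

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function credit(address member) external payable {
        rewards[member] += msg.value;
    }

    // Checks -> Effects -> Interactions: the balance is zeroed before any
    // external call, so a nested call sees zero and fails the require().
    // The mutex is an independent second line of defence for any other
    // function that might later share state with this one.
    function withdrawReward() external nonReentrant {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to withdraw");
        rewards[msg.sender] = 0; // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }
}
```

When reviewing the 1.1 pull requests, the property to check in every function that sends ether is the one illustrated here: no storage that the function’s own guard conditions read may still be stale at the point where control leaves the contract.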

Remember that this is a completely open source project: starting today, and throughout a two-week review period, everyone, including Curators, is encouraged to review and participate in the release. To suggest changes, please use the newly created DIR, or DAO Improvement Process.

In my next post, I’ll cover the steps by which The DAO can upgrade itself from version 1.0 of the Framework to version 1.1.