Title: Out of the Ether
Author: Matthew Leising
Publisher: John Wiley & Sons Limited
Genre: Securities, investing
isbn: 9781119602941
While there was a healthy public debate over what to do about the DAO, no moratorium was implemented. Many people I've spoken to feel that there was just too much momentum behind the DAO for anyone or anything to stop it. Ethereum users wanted the DAO to work. They'd all put their money in. It would work.
The DAO went live on May 28, meaning people could now make funding proposals. Gün continued to watch its progress.
A year earlier, Gün had become a father, and sometime in mid-June his one-year-old son passed on a different kind of bug to him. On the evening of Monday, June 13, 2016, he lay in bed with his laptop on his chest in the second-floor bedroom of his house in Ithaca. His eyes were watering and used Kleenex surrounded him. As sick as he was, he couldn't tear himself away from the DAO. He thought he'd found another flaw.
On the other end of an email chat with Gün was his soon-to-be graduate student Phil Daian. He's skinny and dark-haired, not one for a suntan, and possesses an almost preternatural understanding of distributed systems. In his 20s when the DAO attack occurred, Phil seemed to me to be the type of guy who peaks in his mid-50s – so look out. But on this night in June 2016, he sat on a ratty couch in the apartment he shared with friends from college in Champaign, Illinois. He should have been working for the software testing startup he'd joined; they had a deadline approaching. But Gün can be incredibly persistent and had been looking at the DAO code for weeks at that point.
Both Phil and Gün were aware of what Peter Vessenes and a few others had published about the reentrancy bug. This is how it works: imagine there is a line of 20 bank tellers, and you go to the first and ask to withdraw $100. But before you get the money, you go to the second teller and ask for $100. And so on, down the line until all 20 have been visited. Normally you'd need $2,000 in your account to cover all the withdrawals. The DAO's code, however, didn't enforce that: it sent the money out before it recorded that a withdrawal had happened, so every re-entered request was checked against the original, untouched balance. If you knew where to focus your attack, you could run the bank-teller trick, asking for more and then more and then more until the DAO had given you millions of dollars even though you only had a few thousand in your account.
But where? Where, exactly, was that vulnerability in the code? The day before, a user on the DAOhub message board named eththrowa had identified a bug. It was encoded in the function that would pay out DAO token holders if they had earned income from their investment. So if you voted for a project that got funded, and that project made money, you got a cut through this payout feature. It's known in the code as the “withdrawRewardFor” function. It sat on line 772 of the DAO code. This was a bug, yet it wasn't the bug. (Interestingly, eththrowa was never heard from again; he or she popped up once and then disappeared, five days before the DAO attack.)
The bug in the DAO code responsible for the $55 million hack, the one Gün stared at on his laptop that evening, lived in a different location.
“Isn't it possible to get multiples of one's RewardTokens and DAOPaidOuts by targeting recursion on Line 666?” Gün wrote in an email to Phil.
I'm not making that up. The bug is on line 666. The absolute ridiculousness of this detail has in fact driven some to believe it was an inside job: certainly someone at slock.it is fucking with us, right? I don't believe this for a second, but as a reporter I became physically stimulated when I first learned this detail in 2017. The devil is in the details, as they say.
It was 7:30 p.m. in Ithaca as Gün wrote to Phil. He wanted to talk about what he'd found. Phil couldn't get on the phone, but wrote back a few hours later that he didn't think what Gün had found was an issue. “We might be up the creek ;),” Phil wrote.
Gün couldn't be sure either. He felt miserable and really wanted to get some sleep.
They'd found the DAO bug – many others came close but Gün had it exactly right. The problem? They didn't tell anyone. Four days before the hack, Gün and Phil went to sleep that Monday night and momentarily forgot all about the DAO.
End of the sample excerpt.
Text provided by LitRes LLC.