New Vulnerability May Prevent Ethereum Soft Fork

One possible solution to the attack that led to the draining of funds from The DAO is now believed to include an exploit of its own.

Jun 28, 2016 at 9:00 p.m. UTC
Updated Sep 11, 2021 at 12:21 p.m. UTC

The number of options available to the ethereum development community as it searches for a way to recover investor funds lost when The DAO was compromised is dwindling with news that a vulnerability in one of the more prominent solutions has been discovered.

As it turns out, a soft fork that would have sought to blacklist the ether address that holds the confiscated funds, preventing it from conducting any transactions, actually exposes a previously undetected attack vector.

In a post on the Ethereum Foundation blog, developer Felix Lange explains that the exploit would slow down mining and prevent the completion of legitimate transactions.

Lange wrote:

"Available options are being considered. The community can avoid any negative consequences of the soft fork by voting against it until a better solution has been found."

Launched earlier this year, The DAO was the first large-scale distributed autonomous organization (DAO) designed with a leaderless governance structure and with the intent to distribute ether donated by contributors to new ethereum projects.

After The DAO raised more than $150m worth of ether, a flaw in the software was exploited, letting a malicious member move a portion of the funds into another DAO under their control.

Due to the way The DAO was coded, it is widely believed that the siphoned funds won’t be accessible to the perpetrator until 14th July. But in Lange’s post today, he added that "there is no immediate urgency to block transactions while further proposals are being worked out".

The development comes as ethereum miners, or those validating transactions and competing to create blocks on the platform, have until this Thursday to vote for the soft fork patch, thus implementing the soft fork.

The fork in the road

While Lange proposed two temporary workarounds to the vulnerability, lead distributed application developer at ethereum, Fabian Vogelsteller, was less optimistic on Twitter.

Vogelsteller wrote:

"With the soft fork being vulnerable there are two options left: a hardfork only affecting The DAOs, or doing nothing."

The hard fork option, which would essentially roll back the ethereum blockchain to erase the transactions, has been controversial to some members of the community who worry it might undermine future faith in the reliability of the network.

Doing nothing has also been controversial, as it would give the person who used The DAO’s code to move funds to a separate account the ability to profit at the expense of the 23,000 token-holding members of the organization.


Correction: This article has been updated to correct a misspelled surname. 
