Deconstructing theDAO Attack - by Peter Vessenes - A technical look at theDAO attack

in crypto-news •  8 years ago 

A really good read that dives into the code and break down how the DAO attack was performed and the offending code.

http://vessenes.com/deconstructing-thedao-attack-a-brief-code-tour/

Written by Peter Vessenes with thanks to Joey Krug, Dennis Peterson, Nick Johnson, Tim Goddard

Extract:

Root Causes And Lessons Learned

This bug is a confluence of bad programming habits, a (probable) typo, and a complex call stack.

Things that should be done next time:

  • A purely functional language with a rich type system is needed. If we can't have that right now,
  • All calls that send to untrusted address should have a gas limit
  • Balances should be reduced before a send, not after one
  • Events should probably have a Log prepended to their name.
  • The splitDAO function should be mutexed and keep permanent track of the status of each possible splitter, not just through token tracking.

Further, we're still waiting to see what happens with respect to any possible hard fork that might roll these back, but I think there is a risk that theDAO is somewhat borked right now because it's sense of its own tokens is wrong. I will update on this and many other tidbits over the next week.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

I have heard there non exist such smart-contracts. Where can I download that software to check the exploit?

not sure what you mean, could you re-phase your question?
if you looking for the source code of the DAO you can look here https://github.com/slockit/DAO