$55 Million in Digital Currency Stolen from Investment Fund
Attackers Target Decentralized Autonomous Organization
An experimental investment fund based on the digital currency ether, which runs on the ethereum platform, has been hacked, with about $55 million worth of the currency stolen, according to news reports.
Founders of the $150 million fund, known as the Decentralized Autonomous Organization, have shut it down in the wake of the June 17 hack and are planning for its unwinding, the Wall Street Journal reports.
The attackers stole about 3.6 million ether coins, valued at about $55 million, and moved them to another account, the newspaper reports.
In a June 17 blog post, Vitalik Buterin, a co-founder of ethereum, acknowledges "an attack has been found and exploited in the DAO."
The attackers appeared to have exploited a loophole that essentially allowed a DAO stakeholder to create an identical fund and move money into it, the Wall Street Journal reports. But the code also imposes a waiting period that means the new fund can't move any money for 27 days. The DAO's founders are planning to "fork" the code and effectively void the hacker's transactions, according to Buterin's blog. "DAO token holders and ethereum users should sit tight and remain calm," he says. "Exchanges should feel safe in resuming trading."
The attack didn't target the ethereum network, but only the DAO fund, according to the Wall Street Journal report.
But Philip Daian, a researcher at Cornell University's Initiative for Cryptocurrencies & Contracts, contends that the ethereum platform itself seems to be flawed, based on the latest developments in the DAO hack, Cryptocoins News reports. "I would lay at least 50 percent of the blame for this exploit squarely at the feet of the design of the Solidity language [used for ethereum]," the professor writes in a blog. "This may bolster the case for certain types of corrective action."
A notice purportedly from the attacker and addressed "to DAO and the ethereum community" was posted on June 18 on PasteBin.
The DAO was set up in May as an experiment in using digital currencies and self-operating digital contracts to create a venture capital fund that could run itself, the Wall Street Journal reports. But it was criticized early on for being poorly constructed, the newspaper reports.
Hackers have targeted several other cryptocurrency-related services, says John Nye, senior penetration tester at the security consulting firm CynergisTek.
"This particular case seems to be very similar to the one that happened in early 2014 to the Mt.Gox bitcoin exchange," he says. "The biggest thing to know in this case is it is not a case of a flaw in the blockchain or other security measures that are used by cryptocurrencies but was caused by a flaw in the security of the Decentralized Autonomous Organization."
The various forms of digital currency are specifically designed to be run in a decentralized manner with anonymity as a core tenet, Nye notes. "This means that organizations like DAO that hope to hold onto large sums of these funds have to take steps far beyond what a typical financial institution may have to take," he says. "These extra steps are needed because they are a very lucrative target for criminals, since if they can bypass the security controls of the organization holding the currency they can transfer it anonymously and there is nothing that the victims can do. This is a big risk for organizations like DAO and Mt.Gox because there is no FDIC or insurance they can employ to guarantee the recovery of funds lost."