Original post:
Back on May 15 we posted "Leaderless, Blockchain-Based Venture Capital Fund Raises $100 Million, And Counting" with a short introduction:
There has to be a way to bet against this.Ummm, yes.
'Puters, do your thing....
A twofer to explain. First up Marketwatch:
The value of digital currency Ethereum tanked Friday after hackers stole the equivalent of more than $50 million from an organization that controls large amounts of the cryptocurrency.
Attackers exploited a security weakness to steal more than 3.5 million ether tokens from an organization called the DAO, which presently holds 9.2 million tokens, according to its website, worth about $150 million at the current price.
The stolen tokens were transferred to another Ethereum wallet, but, it will be about 27 days before the coins can be accessed because the entity created by the attackers to store them hasn’t fully matured, according to Vitalik Buterin, the creator of Ethereum and chief scientist at the Ethereum Foundation, who published a statement about the attack on Pastebin.
The Ethereum development community has proposed a solution that could invalidate the transactions, Buterin said.
Ethereum, which recently reached an all-time peak above $21 a coin, fell as low as $13.40 on the news before recovering to $16.70 in recent trade, according to data from CryptoCompare.
“This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe,” Buterin said.And from FT Alphaville:
The person or people responsible for the attack haven’t been identified....MORE
DAO hacking and dispute resolution
The Decentralised Autonomous Organisation (DAO) — the crowdfunded venture fund that invests in executive-free projects and is run on Ethereum’s blockchain — is being attacked, with over 2m ether missing so far....MORE
More information is available here.
We’re not hacking specialists and the story is still evolving, but… a couple of weeks ago we did get wind of an interesting story involving a Korean DAO investor (who goes by the name Patrick) who lost $100,000 worth of ether (7218 ether) due to what he claimed to be a vulnerability in the open-source Mist wallet offered by Ethereum.
“On the day May 12, I tried to buy DAO using Mist wallet. ‘Mist’ is the official smart wallet for Ethereum and DAO. While I was making the transaction to buy DAO I noticed everything just went away to some weird address,” he told us over Skype.
Patrick brought the flaw to the attention of the Ethereum Foundation hoping the developers there — who offer bounties to encourage exploit and flaw reporting — would at least offer him compensation within the context of the bounty programme.
But, says Patrick, rather than acknowledge his security contribution or openly address the problem in forums, Ethereum’s team suggested Patrick’s loss was down to his own incompetence.
Patrick says he works as an IT systems security specialist and has been mining ether since last August. He also points out his losses occurred at the heart of DAO’s fundraising period, which eventually saw them raise $150m.
Patrick wrote up the issue in the forums regardless, deciding to pursue an investigation for the sake of the community. He identified two flaws. One was a two-second vulnerability during which unauthorised transactions could be issued from the Mist wallet. The other was a security code problem connected to passwords.
Ethereum rolled out fixes about the same time Patrick was publicising the issues, but while Patrick admits some of the issues have been fixed, he claims not all have been fixed in their entirety.
Patrick says he feels hard done by, not least because despite being a major Ethereum and DAO fan, the developer teams did little to address his situation directly.
Ethereum’s foundation structure, meanwhile, now makes it difficult for him to seek further compensation through legal routes — even though, in his opinion, the group operates very much like a commercial corporation with respect to its investor responsibilities and liabilities. As he told us:
Since Ethereum’s market cap is over $1bn, a lot of people use the Mist wallet for sure. Even though I got hacked by their insecure software, I figured out the hacker’s attack vector as well as their security flaw and gave all the detailed information to them. Rather than hearing thanks or sorry, they acted differently. At first they totally ignored me. Then they said it was all the user’s fault.Ethereum’s head of external relations George Hallam told us all security matters presented to the foundation are taken seriously without exception. In this case, however, their investigations showed it was the user who was at fault:
…the weaknesses of the system which led to this unfortunate scenario stem from user error, coupled with the underlying nature of all decentralised systems. As with any decentralised system, there is a lot more accountability on the singular user as there is no centralised authority which is going to come in and roll back any erroneous activity, or reset an account because of a mishap – it’s simply not possible due to the way it is designed. This is, really, the whole point of decentralised systems; to remove the potential for any central authority to take control.
Update: "Ethereum Found the $53 Million"