I read this alarming account, A Hacking of More Than $50 Million Dashes Hopes in the World of Virtual Currency, in the New York Times, published on June 17, 2016. Here are three excerpts from the longer article that is well worth reading:
A hacker on Friday siphoned more than $50 million of digital money away from an experimental virtual currency project that had been billed as the most successful crowdfunding venture ever — taking with him not just a third of the venture’s money but also the hopes and dreams of thousands of participants who wanted to prove the safety and security of digital currency. …
But just before the project stopped raising money in late May, computer scientists pointed out several vulnerabilities in its underlying code — effectively warning that what happened to the experimental consortium would be possible or even likely. …
The specific mechanism the hackers used is known as a recursive call vulnerability, — essentially a malicious transaction that moves money away from the D.A.O. into a side fund in an endlessly repeating loop.
I followed a link in the New York Times account, Flaws in Venture Fund Based On Virtual Money, which is also worth reading.
This is a start up firm that gathers funds into a pool. Using an automated system, people are able to propose uses for these funds, discuss the various proposals, and then vote to disburse funds to the various projects. The pool is formed from a specific virtual currency, similar to but not Bitcoin. That is, if you wish to invest in the pool, you purchase the virtual currency, and place your funds into the pool. Investing decisions based upon votes are, supposedly, the result of a completely automated algorithm, which was supposed to make the system fair, open, and secure. Evidently, the recursive whatever it is flaw allows someone to manipulate votes to win approval for sending funds to themselves.
Also, in the New York Times account, there was a link to a problem in Bitcoin itself that I had not heard of before. This is from a few years ago, so I’m not up on this.
As I think about these things, engineers may make errors as they develop an algorithm or design, and they may make errors in implementation. It appears that the DAO case involves the programmers properly coding the algorithm, but that plan contains a subtle operating mode, the recursive call, that allows the manipulation. But the people behind DAO state that the code itself is the contract between itself and investors, so they are not in a position to object to this unexpected use of the code.
You are expert in these issues, and we have discussed at length how to get the software to do what it is supposed to do. I look forward to your comments.