DAO security issues published one day before funding closed

May 29, 2016 16:00 GMT

Three cryptocurrency experts published on Friday, May 27, a scientific paper detailing seven attacks that can be carried out to influence the way the Decentralized Autonomous Organization (DAO) allocates Ether funds.

The DAO is a crowdfunded project that runs on the Ethereum network, a new crypto-currency network that many experts say is better than Bitcoin's blockchain and whose currency is named Ether.

The DAO is a new version of Wall Street, but for crypto-currencies

While people can exchange Ether as they wish, just like Bitcoin, the DAO works as a separate entity on the Ethereum network, a combination between Kickstarter and Wall Street.

The DAO was set up to allow users to place Ether in a joint fund and buy voting rights. Each person who buys these voting rights receives tokens and can then decide how the DAO uses their assets to make investment deals via applications called "smart contracts."

Investors can then submit funding proposals, on which the DAO users vote by submitting some of their tokens and a YES/NO vote. In the end, based on the tokens and YES/NO votes, the DAO's computer program decides on the investment request's outcome.

The DAO venture capital fund has raised over $130 million

Since its announcement, investors and crypto-currency aficionados have flocked to the service, buying 12.07 million Ethers, which also drove the price of Ether up. As of today, the entire DAO investment fund is worth $132.32 million (€119.04 million).

The DAO has been taking investments for the past month, and on Saturday morning, 09:00 AM GMT, the funding closed, but not before taking a big hit on Friday, when the researchers released their study. Before the paper was published, the total value of the DAO was around $150 million.

The three researchers are Dino Mark, founder of Smartwallet; Emin Gün Sirer, a professor at Cornell University; and Vlad Zamfir, a researcher with the Ethereum Foundation itself.

  We just released the first draft of a research paper that analyzed The DAO and its voting mechanism. This paper identifies problems with The DAO's mechanism design that incentivize investors to behave strategically; that is, at odds with truthful voting on their preferences. We then outline potential attacks against The DAO made possible by these behaviors.  

The researchers detail in their paper seven attack types, described in short below:

The Affirmative Bias, and the Disincentive to Vote No - The researchers argue that the DAO has a mechanism that values a YES vote more than a NO vote, breaking the 50%-50% balance.

The Stalking Attack - Investors who leave the DAO will receive their funds back via the public blockchain. The researchers detailed a method through which an attacker could track or even block an investor from withdrawing their funds from the DAO.

The Ambush Attack - This attack uses the Affirmative Bias attack. An investor could submit a large amount of approved investment funds into a funding proposal at the last minute with the YES vote to tip the scale towards a favorable decision.

The Token-Value Attack - This method uses the Stalking Attack to watch when an investor leaves the DAO. Using social engineering, attackers can then create a panic among investors or create fictitious entities that drive down the price of TDTs (The DAO Tokens, the voting rights), allowing them to buy a large stake in the fund.

The extraBalance Attack - This is another vote rigging method that makes it financially unfeasible to vote NO on investment proposals.

The Split Majority Takeover Attack - Researchers point out that while the DAO has taken steps against individual vote rigging attempts, the organization can't detect similar attacks carried out by a group of attackers, acting separately.

The Concurrent Tie-Down Attack - Because voters who have submitted funds to a proposed investment have their funds trapped in the proposal until it ends, attackers can create counter-proposals with a shorter voting period. This way, an attacker can launch competitive business proposals, to which the other investors cannot react with a vote because they have their funds trapped in the first proposal.

Besides just describing their attacks, the researchers also proposed a series of mitigations in their paper, which the DAO developers could implement.

You can read the first draft of the research paper below, but the always up-to-date version is available on this Google Docs page.