Anticipating the next moves of the DAO attacker

The attacker of Ethereum’s The DAO stands to make off with nearly $50 million worth of ether if he can get away with his attack.

The first countermeasure to stop him from doing this is the soft fork, which, if and when it comes into effect, will see miners blacklist transactions from The DAO and child DAOs thereby preventing him from withdrawing his ether from that “Dark” DAO. After that, a hard fork threatens to take those funds away altogether.

We shouldn’t expect this attacker to just take this all lying down. He has already sent a message by proxy and signed it cryptographically with one of the addresses of the White Hat DAO that is presumed to belong to him*, saying he won’t let the money in the “White” DAO out, as he is able to continuously exploit the same bug and features with which he joined that DAO originally.

First Move: Wait and see how the soft fork proceeds.

For now, the attacker does nothing. He waits to see if the soft fork succeeds in activating (that the gas limit is below 4 million on block 1,800,000). If it does not activate, he gets to take all of the money he drained into his Dark DAO.

If it does activate, it still needs a majority of miners to run the activated soft fork. For miners who do not run the soft fork, as soon as he spends money out of his Dark DAO and they process those transactions, the Ethereum chain will split, leaving the shorter chain orphaned by all the non-mining nodes. This is where the attacker might then strike:

Second move: After the soft fork activates:

After the soft fork activates, the attacker is like a desperate caged animal. He has everything to lose and nothing to gain by letting the black listing of his account stand. And the people with the key to the cage he is in are the miners.

One attack vector, a simple, guaranteed bribe, could be to submit and vote in favour of a proposal for his DAO to pay $10,000,ooo or even $20,000,000 or $30,000,000 to the addresses of the top miners (all of their payouts and receiving wallets are clearly visible on the blockchain every time they mine a block or whenever the pools distribute their earnings) and the remainder to a number of addresses of his own.

At that moment, the miners listed in the proposal would know with certainty that if enough of them turn off their soft fork implementation, by rolling back to a previous, yet otherwise fully compatible version of the mining software, they will automatically receive the bribe amount at the same time the hacker gets the remaining money.

With so many miners being anonymous/pseudonymous, there might be enough who leap at a bribe of tens of thousands to hundreds of thousands of dollars. Those that are tempted have nothing to lose, knowing they can easily generate a new address for mining afterwards and abandon their tainted address, thereby keeping their participation in this sordid affair a secret. It takes only 51% of mining power to erase the efficacy of the soft fork and cause the chain to split and the chain containing transactions from the black listed addresses to become the longest and therefore valid chain.

An interesting note with this attack would be that miners who kept mining the soft fork logic would see another chain in which they had received their bribes, and they would know that simply changing one parameter on their mining algorithm would have them receive that ether. If enough of them take the bait, the others will in fact be forced to, because their is no point in mining on a shorter chain. They will in a sense be forced to take the bribe.

Should this happen, some miners may out of a sense of moral duty, donate that bribe, but others may keep it. And more importantly, the portion of the Dark DAO that wasn’t used for bribes will end up in the hands of the attacker.

While all this could wreak havok on the ethereum network it is of little concern to the hacker, who is in an all-or-nothing bid to get something out of his efforts.

A second (but nearly impossible) attack vector: the Attacker mining.

The attacker has a lot to gain by acquiring as much hashing power as possible and trying to prevent the enabling of the soft fork. How much he can get (or has already gotten) is hard to know. His greatest incentive is to get it quickly, within the next few days, to prevent the soft fork from activating. However, this strategy is especially expensive if he fails, and he is unlikely to have access to enough money now to pull it off.

A third attack: Finding other havoc to wreak and breaking the community’s will to proceed

It has been revealed that the bug the attacker exploited is potentially present in many smart contracts. The attacker may be preparing to attack as many of those as possible, as soon as possible.

Why? Because it is impractical for miners to police the blockchain this way if such attacks are common and they can’t justify protecting one contract’s investors while simultaneously ignoring others. Miners may have to give on being policemen on the grounds that the authors of contracts have to write better code and that the miners cannot continuously black list addresses and fork out balances.

Countermeasures to these attacks

At the moment, I cannot think of what effective countermeasures are should the attacker be able to pull off any one or more of the above attacks. They may be improbable, but so was the idea of draining the DAOs funds. Once the attacker gets funds out of the DAO contract, he can mix and sell his coins and be gone like a thief in the night.

* Correction: I had originally stated the signed message came from the Dark DAO account, but a reader has pointed out to me that it was signed with the address from the White Hat DAO account that is presumed to belong to the attacker, since that address followed the white hats into that DAO and is the only one whose identity is not known by them.