darticle.io

The biggest hack that crypto has ever seen

Many hacks happen, and news is written, but do you know about the attack that caused an entire blockchain to diverge?

While cryptography and blockchains boast about the security of their frameworks, many times, there is a lot of false confidence in those statements.

Blockchains have moved on from providing basic transactions to running complex state-managed code right on the blockchain. A big pioneer in this movement has been Ethereum and its programming language, Solidity. Ethereum launched as a blockchain that can do more than write down transactions: it allows you to store, edit and call functions on the blockchain.

Adding such features is obviously going to add more complexity and more reasons for things to go wrong. In the past, Solidity has fared fairly well, but in 2019, this story changed. A new vulnerability was found in smart contracts that allowed hackers to access funds stored inside these contracts.

Mayhem broke out, people started panicking, and millions of dollars' worth of assets were lost overnight.

The Attack – The DAO

In July 2016, a very famous DAO (Decentralized Autonomous Organization) called The DAO became a popular investment fund. It had over 150 million dollars. Unfortunately, the smart contract had not been secured against this vulnerability.

Over 70 million dollars were lost in this hack, as hackers siphoned off the stored ether. It was a grim day for The DAO, which was one of the most valuable assets in the Ethereum ecosystem.

In order to stop the mayhem, Ethereum hard-forked the blockchain from a previous state, where The DAO still had its funds. This essentially created two blockchains at the moment of the fork. The older blockchain still survives and is called Ethereum Classic.

How it works

This attack works based on a siphon contract. When the unprotected smart contract tries to pay out funds to its user base, a malicious player supplies a contract address instead of a regular address.

This address belongs to the siphon contract. Upon receiving the first payment, the siphon contract calls the withdraw function on the unprotected contract again. Because the first call has not reached completion, the contract's records have not been updated yet, so the unprotected contract allows the malicious contract to call the function again.

This starts a chain reaction, or a "siphon", of funds being transferred to the malicious contract. All of the money stored in the unprotected contract is now compromised.

[Diagram: how the attack works]

In this way, over 70 million dollars were lost by The DAO.

How to prevent it?

Because the issue was such a large-scale problem, many solutions have been proposed and implemented. Fundamentally, all of the approaches work in a similar way: the smart contract stores a state variable through the course of a function. After completing all steps in the function, it updates this state, allowing the function to be called again. This way, the contract does not allow the function to be called again before it has completed all of its steps.
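The mechanism described in "How it works" and the lock described above, written out by hand as an added example (not code from the original article, from The DAO, or from OpenZeppelin). The contract name Vault and all function and modifier names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; all names here are hypothetical.
contract Vault {
    mapping(address => uint256) public balances;

    // The state variable from the paragraph above: true while a
    // protected function is still running.
    bool private locked;

    modifier noReentry() {
        require(!locked, "reentrant call");
        locked = true;   // set before the function body runs
        _;
        locked = false;  // cleared only after every step has completed
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Vulnerable ordering: the payout happens BEFORE the balance is
    // updated. If msg.sender is a contract, it receives control during
    // the call and can re-enter while its balance is still non-zero.
    function withdrawUnsafe() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // too late: runs after the external call
    }

    // Hardened: the lock rejects any nested entry, and the balance is
    // zeroed before the external call as a second line of defence.
    function withdrawSafe() external noReentry {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A nested call into withdrawSafe hits the require in noReentry and reverts, so the recipient's call fails and the outer require(ok) reverts the whole withdrawal.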

You can easily add this security measure to your code with OpenZeppelin's contracts. The most important factor about this issue is realizing that such an attack is possible and that you must defend against it.

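// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Path for OpenZeppelin Contracts 4.x; in 5.x the file is utils/ReentrancyGuard.sol
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

contract SecureContract is ReentrancyGuard {
    // nonReentrant reverts if the function is entered again before it returns
    function SafeFunction() public nonReentrant {
        // does something
    }
}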

Conclusion 

Cryptocurrencies and blockchain technologies are still in their infancy. You must keep yourself updated about hacks and vulnerabilities like these.

There is always a chance for things to go wrong, so make sure your smart contracts are audited to prevent these issues, especially if you are dealing with payments (of tokens or native coins).
