An attack on The DAO has been discovered and exploited. The attacker is currently in the process of draining the ether held in The DAO into a child DAO. The attack is a recursive call vulnerability: the attacker calls the “split” function and then, from inside the split, calls split again repeatedly, collecting ether many times over within a single transaction.
The drained ether is in a child DAO: https://etherchain.org/account/0x304a554a310c7e546dfe434669c62820b7d83490. Even if no action is taken, the attacker will not be able to withdraw any ether for at least the next 27 days (the child DAO's creation period). This is an issue that specifically affects The DAO. Ethereum itself is completely secure.
A soft fork has been proposed (with NO ROLLBACK: no transactions or blocks are “reversed”). Starting from block 1760000 (the exact block number may change by the time the code is released), any transaction that makes a call, callcode or delegatecall that reduces the balance of an account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (i.e. The DAO and its children) becomes invalid; the entire transaction is invalidated, not just the offending call. This prevents the attacker from withdrawing the ether once the 27-day period has passed, and provides sufficient time to discuss potential further steps, including giving token holders the ability to recover their ether.
Miners and mining pools should resume accepting transactions as normal, wait for the soft fork code, and stand ready to download and run it if they agree with this path for the Ethereum ecosystem. DAO token holders and Ethereum users should remain calm. Exchanges should feel safe resuming ETH trading.
Contract authors should (1) be very careful about recursive call bugs and follow the advice on mitigating them that the Ethereum contract programming community will publish next week, and (2) avoid creating contracts that hold more than $10 million in value, with the exception of sub-token contracts and other systems (e.g. MKR) whose value is defined by social consensus outside of the Ethereum platform and which can easily be “hard forked” through community consensus if a bug arises; at least until the community has gained more experience in mitigating bugs and/or better tools have been developed.
Developers, cryptographers, and computer scientists should note that any advanced tool that makes it easy to write secure smart contracts on Ethereum (including IDEs, formal verification, debuggers, and symbolic execution) is a prime candidate for DevGrants, Blockchain Lab Grants and String’s Autonomous Financial Grant.
This post will continue to be updated.