
Why The Stalker attack is a non issue

Lefteris Karapetsas edited this page May 16, 2016 · 25 revisions

Introduction

Lately there has been a lot of talk on Slack and on Reddit about the stalker attack. It is so high-risk for the attacker that it makes no sense as an attack. Someone who has too much money and wants to annoy other people could attempt it, but he would still have nothing to gain, as this section attempts to show.

Description

The scenario is as follows. A malicious DAO Token Holder (DTH) will make bots that vote in all split proposals where the amount of tokens at stake is less than the amount of tokens the attacker is comfortable playing with.

After the split debate period, if a victim calls splitDAO(), the attacker will also call it and essentially they will both end up in the same child DAO with the victim being the curator but not having the majority of tokens.

From this point on both the victim and the attacker are locked. The attacker will need the victim to add him to the whitelist so he can be the recipient of anything, and the victim will need the attacker to not downvote him in any proposal.

The only thing that can happen now is that the attacker blackmails the victim, promising to let them get 70% (for example) of their money out while the other 30% would be the profit the attacker makes.

The problem with any such attack is that the victim would have to trust the attacker. That is not going to happen, since the victim has absolutely no guarantees from the attacker. So in essence the attacker would achieve nothing, apart from locking someone else with him in a DAO where they can both do nothing.

Prevention

The prevention of the attack is quite straightforward. Before calling splitDAO(), make sure that no one else apart from you has voted in this proposal. If someone else did, then don’t call splitDAO(). The UI that will be offered by us for voting will actually include a warning for that, by checking if you are trying to split and if other people will follow you in the split.
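One way to express this check, as an added example that is not the project's own UI code. It assumes vote events have already been decoded into `{ proposalID, position, voter }` objects and that only yes-voters on the split proposal can follow you; the addresses, balances and the `splitFollowerCheck` name are constructed for illustration.

```javascript
// Added example: pre-split follower check. All data below is constructed.
// Assumption: only addresses that voted yes on the split proposal can later
// call splitDAO() for it, so the other yes-voters are the possible followers.

// Constructed sample of decoded vote events.
const sampleVotes = [
  { proposalID: 12, position: true,  voter: "0xAAAA000000000000000000000000000000000001" },
  { proposalID: 12, position: true,  voter: "0xbbbb000000000000000000000000000000000002" },
  { proposalID: 12, position: false, voter: "0xcccc000000000000000000000000000000000003" },
  { proposalID: 13, position: true,  voter: "0xdddd000000000000000000000000000000000004" },
];
// Constructed token balances, keyed by lower-cased address.
const sampleBalances = {
  "0xaaaa000000000000000000000000000000000001": 500,
  "0xbbbb000000000000000000000000000000000002": 9000,
  "0xdddd000000000000000000000000000000000004": 100,
};

function splitFollowerCheck(votes, balances, proposalID, me) {
  const self = me.toLowerCase();
  // Addresses may arrive in mixed case, so normalise before comparing.
  const followers = [...new Set(
    votes
      .filter(v => v.proposalID === proposalID && v.position === true)
      .map(v => v.voter.toLowerCase())
      .filter(a => a !== self)
  )];
  const mine = balances[self] || 0;
  const theirs = followers.reduce((sum, a) => sum + (balances[a] || 0), 0);
  return {
    followers,
    // The rule from the text: split only if nobody else voted for it.
    safeToSplit: followers.length === 0,
    // If every follower joined, would you still hold most of the child DAO?
    youKeepMajority: mine > theirs,
  };
}
```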

Solution

There are two main ways to address this attack. We will detail them here one by one.

Split at the last minute

One way to make sure that nobody will follow you to the new DAO is to wait until the very last minute to split. Say that both you and the attacker have voted for the split proposal. The attacker’s bot would be waiting until you call splitDAO() so that after that he can call it himself and join you.

There is a period after which you can no longer call this function. That period is splitDebatePeriod + splitExecutionPeriod. With an average block time of 15 seconds, you have about that long to send the splitDAO() call and make sure it goes into the very last block before the splitExecutionPeriod expires.

The attacker would need to wait for this block to be mined in order to see that you actually called splitDAO() and then he will try to do the same to join you. Only he won’t be allowed to do so, since we would be after the period where calling this function would be allowed.

So as a result you would safely be split alone in your own solo DAO.
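The timing argument above, modelled as an added example that is not code from the DAO project. It assumes splitDAO() is accepted only between the voting deadline and the deadline plus splitExecutionPeriod, and that a follower reacts only after the block containing your call is mined; the timestamps, the 600-second period and the function names are constructed.

```javascript
// Added example modelling the split window. All values are constructed.
const SAMPLE_DEADLINE = 1000000;   // votingDeadline (seconds)
const SAMPLE_PERIOD = 600;         // shortened splitExecutionPeriod for the demo
// Block timestamps 15 seconds apart around the end of the window (1000600).
const sampleBlocks = [1000540, 1000555, 1000570, 1000600, 1000615];

// Assumption: the call is accepted only while
// votingDeadline <= blockTime <= votingDeadline + splitExecutionPeriod.
function splitAllowed(blockTime, votingDeadline, splitExecutionPeriod) {
  return blockTime >= votingDeadline &&
         blockTime <= votingDeadline + splitExecutionPeriod;
}

// Index of the last block still inside the window, or -1 if none is.
function lastBlockInWindow(blocks, votingDeadline, splitExecutionPeriod) {
  let idx = -1;
  blocks.forEach((t, i) => {
    if (splitAllowed(t, votingDeadline, splitExecutionPeriod)) idx = i;
  });
  return idx;
}

// victimBlock: index of the block that includes your splitDAO() call.
// The follower sees the call once that block is mined, so the earliest block
// that can include the follower's own call is the next one.
function followerOutcome(blocks, victimBlock, votingDeadline, splitExecutionPeriod) {
  const victimOk = splitAllowed(blocks[victimBlock], votingDeadline, splitExecutionPeriod);
  const next = blocks[victimBlock + 1];
  const followerOk = victimOk && next !== undefined &&
    splitAllowed(next, votingDeadline, splitExecutionPeriod);
  return { victimOk, followerOk };
}
```

With the sample data, landing in block index 3 splits you alone, index 2 lets the follower in, and index 4 means you missed the window yourself, which is the cost of cutting it too close.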

Robbing The Attacker

If both you and the attacker are in the new child DAO then you can repeatedly call [halveMinQuorum()](https://github.com/slockit/DAO/blob/master/DAO.sol#L833) so that you can pass any proposal you want with as few tokens as possible.

After that you need to separate your tokens into 2 different accounts: one with as few tokens as required to pass a proposal (remember you can halveMinQuorum() as much as you want, you are the curator) and the other with the rest of your tokens.

Subsequently you can add yourself to the whitelist, make a proposal to send all money to yourself with a proposal debate period ranging from 35 to 56 days, and vote on it with the account holding the least tokens. This proposal is checkmate for the attacker.

If he does not downvote it he will lose all of his money. So let’s assume he does that. The minute the attacker downvotes the proposal his tokens will be blocked and he won’t be able to execute any subsequent splitDAO().

To end it all, you then make a new split proposal with minSplitDebate period of 1 week and vote on it. This would give the attacker 34 days to try and join you in your new split attempt. Unfortunately for him, even if he votes for the split proposal, he would not be able to call splitDAO() in time because he would be blocked by your other proposal to transfer all of the money to yourself.
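The blocking sequence in the steps above, as an added toy model that is not the DAO contract's code. It assumes a vote blocks the voter's tokens until that proposal's deadline, that splitDAO() is refused while the caller is blocked by a different proposal, and that splitExecutionPeriod is 27 days (so one week plus the execution period gives the 34 days mentioned); the account names and day numbers are constructed. It also makes explicit the timing condition the steps rely on: the transfer proposal's deadline has to fall after the split window closes.

```javascript
// Added example: toy model of the vote-blocking rule, counted in whole days.
// Assumed value: splitExecutionPeriod = 27 days (7 + 27 = 34).
const SPLIT_EXECUTION_DAYS = 27;

class ToyDAO {
  constructor() { this.proposals = {}; this.blockedBy = {}; }
  propose(id, createdDay, debateDays, isSplit) {
    this.proposals[id] = { deadline: createdDay + debateDays, isSplit, yes: new Set() };
  }
  vote(id, voter, supports, day) {
    const p = this.proposals[id];
    if (day >= p.deadline) throw new Error("voting closed");
    if (supports) p.yes.add(voter);
    // The proposal with the later deadline is the one that blocks the voter.
    const current = this.proposals[this.blockedBy[voter]];
    if (!current || p.deadline > current.deadline) this.blockedBy[voter] = id;
  }
  canSplit(id, voter, day) {
    const p = this.proposals[id];
    const blocker = this.blockedBy[voter];
    // The block lapses once the blocking proposal's deadline has passed.
    const blockedElsewhere = blocker !== undefined && blocker !== id &&
      day <= this.proposals[blocker].deadline;
    return p.isSplit && p.yes.has(voter) && !blockedElsewhere &&
      day >= p.deadline && day <= p.deadline + SPLIT_EXECUTION_DAYS;
  }
}

// Days on which each party could call splitDAO() for the split proposal,
// given the transfer proposal's debate period and the day the split is proposed.
function splitDays(transferDebateDays, splitCreatedDay) {
  const dao = new ToyDAO();
  dao.propose("transfer", 0, transferDebateDays, false);
  dao.vote("transfer", "victimSmall", true, 0);
  dao.vote("transfer", "attacker", false, 1);   // the downvote blocks his tokens
  dao.propose("split", splitCreatedDay, 7, true);
  dao.vote("split", "victimMain", true, splitCreatedDay);
  dao.vote("split", "attacker", true, splitCreatedDay + 1);
  const days = { victimMain: [], attacker: [] };
  const lastDay = splitCreatedDay + 7 + SPLIT_EXECUTION_DAYS + 1;
  for (let d = splitCreatedDay; d <= lastDay; d++) {
    for (const who of Object.keys(days)) {
      if (dao.canSplit("split", who, d)) days[who].push(d);
    }
  }
  return days;
}
```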

The final result of this would be:

  1. The attacker’s money is stuck alone in a DAO where he is not the curator. All his money is lost.
  2. The attacker can no longer get rewards from the parent DAO.
  3. The “victim” has most of his/her money out safely in a 3rd DAO from where he/she can forward them wherever he/she wants.
  4. The “victim” also has enough tokens back in the 2nd DAO to make the attacker’s life miserable: he/she can make more proposals and keep trying to steal all of the attacker’s money and, since he/she is still the curator of the 2nd DAO, can also claim rewards of the original DAO as soon as the attacker is dealt with.

Conclusion

The stalker attack, though it sounds terrifying, is a non-issue since it makes zero sense for the attacker, as we have shown above. That point aside, the very conversation around the topic proves that one of the first features a DAO 2.0 should have is a “solo split” option.
