Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect against recursive withdrawRewardFor attack #242

Merged
merged 1 commit into from
Jun 13, 2016
Merged

Protect against recursive withdrawRewardFor attack #242

merged 1 commit into from
Jun 13, 2016

Conversation

LefterisJP
Copy link
Contributor

@LefterisJP LefterisJP commented Jun 12, 2016
edited
Loading

The DAO code is vulnerable to the recursive call attack in the withdrawRewardFor() function. This fix should handle it for the next deployment of the DAO code.

A very big thank you to eththrowa from the daohub forums for spotting this.

@LefterisJP LefterisJP added this to the DAO v1.1 milestone Jun 12, 2016
@CJentzsch CJentzsch merged commit a188e9e into blockchainsllc:master Jun 13, 2016
@glesaint
Copy link

So the issue was identified, the solution developed, but no one could implement it. How to setup DAOs to allow security hot-fixes?

@ktorn
Copy link

ktorn commented Jun 21, 2016

Any comments on why this didn't get deployed urgently?
Especially taking into account that the attacker had already initiated his attack preparation 7 days in advance with the split proposal.

@LefterisJP
Copy link
Contributor Author

@ktorn The fix for the actual attack that happened is not yet in the v1.1 repo.
The reason that the fix in this PR or ... any of the v1.1 fixes did not make it into the DAO is simple. The DAO is a completely decentralized entity out of anyone's control.

The upgrade mechanism is slow and involves a vote of the token holders which would take at least 2 weeks.

ithinuel
ithinuel reviewed Jun 23, 2016
View reviewed changes
DAO.sol
@@ -744,9 +744,10 @@ contract DAO is DAOInterface, Token, TokenCreation {

reward = rewardAccount.balance < reward ? rewardAccount.balance : reward;

paidOut[_account] += reward;
if (!rewardAccount.payOut(_account, reward))
throw;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the payOut failed, should'nt it be removed from paidOut[_account] ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it failed, the transaction would throw, so this would be as if it never happened.

@philsong
Copy link

回顾一下,像看大片惊心动魄。

@pcaversaccio pcaversaccio mentioned this pull request Jul 19, 2022
Closed
lucadonnoh
lucadonnoh reviewed Nov 11, 2022
View reviewed changes
Copy link

@lucadonnoh lucadonnoh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucadonnoh lucadonnoh lucadonnoh left review comments

Assignees
No one assigned
Labels
Please Review
Projects
None yet
Milestone
DAO v1.1
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@LefterisJP @glesaint @ktorn @philsong @craigcalef @nukec @ithinuel @StrongerXi @lucadonnoh @CJentzsch