-
Notifications
You must be signed in to change notification settings - Fork 488
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protect against recursive withdrawRewardFor attack #242
Protect against recursive withdrawRewardFor attack #242
Conversation
So the issue was identified, the solution developed, but no one could implement it. How to setup DAOs to allow security hot-fixes? |
Any comments on why this didn't get deployed urgently? |
@ktorn The fix for the actual attack that happened is not yet in the v1.1 repo. The upgrade mechanism is slow and involves a vote of the token holders which would take at least 2 weeks. |
@@ -744,9 +744,10 @@ contract DAO is DAOInterface, Token, TokenCreation { | |||
|
|||
reward = rewardAccount.balance < reward ? rewardAccount.balance : reward; | |||
|
|||
paidOut[_account] += reward; | |||
if (!rewardAccount.payOut(_account, reward)) | |||
throw; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the payOut failed, should'nt it be removed from paidOut[_account]
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it failed, the transaction would throw, so this would be as if it never happened.
回顾一下,像看大片惊心动魄。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
The DAO code is vulnerable to the recursive call attack in the
withdrawRewardFor()
function. This fix should handle it for the next deployment of the DAO code.A very big thank you to eththrowa from the daohub forums for spotting this.