Why The Stalker attack is a non issue

Christoph Jentzsch edited this page May 30, 2016 · 25 revisions

##Introduction

The "Stalker Attack" has been discussed for several weeks now. It’s a very high-risk attack for the person conducting it,it requires the attacker to put their ETH in a child-DAO where they are attacking the new Curator. The only reward guarenteed by this attack is the slight annoyance of the person they are "Stalking."

##Description

The "attack" is as follows. A malicious DAO Token Holder will vote "yes" in any split proposals where the amount of tokens at stake is less than the amount of tokens the malicious DAO Token Holder is comfortable losing.

Splitting is a multi-step process. First the "victim" must create a proposal for a new Curator and vote for it. In most cases, the victim will set themselves as the new Curator. After the debate period ends the victim can see who voted yes on their proposal, only these DAO Token Holders can burn their DAO Tokens to join the newDAO. If only the "victim" voted for the proposal (as expected) or if the "victim" has a more than 50% of the vote, then the stalker attack cannot occur.

If the victim does not have a majority of the votes and calls `splitDAO()' to create their new DAO anyway, a malicious attacker can also call it and they will both end up in the same child DAO with the victim being the Curator but not having the majority of NewDAO tokens.

From this point on both the victim and the attacker are locked in a stalemate. The attacker will need the victim to add them to the whitelist so they can get ETH out of the DAO, and the victim will need the attacker to fail to vote on their proposal so they can get their ETH out of The DAO (the assumed purpose of splitting in the first place).

The attacker can only get something out of this if he can blackmail their victim by promising them a portion of the original ETH they were supposed to receive while keeping their own funds and a portion of the victim's ETH.

A problem with any such proposal is that the victim has no reason to trust the attacker. The attacker would likely achieve nothing, apart from locking up their own funds along with their victim's funds in the new DAO. Furthermore the attacker must constantly check new proposals and vote them down to ensure the user does not try to split again to get their tokens out or pass a proposal that can rob the attacker.

##Prevention

The prevention of the attack is quite straightforward. Before calling splitDAO() make sure that none else apart from you has voted in this proposal. If someone else did, then make another new Curator proposal and see if they follow you there. If they do then don’t call splitDAO(). Otherwise, do so in the last block where it is possible.

Solution

A way to Guarantee you get your ETH

  1. Add an account of yours to the whitelist.
  2. Make 10 accounts and send a very tiny amount of DAO tokens to each one, and keep the rest in your main account.
  3. Make 10 different new Curator proposals to split the DAO.
  4. Use the 10 accounts to vote for the new Curator Proposals.
  5. Assuming the attacker also voted yes in all of the new Curator Proposals, in the last possible block move the DAO tokens from you main account to one of the 10 other accounts (choose a random one) and call splitDAO().

At this point the attacker cannot follow you, they do not know which Proposal you will have chosen. They could have a script, which is scanning the network for all pending transactions and try to follow you in the same block, but due to the fast block times and the way the Ethereum protocol works, this is not guaranteed to work. With some luck, they may manage to do it once, maybe twice but the one time there is a short block the attacker will fail.

Robbing The Attacker

If you do end up in a stalker attack situation in your new child-DAO there are many ways to counter-attack. Remember you have the advantage, you are the Curator and you can make Proposals and add them to the whitelist. So you can blackmail him too :-).

##Conclusion The stalker attack, though sounds terrifying is a non-issue since it makes zero-sense for the attacker as we have shown above. That point aside, the very conversation around the topic proves that one of the first features a DAO 1.1 should have is a “solo split” option.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.