-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
📌 First Ever Reentrancy Attack #1
Comments
Hey @pcaversaccio there was indeed a post boasting the DAO is safe, but not by us devs. It was Stephan Tual who wanted to boast how cool the DAO is without asking us. You probably know how problematic his way of communication was. In fact I have had no time in between to look at stuff as I was away a bit in the few days between what Nikolai mentions and the actual DAO hack. But I believe the class of attacks was indeed mentioned much earlier by Christian Reitwiessner. I don't remember where though. As for if there was a rentrancy attack in the wild by a malicious actor before I am not sure. |
Thanks @LefterisJP for your comments. As you see above, I've compiled a list of archive URLs (e.g. the mentioned blog post from Stephan Tual is also part of this list) in order to preserve history. @chriseth is there some archive link where you pointed out to Peter Vessenes (probably on GitHub) the reentrancy attack vector? Would be cool to have it here as well. |
There is also the talk I have at devcon 1 in London where I mentioned that when using Peter might have been talking about this one: https://github.com/ethereum/solidity/pull/617/files# - it does not say more than what I already said in the talk. |
The room is https://gitter.im/ethereum/solidity or https://gitter.im/ethereum/solidity-dev - there should be tools that download the archives from the relevant days / weeks. |
Found the following gist that simulates a reentrancy attack by @vessenes: Also, found the following Gitter conversation that discusses the reentrancy attack vector: |
Was reading the comments, and I learned a lot from y'all. Legendary devs! |
Love this, thanks for the insights. |
That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9. |
No, the original WETH contract was actually called |
Okay, can you tell me more about WETH9 please? |
I w
I will check what the |
|
Yeah, I'm on that. But what I want to know is that the Supply of ETH has to be greater than WETH right? I mean the whole concept about the invariant lookout in this https://www.zellic.io/blog/formal-verification-weth/, right? |
Which shouldn't be an issue. |
Well, the |
The first reentrency attck was a whitehack attack by me against my first WETH deployment.
https://old.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/
Here you can see me thank the researcher for pointing out this general class of issues, which made us realize our contract was vulnerable.
I can’t find it now because all the slockit websites have been deleted, but shortly after this post, TheDAO devs made a blog post boasting that their contract was not vulnerable.
It has been a repeated theme for the last 5 years that people take worse versions of what I or some other good-faith inventor come up with, attach a scam token, and try to erase history. Please help preserve this historical record that TheDAO disaster could have been averted, but people who pay to market tokens to retail are more concerned about a quick flip than they are about building sound systems.
The text was updated successfully, but these errors were encountered: