Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📌 First Ever Reentrancy Attack #1

Closed
nmushegian opened this issue Jul 18, 2022 · 17 comments
Closed

📌 First Ever Reentrancy Attack #1

nmushegian opened this issue Jul 18, 2022 · 17 comments
Assignees
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@nmushegian
Copy link

nmushegian commented Jul 18, 2022

The first reentrency attck was a whitehack attack by me against my first WETH deployment.

https://old.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/

Here you can see me thank the researcher for pointing out this general class of issues, which made us realize our contract was vulnerable.

I can’t find it now because all the slockit websites have been deleted, but shortly after this post, TheDAO devs made a blog post boasting that their contract was not vulnerable.

It has been a repeated theme for the last 5 years that people take worse versions of what I or some other good-faith inventor come up with, attach a scam token, and try to erase history. Please help preserve this historical record that TheDAO disaster could have been averted, but people who pay to market tokens to retail are more concerned about a quick flip than they are about building sound systems.

@pcaversaccio
Copy link
Owner

pcaversaccio commented Jul 19, 2022

Thank you very much for pointing this out. A few backup links in order to preserve the history:

In your Reddit post, a full post-mortem is mentioned. Can you please share that with me here as a link, thx.

Update: I included this white hat attack in my list with commit 72c2ede.

@LefterisJP
Copy link

Hey @pcaversaccio there was indeed a post boasting the DAO is safe, but not by us devs. It was Stephan Tual who wanted to boast how cool the DAO is without asking us. You probably know how problematic his way of communication was. In fact I have had no time in between to look at stuff as I was away a bit in the few days between what Nikolai mentions and the actual DAO hack.

But I believe the class of attacks was indeed mentioned much earlier by Christian Reitwiessner. I don't remember where though. As for if there was a rentrancy attack in the wild by a malicious actor before I am not sure.

@pcaversaccio
Copy link
Owner

pcaversaccio commented Jul 25, 2022

Thanks @LefterisJP for your comments. As you see above, I've compiled a list of archive URLs (e.g. the mentioned blog post from Stephan Tual is also part of this list) in order to preserve history.

@chriseth is there some archive link where you pointed out to Peter Vessenes (probably on GitHub) the reentrancy attack vector? Would be cool to have it here as well.
image

@chriseth
Copy link

There is also the talk I have at devcon 1 in London where I mentioned that when using .send() you have to prepare for callbacks: https://chriseth.github.io/notes/talks/safe_solidity/#/7

Peter might have been talking about this one: https://github.com/ethereum/solidity/pull/617/files# - it does not say more than what I already said in the talk.
But IIRC, we were acutally discussing the issue in more detail on gitter. I'm pretty sure this is archived somewhere.

@pcaversaccio
Copy link
Owner

pcaversaccio commented Jul 25, 2022

awesome @chriseth, thank you! In order to preserve history, here is the Internet Archive link to Chris' talk:

@vessenes any chance you can point me to the Gitter logs?

@chriseth
Copy link

The room is https://gitter.im/ethereum/solidity or https://gitter.im/ethereum/solidity-dev - there should be tools that download the archives from the relevant days / weeks.

@pcaversaccio
Copy link
Owner

Found the following gist that simulates a reentrancy attack by @vessenes:

Also, found the following Gitter conversation that discusses the reentrancy attack vector:

@johnfawole
Copy link

Was reading the comments, and I learned a lot from y'all. Legendary devs!

@pcaversaccio pcaversaccio changed the title first ever reentrency attack 📌First Ever Reentrancy Attack Feb 3, 2023
@pcaversaccio pcaversaccio added documentation Improvements or additions to documentation enhancement New feature or request labels Feb 3, 2023
@pcaversaccio pcaversaccio self-assigned this Feb 3, 2023
@pcaversaccio pcaversaccio pinned this issue Apr 13, 2023
@Mylifechangefast
Copy link

Love this, thanks for the insights.

@Mylifechangefast
Copy link

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

@pcaversaccio
Copy link
Owner

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

No, the original WETH contract was actually called DSEthToken and has nothing to do with WETH9.

@Mylifechangefast
Copy link

Okay, can you tell me more about WETH9 please?

@Mylifechangefast
Copy link

I w

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

No, the original WETH contract was actually called DSEthToken and has nothing to do with WETH9.

I will check what the DSEthToken is all about.

@pcaversaccio
Copy link
Owner

Okay, can you tell me more about WETH9 please?

https://www.zellic.io/blog/formal-verification-weth/

@Mylifechangefast
Copy link

Okay, can you tell me more about WETH9 please?

https://www.zellic.io/blog/formal-verification-weth/

Yeah, I'm on that.

But what I want to know is that the Supply of ETH has to be greater than WETH right?

I mean the whole concept about the invariant lookout in this https://www.zellic.io/blog/formal-verification-weth/, right?

@Mylifechangefast
Copy link

Which shouldn't be an issue.

@pcaversaccio
Copy link
Owner

But what I want to know is that the Supply of ETH has to be greater than WETH right?

Well, the totalSupply is always greater than or equal to the sum of the total number of WETH tokens in existence. But it's harmless since a new user depositing ETH into WETH will always be able to withdraw it later, regardless of what transactions happen to WETH in between. Please read the article I linked for the technicalities.

@pcaversaccio pcaversaccio changed the title 📌First Ever Reentrancy Attack 📌 First Ever Reentrancy Attack Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

6 participants