Investors in a "smart contract" built on the Ethereum blockchain platform may have lost cryptocurrency worth millions of dollars because they missed a loophole in the contract's fine print.
The contract was written in Ethereum's Solidity programming language, and the fine print was the code that set out the rules for investing in, operating, and withdrawing from a crowd-sourced venture capital fund called The DAO (The Distributed Autonomous Organization.) .
Ethereum, like other blockchains, is a distributed public ledger, or record of transactions. Where the bitcoin ledger records bitcoin transactions, the Ethereum blockchain records transfers of a cryptocurrency called Ether. But there's more: Ethereum is also a platform for running smart contracts. Its creator, the Ethereum Foundation, describes smart contracts as "applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."
In some respects, that's turning out to be true: The contract for The DAO did run exactly as programmed -- although not, perhaps, exactly as intended.
One canny investor appears to have spotted that the contract did not always run exactly as other investors expected. On Friday, that investor used a loophole to divert The DAO's store of Ether to another account, a "child" of The DAO. Under the terms of the contract, it can't be withdrawn from the child account until after a waiting period of 27 days. But after that, in theory, there is no stopping it: On Ethereum, code is law.
The loophole, known as the "recursive call vulnerability" or the "race to empty," had been spotted in a number of Ethereum smart contracts and publicized more than a week earlier. Slock.it, the developer of the framework used to build The DAO, said on June 12 it had patched its code and urged The DAO to adopt the new version -- but also said that other factors prevented the loophole from being exploited in The DAO.
"This is not an issue that is putting any DAO funds at risk today," Slock.it founder Stephen Tual wrote on the company blog.
As it turned out, those other factors did not protect The DAO.
Exploiting the loophole involved recursively calling the code that allows an investor to cash out of the contract. The code would first make the payout but would debit it from the investor's available funds in a later operation. So if the code were called again before the debit operation took place, the same sum could be paid out over and over. It's a bit like asking a bank teller for all the money in an account, taking the cash -- and then asking again for all the money in the account, before the teller gets a chance to update the balance.