Insights on Re-entrancy Attacks

On June 17, 2016, an entity known as The DAO (The Decentralized Autonomous Organization) lost about 60 million USD (3.6 million ether) in an unprecedented attack, which raised many concerns about security on the blockchain. This attack became known as the “Re-entrancy attack.” The DAO was the realization of the dream of many blockchain maxis. This organization can raise funds, allocate funds to carry out business activities, and split profits on the blockchain without the need for human interaction or interference. However, like all forms of innovative development, it attracted those with ill intentions.

What are Re-Entrancy Attacks?

After raising over 150 million USD, The DAO wallet lost about 60 million USD in a Re-entrancy hack. The Re-entrancy attack occurs when an entity takes advantage of vulnerabilities in a smart contract to withdraw funds from it.

Security is one of the main selling points of blockchain technology, so a breach of this scale undoubtedly shook trust in it. It can seem as though the blockchain is not as secure as advertised. However, this is not true. The blockchain is secure and immutable, meaning any transaction recorded cannot be altered or changed.

If the blockchain is as secure as we say, how were hackers able to steal funds from The DAO?

The re-entrancy attack was possible due to poorly written code or perhaps the ingenuity of the hackers. They took advantage of how the smart contract handled transactions: the vulnerable contract first checks the balance, then sends the funds, and only then updates its balance. This leaves a window in which an entity can call for a withdrawal again before the smart contract has had time to update its balance.

To put it simply: Contract A sends funds to Contract B; however, before Contract A can update its balances, Contract B requests a withdrawal again. This cycle repeats until the funds in Contract A are depleted or Contract A sends the funds to a more secure address.

How to Prevent a Re-Entrancy Attack

Since re-entrancy attacks are possible due to vulnerabilities in a smart contract, it stands to reason that you should properly examine your code and implement sound logic. Sound logic prevents most of the exploits and attacks that written code is subject to.

A failsafe called a mutex can also be implemented to prevent re-entrancy. A mutex creates a lock, which prevents funds from being moved without the contract owner’s consent. However, a mutex must be implemented with caution; the contract owner must have a way of releasing the lock, or the funds might remain trapped forever in the contract without a way to retrieve them.
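
The check, send, update order described earlier and a mutex guard, shown side by side as an added Python model. It is not code from the original article and not real contract code. The class names, the deposit amounts and the use_lock flag are assumptions made for illustration, and the mutex is modelled as a flag held for the duration of one withdrawal.

```python
class Vault:
    """Contract A in the text: credits deposits and pays them out on request."""

    def __init__(self, use_lock):
        self.balances = {}        # depositor -> credited amount
        self.funds = 0            # what the vault actually holds
        self.use_lock = use_lock
        self.locked = False       # mutex flag, set while a withdrawal is running

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        if self.use_lock and self.locked:
            return False                         # nested call refused
        self.locked = True
        try:
            amount = self.balances.get(who, 0)   # 1. check the balance
            if amount == 0 or amount > self.funds:
                return False
            self.funds -= amount                 # 2. send the funds; the
            who.receive(self, amount)            #    recipient's code runs here
            self.balances[who] = 0               # 3. update the balance, too late
            return True
        finally:
            self.locked = False                  # always release the lock


class Recipient:
    """Contract B in the text: its code runs whenever it is paid."""

    def __init__(self, reenter):
        self.received = 0
        self.reenter = reenter

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)   # requests a withdrawal again mid-payment


def simulate(use_lock):
    """Return (amount paid to B, funds left in A) for constructed deposits."""
    vault = Vault(use_lock)
    other, b = Recipient(reenter=False), Recipient(reenter=True)
    vault.deposit(other, 30)       # constructed sample values
    vault.deposit(b, 10)
    vault.withdraw(b)
    return b.received, vault.funds
```

Without the lock, B is credited 10 but is paid all 40 held by A; with the lock, the nested request is refused and B receives only its own 10. Releasing the lock in the finally block is what keeps a failed withdrawal from leaving the funds stuck behind a lock that never opens.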

Smart contract auditing is also a method of finding vulnerabilities and exploits in your smart contracts. An auditor takes your smart contract, examines each line of code, and notes how it interacts with the blockchain to find errors, exploits, and security vulnerabilities.