Bug discovered in MKR token contract also affects theDAO - would allow users to steal rewards from theDAO by calling recursively

eththrowa 2016-06-12 00:00:06 UTC #1

This bug:
https://www.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/
Is also present in theDAO code - specifically here in the withdrawRewardFor function DAO.sol:

if (!rewardAccount.payOut(_account, reward))
    throw;
paidOut[_account] += reward;
return true;

and here in managedAccount.sol

function payOut(address _recipient, uint _amount) returns (bool) {
        if (msg.sender != owner || msg.value > 0 || (payOwnerOnly && _recipient != owner))
            throw;
        if (_recipient.call.value(_amount)()) {
            PayOut(_recipient, _amount);
            return true;
        } else {
            return false;
        }
    }

This would allow a user to drain many times his entitlement by calling the contract recursively. Oddly enough the slockit team spotted this bug here in the proposal section:

// we are setting this here before the CALL() value transfer to
// assure that in the case of a malicious recipient contract trying
// to call executeProposal() recursively money can't be transferred
// multiple times out of the DAO
p.proposalPassed = true;

but missed it in the reward section.Obviously there are not yet any rewards in theDAO so this is not an issue that could cost money today.

GriffGreen 2016-06-12 09:55:07 UTC #2

Wow Great catch!!

Ursium 2016-06-12 10:17:43 UTC #3

Interesting. We're currently looking into it.

Ursium 2016-06-12 10:24:18 UTC #4

And here's the fix for DAO 1.1... https://github.com/slockit/DAO/pull/242

We're looking into how to mitigate this in the current codebase - stay tuned.

Lefteris 2016-06-12 10:24:53 UTC #5

@eththrowa

Hello! This is Lefteris from slock.it

First and foremost a very big thank you for seeing this. We were indeed aware of the bug but only spotted and fixed it in the executeProposal() function. A fix which by the way is not included in the deployed DAO version, but does not make the DAO vulverable since the recipients of proposal's code is reviewed so we would see the recursive attack upon review of the recipient's proposal.

It's important to point out that this vulnerability does not set the DAO's balance in danger. Only when money goes to the reward account for people to call withdrawRewardFor() can this be exploited. We are already working on a fix of the issue which is going to be deployed with the next DAO code.

We are going to have a discussion also internally in slock.it in how this should be handled further. Stay tuned for updates. And again, sincerely thank you for bringing this to our attention.

Ursium 2016-06-12 12:47:24 UTC #6

Our statement:

https://blog.slock.it/no-dao-funds-at-risk-following-the-ethereum-smart-contract-recursive-call-bug-discovery-29f482d348b#.uo10quefa

Again, thank you @eththrowa

Very well spotted.

Ursium 2016-06-13 14:31:11 UTC #7

DAO Framework 1.1: https://blog.slock.it/announcing-dao-framework-1-1-35249e2e001#.5a75iq3fu

Step by Step upgrade: https://blog.slock.it/upgrading-the-dao-to-framework-1-1-a-step-by-step-guide-547a58e00137#.fkuofzvxl

perry 2016-06-13 14:37:27 UTC #8

Wow thanks for keeping communication so open and transparent.

auryn_macmillan 2016-06-13 14:56:07 UTC #9

Discussion here: https://forum.daohub.org/t/upgrading-the-dao-to-framework-1-1-a-step-by-step-guide/5009

himalayanguru 2016-06-18 02:04:00 UTC #10

@Ursium
We knew this was coming and yet we did nothing about it. What a shame. Not on you particularly, but the system that didn't enable instant adoption.