📌 First Ever Reentrancy Attack

[nmushegian]

The first reentrency attck was a whitehack attack by me against my first WETH deployment.

https://old.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/

Here you can see me thank the researcher for pointing out this general class of issues, which made us realize our contract was vulnerable.

I can’t find it now because all the slockit websites have been deleted, but shortly after this post, TheDAO devs made a blog post boasting that their contract was not vulnerable.

It has been a repeated theme for the last 5 years that people take worse versions of what I or some other good-faith inventor come up with, attach a scam token, and try to erase history. Please help preserve this historical record that TheDAO disaster could have been averted, but people who pay to market tokens to retail are more concerned about a quick flip than they are about building sound systems.

[pcaversaccio]

Thank you very much for pointing this out. A few backup links in order to preserve the history:

• Modern Reddit version of WETH white hat attack: https://www.reddit.com/r/ethereum/comments/4nmohu/from_the_maker_dao_slack_today_we_discovered_a/?user_id=360657100019
• Post-mortem of WETH white hat attack: https://github.com/nexusdev/hack-recovery
• Blog slock.it: https://medium.com/slock-it-blog/the-history-of-the-dao-and-lessons-learned-d06740f8cfa5
• Blog Peter Vessenes: https://web.archive.org/web/20170615055530/http://vessenes.com/more-ethereum-attacks-race-to-empty-is-the-real-deal
• DAO forum thread: https://web.archive.org/web/20160703020029/https://forum.daohub.org/t/bug-discovered-in-mkr-token-contract-also-affects-thedao-would-allow-users-to-steal-rewards-from-thedao-by-calling-recursively/4947
• Reentrancy patch PR by @LefterisJP: Protect against recursive withdrawRewardFor attack blockchainsllc/DAO#242
• No DAO funds at risk blog: https://web.archive.org/web/20160617173409/https://blog.slock.it/no-dao-funds-at-risk-following-the-ethereum-smart-contract-recursive-call-bug-discovery-29f482d348b?gi=2c2267d6aa56
• Least Authority audit report from July 2015 on potential reentrancy issues with crowdfunding contracts: https://github.com/LeastAuthority/ethereum-analyses/blob/master/GasEcon.md#case-study-the-crowfunding-contract-example

In your Reddit post, a full post-mortem is mentioned. Can you please share that with me here as a link, thx.

Update: I included this white hat attack in my list with commit 72c2ede.

[LefterisJP]

Hey @pcaversaccio there was indeed a post boasting the DAO is safe, but not by us devs. It was Stephan Tual who wanted to boast how cool the DAO is without asking us. You probably know how problematic his way of communication was. In fact I have had no time in between to look at stuff as I was away a bit in the few days between what Nikolai mentions and the actual DAO hack.

But I believe the class of attacks was indeed mentioned much earlier by Christian Reitwiessner. I don't remember where though. As for if there was a rentrancy attack in the wild by a malicious actor before I am not sure.

[pcaversaccio]

Thanks @LefterisJP for your comments. As you see above, I've compiled a list of archive URLs (e.g. the mentioned blog post from Stephan Tual is also part of this list) in order to preserve history.

@chriseth is there some archive link where you pointed out to Peter Vessenes (probably on GitHub) the reentrancy attack vector? Would be cool to have it here as well.

[chriseth]

There is also the talk I have at devcon 1 in London where I mentioned that when using .send() you have to prepare for callbacks: https://chriseth.github.io/notes/talks/safe_solidity/#/7

Peter might have been talking about this one: https://github.com/ethereum/solidity/pull/617/files# - it does not say more than what I already said in the talk.
But IIRC, we were acutally discussing the issue in more detail on gitter. I'm pretty sure this is archived somewhere.

[pcaversaccio]

awesome @chriseth, thank you! In order to preserve history, here is the Internet Archive link to Chris' talk:

• https://web.archive.org/web/20210506230130/https://chriseth.github.io/notes/talks/safe_solidity/#/7

@vessenes any chance you can point me to the Gitter logs?

[chriseth]

The room is https://gitter.im/ethereum/solidity or https://gitter.im/ethereum/solidity-dev - there should be tools that download the archives from the relevant days / weeks.

[pcaversaccio]

Found the following gist that simulates a reentrancy attack by @vessenes:

• https://gist.github.com/vessenes/9d84df668893c43dcd968ee28a03cd2b

Also, found the following Gitter conversation that discusses the reentrancy attack vector:

• https://gitter.im/ethereum/solidity?at=575a028d1cf76dd64535b913
  

[johnfawole]

Was reading the comments, and I learned a lot from y'all. Legendary devs!

[Mylifechangefast]

Love this, thanks for the insights.

[Mylifechangefast]

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

[pcaversaccio]

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

No, the original WETH contract was actually called DSEthToken and has nothing to do with WETH9.

[Mylifechangefast]

Okay, can you tell me more about WETH9 please?

[Mylifechangefast]

I w

That means WETH9 is still vulnerable? How do learn more about it for a better recommendation codebase of the WTH9.

No, the original WETH contract was actually called DSEthToken and has nothing to do with WETH9.

I will check what the DSEthToken is all about.

[pcaversaccio]

Okay, can you tell me more about WETH9 please?

https://www.zellic.io/blog/formal-verification-weth/

[Mylifechangefast]

Okay, can you tell me more about WETH9 please?

https://www.zellic.io/blog/formal-verification-weth/

Yeah, I'm on that.

But what I want to know is that the Supply of ETH has to be greater than WETH right?

I mean the whole concept about the invariant lookout in this https://www.zellic.io/blog/formal-verification-weth/, right?

[Mylifechangefast]

Which shouldn't be an issue.

[pcaversaccio]

But what I want to know is that the Supply of ETH has to be greater than WETH right?

Well, the totalSupply is always greater than or equal to the sum of the total number of WETH tokens in existence. But it's harmless since a new user depositing ETH into WETH will always be able to withdraw it later, regardless of what transactions happen to WETH in between. Please read the article I linked for the technicalities.