Fine print glitch ends in (non)cyber heist

Bug in computer code ends in $55 million investment fund heist


By Allie Sanchez

The fine print in the user agreement of the Decentralised Autonomous Organisation (DAO), an investment fund that deals in cyber currency, proved to be its undoing as an unknown attacker exploited it and made off with $55 million.

The attacker took 3.6 million “ether”, which is equivalent to $55 million in brick and mortar money.

DAO, like the online currency bitcoin, depends on a “block chain”, a public ledger distributed among its users that records transactions. Unlike bitcoin, which is mainly limited to financial transactions, DAO can run computer code, including “smart contracts” that can self-execute. Investors can set up such contracts to pay out under fixed conditions.

The heist thus raised the question of whether it was an attack at all, if all the attacker did was exploit a glitch in the code that governs the DAO. The attacker apparently siphoned off the money by exploiting a bug that made the code process a transaction over and over.

Emin Gun Sirer of Cornell University said that the attacker simply studied the terms and conditions more carefully than DAO users, setting off an avalanche of attacks and counter-attacks.
 
