The value of the digital currency Ethereum has dropped dramatically amid an apparent huge attack targeting an organisation with huge holdings of the currency.
The price per unit dropped to $15 from record highs of $21.50 in hours, with millions of units of the digital currency worth as much as $50 million stolen at post-theft valuations.
At a pre-theft valuation, it works out as a staggering $79.6 million.
Ethereum developers have proposed a fix that they hope will neutralise the attacker and prevent the stolen funds from being spent.
The core Ethereum codebase does not appear to be compromised.
Ethereum is a decentralised currency like bitcoin, but it is built in such a way that it also allows for decentralised organisations to be built on top of its blockchain (the public ledger of transactions) and for smart contracts that can execute themselves automatically if certain conditions are met.
One of these organisations is the DAO, the Decentralised Autonomous Organisation, which controls tens of millions of dollars’ worth of the digital currency. (The bitcoin news site CoinDesk has a good feature explaining more about how the DAO operates.) The DAO is sitting on 7.9 million units, known as ether, of the currency worth $132.7 million
Early Friday morning, it appears to have been hit with a devastating attack, with unidentified attackers appearing to exploit a software vulnerability and draining drain millions of ether — with a theoretical value in the tens of millions of dollars.
One ether wallet identified by community members as a recipient of the apparently stolen funds holds more than 3.5 million ether. At an exchange rate of about $14 a unit, that works out at $47 million. At $21.50, the value of ether before the hack, it’s significantly more — $79.6 million.
The price may well drop further as the US wakes up and news of the hack spreads.
The community has been working to come up with a solution to the theft, which has continued over a period of hours. One solution proposed was to “roll back” Ethereum several hours to before the attack — essentially restoring a backup of the digital currency and erasing any recent payments. But there is significant resistance to this idea.
“You can’t rollback and drag the whole of Ethereum into this mess,” one community member said in Slack. “The fault is entirely with The DAO and not Ethereum, let the DAO sink and have done with it. Ethereum will recover, there’s nothing wrong with Ethereum.”
Vitalik Buterin, the founder of Ethereum, is proposing a “soft fork” that will prevent the attacker from being able to make valid transactions, effectively freezing the funds. The stolen funds are locked in a “Child DAO” and are unable to be moved for another 27 days, Buterin says — giving the community time to debate and adopt a potential solution. “This will later be followed up by a hard fork which will give token holders the ability to recover their ether,” Buterin writes. (This solution would not involve any “rollback” or negating any transactions.)
The decentralised nature of the DAO — and of Ethereum and digital currencies more generally — means there is no central authority that can simply flip a switch and make changes. Decisions have to be reached by community consensus.
The Ethereum Foundation, a nonprofit that helps guide the digital currency, is calling on digital exchanges to temporarily halt withdrawals in light of the attack. Kraken has complied, writing on its website: “This does not appear to affect Kraken but, out of an abundance of caution, and at the request of the Foundation, we have temporarily paused withdrawals in order to prevent any ether stolen from The DAO from flowing through Kraken.”
The value of Ethereum relative to the US dollar has plummeted over the past few hours, according to data from CryptoCompare. At the same time, the volume of transactions in Ethereum has spiked, indicating panic selling.
The news comes after a recent boom for Ethereum (as well as its sister digital currency bitcoin). It only recently passed $20 an ether in a first for the network.
The apparent exploit used by the attackers was documented earlier this month. “Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and were not very, very careful,” Peter Vessenes wrote in a blog post on June 9. It looks as if we’re now seeing this in action.
There is no indication as to who is behind the attack.