The DigixDAO crowdsale smart contract had a vulnerability with high severity, but low impact as “only” 4162.2647 DGDs belonging to 35 addresses were affected according to a statement by Digix.
The vulnerability was discovered by Gustav Simonsson, an ethereum developer, who informed Digix on the 23rd of July.
“A bug in the DigixDAO Crowdsale Contract allowed an attacker to receive unclaimed DGD tokens,” Anthony Eufemio, Digix’s CTO, said before proceeding to provide the technical details.
Their analysis showed the bug was used to claim more than 4,000 DGDs, currently worth some $260,000. Digix says all of them will be reimbursed, and the bug has now been fixed.
“Lesson learned,” Eufemio says before adding “we now have a new convention to avoid this mistake by avoiding the use of msg.sender and instead setting the variables at the head of each function. The assignment costs extra gas, but it will help avoid this issue in the future.”
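To make the convention Eufemio describes concrete, here is an added illustration in Solidity. It is not the DigixDAO crowdsale contract, and the storage layout, function names and sample allocations are assumed; it only shows why a function that is meant to act on behalf of a named address should bind that address once at its head rather than reaching for msg.sender further down.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the "set the variables at the head of each function"
/// convention. Not Digix's code: names, storage and balances are assumed.
contract ClaimConvention {
    mapping(address => uint256) public unclaimed; // tokens owed per address (assumed)
    mapping(address => uint256) public balanceOf; // tokens already credited (assumed)

    event Claimed(address indexed beneficiary, uint256 amount);

    constructor() {
        // Constructed sample allocation so the contract can be exercised as-is.
        unclaimed[0x1111111111111111111111111111111111111111] = 100;
        unclaimed[0x2222222222222222222222222222222222222222] = 250;
    }

    /// The pattern the convention warns against. The entry point is written to
    /// act on behalf of `user`, but one later line reads msg.sender instead, so
    /// the debit and the credit refer to different addresses whenever the
    /// caller is not `user`. This is the mismatch a reviewer should flag.
    function claimForFragile(address user) external {
        uint256 amount = unclaimed[user];
        require(amount > 0, "nothing to claim");
        unclaimed[user] = 0;
        balanceOf[msg.sender] += amount; // should have been `user`
        emit Claimed(msg.sender, amount);
    }

    /// The convention from the article: bind the subject of the function to a
    /// local at its head and never read msg.sender again below that line.
    /// Every later statement uses `beneficiary`, so the debit and the credit
    /// cannot drift apart.
    function claimFor(address user) external {
        address beneficiary = user;       // set once at the head of the function
        uint256 amount = unclaimed[beneficiary];
        require(amount > 0, "nothing to claim");
        unclaimed[beneficiary] = 0;
        balanceOf[beneficiary] += amount;
        emit Claimed(beneficiary, amount);
    }

    /// Self-claim under the same convention: the only msg.sender read is the
    /// binding at the head, and everything below uses the local.
    function claim() external {
        address beneficiary = msg.sender; // set once at the head of the function
        uint256 amount = unclaimed[beneficiary];
        require(amount > 0, "nothing to claim");
        unclaimed[beneficiary] = 0;
        balanceOf[beneficiary] += amount;
        emit Claimed(beneficiary, amount);
    }
}
```

A useful regression check for any function of this shape is to call it from an account that is not the named user and assert that the caller's `balanceOf` is unchanged while the user's `unclaimed` has moved to the user's `balanceOf`; `claimForFragile` fails that check and `claimFor` passes it. The extra SLOAD-free local binding costs a little gas, as Eufemio notes, but it also makes the "who is this function acting for" question answerable from a single line.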
Digix announced an audit of their smart contract back in May that was to end around June, but that was for dgx 2.0, Kai Chng, Digix’s co-founder, told trustnodes.
However, “we did not have an audit for the crowdsale contract,” Chng says, so the bug has seemingly slipped in and remained undiscovered until last week.
It just goes to show how careful one has to be when writing code that directly controls assets, especially when the tokens in question have a market cap of some $125 million, with each valued at nearly $63.
DGD's price fell slightly today, but has halved since last month, seemingly following ethereum's price movements over the same period.
Digix was one of the first ICOs and ethereum-based projects, raising around 550,000 eth back in March 2016, worth $5.5 million at the time, with the aim of creating a gold-backed stable currency: DGD token holders are given part of the transaction fees in DGX, which is pegged 1:1 with gold.
But DGX isn't traded anywhere, and price action shows DGD has hardly been stable, seemingly following eth's movements closely both up and down, probably because it attracts interest primarily from speculators.
So their promise to ICO investors of a “stable store of value” has seemingly not yet materialized, but they are soon to launch a marketplace which might perhaps take the idea further.