[kator]

> Another decision he made when he had no idea of the bug shows how quirky and unforgiving code can be. “If the capital ‘T’ in line 666 had been a small ‘t,’ that would also have prevented the hack,” he says.

Can someone familiar with this explain how something financially based can have a capitalization flaw? I would expect a smart contract language to have very strict type and variable linking. Humans make many mistakes in coding but most of the time it doesn't cost $55m. A transaction language should be very strict so either the smart contract language is flawed or the author of this article is overstating something for dramatic effect.

EDIT: Found this: https://github.com/slockit/DAO/blob/v1.0/DAO.sol#L666

on a deeper dive: http://hackingdistributed.com/2016/06/18/analysis-of-the-dao...

[kefka]

That's primarily because Ethereum is pure amateur hour. When Bitcoin had built in checksums on addresses, Eth Dev's just said "watch where you send money". They ended up having to later add in a capitalization scheme to serve as a hash.

I have no clue how they managed to fool so many people with poor and shoddy work. But they have so far. And they've fooled everyone that this is a 'hack' even after saying time and again "The code is the contract, and the contract is the code"... Unless lead devs lose money.

[NicolaiS]

The 't' vs 'T' has _nothing_ to do with checksums.

`Transfer` and `transfer` are two different functions, one creating an "event" (think a signal on the blockchain) and the other actually transfering tokens.

The true flaw lies in the reentrant attack on `.send()`

[kefka]

My comment on checksums was a overall comment of shoddy and embarrassing hacked crap they call Ethereum.

They claimed again and again that the code is the contract and vice versa. That was proven not true by the VIP() function.

And seriously, if this protocol was given proper due diligence, there would be no reentrant attack on this. But that points back to amateur hour. And a lot of people here have money in ETH and can't come to understand this due to the extreme cognitive dissonance.

(The premise of Ethereum really is amazing. Too bad it wasn't given the same diligence as Satoshi gave it.)

[Laaas]

jesus christ, who the fuck would make two identical symbols differentiated by only capitalisation? (Other than these guys obviously)

[pjc50]

It's surprising that most languages will happily let you do this. Lots of C programs have 'FOO' and 'foo'; not so many will have 'Foo' as well but it's probably more common than you think.

[Laaas]

IMO this is only a problem if they both are the same type, e.g. both are a function, both are a type, both are a variable, both are a special keyword, things like that, because then it's hard to mix them up. If however you can substitute one for the other in code and still have it compile, that would be terrible.

[codedokode]

It is humans' fault that they cannot choose good name for function, not languages'.

[lproven]

What, you mean apart from every Unix ever?

(All right, all right, excluding Mac OS X. But it's weird.)

[jchw]

That's filesystems, not the OS. There are some extremely good reasons to treat filenames as bags of bytes, which is why Apple got rid of case folding in APFS. Think performance, locale issues, etc.

(And before someone says it, yes, of course performance matters for filenames. Every single stat shouldn't need to worry about case folding.)

[kbody]

There's a big difference between being and actually making use of such anti-patterns. Especially on such a scale.

[0x0]

You can have macOS use case sensitive filesystems (like case sensitive HFS+), and you can have linux use a case insensitive file system (like FAT32)

[kerkeslager]

I believe you, but this doesn't persuade me that Ethereum isn't "pure amateur hour".

[bpicolo]

To be fair, bad naming choice

[runeks]

> When Bitcoin had built in checksums on addresses [..]

There are no address checksums in the Bitcoin blockchain; all contracts/scripts on the blockchain reference raw hashes. Only at the application level -- e.g. sending an address to a friend in an email -- does Bitcoin make use of checksums, since blockchain space is fairly precious/expensive.

[pmorici]

Their greatest skill is marketing.

[pjc50]

Actually, could someone post a link to the source so we can all see?

[kator]

See https://github.com/slockit/DAO/blob/v1.0/DAO.sol#L666

[bayonetz]

On that note, could someone familiar with this code explain what the problem is?