It was, at the time, the biggest – and strangest – hack of all. It concerned something few people knew anything about, it was perpetrated through a method few understood, by someone still unidentified, and it stopped for reasons largely unknown. It became famous under a cryptic name: the DAO hack.
The name of the first DAO has become almost synonymous to an entire class of programs, and it’s worth beginning by saying: the DAO hack concerned just one such program. To better make sense of things, let’s dive into history – and begin by stating the difference between “a DAO” and “the DAO”.
What is a DAO?
Russian-Canadian developer Vitalik Buterin famously created Ethereum toward the end of 2013, before he had even turned 20. He announced it in January 2014 and launched it mid-2015. It was designed to be much more than Bitcoin’s blockchain could yield at the time: “a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference”, as the Ethereum foundation states.
Since this platform was created to support many types of smart contracts, the applications that are built on top of it are not part of the Ethereum blockchain. This is an important distinction that we can later come back to.
A blockchain startup model
One of these smart contracts was the DAO, thought up by Buterin. As co-founder Christoph Jentzsch explained, it was a form of decentralized venture capital fund in which investors would direct the fund’s spending. First, investors would buy tokens to fund the project in an Initial Coin Offering. If an investor wanted to get out, there was a split function, i.e. a get-out clause, which allowed them to withdraw and have their tokens returned by creating their own Child DAO, waiting 28 days and then 7 more to have the Ether returned.
Once the ICO period is over, investors (token buyers) could see what projects were asking for votes and support or veto project spending.
What was the DAO?
The DAO was launched on April 30, 2016. It was the brainchild of German developer Simon Jentzsch & colleagues, of Slock.it – an innovative startup that aimed to promote the sharing economy. In late 2015, Jentzsch talked his idea up to a London DevCon crowd, explaining that a decentralized autonomous organization was “the blockchain way of creating a company”.
His and his partners’ new company, Slock.it, explored funding their project with an ICO on Ethereum, and then went to work setting things in motion, expecting about $5 million to be raised. Between November 2015 and April 2016, code was written and in April released into the wild when the token sale opened.
At first, things went shockingly well. Instead of the expected $5 million, investors flocked to deliver $150 million in the ICO, at that time the highest crowdfunding sum ever raised. Ether traded first at $12, then rode that high wave to reach $20.
During the 28 days of the ICO, however, a number of vulnerabilities in the DAO code were signaled, and people inside and outside Slock.it drew attention to flawed code, wondering whether the flaws put the funds at risk or they could be corrected along the way. In the meantime, projects accumulated and awaited DAO investors’ vote.
How the hack happened
Since Ethereum is built with a Turing complete language, it is also prone to the inherent mistakes of any such complex programming. The bugs in DAO’s code were visible to all and, as mentioned before, a number of programmers examining the code signaled potential problems. Some even called for a moratorium on the DAO until the bugs were fixed.
One such problem was a reentrancy bug that was signaled both by famed Cornell University professor Emin Gün Sirer, and by Slock.it co-founder Stephan Tual. Both were not overly concerned, however, and pretty much slept on it.
The reentrancy bug allowed a malicious user to drain the funds in an account by registering multiple expenditures for the same transaction. This is a use case where programming logic has to stay ahead of regular logic: if the transaction processing is coded before updating the transaction, the transaction can be conducted several times before any transactions are actually recorded. Therefore, code should make it compulsory to first update the transaction and then actually process it – the opposite of what common sense would dictate.
Early warning signs
Emin Gün Sirer had followed the DAO release out of sheer curiosity. Just before the ICO was launched, he had raised serious concerns and asked investors to hold back until Slock.it could fix their bugs. Obviously, no one quite listened, and he continued to examine the DAO code. On June 13, he found the recursive withdrawal bug at line 666. Since his assistant could not be convinced that it was a hackable exploit, he failed to make the problem public.
And so, a few days later, the community started to notice that funds were being drained out of DAO. The DAO team had also noticed it: within six hours, the hacker had stolen one third of DAO’s almost 12 million Ether. They watched the attack unfold and scrambled to act. But how?
What followed: The hard fork
Once the attack became obvious, the DAO team (basically Jentzsch, Griff Green and Alex van de Sande) thought up a rescue plan that was even stranger than the attack: to save the remaining Ether, they would conduct a supervised drain. In other words, they would hack the DAO themselves. They even announced it on the network and told the community not to panic. Then – they failed to conduct the supervised drain because of poor internet connectivity.
However, the strangeness of this saga doesn’t stop here. The attacker stopped. Whether because the goal had been accomplished or a couple of failed attempts discouraged him, he (or they) just stopped.
That meant very little in the grand scheme of things. The equivalent of $50 million had been stolen in hours. Because of smart contract protocols, it was lying in wait and the hacker could not touch it for 28 days. What could be done?
Buterin steps in
All eyes had turned to Vitalik Buterin. Although it hadn’t been the fault of the Ethereum code itself, he felt compelled to step in. Because of blockchain structure, a 51% attack could be orchestrated to revert a transaction by rejecting the problematic block and restarting the chain in a different direction. That is exactly what Buterin suggested: deliberately orchestrating such an attack to cause a soft fork, disabling the block that contained the transactions into the malicious account.
89% of the nodes voted for the fork on block 192,000, and the DAO hack transactions in that block were rolled back. However, there was intense disagreement over this move, since many argued it compromised the very principles of blockchain ideology.
Instead of block 192,000 becoming a dead end, in fact it was kept alive by those who had not voted for the fork and chained back to by new blocks. The soft fork became a hard fork, and two blockchains grew out of that: Ethereum Classic (ETC) and Ethereum (ETH), sharing the same blockchain just up to block 192,000, after which they diverge completely.
What followed: The immediate aftermath
One side issue born out of the hack was that the United States Securities and Exchange Commission (SEC) suddenly became interested not just in the DAO, but in ICOs in general, making a first principled report on how tokens were actually securities and “therefore subject to the federal securities laws.” The battle has raged on since.
Another side issue of the fork, this time, was that, because on the Ethereum Classic blockchain the attack had indeed happened, the attacker now owned about 3.6 million ETC, while the DAO team which had attempted to drain the funds now owned almost 9 million ETC in a blockchain with whose creation they had presumably disagreed.
What happened to the money?
The attack was conducted by retrieving the equivalent of $4,000 in Ether into the attacker’s accounts. It was a concerted effort and the attackers knew what they were doing, using ShapeShift and conducting recurrent transactions of relatively small amounts so that it took hours before anyone noticed.
The attacker is still unknown, though Bloomberg claims an internal report by a crypto exchange identified the DAO attacks as coming from a group in Switzerland. On the other hand, the attackers’ motives are equally obscure.
Some claim they just wanted to short Ether, which they may well have gotten away with in the aftermath of the attack. Other say the attackers may have actually intended to cause a hard fork. Either way, most of the money is apparently still untouched, though a set of transactions through ShapeShift allowed them to convert about 100,000 ETC into Bitcoin worth about $100,000. About 3.5 million ETC are still out there, ready to be laundered anytime.
Lessons of the DAO hack
Just a few things stood out in the immediate aftermath:
- Code vulnerabilities became a major issue. Smart contracts learned to use bug bounties, open-source repositories and audits to prevent major fails.
- ICOs became a target for the SEC, which had been preparing an avenue of attack.
- Hark forks deliberately rolled out on the blockchain can be conducted upon request of perceived blockchain authorities. Many think this makes the tenet of blockchain decentralization hard to maintain.
- Though they add great innovative functionality, smart contracts also add a layer of insecurity to the Ethereum blockchain.