While Ethereum may seem entirely secure today, it wasn’t always. In 2016, a hack brought the network to its knees, placing a whopping 15% of Ethereum’s supply at risk. This was known as The DAO Hack, an attack that happened when Ethereum was only 11 months old. This is the story of Ethereum’s biggest compromise, the biggest crowdfund in history, and the birth of a new blockchain. Enjoy.
Sections
Setting the Mood
What was The DAO?
How was The DAO Formed?
How was The DAO Attacked?
What Happened in Response?
The Aftermath
Closing Thoughts
My Other Writings!
Setting the Mood
Ethereum went live on July 30th, 2015. The network promised applications built on top of blockchain, but for a while very few actual applications emerged. Many recognized Ethereum had potential, but applying that potential was more difficult. Among the few applications that existed were Gnosis, which started as a prediction market (a place to make bets), and a project by a team called Slock.it, who made tech that allows physical things to be rented by interfacing physical locks with smart contracts.
Applications were basic, but teams had ambition. Slock.it, the team behind using smart contracts for physical rentals, wanted to do something big: create something that could fund their project, and then other projects too. This application was, infamously, The DAO. Since it was the first of its kind, that’s the name it took.
What was The DAO?
The DAO would be a VC fund that invested in projects - in a decentralized way. The idea was that all members of The DAO could vote on projects that may need funding, deciding whether or not they should be given money from The DAO. If a minimum number voted yes (not a majority), then the project would get funding and the returns from the investment would go back to The DAO.
As The DAO invested in more projects, everyone involved would make increasing returns - that was the plan at least. Even the non-active members who didn’t vote made money, letting others vote for what to do instead. Nonetheless, a way out was given for these folks, a way to disagree with funds being released for a specific purpose. That disagreement would happen through “splitting” into a Child DAO where they controlled the funds, ensuring they didn’t go towards the undesired purpose.
How was The DAO Formed?
Anyone on Ethereum in May of 2016 was able to join The DAO, and since it was the first application of such a large size, many who were around did exactly that. On April 30th, 2016, a crowdsale was launched for The DAO’s governance token, wherein 1 ETH would be worth 1 DAO Token. When the crowdsale ended 28 days later, The DAO controlled almost 15% of Ethereum’s supply, or 11.5 million ETH.
This may have already seemed like a recipe for a disaster; having all that ETH in one place was too attractive a target. To put numbers into perspective, the amount of ETH raised by The DAO was equivalent to about $160 million. At that time, this crowdfund was the biggest in history! Mainstream media was beginning to recognize the still-young Ethereum. Meanwhile, all that ETH sat in a single smart contract until disaster struck in June, the following month.
How was The DAO Attacked?
On June 17th, 2016, an attacker launched their plan to take The DAO’s ETH. The plan was simple enough: they had found a bug in the smart contract’s code that made launching the attack pretty easy. It’s called a re-entrancy attack, and it happens when you withdraw money from a smart contract but prevent it from updating its own balance afterwards. The contract just releases money without realizing it has less of it.
In The DAO’s case, the ability to “split” into a Child DAO set the stage for the attack. The attacker split his (very small) piece of The DAO, representing his own funds, but then prevented The DAO’s smart contract from realizing it had sent that ETH. Then he repeated the process again, and again, until he’d drained millions upon millions of ETH.
The way The DAO’s contracts were written made this possible. The smart contract would first send the money to a contract, then update its own balance. This flaw made a re-entrancy attack possible. If those two lines of code were switched, this whole disaster may have been prevented. The attacker recognized this bug as an opportunity to attack, specifically because of how fallback functions work.
In a smart contract, a fallback function is like a Plan B that the contract executes when it is not told exactly what to do. If it receives ETH with no instructions, it executes the fallback function. The attacker set up a smart contract to receive the money from The DAO that had a fallback function: it would stop The DAO smart contract from updating its balance, causing it to loop.
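The ordering flaw described above, as an added example that is not part of the original article and is not The DAO's Solidity code: a simplified Python model of a vault that pays out either before or after updating its books, run against a recipient whose fallback calls `withdraw` again. All class, method and account names are hypothetical, and the amounts are constructed.

```python
# Simplified model of send-before-update vs update-before-send.
# Not The DAO's code; every name and number here is constructed.

class Vault:
    def __init__(self, safe):
        self.safe = safe      # True: update the books first, then send
        self.credit = {}      # what the vault believes it owes each account
        self.pool = 0         # ETH the vault actually holds

    def deposit(self, account, amount):
        self.credit[account] = self.credit.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        owed = self.credit.get(account, 0)
        if owed == 0 or self.pool < owed:
            return                      # nothing owed, or the vault is empty
        if self.safe:
            self.credit[account] = 0    # 1. update the books
            self._send(account, owed)   # 2. then hand control to the recipient
        else:
            self._send(account, owed)   # 1. recipient code runs here...
            self.credit[account] = 0    # 2. ...before the books are updated

    def _send(self, account, amount):
        self.pool -= amount
        account.receive(self, amount)   # models the recipient's fallback function


class ReentrantRecipient:
    """Recipient whose fallback re-enters withdraw() while the first call is open."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)            # re-enter before the caller finishes


def run(safe):
    """Return (amount the recipient got, amount left in the vault)."""
    vault, recipient = Vault(safe), ReentrantRecipient()
    vault.deposit("other depositors", 90)
    vault.deposit(recipient, 10)
    vault.withdraw(recipient)
    return recipient.received, vault.pool
```

With the two lines in the vulnerable order, `run(False)` pays the recipient the whole pool although only 10 was deposited under its name; with them switched, `run(True)` pays out exactly 10 and the re-entrant call finds nothing owed.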
What Happened in Response?
Very quickly after the attack began, a group of “white hat hackers” got involved, using the same method to drain funds to keep them safe from the attacker. When the dust settled, the attacker had about 3.5 million ETH, and the white hats had the remaining 8 million. There was one asterisk though: the attacker couldn’t take the funds out of the Child DAO until 27 days after the split had passed, and neither could the white hats.
In those 27 days, the Ethereum community debated several responses. The discussions were extremely controversial, and landed on 3 major options:
Do nothing. The attacker read the contract carefully and discovered a way to take those funds. Code is law, and the attacker did not steal; he took something available to him.
Prevent the attacker from withdrawing the funds. Ethereum could launch a soft fork which would prevent any ETH from being withdrawn from the attacker’s contract, locking away the 3.5 million ETH from everyone.
Change blockchain history. The attacker stole money that wasn’t theirs, and that money should be returned to its rightful owners; the attack should be undone by changing the balances on the blockchain directly, using a hard fork to take the money from the attacker.
Deciding on which route to take was one of the greatest challenges Ethereum has ever faced. The attacker made claims that if a hard fork ever happened, he would bribe miners that voted for him and would sue those that voted against him. His case was that the money was rightfully his.
A vote was offered to ETH holders, where 1 ETH was equivalent to 1 vote, and two options were offered: do nothing or do a hard fork. The community gathered and voted, and the decision was made to perform a hard fork and return the funds to their rightful owners. Many still believed in “code is law,” and were on the other side of the hard fork. The blockchain that resulted on that side is the one today called Ethereum Classic.
The Aftermath
Although a disaster at the time, there are some silver linings that make The DAO hack actually a good thing for Ethereum in some ways. First, the network developed an ability to prioritize ethics over history. There was plenty of concern back then that a hard fork to change balances would be a slippery slope, and doing it once would make it more likely to happen again in the future. Ever since then though, no funds have ever been updated through a hard fork, even despite attacks on specific projects that resulted in hundreds of millions of dollars more lost than was at risk in 2016.
Second, an SEC crackdown was averted. Ethereum’s main project being an investment vehicle raised eyebrows at the SEC, and there was significant threat that the SEC would clamp down on The DAO as having launched an unregistered security. The funds being returned to the original holders likely prevented years of ugly court proceedings that could have gripped Ethereum.
Third, security became a prime focus for Ethereum. The attack showed what could happen if even two lines of code were placed in the wrong sequence, raising awareness of the importance of secure contracts. Many companies were formed in the wake of the incident, offering security audits and services, and forming best practices for how things should be done safely. Smart contract security may not be where it is today had it not been for The DAO hack.
Closing Thoughts
Ethereum’s had a crazy history, hosting the biggest crowdfund in history for a project that launched only 11 months into Ethereum’s lifespan. The resulting hack on The DAO could have been the end of the network, but Ethereum built itself to be stronger. Silver linings show that even among great catastrophes, good things can emerge.
My Other Writings!
Here you’ll find the other articles I’ve written since my last write-up. Check them out for more blockchain content!
60,000 people wait in line for a Bitcoin token – what it means for you - w/ Cryptonary
Ethereum gets epic upgrades in a bit: here’s why you should care - w/ Cryptonary
TradFi’s crypto takeover begins with Blackrock - w/ Cryptonary
Ethereum’s DeFi rivalry: Hooks, slams, jabs, and everything in between - w/ Cryptonary
Thank You & Additional Reading!
Thank you for reading! Here are some more resources if you'd like to dive deeper.
[Video] The DAO Hack: Story of Ethereum Classic by Junion
Stay kind. Stay curious.