The DAO Attack: Understanding What Happened

by
The DAO Attack: Understanding What Happened

Launched on the Ethereum blockchain in spring 2016, the Distributed Autonomous Organization (DAO) was intended to function as an investor-directed venture capital firm that can codify the rules and decision-making arm of the platform and eliminate the need for documents and persons governing the platform. Lauded as great technology, The DAO raised USD 150 million worth of ether (ETH), becoming one of the earliest crowdfunding efforts and high-profile projects developed on the Ethereum blockchain. However, less than three months after its launch, The DAO was hacked, and $60 million of Ether was lost. 

What is a Distributed Autonomous Organization (DAO?)

Following the immense loss, the Ethereum community voted to revert (fork) the state of the network to the one before the hack, returning the stolen funds to investors and shuttering the DAO. However, not all persons in the Ethereum community agreed to the hard fork, resulting in the Ethereum network splitting into two distinct blockchains: Ethereum Classic and Ethereum.

A Distributed Autonomous Organization (DAO) is essentially a blockchain-based organization or cooperative formed by people with a common goal. However, unlike traditional organizations with centralized management structures, the rules governing DAOs are written and executed via code and smart contracts. 

Based on blockchain networks such as Ethereum, DAOs leverages a techno-democratic governance approach wherein investors, or stakeholders vote on critical decisions. The primary role of DAOs is to achieve decentralized control and governance within an organization. 

For a DAO to work effectively, developers write smart contracts that will be responsible for governing and running the platform. Next, an initial funding period is conducted where individuals add funds to the DAO by purchasing tokens via initial coin offerings (ICOs) or crowd sale to provide the necessary resources needed to fund the project. The DAO starts operating once the funding is over, and members of the organization can vote to approve these proposals. 

It’s essential to note that tokens purchased on a DOA are not equity shares. Instead, they are contributions that offer people voting rights rather than ownership. The DAO was a particular Distributed Autonomous Organization (DAO) established and created by Slock.it- A German startup building “smart lock” that allows persons to share their property i.e. apartments, boats, and cars-like a decentralized version of Airbnb.

 A Brief History of The DAO Hack

The idea of ‘The DAO’ was conceived in 2015 by the nascent Ethereum community, which had the idea of coordinating human effort via the execution of verifiable code, i.e. smart contracts and through decentralized decision-making on the community’s protocols. In 2016, close to a year after the Ethereum Mainnet launch, a DAO called “The DAO” was officially created and launched on 30th April 2016. The DAO established a decentralized, community-controlled investment fund for the Ethereum community. 

Following the successful launch, the Ethereum community started purchasing The DAO’s community token by depositing ETH, regarded as the investment funds. The DAO would collect the funds and invest on behalf of the community encompassing token holders. Considering that smart contracts and DAOs were still new, The DAO generated excitement in the Ethereum community and raised close to $150m worth of Ether from 11,000 members. The DAO raised far more money than its creators expected, becoming the largest crowdfunding in Ethereum’s history. 

As The DAO grew big, several users expressed concerns that the code was vulnerable to attack. The concerns became more apparent once the crowdsale was over, with one of The DAO’s creators, Stephan Tual, announcing on 12th June that the platform’s software had been found to have a “recursive call bug” but was not a cause for concern since it didn’t pose considerable risk to the funds. The DAO’s token holders were waiting to vote for over 50 project proposals at that time.    

On June 17th, 2016, exactly 6 days after the recursive call bug announcement, a “blackhat” hacker launched an attack on the DAO platform and started siphoning $150m worth of ETH from The DAO’s smart contract. By 18th June, the hacker had managed to drain more than 3.6m Ether into a “child DAO” with the same structure as The DAO. The hacker went on to claim that his actions were within the laws of legal jurisdiction and no criminal proceedings could be initiated against him since there wasn’t any foul play done by taking advantage of a loophole in a system.

Despite launching the attack, the attacker had to wait 28 days to access Ether in the child DAO. Any attempts to withdraw from the child DAO would raise alarms putting the attacker at risk. 

How the Hacker Launched the Attack on the Platform  

The hacker exploited a loophole in The DAO’s smart contract to his advantage. The hacker launched an attack that came to be known as a “reentrancy” attack. In such an attack, the Fallback functions, which are essentially special constructs in Solidity, are exploited by the reentrancy hack. In the hack, the attacker deploys a smart contract that acts as the “investor” and deposits some Ether in The DAO. 

The hacker then launches the withdraw () function, which receives ETH from the withdraw request causing the fallback function to be triggered. The fallback function may be empty with malicious code but still receives some ETH. 

The execution of the Fallback function initiates The DAO’s smart contract’s withdraw () function again, creating a loop of calls between the hacker contract and The DAO’s smart contract. Every time the withdraw () function is called, The DAO’s smart contract sends the hacker an amount of ETH equivalent to the hacker’s deposit. However, the smart contract fails to update the hacker’s balance until the ETH-sending transaction is complete. 

The ETH-sending transaction cannot finish until the hacker’s fallback function finishes executing. Therefore, the DAO’s contract keeps sending more and more ETH to the hacker’s DAO without decreasing the hacker’s balance-thus draining The DAO’s funds. 

Response to The DAO Hack 

Following reports of the attack, The DAO investors were thrown into a state of disarray as they watched their funds being drained from the platform helplessly. The hack was a serious violation of the DAO’s investor trust as well as the credibility of the Ethereum blockchain network. The DAO stakeholders debated extensively on how best to respond to the attack. 

A “whitehat” hacker team was formed to try and stop the attack and rescue investor funds that were still being drained from the platform. The team proposed to use a similar attack- the reentrancy exploits- to attempt to drain The DAO faster than the attacker. Investors had also started exiting the platform through “escape pods, ” enabling them to retain their investments before they were siphoned out. 

The DAO and the Ethereum Foundation deliberated on ways to stop the attack and make the Ethereum blockchain network and smart contracts safe for other platforms, such as dApps and DAOs built on the network. Several proposals were made as outlined below: 

The Soft-Fork Proposal 

On 17th June 2016, Ethereum’s founder Vitalik Buterin proposed a soft fork of the Ethereum network. In his statement, Vitalik acknowledged that The DAO was under attack and that he had worked out a solution that involved initiating a software fork but with no rollback or transaction/blocks to be “reversed”. 

The software folk would introduce a snippet of code in the basic Ethereum code to blacklist the attacker and prevent them from moving any Ether from The DAO or its children. The folk would essentially freeze the millions of funds obtained by the attacker. 

On learning about the soft-fork proposal, the attacker anonymously wrote an open letter to The DAO and Ethereum community, claiming that the reward was legal as per the smart contract. He also threatened legal action against anyone trying to invalidate his work by seizing the stolen Ether. 

The alleged attacker also claimed via an intermediary on The DAO Slack channel that they would attempt to hinder any soft fork by bribing Ethereum miners up to one million ETH and 100 BTC not to comply and split the Ethereum network. The claims heightened the situation and presented technical challenges to its implementation. 

However, before the Ethereum community could proceed with the soft fork, a bug was discovered in the update’s code, making it vulnerable to attack. This led to the hard-fork proposal. 

The Hard-Fork Proposal 

Following the failure of the soft fork, the Ethereum developers proposed a hard fork that could alter the history of the Ethereum blockchain. While Ethereum developers had the capability of implementing the hard fork alone, they lacked the unilateral power to implement the change.

Exchanges, miners, and node operators had to vote for the implementation of the hard fork. After heated debates in public forums, the Ethereum hard fork was implemented on July 20, 2016, at block 192,000. The hard fork essentially reverted the Ethereum network’s history to before The DAO attack and reallocated the DAO’s Ether to a different smart contract so investors could withdraw their funds. 

Responses to the Hard Fork 

The Ethereum hard fork was faced with criticisms across the crypto space and was extremely controversial, considering that all blockchains are supposed to be censorship-resistant and immutable. Those who were against the hard fork claimed that the Ethereum foundation should not be involved in The DAO since it’s supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom. 

Numerous antagonists of the hard fork claimed that the hard fork compromises the decentralization and integrity of the Ethereum blockchain. It also signalled that projects like The DAO could influence the underlying foundation of the Ethereum blockchain. 

The hard fork implementation resulted in two Ethereum factions with separate Ethereum blockchains. Those who supported the hard fork formed the present Ethereum Blockchain, while those who were against the hard fork established Ethereum Classic (ETC).

While investors were refunded their funds after the hard fork, the attacker didn’t lose out entirely. The stolen funds remained under their possession on the Ethereum Classic chain and were worth around $8.5 million in ETC in months following the attack. 

Closing Words 

The DAO attack teaches valuable lessons, such as the importance of establishing secure blockchain platforms. The attack was largely due to flaws in The DAO smart contract and not really due to a problem on the Ethereum blockchain. The DAO had kept all the funds in a single Ethereum address, plus the code had a loophole that a brainy hacker exploited. Blockchain startups can also derive vital lessons from the SEC’s ruling on The DAO attack.  

The DAO attack and the consequent hard fork marked the beginning of a new era of Ethereum’s blockchain, making it more secure for the development of platforms. The hard decisions made by Vitalik Buterin, Ethereum developers, and the Ethereum community ensured the blockchain’s survival in its earliest days following an attack that led to a hard fork that shook the Ethereum community.

What is a Decentralized Autonomous Organization?

A decentralized autonomous organization aims to achieve certain goals through self-organizing groups using peer-to-peer technologies. One example of such a project is Ethereum, a blockchain platform for building decentralised applications. Instead of having a single central authority that controls all aspects of the system, users can set up rules on how they want their data shared via smart contracts.

What is Ethereum Classic?

Ethereum Classic (ETC) is an open-source platform for decentralized applications based on blockchain technology. The currency was designed to solve scalability issues and provide developers with better tools to create new kinds of dapps. ETC allows transactions to be performed faster and cheaper and has reduced fees compared to other cryptocurrencies.

What is a Hard Fork in blockchain?

A hard fork occurs when two blocks are found at different times to be valid for the network, resulting in both chains continuing simultaneously. Because all nodes need to update their software to accept the new block, any transactions occurring during the fork must be abandoned and reentered once the system has been updated. A hard fork is similar to a chain split where two competing versions of the Bitcoin blockchain exist simultaneously on top of each other. This means that one side could continue mining while the other waits until they overtake them. The result is that users would be unable to send transactions from either version of the blockchain.

What is a Soft Fork in blockchain?

A soft fork is when developers add new features to software like Bitcoin did when they added SegWit. This means that everyone running older versions of Bitcoin (which do not support SegWit) will still be able to access these old coins, while those who updated were forced to upgrade. The soft fork was part of the solution to combat double spending, which prevented users from making multiple payments using the same address.