The DAO hack - How Ethereum and Ethereum Classic came to be

- 5 minute read

Ted Maas
Digital Marketeer
Ted Maas

It’s the year 2017 and the DAO (Decentralized Autonomous Organization) has gathered over 12.7 million Ethereum . At that time, one ETH was worth $20, meaning that the DAO smart contract had a collective worth of 250 million dollars. Things were looking bright for the independent venture capital fund. That is until the 17th of June when a hacker found an exploit in the DAO protocol and stole 3.5 million ETH (worth 70 million dollars) via its faulty source code. In today’s article, we are going to take a closer look at this infamous DAO hack. This is the first part of a series where we focus on the Ethereum and Ethereum Classic split.


dao hack


What is the DAO?

DAO stands for decentralized autonomous organization and was meant to act as a venture capital fund in a decentralized space. Built on the Ethereum network, commercial- and non-profit enterprises were able to ‘pitch’ their idea to the community. If people wanted to invest, they could do so via the DAO and buy a stake in the project. DAO was given a short funding period to sort everything out. It didn’t take long before the project had reached a cumulative worth of 150 million dollars, a staggering success. Techcrunch, a leading technological magazine focused on high-tech and startups had the following to say about the DAO project:


"a paradigm shift in the very idea of economic organization. ... It offers complete transparency, total shareholder control, unprecedented flexibility, and autonomous governance.”
TechCrunch

At the peak of its popularity, the DAO was worth 250 million dollars and had attracted 14% of all available Ethereum tokens on the network. However, certain drawbacks also came to light. On May 2016, a paper was published detailing certain vulnerabilities in the DAO source code. Investors were recommended to not yet invest until the problems were fixed. On the 9th, 14th and 16th of June, multiple developers found "recursive calls" vulnerabilities. Fixes were promised and awaited approval by the members of the DAO. Unfortunately, the warnings came too late, because, on the 17th of June, the DAO hack occurred.

The loophole

On the 17th of June 2016, a hacker found a loophole in the source code of DAO. Through this loophole, he was able to funnel 3.6 million Ethers from the smart contract in just one day. At that time, 3.6 million Ethers had a collective worth of 70 million dollars. Via the faulty source code, the hacker was able to send a big number of ETH and subsequently ‘ask’ the DAO smart contract to give it back. The hacker repeated this request and repeated this request and repeated this request, causing the blockchain to double-spent multiple times. This ‘recursive call’ vulnerability was never patched. Also, the smart contract was programmed in a way to first release the funds and update the token balance after. The hacker could repeat the process infinitely but stopped when he had collected 3.6 million dollars. This faulty source code was written by the DAO (not Ethereum themselves) and eventually became their downfall.


The waiting period

However, the smart contract also had a different rule implemented that eventually saved them. The DAO smart contract stated that transferred funds had to be put in a holding account, where it had to wait 28-days before being released. This measure was implemented in case certain deals went sour or had to be revoked. Eventually, this 28-day waiting period gave Ethereum, the DAO and the entire cryptocurrency community time to debate on what was going to happen next. The hacker himself went on Github and claimed that he didn’t do anything wrong, saying that he merely made use of the smart contract’s rules. The hacker had the following message:

===== BEGIN SIGNED MESSAGE =====

To the DAO and the Ethereum community,

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of "child DAOs".

I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

"The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation."

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. Such fork would permanently and irrevocably ruin all confidence in not only Ethereum but also the in the field of smart contracts and blockchain technology. Many large Ethereum holders will dump their ether, and developers, researchers, and companies will leave Ethereum. Make no mistake: any fork, soft or hard, will further damage Ethereum and destroy its reputation and appeal.

I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly. I hope this event becomes an valuable learning experience for the Ethereum community and wish you all the best of luck.

Yours truly, "The Attacker"

===== END SIGNED MESSAGE =====

With the 28-waiting period, decisions had to be made. This discussion lead to a lot of arguments, controversy and eventually the birth of a brand-new currency. In our next part of this series, we are going to take a look at the discussion that took place. The proposition, the solution and the aftermath will be online in a few weeks.

Want to know more about Ethereum?

Read all you need to know in our 'What is Ethereum?' info page!