$60 000 000 USD

JUNE 2016




"A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decision-making apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control." "The DAO was a popular decentralized investment fund based on smart contracts." "If a project that requested funding received sufficient support from the DAO community, that project’s Ethereum address could withdraw ether from DAO." "Rather than the control that owning shares gives an investor in a traditional company, in a DAO, you have control over the organization's collected assets based on how many governance tokens you own."


"“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind Slock.it — a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of AirBNB." "The concept of a DAO was first ideated in 2015 by a team called Slock.it. In order to raise funds for various Web 3.0 projects and startups, the team built a crowdfunding smart contract  — but they took it one step further by programming in actual voting rights and ownership." "The DAO launched on April 30th, 2016, with a 28-day funding window. For whatever reason, The DAO was popular, raising over $100m by May 15, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150 million from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected."


"As the days of the sale passed by, heads started to turn; something was happening that no one expected. The crowdsale was attracting investment figures in the tens of millions, way past expectations — more and more Ether kept flooding in. The flow of investment continued till by the end of the four week initial coin offering, a staggering 12 million Ether ($150 million based on ETH value in June 2016 and a staggering $33.3 billion based on today’s valuation) was deposited in the TheDAO smart contract." "In 2016, the DAO smart contract accumulated over $150,000,000 (at the time) of ether."


"Computer scientists say that a procedure is re-entrant if its execution can be interrupted in the middle, initiated over (re-entered), and both runs can complete without any errors in execution. In the context of Ethereum smart contracts, re-entrancy can lead to serious vulnerabilities." "One of the major dangers of calling external contracts is that they can take over the control flow, and make changes to your data that the calling function wasn't expecting." "A reentrancy attack can occur when you create a function that makes an external call to another untrusted contract before it resolves any effects. If the attacker can control the untrusted contract, they can make a recursive call back to the original function, repeating interactions that would have otherwise not run after the effects were resolved."


"Unfortunately for the DAO, the transfer mechanism would transfer the ether to the external address before updating its internal state and noting that the balance was already transferred. This gave the attackers a recipe for withdrawing more ether than they were eligible for from the contract via re-entrancy." "When the contract fails to update its state (a user’s balance) prior to sending funds, the attacker can continuously call the withdraw function to drain the contract’s funds." "It’s important to note that the TheDAO smart contract was the first of its kind, grievously untested and written in Solidity, Ethereum’s main method of writing code, a language only a few months old." However, "the exact programming pattern that made the DAO vulnerable was not only known, but fixed by the DAO creators themselves in an earlier intended update to the framework's code."


"On June 5th Christian Reitwiessner discovered an antipattern in Solidity which could lead to attacks on smart contracts (later described in a blog post). And then on June 9th, Peter Vessenes wrote a blog about Christian’s discovery. At this point the general Ethereum developer community was aware of this issue."


"EARLY IN THE MORNING of June 17th, 2016, an unknown person or group attacked" the DAO. "The DAO smart contract suffered a reentrancy attack." "The DAO hack took advantage of Ethereum’s fallback function to perform re-entrancy."


The attack procedure is as follows: "(1) The attacker donates ether to the target contract. (2) The target contract updates the attacker’s balance for the donated Ether. (3) The attacker requests the funds back. (4) Funds are sent back. (5) The attacker’s fallback function is triggered and calls for a subsequent withdrawal. (6) The smart contract’s logic to update the attacker’s balance has yet to be executed, thus the withdraw is successfully called again. (7) Funds are sent to the attacker. (8) Repeat steps 5–7. (9) Once the attack is over, the attacker sends funds from their contract to their personal address."


"Imagine you walk up to an ATM and withdraw $200. You get $200, yet you notice your balance didn’t change… you go ahead and withdraw another $200… no change in the balance!"


"You keep withdrawing in figures higher and higher until your cash in hand is greater than your total balance — and then you keep going! Only once you remove your card does your balance finally care to reflect what just happened: -$120,000, or $0 in the ideal case — yet you only had a total initial balance of $2,000."


"All you know is that you now have $100,000 cash-in-hand because the ATM kept withdrawing from your original balance without updating each of those withdrawals. Every time you selected “Withdraw $200,” the ATM checked that your balance was enough — saw your original $2,000  balance — and withdrew from it… but then never updated it to $1,800! You just kept the ATM in a loop of withdrawing from the initial $2,000 indefinitely."


"Unfortunately there is no way to stop the attack once it has started. The attacker’s withdrawal function will be called over and over again until the contract either runs out of gas or the victim’s ether balance has been depleted."
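The ordering flaw in the attack procedure above, as an added Python simulation (not code from The DAO or from the quoted sources). `Vault`, `Account` and `on_receive` are hypothetical names, `on_receive` stands in for the fallback function, the amounts are constructed, and a failed inner withdrawal returns `False` where a real contract call would revert.

```python
"""Toy model of the withdrawal ordering flaw; added illustration, not The DAO's code."""

class Account:
    def __init__(self, name, reenter=False):
        self.name, self.reenter, self.received = name, reenter, 0

    def on_receive(self, vault):
        # Stands in for the fallback function: recipient code that runs on payment.
        if self.reenter:
            vault.withdraw(self)  # ask again before the first call has finished

class Vault:
    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.credit = {}  # recorded balance per account name
        self.pool = 0     # funds actually held

    def deposit(self, who, amount):
        self.credit[who.name] = self.credit.get(who.name, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.credit.get(who.name, 0)
        if amount == 0 or amount > self.pool:
            return False  # simplification: a real contract call would revert here
        if self.update_before_send:
            self.credit[who.name] = 0  # effect first (hardened ordering)
            self._send(who, amount)
        else:
            self._send(who, amount)    # interaction first (flawed ordering)
            self.credit[who.name] = 0  # runs only after every nested call returns
        return True

    def _send(self, who, amount):
        self.pool -= amount
        who.received += amount
        who.on_receive(self)  # control passes to the recipient mid-withdrawal

def run(update_before_send):
    vault = Vault(update_before_send)
    vault.deposit(Account("other-depositors"), 90)  # constructed sample amounts
    caller = Account("reentrant-caller", reenter=True)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool

if __name__ == "__main__":
    print("send before update:", run(False))
    print("update before send:", run(True))
```

With the balance zeroed before the transfer, the nested call sees a recorded balance of 0 and the withdrawal stops at the caller's own deposit.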


"We all know what happened next: a series of futile attempts to recover the funds, the infamous chat room conversation, and the contentious hard fork that resulted in the creation of Ethereum Classic."


"Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code." "But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract."


"Initially, Ethereum founder Vitalik Buterin proposed a soft fork of the Ethereum network, adding a snippet of code that would effectively blacklist the attacker and prevent them from moving the stolen funds. However, shortly thereafter, the attacker (or someone posing as the attacker — it has not been verified) published an open letter to the Ethereum community that claimed the funds had been obtained in a “legal” way in accordance with the rules set out in the smart contract. The attacker also said they would take legal action against anyone who attempted to seize the ether."


"Shortly after, tensions were heightened yet again as the attacker (or someone posing as them) claimed through an intermediary on The DAO Slack channel that they would attempt to thwart any soft fork by bribing Ethereum miners with a collective reward of one million ether and 100 bitcoin to not comply and thus split the Ethereum network in two. The situation not only presented technical challenges, but questioned the moral and philosophical underpinnings of the technology — and the resilience of the Ethereum project’s leadership."


"Before the Ethereum community could proceed with the soft fork, a bug was discovered in the update’s code, making it vulnerable to attack." "[D]espite being implemented in the two major clients (Geth, Parity) and having received majority support from the miners, this modification to the clients opened up a DoS vulnerability and the soft fork was called off before it could come into action."


"The last chance was a hard fork allowing for the safe return of funds to their original owners. A hard fork is of course a very contentious topic, and for good reasons should only be the last resort." "The hard fork effectively rolled back the Ethereum network’s history to before The DAO attack and reallocated The DAO’s ether to a different smart contract so that investors could withdraw their funds. This was extremely controversial — after all, blockchains are supposed to be immutable and censorship-resistant." "Although the tools to really measure the interest in the hard fork were in their early stage and did not cover the whole community, Reddit, Carbonvote and mining pools with polls all indicated that there was enough interest in it to justify its implementation."


"In parallel, a Robin Hood Group spontaneously formed and drained the remaining funds of the DAO in order to prevent further attacks and of course with the intent of handing the ETH back to its original owners."


"Eventually, after a controversial community vote where only holders of 5.5% of the total Ether supply participated, the hard fork option was approved and set to happen at block number 1,920,000. In the end, the extraordinary nature of the situation meant extreme measures had to be taken and thus the immutability of the chain sacrificed — just in this one instance. So: to fork."


"It was initially unclear as to whether the fork would be executed. Though it was proposed by Ethereum developers, they did not have the unilateral power to implement the change. Miners, exchanges, and node operators also had to agree to update their software. After more heated debate in public forums, on July 20, 2016, at block 192,000, the Ethereum hard fork was implemented."


"It’s because the stolen funds were frozen in a childDAO that a hard fork was able to undo the theft cleanly. Thanks to this failsafe in the DAO code, the attacker was unable to transfer the funds out of their child DAO until a certain period of time had expired. Otherwise, the funds would have already made their way to the exchanges and a hard fork would have become unfeasible. This in turn created a huge time pressure to execute on the hard fork."


"While the vast majority of stakeholders adopted the change and the fork was implemented, not everyone was on board. As a result, the hard fork resulted in two competing — and now separate — Ethereum blockchains. Those who refused to accept the hard fork that rolled back the blockchain’s history supported the pre-forked version — now known as Ethereum Classic (ETC). The blockchain presently known as Ethereum is the blockchain that implemented the hard fork and altered the blockchain’s history — and the history of blockchain as a whole."


"Though the funds stolen from The DAO were restored to its investors, the attacker did not lose out entirely. The pilfered tokens still remained in their possession on the Ethereum Classic chain and were worth around $8.5 million in ETC in the months following the attack."


"Original DAO token holders started to withdraw their ETH, while the signatories of the curator multisig started to work on the edge cases (note: this is still a work in progress)"


"Surprisingly, the old chain did receive more support than expected. Exchanges listed the token of the old chain (under the name “Ether classic”), and blockchain explorers were created. Users found themselves confronted with the choice of two chains, which challenged the former Robin Hood Group to start the process of also returning the ETC, an ongoing process."


"Now, more than two years later, Ethereum has largely put The DAO hack in its rearview mirror." "The DAO has been resolved. As far as I know, the DAO is now over. All that’s left is tokens sitting in a recovery contract, waiting for investors to come pick them up and resume life as usual."


"There is a great Ethereum Stack Exchange post that details many different avenues you can take to get ether out of the Withdraw Contract, including a fantastic UI built by the MyEtherWallet.com team. The only thing it lacks currently is screenshots to make using Mist easier."


However, "according to Emin Gün Sirer, a computer science professor at Cornell and the co-director of cryptocurrency research initiative IC3, who said that he has seen a variety of smart contracts that may be vulnerable to a “reentrancy” attack that allows a malicious user to drain ETH from a payment channel."


“BTW, I’ve seen other contracts like this one that implicitly trust the erc-20 tokens issued on top of their platform to not perform reentrant calls. I’m sure this isn’t the last episode of this bug,” he wrote on Twitter.

The DAO was a large smart contract which allowed people to vote on blockchain proposals. Funds were stored so that members who had deposited could withdraw them again; however, the withdrawal was implemented in a way that let a member trigger additional withdrawals within a single withdrawal, before the balance was updated.


This was announced publicly in multiple blog posts, and weeks went by without it being properly fixed. Eventually, a hacker decided to exploit it and take the funds.


As a result, the Ethereum blockchain split in two. The main Ethereum chain that we know today reverted the exploit. There is also Ethereum Classic, which is the original chain with the exploit intact.


There is a suspicion that the attacker was Toby Hoenisch, CEO of TenX.


While not specifically related to exchanges, this is the classic case for highlighting how storage of funds in complex smart contracts is often insecure. In general, a smart contract has a similar security profile to a hot wallet, since the funds are "online" and only protected by a layer of software.


When evaluating storage methods for significant quantities of funds, preference must be given to simpler methods of security such as simple multi-sig. Complexity is typically the enemy of security.



© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.