The DAO Hack Report and Its Ongoing Implications to Cryptocurrency
Ethereum is one of the top digital currencies shaping the decentralized ledger technology. It’s a community blockchain behind the Ether (ETH) cryptocurrency and thousands of dApps. According to CoinMarketCap, ETH is the second-highest traded (over $5,776,058,511 in 24hrs, at the time of writing) coin behind BTC.
Ethereum is considered the most stable blockchain hence the preferred infrastructure for most stable coins. However, the blockchain is associated with some minimal flaws. Among these is an attack on the DAO. This article will look at the events that culminated in one of the most infamous reports in the crypto sphere.
About the DAO
DAO was a project by Slock.it that went live on April 30, 2016, as a virtual venture capital fund with a vision to fund future DAPPS in an ecosystem governed by the investors. The project is fuelled using Ether, which creates the DAO utility coin (DAO tokens).
To achieve its vision, the DAO had several participants:
- Investors or token holders – Investors will fund the project by buying DAO tokens using Ether (1 Ether = 100 DAO Tokens)
- Curators – responsible for safekeeping the network’s operations and conducting voting processes
The DAO has no physical offices. Stakeholders can only interact as curators or contactors (token holders) rather than hold traditional managerial roles.
How The DAO Worked
To become part of the project, one needed to buy DAO tokens. The funds raised from investors were then pooled.
As a token holder, you could become a contractor and receive funds from the pool to fund your projects. You’ll, however, need to submit a proposal to get funding. The proposal will then go through a process of approval which involves several steps:
- Curators test – an identity verification examination is issued by one of the curators picked from respected Ethereum community members.
- Voting by investors – the next step after passing the curators exam is getting investors’ approval through a vote. The proposal needs a 20% endorsement to move to the next phase. The more the DAO tokens an investor holds, the more their voting power.
- Funding of project – Once your proposal has gotten a 20% quorum, the DAO automatically funds Ether to the smart-contract address representing your proposal.
All Ether that will be generated from the proposal will be returned to participating token holders as rewards.
A Grand Take-Off
The DAO’s potential, its flexibility, and complete transparency were unmatched. Investors moved fast to get their share of the pie. Within its first 28 days, the DAO accumulated over $150 million worth of Ether in crowdfunding, making it the largest crowd sale.
While the DAO creators hoped and were busy enhancing the financial institution’s democracy, two errors were unknowingly introduced to the system that served as hacker’s window – The Split function and Child DAO.
Split Function and Child DAO
To protect minority token holders in the project’s decision making, the DAO embraced a governance mechanism similar to that of publicly traded stock corporations to create an exit door for the minority.
The idea was to allow the minority to retrieve their funds if a proposal they objected got approved.
A special proposal would be submitted by the minority and their supporters – token holders who voted for the special proposal.
Upon approval of the special proposal, the minority could transfer their Ether into a Child DAO – a clone of the DAO it split from.
Child DAO had the same capabilities as the main DAO with the same rules and restrictions. So powerful was the Child DAO that the creators could start accepting proposals as in the main project.
However, there was one strict condition in the contract; funds in the Child DAO could not be spent until 28 days after splitting. All things fine! Or so the creators thought. Several people, however, pointed out to loopholes in the code that could pose a threat:
- First, on calling a split function, Ether was retrieved, and the balance updated later.
- Second, the code could not detect a recursive call, i.e., a function that calls itself.
According to creators, that was not a big threat!
Well, it turned out to not just be a threat, but the DAO’s death trap.
The DAO Hack
On June 17, 2016, a hacker(s) exploited the loophole and managed to call a split function recursively and retrieved their funds to a Child DAO multiple times before the part of the code that updated the balance was reached. 3.6 million ETH (worth $50 million) was split out of the DAO through what is now referred to as “recursive call exploit.”
An Open Letter, The Soft Fork and The Hard Fork
One day after the attack, the “attacker(s)” wrote an open letter to the Ethereum community, justifying his acts.
Given the 28 days wait period, a solution had to be found within the remaining 27 days before the attacker(s) could spend the funds.
The Ethereum community geared up to rescue DAO to ensure the reputation of the blockchain is retained.
Three solutions were proposed:
- Do nothing – Several people argued that everything the code allowed was lawful as a smart contract and should be left to self-execute.
- Exercise a soft fork – this required that they collaborate with miners to destroy the Child DAO with stolen funds. Besides, a rule would be effected invalidating all calls to retrieve funds in the subject child DAO.
- Exercise a hard fork – the Ethereum community could also roll back the DAO transactions to a particular point before the hacking occurred, or update the network to block all transactions from the attacker’s ether address.
To decide on the right move, the community resorted to voting. Soft forking was voted in the first round and later dropped in the last minute before its launch due to several possible security flaws.
A hard fork was voted in the second round. The exercise was completed on July 20, with the Ethereum community returning the funds to investors.
Four years have passed since the DAO Attack occurred. So large was the attack that its effects are still felt to this day. Today, the recursive call exploit is used to test a smart contract’s feasibility before it’s released to the market.
The DAO Attack also attracted regulatory bodies like the Securities and Exchanges Commission (SEC), resulting in tightened measures for crypto venture fundings.
There’re many things to learn from the unfortunate DAO attack. Apart from the need for flawless system design, there is also the issue of a fast response. Although it killed a promising project, the DAO attack unleashed the responsive and robust side of the Ethereum community.