Good hacker, bad hacker, worse hacker, worst hacker.
What Is a DAO?
But a DAO differs from traditional financial funds in more ways than just tokens vs. shares.
A centralized venture fund will usually have the traditional hierarchical organizational structure that we all know: one person at the top as CEO in charge of making executive decisions, a CTO, a COO, a UFO (kidding).
In a DAO, owning governance tokens gives you the ability to propose and vote on new rules, which are then executed automatically via a smart contract method call. There is no CEO passing executive orders down the line; DAOs rely just on smart contracts to get the job done.
The Decentralized Autonomous Organization Is Born
‘The DAO’ Hack Part 1: Setup
It’s important to note that the TheDAO smart contract was the first of its kind, grievously untested and written in Solidity, Ethereum’s main method of writing code, a language only a few months old.
The setup takes the cake as to the most obviously naive part of everything that went down. The project was extremely over-hyped and investor FOMO was at an all-time high.
To clarify, similar to a traditional company, investors were putting money into TheDAO with the hope that their TheDAO tokens would appreciate in value.
As a token holder in a DAO (if you own any reputable ERC-20 token, you are most certainly part of a DAO with active governance proposals), you can then draft any type of proposal, on which the rest of the DAO’s community will vote.
An investment proposal could be as simple as: “Proposal to loan 100 ETH from the DAO’s treasury to [insert promising new startup here], to be paid back 110 ETH in 6 months...” A governance proposal could look something like: “Proposal to create incentives, such as a farm, to encourage users to become liquidity providers on Uniswap…” A cool one a contemporary DAO recently executed was to buy a pricey NFT then flip it and distribute profits/re-invest into the treasury.
DAO tokens represent direct ownership, so amassing large amounts of a DAO’s token supply gives a holder greater influence over decisions by increasing their proportional vote share. The value of a DAO’s token is derived not just from its community’s investment prowess, but also from how valuable governance decisions become to large and small holders.
Again, it’s key to remember that there was simply no way to set up this type of globally-accessible decentralized venture fund before Ethereum came around, so the investor hype for $TheDAO did seem appropriate. The problem was that Ethereum and Solidity — the two foundational blocks of TheDAO — were just too early in technological maturity.
On various chat boards, many programmers around the world had raised concerns about code vulnerabilities in the TheDAO smart contract and how they could potentially be exploited so as to drain the funds collected — these warnings were not heeded quickly enough.
‘The DAO’ Hack Part 2: The Exploit
Imagine you walk up to an ATM and withdraw $200. You get $200, yet you notice your balance didn’t change… you go ahead and withdraw another $200… no change in the balance!
You keep withdrawing in figures higher and higher until your cash in hand is greater than your total balance — and then you keep going! Only once you remove your card does your balance finally care to reflect what just happened: -$120,000, or $0 in the ideal case — yet you only had a total initial balance of $2,000.
All you know is that you now have $100,000 cash-in-hand because the ATM kept withdrawing from your original balance without updating each of those withdrawals. Every time you selected “Withdraw $200,” the ATM checked that your balance was enough — saw your original $2,000 balance — and withdrew from it… but then never updated it to $1,800! You just kept the ATM in a loop of withdrawing from the initial $2,000 indefinitely.
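The ATM analogy above, as an added example that is not part of the original article and is not TheDAO's Solidity code: a toy Python ledger in which the only difference between the two runs is whether the balance is recorded before or after the funds are handed to the recipient. The Vault class, the account names and the amounts (a 2,000 balance, 200 per withdrawal, 8,000 belonging to other depositors) are constructed for illustration.

```python
# Added illustration: a toy ledger, not TheDAO's Solidity code.
# All names and amounts here are constructed for the example.

class Vault:
    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.balances = {}   # recorded balance per account
        self.reserve = 0     # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who, amount, on_receive):
        # Check: the recorded balance and the reserve must cover the request.
        if self.balances.get(who, 0) < amount or self.reserve < amount:
            return False
        if self.update_before_send:
            # Hardened order: record the withdrawal, then hand over funds.
            self.balances[who] -= amount
            self.reserve -= amount
            on_receive(amount)
        else:
            # Flawed order: recipient code runs while the balance is stale.
            self.reserve -= amount
            on_receive(amount)
            self.balances[who] -= amount
        return True


def simulate(update_before_send):
    """Return (cash received, recorded user balance, vault reserve)."""
    vault = Vault(update_before_send)
    vault.deposit("others", 8000)   # other depositors' funds
    vault.deposit("user", 2000)     # the user's real entitlement
    received = []

    def on_receive(amount):
        # The recipient requests another withdrawal before the first returns.
        received.append(amount)
        vault.withdraw("user", 200, on_receive)

    vault.withdraw("user", 200, on_receive)
    return sum(received), vault.balances["user"], vault.reserve


if __name__ == "__main__":
    print("update after send: ", simulate(False))
    print("update before send:", simulate(True))
```

With the update after the send, every nested check sees the stale 2,000 balance and the whole 10,000 reserve leaves the vault. With the update first, the same re-entering recipient stops at the 2,000 it was entitled to.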
The moving pieces of the setup were now in final position — the rising hype, excitement and purity of one of Ethereum’s first cornerstone projects was about to come to a chaotic climax. Everything had, against all odds, come together for a final screeching cacophonous bang.
Thanks to rising Ether prices at the time, the contract then held a total of $250 million — and this sudden whirlwind of funds leaving the contract had a global community of Ethereum developers and stakeholders scrambling. Who was draining the contract and how could this be stopped?
The hype of Slock.it’s crowdsale thus ended in painfully dramatic fashion. A project that was supposed to smoothly herald in a new age of decentralized financial engineering had begun to lose millions of investor dollars per minute. The vulnerability that had indeed been hinted at by various developers around the world was caught too little too late. The re-entrancy hack had been discovered… and not by a friendly.
‘The DAO’ Hack Part 3: Dagor Dagorath
Noble characters, consisting of TheDAO stakeholders, emerged to fight the evil. Key players in this battle include Griff Green, community manager at Slock.it; Alex Van de Sande, an Ethereum developer; and Christoph Jentzsch, lead at Slock.it. They were key members of the newly formed “Robin Hood Group” mentioned below.
As millions of dollars worth of Ether continued to be drained minute-by-minute, the above embattled white hat hackers dealt with immense stress in coming up with a plan to resolve the situation. Ethereum developers around the world were effectively called to war and diverted all attention to this matter, fearing TheDAO’s fallout would be radioactive enough to kill Ethereum permanently.
Replicating the attack and draining the money out from the main DAO in order to stop the hacker was a popular defense vector discussed in the community (furiously active through various messaging boards across the world).
A spectrum based on two political endpoints emerged: in one corner, the code-is-law laissez-faire advocates shouted that no intervention should happen, the purity of blockchain immutability is too important.
On the opposing corner, there were advocates for greater intervention: action should be taken so as to minimize the effects of this one-of-a-kind catastrophe. Along with all the other viewpoints that fell in between the formed spectrum, a very slippery slope emerged — both sides had valid points.
In the midst of more ETH being drained, a group dubbed the “Robin Hood Group,” consisting of the above-mentioned key players, formed and was pivotal in the white hat (good-intentioned hacking) battle to regain funds before they were all completely stolen by the malicious attacker.
On Day 1 of the attack, the thief had stolen around 30% of the total supply in “The DAO” smart contract — and had then mysteriously stopped, giving the RHG a few short hours to assess the situation. On Day 2, the attacker re-surfaced and began draining ETH once again.
In the meantime, the Robin Hood Group had been busy stockpiling ammunition in the form of 300,000 $TheDAO tokens — more $TheDAO tokens available to deposit into the smart contract in exchange for ETH meant that the withdrawal amount became that much higher. Think back to the ATM example: the more tokens you have in your possession, the higher the amount you can withdraw against at a time, making for a more efficient attack.
The Robin Hood Group had, with petitions to community and investors, amassed an impressive 6,000,000 $TheDAO tokens in donations.
The Robin Hood Group would have to use the exact same technique the thief was using: steal from the smart contract using the same re-entrancy exploit, with the intention of providing the ETH a safe harbor to then return to original investors. This was the real-life equivalent of robbing a bank before the malicious bank-robbers and then returning the money back to the bank. There was much fear and angst from group-members; what were the legal ramifications of such a move?
The seconds ticked by and millions of dollars worth of ETH continued to be drained… the group had no choice but to initiate a counter-attack. The group had to do what the thief was doing: deposit $TheDAO tokens to TheDAO smart contract in order to withdraw an equivalent ETH deposit and then recursively call the buggy function to withdraw more ETH than entitled to. The 6,000,000 tokens of ammunition, along with continuous refinement of the automated withdrawal bot built by the RHG, allowed the white-hat hackers to withdraw ~$30,000 every 5 seconds.
70% of funds were recovered by the Robin Hood Group. The effort had mainly helped stall the attacker because, under protocol rules, withdrawals from TheDAO smart contract required a waiting period of about a month to be cleared; this rule applied to anyone withdrawing from the smart contract. The RHG made efforts to return any donated $TheDAO to the community, but given the outcome mentioned in Parts 4 and 5, this never really became an issue.
The bloody Dagor Dagorath was over. 70% had been recovered by "the good guys" and 30% had been stolen. The malicious attack had been stopped in its tracks — at least temporarily.
The real blood of the battle came in its aftereffects. The thief had been stopped, but had fought with strength and savvy — even though the RHG had pulled a win by recovering the greater amount of ETH, the 70% of those funds recovered were still vulnerable to malfeasance due to how withdrawals from child TheDAOs worked. The thief still had direct control over 30% of funds, about 2 million ETH, and would still be able to withdraw them after the waiting period — the thief would also probably work to sabotage the withdrawal of the other recovered 70%. This was a problem.
‘The DAO’ Hack Part 4: To Fork or Not to Fork
With the malicious thief now temporarily stalled, something more permanent would need to be implemented before the wait period to withdraw ended. Due to possible denial-of-service attacks, the soft fork was not a valid option. The only options left were: do nothing or hard fork.
The “code is law” advocates had a point: how would a hard fork be any different than standard central banking procedures like “bail-outs”? The intervention of central developers into the monetary policy of Ethereum worried many.
The “hard fork” advocates also had a point: if there is a way to reclaim the stolen funds for all the victims and hand the thief an L, why not do it?
Eventually, after a controversial community vote where only holders of 5.5% of the total Ether supply participated, the hard fork option was approved and set to happen at block number 1,920,000.
In the end, the extraordinary nature of the situation meant extreme measures had to be taken and thus the immutability of the chain sacrificed — just in this one instance. So: to fork.
‘The DAO’ Hack Part 5: or Not to Fork
The hard fork came and went pretty unceremoniously. Any block mined after block 1,920,000 on the original chain was no longer considered ETH. The parallel dimension caused by the hard fork was successful, and it effectively erased the effects of Dagor Dagorath. The ETH you use today lives in this parallel dimension.
We believe in a decentralized, censorship-resistant, permissionless blockchain. We believe in the original vision of Ethereum as a world computer that cannot be shut down, running irreversible smart contracts. We believe in a strong separation of concerns, where system forks of the codebase are only possible, when fixing protocol level vulnerabilities, bugs, or providing functionality upgrades. We believe in the original intent of building and maintaining a censorship-resistant, trust-less and immutable development platform.
So: not to fork… kinda.
The radioactivity of this series of events was undeniable. The DAO hack left the Ethereum community split and many stakeholders, as exemplified by ETC, flocked to other projects.
It is worth it to ask whether this early catastrophe was actually a blessing in disguise for Ethereum.
Engineers and developers, pivotal to innovation and buidling, learned the real risks of designing and deploying unsafe/untested smart contracts. Stakeholders and investors, pivotal to keeping the space lush with cash flow and risk, learned the bloody effects of investing in unsafe/untested smart contracts.
Dagor Dagorath would be a puny event compared to the likes of the AAVE smart contract, containing almost $10 billion TVL, being hacked today.
It could well be said that these early events lit a fire under all stakeholders’ butts and thus were essential in further setting up a healthy ecosystem long-term, which now indeed appears to be thriving. Expect more investment to flood in.