The DAO Hack Explained: Unfortunate Take-off of Smart Contracts

Logo of the DAO

Smart contracts brought distributed autonomous organizations, aka “DAO”s, to our life. A DAO is another computer code through which a set of smart contracts are connected together and function as a governance mechanism.

In this story I will explore the most famous DAO project, the DAO, and its effects on the smart contract environment. While reading the explanations, it must be borne in mind that all these discussions took place in online platforms such as GitHub and Reddit. Therefore, it is not possible to make definitive statements or give exact figures on all arguments used in these discussions.

1. The Creation of the DAO

The most infamous DAO project was the DAO created by the Slock.it[1] and went live on 30 April 2016. It was a virtual venture capital fund that is governed by the investors of the DAO. The idea was the following: Funds raised from the investors, the token holders, are pooled. Token holders can become contractors by submitting proposals for funding of their project by using the DAO funds. There was a curator examination, which was just an identity verification conducted by one of curators who were selected among the respected members of the Ethereum community. Once the proposal passed the curator’s check, it would be voted on by the investors. If a proposal is approved by a quorum of 20% of all tokens,[2] the DAO automatically transfers Ether to the smart contract that represents the proposal. Any Ether generated from the proposals funded by the DAO would be returned to participating investors as rewards.

During the initial offering[3] took place in May 2016, the only requirement for being an investor was to invest Ether into the system. In exchange, participants were given DAO Tokens, 100 DAO Tokens for 1 Ether, which give voting rights to be used during the selection of projects that would be funded. The DAO raised 12.7 million Ether, which was equal to more than 150 million USD back then and became the biggest crowdfunding project until its time. However, on 16 June 2016, the DAO got hacked.

2. Infamous ‘Split’ Function and the Child DAO

The governance mechanism embraced by the DAO was similar to the governance of publicly-traded joint stock corporations. Unsurprisingly, there was a possibility that the minority would be suppressed by the majority. The creators of the DAO wanted to introduce a protection for the minority: The idea was to make the minority able to retrieve their funds when a proposal they do not want to be a part of gets approved despite their objection, which was, in fact, a DAO equivalent of the appraisal right we see under the corporate law in some jurisdictions.

The creators implemented this solution as an ability of a DAO to split in two. By submitting a special form of proposal, the minority, along with other token holder who voted for this second special proposal, could take their Ether into a new DAO, which is called the child DAO but has the same abilities and it is subjected to same restrictions that of the DAO it is divided from.[4]

The split procedure can be initiated by any token holder at any time regarding their own Ether. However, once initiated, there is a schedule to be followed hardcoded in the DAO’s code according to which a split proposal must have at least 1 week (7 days) of debate time. After this 1 week, the split function can be called, and the initiator’s Ether can be moved to a new child DAO but then there is a 27 days of split creation period during which no proposal can be brought forward. And even after that, if you try to send the funds in the child DAO to an account under your own control, you need to submit a proposal and wait for 2 weeks (14 days), which is the regular proposal debating period. To sum up, once you decide to split a DAO, you need at least 48 days before getting it in an account you control.[5]

A coder found a loophole in this procedure. Once a split function is called, the code was written in a way to retrieve the Ether first and update the balance later. Additionally, it was not checking whether there was a recursive call, which is an expression used to indicate a function that calls himself. The attacker(s) managed to recursively call the split function and retrieved their funds multiple times before getting to the step where the code would check the balance. On 16 June 2016, the attacker managed to retrieve approximately 3.6 million Ether from the DAO fund abusing this loophole, which is known as a “recursive call exploit”.

3. Discussions and the Hard Fork

Ethereum community noticed this abnormal transfer from the DAO fund.[6] Additionally, the following day, someone who claimed himself to be the attacker published an open letter addressed to the Ethereum community.[7] These developments were followed by an intensive debate on what needs to be done to solve this ‘problem’. [8]

In the open letter, the attacker claimed that the code controls everything regarding the DAO and what he did was allowed by the code, thus, his actions were legitimate. The attacker continued by saying that “a soft or hard fork would amount to seizure [his] legitimate and rightful ether, claimed legally through the terms of a smart contract”.

Due to the split schedule explained above, the community had 27 days to decide what to do before the attacker could initiate a proposal to move the funds. There were three options on the table:

1. Doing nothing and leaving the state as it is.

2. Exercising a soft work on the Ethereum blockchain with the help of miners to destroy the child DAO with stolen ethers in it by adding a rule that is declaring all transactions making calls to reduce the fund in the child DAO invalid. This would not affect the validity of transactions took place until the fork.

3. Exercising a hard fork on the Ethereum blockchain to overwrite the history and restore the stolen ethers. This would reverse the all transactions happened after the starting point of the work.

All these options find some support from different groups. People supporting the first option, those who argued against any fork, mainly relied on the philosophical foundations of the Ethereum blockchain. They argued that the code was the law and everything the code allowed was legitimate. Additionally, specifically against the hard fork option, they claimed that the data on the blockchain was immutable, it should be kept that way, and doing the contrary would harm the Ethereum blockchain in the long term.[9] These arguments were similar to those made by the attacker in the open letter.

On the other hand, the majority of the community was of the opinion that something must be done. The development community proposed the soft fork.[10] The hard work remained as the contested option for a while as it would destroy the so-called immutability and integrity of the Ethereum blockchain. The development community’s proposal was to conduct a follow-up hard fork after the completion of the first work to recover the stolen ether. However, even this type of hard fork was contested by some participants and other options not involving any hard fork were developed.[11]

While discussions were going on, a group of ‘white hat’ hackers referred to as ‘Robin Hood’ tried first to secure what was left in the DAO and, second, to take what was drained by using the same exploit that was used by the attacker. However, the attacker managed to be involved into one of the ‘Robin Hood’-led splits which made him entitled to arrange another split attack once the split creation period is over. However, Robin Hood’s move has secured most of the remaining ether in a child DAO and given the community additional time to implement another solution, such as a fork.[12]

On 22 June, a voting started on biggest mining pools regarding the implementation of a soft work. The majority agreed on a soft fork[13] and, accordingly, the soft fork was scheduled to be activated on 30 June. However, due to additional security flaws it would pose,[14] the soft-fork was discarded.[15]

After the cancellation of the soft work, discussions regarding a hard fork gained momentum. According to proponents of the hard fork, the hack was too big to let go and the community should be the final decision makers.[16] By doing so, the funds would be returned, and regulators would be kept out. The hard fork proposal was voted and accepted by majority of the Ethereum community.[17] The hard fork was completed on 20 July and the funds were returned to the investors.[18] Ironically, victims of the hack were able to get their funds back since the so-called immutability was not absolute.

The Ethereum hard-fork did not prevent all participants from following the old main branch. Thus, the branch created with the hard-fork continued as the Ethereum whereas the old branch kept going as the Ethereum Classic.[19]

Final Remarks

The DAO can be considered as the first big-scale application of Ethereum-based smart contracts. The heist not only triggered a general suspicion against the Blockchain technology but also it heated the debate on the requirement of regulation. It was a real example how things could get bad in a world based on computer programs.

Additionally, it also showed us that the human judgment, the element smart contracts trying to get rid of and are claimed ‘smart’ by doing so, is not always bad. Our daily transactions might get extremely complex and computer programs, due to their deterministic nature, are not in a state to mimic all of them, at least not for now.

I believe that the above-mentioned discussion in the Ethereum community on the legitimacy of acts permitted under the code is a typical example of what we will be seeing in further conflicts between the rule of law and the rule of code.

References

[1] All codes regarding the DAO, including samples of smart contracts and proposal offers, can be found at https://github.com/slockit/DAO.

[2] The quorum is not fixed but it is calculated with an equation depending on the proportion of requested ether by the proposal to the total funds of the DAO. 20% is the initial quorum. See ‘The DAO White Paper’, 2.

[3] This process is called “the Creation Phase” in the DAO White Paper. However, in technical terms, this is one of the first examples of what is called “Initial Coin Offering” or “ICO” now.

[4] https://github.com/slockit/DAO/wiki/How-to-split-the-DAO.

[5] Ibid.

[6] https://np.reddit.com/r/ethereum/comments/4oi2ta/i_think_thedao_is_getting_drained_right_now/?limit=500, https://np.reddit.com/r/ethtrader/comments/4oi6tb/dao_attack/.

[7] The letter can be accessed at https://pastebin.com/CcGUBgDG.

[8] Walch, Open-Source Operational Risk: Should Public Blockchains Serve as Financial Market Infrastructures?, 17.

[9] https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/.

[10] https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/.

[11] https://www.reddit.com/r/ethereum/comments/4ov5yi/all_eth_can_be_restored_with_soft_forks_only/, https://www.reddit.com/r/TheDao/comments/4p0u7q/lets_talk_about_all_the_options_to_secure_recover/.

[12] https://www.coindesk.com/dao-counter-attack-ethereum/, https://www.reddit.com/r/ethereum/comments/4p9z93/it_seems_attacker_just_targeted_the_whitehatdaos/.

[13] https://news.bitcoin.com/ethereum-miners-back-soft-fork/.

[14] http://hackingdistributed.com/2016/06/28/ethereum-soft-fork-dos-vector/.

[15] https://blog.bity.com/what-the-dao-navigating-the-hack/.

[16] https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/.

[17] The acceptance rate at voting varies depending on the pools and calculations. See, https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/, https://futurism.com/the-dao-heist-undone-97-of-eth-holders-vote-for-the-hard-fork/, http://carbonvote.com/.

[18] https://www.coindesk.com/ethereum-executes-blockchain-hard-fork-return-dao-investor-funds/.

[19] https://bravenewcoin.com/news/ethereum-hard-fork-results-in-two-surviving-cryptocurrencies-both-are-now-trading/.