— By David Siegel
FINAL UPDATE: The DAO has been resolved. As far as I know, the DAO is now over. All that’s left is tokens sitting in a recovery contract, waiting for investors to come pick them up and resume life as usual. If you’re a token holder, you can follow these instructions to recover your tokens:
I leave the following text here for those who want to refer to it, but I will no longer be updating this page …
EARLY IN THE MORNING of June 17th, 2016, an unknown person or group attacked a fund called The DAO, exploited a software vulnerability, and started draining Ether, a cryptocurrency, from the main address where it was stored. This is my attempt to help journalists understand what happened and why it’s important to get the story right. It will be updated continuously.
Latest update: July 7. All updates will now be in an update section at the very end.
THE ETHEREUM NETWORK is a network of computers all running the Ethereum blockchain. The blockchain allows people to exchange tokens of value, called Ether, which is currently the second most popular cryptocurrency behind Bitcoin. Ethereum also allows people to write and put on the network smart contracts — general-purpose code that executes on every computer in the network (currently over 6,000 computers). People then execute these programs by sending Ether to them.
A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control. Here’s how it works:
- A group of people writes the smart contracts (programs) that will run the organization
- Then there is an initial funding period, in which people add cash to the DAO by purchasing tokens that represent ownership — this is called a crowdsale, or an Initial Coin Offering (ICO) — to give it the resources it needs.
- When the funding period is over, the DAO begins to operate. People can make proposals to the DAO on how to spend the money, and the members who have bought in can vote to approve these proposals.
- It’s important to understand that great care has been taken not to make these tokens into equity shares — they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone — it’s just software sitting on the Ethereum network.
- DAOs, DACs, and More — by Vitalik Buterin
- How to Build a Democracy on the Blockchain — Ethereum Foundation
The very first DAO is Bitcoin itself, which is governed by consensus among its core team and its mining network. All other DAOs have been launched on the Ethereum platform.
“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind Slock.it — a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of AirBNB. The DAO launched on April 30th, 2016, with a 28-day funding window. For whatever reason, The DAO was popular, raising over $100m by May 15, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150 million from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected.
It can be said that the marketing was better than the execution, for during the crowdsale, several people expressed concerns that the code was vulnerable to attack. Once the crowdsale was over, there was much discussion of first addressing the vulnerabilities before starting to fund proposals. In particular, Stephan Tual, one of The DAO’s creators, announced on June 12th that a “recursive call bug” had been found in the software but that “No DAO funds are at risk.” At the time, hundreds of project proposals were being discussed and hoping to be accepted for voting.
It’s important to reiterate that the Ethereum network has no such bugs and has been working perfectly the entire time. All networked systems are vulnerable to various kinds of attacks. The Ethereum network, which supports (depending on the price) around $1 billion worth of Ether, has not been hacked and is continuously executing many other smart contracts. Everyone who writes a smart contract knows that if it can move a large amount of cash it will be subject to attack. This particular vulnerability was discovered recently in another system, called Maker DAO, and was neutralized quickly because that DAO was still in testing. Many people feel that testing and certifying smart contracts will be an important part of keeping the Ethereum ecosystem safe. You’ll find several smart-contract validation services listed at DecentralStation.com.
Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining the DAO of Ether collected from the sale of its tokens.
By Saturday, June 18th, the attacker managed to drain more than 3.6 million Ether into a “child DAO” that has the same structure as The DAO. The price of Ether dropped from over $20 to under $13. Several people made attempts to split The DAO to prevent so much Ether from being taken, but they couldn’t get the votes necessary in such a short time. Because the designers didn’t expect this much money, all the Ether was in a single address (bad idea), and we believe the attacker stopped voluntarily after hearing about the fork proposal (see below). In fact, that attack, or another similar one, could continue at any time.
Smart contracts are meant to be stand-alone agreements — not subject to interpretation by outside entities or jurisdictions. The code itself is meant to be the ultimate arbiter of “the deal” it represents. But of course, that’s an idealist (crypto-anarchist) perspective. Even before the attack, several lawyers raised concerns that The DAO overstepped its crowdfunding mandate and ran afoul of securities laws in several countries. Lawyers also pointed to its creators as potentially liable for any problems that may occur, and several expressed concern that token holders of The DAO were accepting responsibility they were likely unaware of. The DAO exists in a gray area of law and regulation.
Because the child DAO has the same structure, limitations, and vulnerabilities as the parent DAO …
- The ether in this newly created child DAO can’t be accessed for 28 days, as that is the initial funding period.
- Everyone can see the Ether in this child DAO — any attempts to cash it in will trigger alarms and investigations. It could be that the attacker will never get to cash or spend a single Ether of it.
- It’s entirely possible that the attacker had a large short position on Ether at the time of the attack, which he then cashed out after Ether had been cut roughly in half. The attacker may already have made his money, regardless of the Ether sitting in the child DAO.
- There are things the Ethereum Foundation could do that may be able to nullify the Ether in this DAO. That’s where things get complicated.
The Soft-Fork Proposal
The DAO contains roughly 15 percent of all Ether, so a failure of The DAO has a negative impact on the Ethereum network and its cryptocurrency. It’s worth noting that dozens of startups are working on DAO/governance products, many smart-contracts have similar vulnerabilities, and building complex software using smart contracts is still in its infancy. Everyone involved has a stake in what happens next. All eyes are on The DAO and the Ethereum Foundation, hoping for a resolution that allows the ecosystem to continue to develop as it was before.
To understand what happens next, you will need to understand blockchain basics: a network of nodes puts transactions into blocks and blocks into a single chain that represents the “truth” of what has happened. If two competing transactions happen at about the same time, the network resolves this conflict by choosing one and rejecting the other, so all nodes have the exact same copy of the distributed ledger. The only way to “rewrite history” would be to have at least 51 percent of all nodes agree to such a collusion — something that has never happened in the history of Bitcoin or Ethereum. The goal of a decentralized network is that no one has the power to do that, or the network itself becomes untrustworthy.
On June 17th, Vitalik Buterin of the Ethereum Foundation issued a critical update, saying that the DAO was under attack and that he had worked out a solution:
A software fork has been proposed, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that reduce the balance of an account with code hash0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid …
In this, Buterin specifically states that he isn’t proposing to rewrite any blocks, but just to install a “switch” in the basic Ethereum code that prevents moving any Ether out of the DAO or its children. Effectively, this is a one-time fix (called a “fork”) for a one-time event that seals those Ether into that address for all time. Buterin continued:
Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and Ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.
In other words, a blacklist will be built into the Ethereum code to keep the bad guy from claiming his prize. The hope is that by making it impossible for the attacker to get his funds out, the DAO originators will be able to find a way to recover the funds.
This seemingly innocuous and well-meaning “Deus ex-machina” proposal — which is very likely to be approved by the mining community — has opened a huge can of worms.
Here are the worms …
The Attacker Responds — or, Does He?
I will call the attacker a lone male, even though I have no idea if he is one. What happened next was interesting. In an open letter to The DAO and Ethereum Community, the attacker supposedly claimed that his “reward” was legal and threatened to take legal action against anyone who tried to invalidate his work. Several people pointed out that the cryptographic signature in this message wasn’t valid — it could be fake. But it’s well written and, from a certain point of view, well reasoned: the premise of smart contracts is that they are their own arbiters and that nothing outside the code can “change the rules” of the transaction.
Later, through an intermediary, the attacker claimed that he would put a stop to the organized “theft” of his property by rewarding miners (nodes) who don’t go along with the proposed soft fork, saying:
[S]oon we will have a smart contract to reward miners who oppose the soft fork and mines the transaction. 1 million ether + 100 btc will be shared with miners.
This is clearly a complex dynamic system. These messages from “The Attacker” cannot be verified, so we’ll have to wait and see what happens. Next, I will try to categorize the responses from the community.
This note was posted on The DAO’s web site:
The Hard-Fork Proposal
Another proposal is more aggressive — to ask the miners in this case to completely unwind the theft and return all Ether to The DAO, where it can be redeemed by token holders automatically, thereby ending The DAO. As Stephan Tual puts it in his blog …
By 4pm local time, the consensus was that should a soft fork be deployed within 27 days, the attacker would not be able to retrieve the funds he had stashed into a child DAO. A subsequent hard fork could even return all ether, including the DAO’s ‘extraBalance’ and the stolen funds, back into a smart contract. That smart contract would contain a single function: withdraw().
This would make it possible for everyone who participated in the DAO to withdraw their funds: thanks to the support of the miners, and because nothing had been spent so far, nothing would be lost.
Fabian Vogelsteller explains it this way:
A hard fork would basically put a rule in place where on a specific block either the DAO code gets replaced with a refund contract, and/or the balances of all DAO’s will be moved into a refund contract.
This has the effect of rewriting the rules by which the blockchain executes, which is supposed to be impossible. Should we let that rule slide just this one time, to put the Ethereum project back on track? The Slock.it guys and most DAO tokenholders would be grateful if we did.
The hard fork is looking increasingly likely.
Responses to the Soft-Fork Proposal
Seen on its own, the proposal is reasonable: a one-time fix to a one-time problem. But many people don’t see it that way. You can read the massive response on Reddit, which I will try to summarize:
Trustworthiness of the Network is Sacred
As one person on Reddit put it:
The involvement of the Ethereum foundation in the DAO has been and is a mistake. As I see it Ethereum is supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom, and in order for them to blossom they need a foundation that is strong, and that has integrity in the face of challenges. The hard fork proposal is a compromise that ruins that integrity and signals that projects like the DAO can influence the underlying foundation to their own advantage. To me that is totally unacceptable and is a departure from the principles that drew me to Ethereum.
The hard fork is a valid option, but should be kept for situations which require emergency modifications of the Ethereum protocol itself, and not for projects that run on it. The fact that the Ethereum foundation has been involved in and promoted the DAO project has been an error and it only usurps the trust that people have in Ethereum as a foundational infrastructure for other projects. I hope they will correct this error.
Another one chimed in:
I made a bad contract in the first days ETH was online and lost 2K ETH with it, can I also get it back? Thanks!
Ethereum worked exactly as intended. I don’t believe software should be updated when it works exactly as intended.
You assume the risks of your investment. If you don’t understand your investment, you assume unknown risk. Anything else is a bailout by a central authority, i.e. the antithesis of the crypto world.
In a related way, this is why Lehman Brothers was allowed to fail — because the deal is the deal, and if you bend the rules for a particular player, all other players will want special treatment, too.
Too Big to Fail
Just a month after Lehman Brothers, other banks did get special treatment, and you can decide for yourself whether that was a good idea — it’s quite analogous to the situation at hand. The DAO is not an island. It is considered “too big to fail” from the point of view of the Ethereum ecosystem. It may be noted that several people from the Ethereum Foundation are DAO token holders and also have advisory positions in The DAO. Even Dr Gavin Wood, one of the original Ethereum founders, supported the fork in a blog post.
In this view, then, it’s possible that some other large projects could need to be rescued and the Ethereum Foundation, having set a precedent once, may once again ask miners to rewrite history. The analogy to the bank bailouts is remarkable: banks were able to take huge risks hoping for huge returns, and when those trades went south, the taxpayers bailed them out (except for poor Lehman Brothers). This risk asymmetry is generally thought of as a bad way to incentivize market participants.
Those are the two extremes, but most people fall into one or the other.
The Long Arm of the Law, Not to Mention the Tax Man
The above discussion assumes we are operating in a vacuum, in crypto-anarchy space, where laws don’t apply. But people have invested real money and real laws can and will apply to this case. In fact, all parties here may have legitimate claims that could take years to settle out in courts around the world.
The Promoters May be at Risk
Even though they took great care to not create securities and make sure people were aware of the risks, they still may be held liable. If the DAO token holders lose most of their $150 million+ investment, a class-action suit against the originators seems likely.
Other DAOs May be at Risk
Some people have taken The DAO smart contract word for word to implement other DAOs. In the case of a hard fork, all of the Ether in any DAO that uses The DAO’s 1.0 smart contracts will forfeit their Ether into a refund address, to be divided among DAO token holders. Thus, DAO token holders could end up getting more than they put in. My understanding is that this doesn’t have to happen, but it could.
DAO Token Holders May be at Risk
As investors, and without the protection of a corporation, all 11,000+ DAO token holders may be seen as general partners in the fund. In that case, the attacker can sue individual DAO token holders in their own home jurisdictions, claiming that they represent the entity that seized his rightful property.
The Exchanges May be at Risk
Not long after the initial funding period, several cryptocurrency exchanges began making markets in DAO Tokens. As part of the chain, anyone who bought DAO Tokens from any exchange may sue the exchange for selling flawed investments. This could go very deep — to the level of securities law violations, or they could simply be liable for the profit they made on the tokens. Given that several exchanges have plenty of cash, they could be among the first targets.
The Ethereum Foundation May be at Risk
The Ethereum Foundation has a lot at stake here. They want the network to be rock solid, to support billions of dollars worth of commerce, and to be “the operating system of the future.” But now they are between a rock and a hard place: if they do nothing, the Ethereum network suffers a setback that could take years to recover from; if they intervene, they set a dangerous precedent that erodes the social contract they set up with their network of independent nodes. They didn’t design the Ethereum network to be the judge and jury in case one or more parties are injured.
Miners and Nodes May be at Risk
The 6,000+ full ethereum nodes may be liable for any forks they vote for. If the attacker can be seen as having acquired his Ether as a result of a “feature” of a smart contract, then he may (and has already threatened to) sue any of the miners that try to take what he feels is rightfully his away from him. He could also sue the Ethereum Foundation if they write the software that implements the fork. On the other hand, DAO token holders could sue nodes that don’t vote for the fork, claiming that they aren’t doing the right thing. On the other hand, people running nodes like money, and they may get money from “the attacker” not to fork. It’s entirely possible that governments will step in here and try to make big changes in the governance of the Ethereum system.
People who Sold their Tokens May be at Risk
After the hack, some people sold their tokens at a loss, just to be rid of them. If the hard fork takes place, the new token holders will make a profit converting to Ether, and those who panicked and sold their tokens will have a loss.
The Attacker May be at Risk
The attacker may already have made a substantial sum via market manipulation — this is illegal in many jurisdictions. He also may have a huge tax liability. There is obviously a tremendous incentive for the community to learn his identity and “out” him. There is probably enough information out there for people to figure out who he is — it may just be a matter of time before they do.
It seems at this point that The DAO will die, and that DAO token holders will get somewhere between 0 and 100% of their Ether back. It’s safe to say that the Slock.it guys have their hands full for a while, they may not get their project funded (I’m told they put quite a bit of their own money into The DAO), and they may be talking with lawyers for months.
The DAO is still subject to another similar attack.
Vitalik can propose an Ethereum-based solution, but the nodes must decide. It’s not clear which of these paths the nodes will take. Many people say that “doing nothing is perhaps the worst option.” It depends which side of various fences you’re on. There are slippery slopes everywhere.
There’s another wrinkle: The Ethereum Foundation is on track to switch to a new consensus mechanism called “proof of stake,” and in that scenario, any entity, like a DAO, who owns 14 percent of all Ether will have tremendous control over the future blockchain. In fact, Vitalik has asked for projects to have a limit of $10 million or so, to help contain the magnitude of unintended errors.
It’s also very likely that there will be law suits. We could see a total mess, with law suits extending for many years. Or we could see a fairly neat and tidy ending, Ethereum goes on, and “the attacker” never surfaces again. Though I would bet five Ether that the attacker will be found within a month or two. Even though the letter and the spirit of smart contracts is that “smart contracts rule,” and the rule of law doesn’t apply — in this case, most people would like to see a do-over. I’m guessing we will see various rules of law apply.
I have tried to stick with the facts, and now I will offer one simple opinion: This situation will resolve itself well if the attacker will simply buy a bunch of Ether, then agree to work with The DAO people to return the money to all token holders and dissolve The DAO completely. The attacker will have made some money, made his point, no lawyers will be involved, we will all have learned a hard lesson, and the Ethereum Foundation can start planning for a safer, more resilient future.
I believe we can say that this event marks the beginning of a new era of Ethereum’s public blockchain. While the agile approach of “ready, fire, aim” generally works best with new software, it can be dangerous when $150 million gets loaded into the chamber. Ethereum was billed as a general-purpose computer and the harbinger of a new decentralized model for computing and for society. We will see, a bit sooner than we may have wanted, how all this plays out in the real world.
Consensys has published an update. Hard fork likely. Please read.
There are several polls of whether people favor the hard fork or not. Here’s a good one that requires sending Ether to vote, which makes it more legitimate.
The DAO, The Fork, The Fallout — A group discussion
A supposed Slack interview with a representative of the hacker
Consensys’ DAO Hack FAQ
A guy named Fabian Vogelsteller wrote a few corrections to this article, most of which are technically sound, but the general gist here is still the same — see it if you care about the details.
Coindesk Summary of June 18th
Wired Article of June 18th
Reddit discussion of Vitalik’s proposal
The Reddit “DAO Heist FAQ”
Preston Byrne on Failing Fast vs Failing Unecessarily
The Legal Aspects of the DAO Hack, by Drew Hinkes
People to Contact
Any experts who want to be named here as media contacts, please email me and I’ll add you.