A Fork in the Road

Yesterday morning, the unthinkable happened: “The DAO”, a project instantiated by the community using the DAO Framework 1.0, had been compromised.

The months of hard work and extraordinary goodwill thousands of individuals had poured into building the first large scale Decentralized Autonomous Organization were wiped away in an instant. To me personally, it was unfathomable that we’d have to turn back the clock on an entity designed to give considerable — even transformational — resources to Ethereum based startups and projects.

Those 12 million ETH (valued at over $225 Million at the time of the attack) could have backed hundreds if not thousands of amazing Dapps built by the little guys in a garage with no real access to VC funding, all under the supervision of the people who actually had put skin in the game.

Adding insult to injury, the DAO Framework is a wall-to-wall open source project. The Solidity code pattern the attacker leveraged had been specifically screened against by the top Ethereum experts and by the thousands of pairs of eyes from the community, not just once, but dozens of times, including on the Ethereum Testnet, Morden. Were the opponents of open-source development proven right?

As for our team, having worked pro-bono day and night for 7 months to help bring the DAO to life, this was a slap in the face. Not to mention that for our company as a whole, Friday marked a significant financial loss. The attacker(s), whatever their motive might have been, seemingly had won.

A ray of hope

Yet, hope emerged from a somber morning, First, the odd chat channel. Then the other, then the next. By 1pm UK time, Skype, Telegram, Mumble and Slack were buzzing with the community of Token Holders, experts in the field, the Ethereum Foundation, all major exchanges and even the notorious publicity shy miners and mining pools. The whole community came together to fight the attack.

We saw a strong mobilization, the kind of which I never experienced in crypto before. Competing companies worked together on common solutions. These ecosystem actors realized this was not just an attack on the DAO, but an attack on Ethereum itself. Whether you believe in The DAO’s potential or favor a more centralized model, there is no escaping that The DAO was the Ethereum network’s flagship application, containing 14% of the total ether supply, and that the attack that brought it down was a common design pattern that had just wiped out another dapp, Maker OTC, the week prior.

Choosing a path

By 4pm local time, the consensus was that should a soft fork be deployed within 27 days, the attacker would not be able to retrieve the funds he had stashed into a child DAO. A subsequent hard fork could even return all ether, including the DAO’s ‘extraBalance’ and the stolen funds, back into a smart contract. That smart contract would contain a single function: withdraw().

This would make it possible for everyone who participate in the DAO to withdraw their funds: thanks to the support of the miners, and because nothing had been spent so far, nothing would be lost.

Yesterday, we saw EthCore’s Parity client implement the soft fork approach, while Ethereum Foundation’s Geth followed suit this very morning. We are now sure the attacker will not benefit from the stolen funds, but the ‘hard fork’ returning all ether isn’t confirmed yet. Our CTO Christoph Jentzsch is preparing a detailed description of both approaches which will be published shortly.

Motivations

A brief note on the attacker(s)’ motivation. First, it takes 7 days to set up such an attack, which would put his first commit within 24h of the race to empty security advisory being published. I estimate about 100–200 people in the world have had the necessary exposure to Ethereum and enough mastery of Solidity to pull off such an attack in such a short time frame. This is an exclusive club, and the attacker must have known that while a hard fork might be controversial, a soft fork would be a no brainer, and that they would never enjoy the fruits of their attack directly. They also didn’t do it for the ‘fame’ as no group has taken responsibility for the attack.

So, two options: a) they played the markets, and thought it would be worth executing a high risk attack and crash a USD 225m organization in order to net a few hundred thousands out of Poloniex, Bitfinex and Kraken. Or, b) they did it because they radically opposed the concept of the DAO itself and the potential projects it could have backed.

Either way, the attackers hail from a small group that follows security advisories very closely, of which the vast majority are our trusted friends, work colleagues and advisors are part of. I’m personally convinced at least one of us must have bumped into the attacker at a conference or meetup in the past.

And no, the attacker is not that troll with the amusing pastebin making the rounds (no proof of key ownership).

Word to the wise: these attackers would do well to understand that all exchanges are currently cross referencing shorts information from the last 2 weeks, which mean they could very well be traced and prosecuted.

In fact, I’m very confident the perpetrators will be identified, in time.

Onwards and Upwards

The DAO didn’t belong to anyone but the DAO Token Holders. Yet, in the last two days we have had many people from outside the community coming together to help and this shows that the project is important to the ecosystem, and that the ecosystem will help its own.

If the powers that be allow the hard fork to go through (read: miners adopt code provided by the major clients which implement this fork), all the funds put in by the DAO Token Holders will make their way back to their rightful owners, ready to be used towards new, exciting Ethereum projects.

This particular DAO journey might be over, but the concept of DAOs lives on. The DAO was a brilliant social experiment. It attracted so many good, smart people, probably some of the most visionary people I’ve ever met. Becoming the largest crowdfunding by far in history, the concept was received unbelievably well.

DAOs are the wikis of the blockchain: elitist ‘experts’ might hate them, sneering at them and cackling when something goes wrong. Still, inexorably, the future of the Internet is being built around blockchains, with or without the experts’ permission. Stacks, beware.

No entity, attacker or event will destroy the concept of collaboration, decentralization and the wisdom of the crowd. As for ourselves, as a company, our enthusiasm for the Universal Sharing Network and Ethereum Computer is higher than ever. How these two projects will come to life is something we will be looking into in the coming weeks, but for now we are dedicated to helping the DAO Token Holders receive their stolen ether back.

About the Author

Stephan Tual is the Founder and COO of Slock.it.

Previously CCO for the Ethereum project, Stephan has three startups under his belt and brings 20 years of enterprise IT experience to theSlock.it project. Before discovering the Blockchain, Stephan held CTO positions at leading data analytics companies in London with clients including VISA Europe and BP.

His current focus is on the intersection of blockchain technology and embedded hardware, where autonomous agents can transact as part of an optimal “Economy of Things”.