The DAO: When immutability is inconvenient, mutability is the choice (Article 19):

One of the biggest failures of decentralized technologies taught developers about the importance of strengthening smart contracts and DeFi.

Al_ref
Decentralized Innovations
7 min read · Aug 5, 2022


The biggest and most widely known blockchain hack was the hack of The DAO: its rise and fall shook the decentralised community to its core. Yet, while it caused much distress among decentralisation enthusiasts, it ultimately led to much-needed improvements in the operation of DAOs and DeFi.

The Launch:

The idea of DAOs emerged shortly after the conception of Bitcoin, but development only began after Ethereum came to life. In the early days of Ethereum in 2015, a blockchain company called Slock.it and an Ethereum protocol engineer named Christoph Jentzsch released open-source code for a framework for a collective ETH-investment organization. Ethereum developers and ETH holders supported this idea, and shortly after, “The DAO” was born.

The initial launch occurred on April 30th, 2016. The DAO presented itself as a cryptocurrency venture capital firm that would run a fundraising period of 28 days, during which The DAO gave investors 100 DAO tokens for each ETH raised. After the end of the fundraiser, or DAO token sale, the plan was for start-ups to submit pitches to The DAO community, after which investors would vote on which projects would receive funds. Later, investors would reap the profits from the successful projects.

The first phase of this plan was completed successfully: in less than 3 weeks, The DAO managed to raise 12M ETH, worth over $150M, from more than 11,000 investors, making it one of the earliest, biggest and most successful crowdfunding campaigns on the Ethereum blockchain. By the end of the token sale period, some estimated that up to 20,000 investors had trusted The DAO with their ETH, with a peak locked value of over $250M.

However, the success did not last long, and chaos would strike before the later phases of The DAO’s plan could be realised. Already during the token sale, some computer scientists raised concerns about a bug in the smart contract of The DAO’s wallet: a potential exploit that could be used to drain funds. Over the following months, The DAO programmers worked on fixing the bugs in The DAO code, including this fund-draining bug. Unfortunately, they were not fast enough.

The Fall:

While The DAO programmers were working on bug fixes, an attacker exploited the draining bug, and more than $60 million worth of ETH was drained from the wallet’s smart contract. This happened less than three months after the launch. At that point in time, Ethereum was only one year old, and The DAO was its most important application, so this attack upset the entire community and threatened the existence of Ethereum.

Users debated furiously how to respond to this attack, as it threatened not just the future of Ethereum but arguably second-generation blockchains altogether. This attack also, in a sense, reassured the developers behind Bitcoin in their decision not to upgrade to a second-generation blockchain, as the DAO incident demonstrated the real dangers of code bugs and how they can harm a blockchain and its users.

To prove the viability of second-generation blockchains, Ethereum had to show it could survive such an incident. The survival of The DAO was not a requirement, but the return of the stolen ETH was. A solution was urgently needed, as The DAO had raised about 14% of the total ETH in circulation at the time, and about 20,000 Ethereum users were affected.

The Solution:

The problem was so big that Ethereum founder Vitalik Buterin became involved and even exerted his influence in deciding on a solution that would preserve the integrity of the community and reward the ethical behaviour of the participants.

Initially, a soft fork was proposed to blacklist the attacker and return the funds to the investors. Forks will be covered in a later article, but a “soft fork” can be compared to an update for software, while a “hard fork” is comparable to a new version of software, or even an entirely new piece of software.

Someone claiming to be the attacker threatened legal action against any attempt to seize the ETH obtained in the attack, arguing that it had been obtained legally because none of the rules encoded in The DAO’s smart contract had been violated.

Tension rose between the attacker and the solution-seekers on the network. While Ethereum and The DAO developers worked on obtaining consensus for a soft fork, the attacker threatened to obstruct any consensus by bribing Ethereum miners with stolen funds, as well as bitcoins, to vote against the proposed soft fork. Because the soft fork had to be implemented quickly, its code was bug-prone, and a bug was indeed discovered that made the solution vulnerable to attacks. As a result, a further solution, a hard fork, was proposed, discussed, and eventually executed. With this hard fork, it would be possible to roll back the blockchain to the point before the attack occurred, effectively erasing the history of the theft.

The solution of using a hard fork was a very controversial decision, as it goes against the morals and philosophy of blockchains; it must be remembered that one of the main selling points of blockchains is that they are supposed to be immutable and resistant to censorship. Although Vitalik Buterin made it clear that theft of funds could not be tolerated, and proposed and backed the hard fork, he and the Ethereum developers did not have the power to execute it. The network needed to reach consensus first. Heated debate continued until a majority adopted the hard fork on July 20th, 2016, at block 192,000. This move momentarily deprived the blockchain of its immutability.

The Outcome:

Not everyone was on board with the hard fork, with many arguing that a fork would shake trust in the blockchain. These users, instead of moving to the fork, continued building on the original Ethereum blockchain, which was then given the name Ethereum Classic, with the ticker ETC. So the current Ethereum blockchain is not the original one, and its initial users, miners and developers all agreed to go against blockchains’ philosophy.

The forked Ethereum blockchain still included The DAO, but the funds were returned to another smart contract that was accessible to The DAO’s team, and investors got their ETH back. Also, since the forked chain, Ethereum, was an identical copy of Ethereum Classic up to the fork, it contained the same number of coins: the original 82M ETH were effectively duplicated, producing 82M ETH and 82M ETC.

The attacker still had the stolen funds, but in ETC. And since Ethereum Classic had neither the majority of the network nodes nor the support of Vitalik or the Ethereum developers, its value dropped significantly; however, the attacker’s coins still held a value of $8.5M at the time.

The DAO’s implementation was very fragile, and the attack was the beginning of its end. Shortly after the attack, crypto exchanges started delisting the DAO token, leading to The DAO’s death. The quick rise and fall highlighted the risk attached to virtual organizations like The DAO, which led the United States Securities and Exchange Commission (SEC) to decide that virtual organisations need to follow the same regulatory rules as regular companies, and that their Initial Coin Offerings (ICOs) need to follow the same rules and carry the same responsibilities as Initial Public Offerings (IPOs) of stock. ICOs will be covered in a future article.

The Lessons:

Although The DAO became synonymous with massive failure, its downfall provided valuable lessons that accelerated the progress and improvement of smart contracts, DAOs and ICOs, while shedding new light on blockchains and decentralization.

The fact that Ethereum went against a core value of blockchains, immutability, and still survived, and is today thriving as one of the main pillars of the blockchain space, demonstrates that decentralization and consensus trump immutability. In the end, blockchains are about communities and individuals coming together for their collective benefit.

The DAO code was developed to be the standard that all other DAOs could build upon, but unfortunately it was not robust enough to survive its first test. The attack on The DAO stressed the need for rigorous code review and testing before deployment, and this has become standard practice since the incident.

The SEC’s conclusion that The DAO and its investors had violated federal securities law also encouraged other DAOs and ICOs to investigate and follow the legal pathways available to them in order to avoid such violations in the future. Thus, there is now increased awareness among both regulators of the crypto space and developers regarding the proper way of bootstrapping their projects.

The most important lesson learned from the rise and fall of The DAO is exactly the same lesson that has emerged from all other Bitcoin hiccups, namely the importance of having a good foundation for the blockchain and a decentralized, vigilant, and supportive community that works not just for personal but also for collective benefit.
