A smart contract is a self-executing Ethereum-based contract with the conditions of an agreement between two parties directly written into computer lines of code. Smart contracts are the building blocks of Distributed Autonomous Organizations (DAO) – a set of smart contracts existing as a governance mechanism.
This article looks into “The DAO Attack” – One of the most infamous incidences involving smart contracts. It uncovers the story behind the attack including details of how it started, why, and its ongoing impact on the blockchain industry.
“The DAO” was a decentralized autonomous organization developed as open-source by a German startup Slock.it — the company behind the smart locks. The project was launched on 30th April 2016 and aimed at operating as a venture capital fund for the cryptocurrencies.
The DAO allowed people to exchange Ether for DAO tokens during the project’s creation period. You could send Ether on a specific wallet address and receive DAO on a scale of 1-100.
For whatever reason, the success of The DAO crowdfunding during the creation period was overwhelming. Over $100 million was raised within 15 days of the creation period and a total of 12.7 million Ether (then $150) from over 11k passionate user making. This was the biggest crowdfunding ever recorded.
The idea of the DAO was to give control to the investors through:
Ethers generated from the DAO-funded proposals were distributed to participating nodes as rewards. Unfortunately, the DAO’s dream was cut short on 16 June 2016 by the attacker(s) who exploited a loophole in The DAO split function.
The DAO split function was an “exit door” for minority users to leave the organization whenever they felt wrong decisions were made in accepting a proposal. Investors could use the split function to reverse Ether sent to the DAO.
Splitting from the DAO required that the investor creates a Child DAO – A minor DAO with the same structure and policies like the main DAO. On approval of a special proposal, an investor and other token holders supporting them would send their Ether into the child DAO.
The split function was a good policy that protected minority token holders from decisions of the majority token holders. However, the function had two weaknesses hiding in its code:
On 18 June 2016, Ethereum community members noticed an abnormality where the ETH balance of the DAO was going down. Unknown to them, a hacker was recursively calling the split function to retrieve funds multiple times before the DAO could update the balance.
The attacker(s) managed to retrieve a total of 3.6 million Ether (worth $70M then) within hours. The price of ETH dropped from above $20 to below $13 during that period.
The hacker stopped draining the funds at the sixth hour of the attack in what appeared as a voluntary withdrawal.
Luckily, the hacker could not access the funds until the 28 days of initial funding were over. Besides, every user could see the ETH in this “child DAO.” A solution needed to be developed in the next 27 days.
The DAO attack attracted the attention of the Ethereum community since it contained about 15% of all ETH. An open letter from the “attacker” addressed to the Ethereum community would later follow to justify their deeds.
A line on the letter read, “I have made use of this feature (split function) and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward.” And another, “I am disappointed by those who are characterizing the use of this intentional feature as ‘theft’.”
These developments called for a great strategy to solve the problem. With only 27 days left to come up with a solution, the community had three options.
These options got equal opponents and proponents. Voting was done on 22 June where the majority went for a soft-fork. The exercise that was to be activated on 30 June could however be discarded a few hours before release after a team pointed security flaws it could pose. The team, therefore, settled on the hard-fork which was completed on 20 July with investors receiving back their funds.
#security #blockchain #fintech #cyber attack #dao