A Smart Contract That Crashed Shortly After A Promising Take-off


This article takes a critical look at the rise and fall of a Decentralized Autonomous Organization brought down by a cybersecurity weakness in its own code.

A smart contract is a self-executing Ethereum-based contract in which the terms of an agreement between two parties are written directly into lines of code. Smart contracts are the building blocks of Decentralized Autonomous Organizations (DAOs): a set of smart contracts that together act as a governance mechanism.

This article looks into “The DAO Attack”, one of the most infamous incidents involving smart contracts. It tells the story behind the attack, including how it started, why it worked, and its ongoing impact on the blockchain industry.

The DAO Project

"The DAO" was a decentralized autonomous organization developed as open source by the German startup Slock.it, the company behind the smart locks. The project launched on 30 April 2016 and aimed to operate as a venture capital fund in the cryptocurrency space.

The DAO allowed people to exchange Ether for DAO tokens during the project’s creation period. You sent Ether to a specific wallet address and received DAO tokens at a ratio of 1 to 100.

The success of The DAO crowdfunding during the creation period was overwhelming. Over $100 million was raised within 15 days of the creation period, and in total 12.7 million Ether (then worth $150 million) came in from over 11,000 users. This was the largest crowdfunding campaign ever recorded at the time.

How It Works

The idea of the DAO was to put control in the hands of the investors through the following process:

  • The DAO tokens bought by investors during the funding period are pooled.
  • The DAO begins operating, and investors can submit proposals (pitches) to become contractors funded from the pooled DAO funds.
  • Once an investor submits a proposal, a curator picked from trusted Ethereum community members verifies the identity behind the proposal.
  • If the check passes, investors vote on the proposal. If 20% of investors approve it, the DAO automatically releases Ether to the contractor’s smart contract address.

Ether generated by the DAO-funded proposals was to be distributed to participants as rewards. Unfortunately, the DAO’s dream was cut short on 16 June 2016 by the attacker(s), who exploited a loophole in The DAO split function.

The DAO Split Function

The DAO split function was an “exit door” that let minority token holders leave the organization whenever they felt a wrong decision had been made in accepting a proposal. Investors could use the split function to withdraw the Ether they had sent to the DAO.

Splitting from the DAO required the investor to create a Child DAO, a smaller DAO with the same structure and rules as the main DAO. On approval of a special proposal, the investor and any other token holders supporting them would move their Ether into the child DAO.

Problem with the DAO Split Function

The split function was a sound policy that protected minority token holders from the decisions of the majority. However, the function had two weaknesses hiding in its code:

  1. Disordered execution – Once a split was initiated, the program sent the Ether first and updated the caller’s balance afterwards.
  2. Unchecked recursive calls – The code did not guard against re-entrant calls, i.e. the function being called again before its first invocation had finished.

The DAO Exploit

On 18 June 2016, Ethereum community members noticed that the DAO’s ETH balance was steadily going down. Unknown to them, a hacker was recursively calling the split function to withdraw funds multiple times before the DAO could update the balance.

The attacker(s) managed to retrieve a total of 3.6 million Ether (worth $70M then) within hours. The price of ETH dropped from above $20 to below $13 during that period.

The hacker stopped draining the funds in the sixth hour of the attack, in what appeared to be a voluntary halt.

Luckily, the hacker could not access the funds until the 28-day holding period of the child DAO was over. Moreover, everyone could see the ETH sitting in this “child DAO.” A solution had to be developed within the next 27 days.

The Solution

The DAO attack attracted the attention of the whole Ethereum community, since The DAO held about 15% of all ETH. An open letter from the “attacker” addressed to the Ethereum community would later follow to justify their actions.

One line of the letter read, “I have made use of this feature (split function) and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward.” And another, “I am disappointed by those who are characterizing the use of this intentional feature as ‘theft’.”

These developments called for a well-thought-out strategy. With only 27 days left to come up with a solution, the community had three options:

  1. Initiate a soft fork – Collaborate with miners to invalidate any transaction that reduced the funds in the child DAO holding the stolen Ether.
  2. Initiate a hard fork – Rewrite the blockchain’s history to return the stolen ETH to The DAO, from which token holders could redeem it, thereby ending the child DAO.
  3. Do nothing – On the principle that the smart contract is the law, and everything the law allows is legitimate.

Each option had its proponents and opponents. A vote held on 22 June favoured a soft fork. The soft fork, scheduled for activation on 30 June, was abandoned a few hours before release after a team pointed out security flaws it would introduce. The community therefore settled on the hard fork, which was completed on 20 July, with investors receiving their funds back.
