Thoughts on The DAO Hack

We just lived through the nightmare scenario we were worried about as we called for a moratorium on The DAO: someone exploited a weakness in the code of The DAO to empty out more than 2M ($40M USD) ether.

The exploit seems to have targeted the reentrancy problem in the 'splitDAO' function. The reentrancy problem is related to but distinct from the unchecked-send problem that was discussed on this blog yesterday. Both problems are well-known, identified by Least Authority's audit of the Ethereum virtual machine as problems that can affect applications, as well as Peter Vessenes's recent blog post. In essence, a call that looks like a regular call can easily be turned into a recursive call, and unless the application is coded very carefully, it can be used to make multiple withdrawals when only one should be allowed. It looks like the attacker took advantage of it to withdraw substantial sums.

My immediate reactions to this hack are as follows.

What's a Hack When You Don't Have a Spec? First of all, I'm not even sure that this qualifies as a hack. To label something as a hack or a bug or unwanted behavior, we need to have a specification of the wanted behavior. We had no such specification for The DAO. There is no independent specification for what The DAO is supposed to implement. Heck, there are hardly any comments in The DAO code that document what the developers may have been thinking at the time they wrote the code. The "code was its own documentation," as people say. It was its own fine print. The hacker read the fine print better than most, better than the developers themselves. Had the attacker lost money by mistake, I am sure the devs would have had no difficulty appropriating his funds and saying "this is what happens in the brave new world of programmatic money flows." When he instead emptied out coins from The DAO, the only consistent response is to call it a job well done.

No Safe Haven Right Now You might think that, faced with an attacker on The DAO, you could just take your funds and be safe. But this is not the case here. The DAO devs decided to make it difficult to take funds out of The DAO. So they did not give people the option to "just take funds out." Instead, a DAO investor gets to create a new "child DAO" and move her funds into the child and keep them there for 27 days -- there is no direct withdrawal. The problem is that the child DAO is exactly the same code as the parent, and has the exact same vulnerability. Converting the child back to ether takes another 34 days; replacing the child DAO with an upgraded contract takes a minimum of 7 days. So, the attacker, if he so chose, could stalk people into their children DAOs, and drain them before they got a chance to upgrade their contracts. I don't think he'll do this: if he rose to this level of obnoxiousness, he'd certainly invoke specific censure.

Moving Funds Has A Cost The DAO was not designed to have an easy "update" function. In particular, at this moment, there seems to be no way to take The DAO from its current state, and reinstate it into a newer contract code, keeping its internal state intact. The "extraBalance" account, in particular, is not transferable through "newContract" upgrades. This means that the extraBalance amount, a few million dollars worth, is a writeoff.

The DAO Experiment is Over Practically, this should mark the end of The DAO. The SlockIt folks should work hard to dismantle the fund and return the coins back to the investors in as orderly a fashion as possible.

Is Ethereum/Solidity Suitable for Secure Smart Contracts? It's clear that writing a robust, secure smart contract requires extreme amounts of diligence. It's more similar to writing code for a nuclear power reactor, than to writing loose web code. Yet the current Solidity language and underlying EVM seems designed more for the latter. Some misfeatures are: A good language for writing state machines would ensure that there are no states from which it is impossible to recover.

A good language for writing state machines would make it painfully clear when state transitions can and cannot happen.

A good language for maintaining state machines would provide features for upgrading the security of a live contract.

A good language for writing secure code would make it clear that there are no implicit actions, that code executes plainly, as read. The current language does not fulfill any of these commandments, and in fact, the last one, involving implicit recursive calls, is what did The Dao in. The SlockIt team even had the designer and implementor of Solidity perform a review of their code. If he cannot get something like The DAO to be secure, no one can. A re-think seems called for.

Copycat Attacks The main worry right now involves copycat attacks. Others can learn from this attack and launch the exact same one.

Stopping the Attacker The big unknown is how the ethereum community will react. On the one hand, rolling back the ethereu...

The value of the digital currency Ethereum has dropped dramatically amid an apparent huge attack targeting an organisation with huge holdings of the currency.

The price per unit dropped to $15 from record highs of $21.50 in hours, with millions of units of the digital currency worth as much as $50 million stolen at post-theft valuations.

At a pre-theft valuation, it works out as a staggering $79.6 million.

Ethereum developers have proposed a fix that they hope will neutralise the attacker and prevent the stolen funds from being spent.

The core Ethereum codebase does not appear to be compromised.

Ethereum is a decentralised currency like bitcoin, but it is built in such a way that it also allows for decentralised organisations to be built on top of its blockchain (the public ledger of transactions) and for smart contracts that can execute themselves automatically if certain conditions are met.

One of these organisations is the DAO, the Decentralised Autonomous Organisation, which controls tens of millions of dollars’ worth of the digital currency. (The bitcoin news site CoinDesk has a good feature explaining more about how the DAO operates.) The DAO is sitting on 7.9 million units, known as ether, of the currency worth $132.7 million

.

Early Friday morning, it appears to have been hit with a devastating attack, with unidentified attackers appearing to exploit a software vulnerability and draining drain millions of ether — with a theoretical value in the tens of millions of dollars.

One ether wallet identified by community members as a recipient of the apparently stolen funds holds more than 3.5 million ether. At an exchange rate of about $14 a unit, that works out at $47 million. At $21.50, the value of ether before the hack, it’s significantly more — $79.6 million.

The price may well drop further as the US wakes up and news of the hack spreads.

The community has been working to come up with a solution to the theft, which has continued over a period of hours. One solution proposed was to “roll back” Ethereum several hours to before the attack — essentially restoring a backup of the digital currency and erasing any recent payments. But there is significant resistance to this idea.

“You can’t rollback and drag the whole of Ethereum into this mess,” one community member said in Slack. “The fault is entirely with The DAO and not Ethereum, let the DAO sink and have done with it. Ethereum will recover, there’s nothing wrong with Ethereum.”

Vitalik Buterin, the founder of Ethereum, is proposing a “soft fork” that will prevent the attacker from being able to make valid transactions, effectively freezing the funds. The stolen funds are locked in a “Child DAO” and are unable to be moved for another 27 days, Buterin says — giving the community time to debate and adopt a potential solution. “This will later be followed up by a hard fork which will give token holders the ability to recover their ether,” Buterin writes. (This solution would not involve any “rollback” or negating any transactions.)

The decentralised nature of the DAO — and of Ethereum and digital currencies more generally — means there is no central authority that can simply flip a switch and make changes. Decisions have to be reached by community consensus.

The Ethereum Foundation, a nonprofit that helps guide the digital currency, is calling on digital exchanges to temporarily halt withdrawals in light of the attack. Kraken has complied, writing on its website: “This does not appear to affect Kraken but, out of an abundance of caution, and at the request of the Foundation, we have temporarily paused withdrawals in order to prevent any ether stolen from The DAO from flowing through Kraken.”

The value of Ethereum relative to the US dollar has plummeted over the past few hours, according to data from CryptoCompare. At the same time, the volume of transactions in Ethereum has spiked, indicating panic selling.

CryptoCompare The top graph shows the value of ether in US dollars, while the second shows the volume of transactions on the network over time.

The news comes after a recent boom for Ethereum (as well as its sister digital currency bitcoin). It only recently passed $20 an ether in a first for the network.

The apparent exploit used by the attackers was documented earlier this month. “Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and were not very, very careful,” Peter Vessenes wrote in a blog post on June 9. It looks as if we’re now seeing this in action.

There is no indication as to who is behind the attack.

Business Insider Emails & Alerts Site highlights each day to your inbox. Email Address Join

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram....

Sometime in the wee hours Friday, a thief made off with $50 million of virtual currency.

The victims are investors in a strange fund called the DAO, or Decentralized Autonomous Organization, who poured more than $150 million of a bitcoin-style currency called Ether into the project.

Code was supposed to eliminate the need to trust humans. But humans, it turns out, are tough to take out of the equation.

The people who created the DAO saw it as a decentralized investment fund. Instead of leaving decisions to a few partners, anyone who invested would have a say in which companies to fund. The more you contributed, the more weight your vote carried. And the distributed structure meant no one could run off with the money.

That was the plan, anyway.

The DAO is built on Ethereum, a system designed for building decentralized applications. Its creators hoped to prove you can build a more democratic financial institution, one without centralized control or human fallibility. Instead, the DAO led to a heist that raises philosophical questions about the viability of such systems. Code was supposed to eliminate the need to trust humans. But humans, it turns out, are tough to take out of the equation.

A Never-Ending ATM

DAO developers and Ethereum enthusiasts are trying to figure out how they might reverse the theft. The good news is that time is on their side. The thief transferred the stolen funds into a clone of the DAO that likely includes code that, as in the original system, delays payouts for a few weeks.

Stephan Tual, the COO of Slock.it, the company that built the DAO, says the thief probably never expected to be able to spend the ether. Each unit of ether is unique and traceable. If the hacker tries to sell any of the stolen ether in a cryptocurrency market, the system will flag it.

"It's like stealing the Mona Lisa," he says. "Great, congratulations, but what do you do with it? You can't sell it, it's too big to be sold."

The DAO is a piece of software known as a "smart contract"–essentially an agreement that enforces itself via code rather than courts. But like all software, smart contracts do exactly what their makers program them to do—and sometimes those programs have unintended consequences.

It's not clear yet exactly how the hack worked, says Andrew Miller, a PhD student at the University of Maryland who studies smart contracts and helped audit Ethereum's code last year. But he says the attacker probably exploited a programming mistake that's exceedingly common in smart contracts.

Let's say you have $50 in the bank and you want to withdraw that from an ATM. You insert your card, punch in your PIN number and then request that $50. Before the machine spits out the cash it will check your balance. Once it spits out the cash, it will debit $50 from that balance. Then the machine asks you if you'd like to process another transaction. You tap "yes" and try to take $50 again. But the ATM sees that your balance is now $0 and refuses. It asks you again if you want to process another transaction, so this time you say "no." Your session ends.

Now imagine that the ATM didn't record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn't want to process any more transactions—or the machine ran out of money.

The DAO hacker was probably able to run a transaction that automatically repeated itself over and over again before the system checked the balance, Miller says. That would allow anyone to pull far more money out of the fund than they put in.

The programming language that Ethereum developers use to write smart contracts, Solidity, makes it really easy to make this sort of mistake, says Emin Gun Sirer, a Cornell University computer scientist who co-authored a paper earlier this year pointing out a number of potential pitfalls in the DAO's design. Others have previously spotted places in the DAO code that would have made such a theft possible. Sirer says the DAO developers have tried to be vigilant about preventing such flaws, but because it's such an easy mistake to make, it's not surprising that instances of the bug escaped notice.

All Too Human

As bad as the bug was, Sirer still thinks that both the DAO and Ethereum are worthwhile experiments. The DAO helped raise awareness of the idea of smart contracts, which Sirer thinks will eventually become extremely important to how the world conducts transactions. The project has also called attention to some of the biggest technical challenges.

"This is a rite of passage for the project," he says.

The Ethereum team is now debating how, and whether, to refund the stolen funds. Ethereum works much like Bitcoin does: the system records each transaction in a global ledger that resides on every Ethereum user's computer. The Ethereum team could release a new version of the software that tweaks this ledger to essentially reverse all of the DAO heist transactions. If enough people installed this ver...

Analysis of the DAO exploit

Phil Daian

So I'm sure everyone has heard about the big news surrounding the DAO getting taken to the tune of $150M by a hacker using the recursive Ethereum send exploit.

This post will be the first in what is potentially a series, deconstructing and explaining what went wrong at the technical level while providing a timeline tracing the actions of the attacker back through the blockchain. This first post will focus on how exactly the attacker stole all the money in the DAO.

A Multi-Stage Attack This exploit in the DAO is clearly not trivial; the exact programming pattern that made the DAO vulnerable was not only known, but fixed by the DAO creators themselves in an earlier intended update to the framework's code. Ironically, as they were writing their blog posts and claiming victory, the hacker was preparing and deploying an exploit that targeted the same function they had just fixed to drain the DAO of all its funds. Let's get into the overview of the attack. The attacker was analyzing DAO.sol, and noticed that the 'splitDAO' function was vulnerable to the recursive send pattern we've described above: this function updates user balances and totals at the end, so if we can get any of the function calls before this happens to call splitDAO again, we get the infinite recursion that can be used to move as many funds as we want (code comments are marked with XXXXX, you may have to scroll to see em): function splitDAO ( uint _proposalID , address _newCurator ) noEther onlyTokenholders returns ( bool _success ) { ... uint fundsToBeMoved = ( balances [ msg . sender ] * p . splitData [ 0 ]. splitBalance ) / p . splitData [ 0 ]. totalSupply ; if ( p . splitData [ 0 ]. newDAO . createTokenProxy . value ( fundsToBeMoved )( msg . sender ) == false ) throw ; ... Transfer ( msg . sender , 0 , balances [ msg . sender ]); withdrawRewardFor ( msg . sender ); totalSupply -= balances [ msg . sender ]; balances [ msg . sender ] = 0 ; paidOut [ msg . sender ] = 0 ; return true ; } The basic idea is this: propose a split. Execute the split. When the DAO goes to withdraw your reward, call the function to execute a split before that withdrawal finishes. The function will start running without updating your balance, and the line we marked above as "the attacker wants to run more than once" will run more than once. What does that do? Well, the source code is in TokenCreation.sol, and it transfers tokens from the parent DAO to the child DAO. Basically the attacker is using this to transfer more tokens than they should be able to into their child DAO. How does the DAO decide how many tokens to move? Using the balances array of course: uint fundsToBeMoved = ( balances [ msg . sender ] * p . splitData [ 0 ]. splitBalance ) / p . splitData [ 0 ]. totalSupply ; Because p.splitData[0] is going to be the same every time the attacker calls this function (it's a property of the proposal p, not the general state of the DAO), and because the attacker can call this function from withdrawRewardFor before the balances array is updated, the attacker can get this code to run arbitrarily many times using the described attack, with fundsToBeMoved coming out to the same value each time. The first thing the attacker needed to do to pave the way for his successful exploit was to have the withdraw function for the DAO, which was vulnerable to the critical recursive send exploit, actually run. Let's look at what's required to make that happen in code (from DAO.sol): function withdrawRewardFor ( address _account ) noEther internal returns ( bool _success ) { if (( balanceOf ( _account ) * rewardAccount . accumulatedInput ()) / totalSupply < paidOut [ _account ]) throw ; uint reward = ( balanceOf ( _account ) * rewardAccount . accumulatedInput ()) / totalSupply - paidOut [ _account ]; if ( ! rewardAccount . payOut ( _account , reward )) throw ; paidOut [ _account ] += reward ; return true ; } If the hacker could get the first if statement to evaluate to false, the statement marked vulnerable would run. When that statements runs, code that looks like this would be called: function payOut ( address _recipient , uint _amount ) returns ( bool ) { if ( msg . sender != owner || msg . value > 0 || ( payOwnerOnly && _recipient != owner )) throw ; if ( _recipient . call . value ( _amount )()) { PayOut ( _recipient , _amount ); return true ; } else { return false ; } Notice how the marked line is exactly the vulnerable code mentioned in the description of the exploit we linked! That line would then send a message from the DAO's contract to "_recipient" (the attacker). "_recipient" would of course contain a default function, that would call splitDAO again with the same parameters as the initial call from the attacker. Remember that because this is all happening from inside withdrawFor from inside splitDAO, the code updating the balances in splitDAO hasn't run. So the split will send more tokens to the child DAO, and then ask for the reward ...

The recent debacle surrounding The DAO has shed an interesting spotlight on smart contract technology. Since individual developers wrote the entire concept of this project, it looks like smart contracts are not completely trustless. There is still a lot of work to be done before this technology is ready for mainstream adoption.

Not everyone is capable of – or interested in – writing smart contracts. A steep learning curve is associated with this concept, even though it is accessible to everyone who wants to take the plunge. A smart contract can be a powerful tool, but as The DAO has shown, it can cause a lot of harm as well

Premature Smart Contract Deployment?

This is one of the drawbacks blockchain-based solutions have at this time: hardly anyone fully understands the technology. While there is nothing wrong with getting excited about innovative concepts, not realizing the consequences of implementing technology is dangerous. There is a valuable lesson to be learned from what happened to The DAO but is could be a costly one.

When it comes to writing secure smart contracts, there is still a lot to be done. Cobbling together a smart contract, so that it works is not the same as creating a trustless implementation of technology. In most cases, these innovations sound exciting on paper, but it is only a matter of time until the reality takes effect.

Cornell Professor Emin Gun Sirer stated on Twitter:

Writing secure smart contracts is closer to writing nuclear reactor code than loose web code. Solidity/EVM target the latter. — Emin Gün Sirer (@el33th4xor) June 17, 2016

Ethereum enthusiasts may disagree with that statement, albeit there is some truth in it. Solidity and EVM make smart contracts available to every developer out there, regardless of experience. This is a good way to boost innovation in the smart contract space, but may not yield the best results in the initial stages.

Looking Towards The Future

The DAO debacle puts an interesting spotlight on this technology overall. Many people pointed out the project’s concept was not properly tested and rushed. Unfortunately, it appeared the critics were right. But that does not mean smart contracts have no place in the future of our society either. Enthusiasts and developers need to take the time to review what happened, and learn from the mistakes that were made.

Source: Twitter

Header image courtesy of Shutterstock...

Oops. Ethereum's first Decentralized Autonomous Organization, The DAO, has lost money - lots of it. To be specific, it has lost the equivalent of about US$ 60m. This is not because it is a duff idea and no-one can be bothered with it (though that might also be true). No, this was deliberate draining of funds by someone who spotted a loophole in the DAO’s “smart contract” and exploited it.

Admittedly, the loss is entirely in Ethereum's native cryptocurrency "ether", so you might be forgiven for thinking it is funny money and doesn’t really matter. But to DAO investors, the loss is real, and they are understandably upset. And Ethereum itself has suffered something of a credibility blow.

So what exactly happened? I’m reluctant to quote anything written by Ethereum developers, since they tend to use highly technical language, but this by Ethereum’s wunderkind Vitalik Buterin while the attack was in progress is reasonably clear:

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

For the geeks among you, Phil Daian at Hacking, Distributed has an excellent dissection of exactly how this worked. For ordinary mortals, all you need to know is that the DAO’s attacker created a “child” DAO, then drained the DAO’s funds into the child.

And this is where it all becomes unintentionally funny. There is absolutely nothing new about draining corporate funds into a new company. Embezzlers the world over have been doing this for centuries. In the real world, it is illegal. But in the DAO’s case, it isn’t. The DAO’s “smart contract” allows it.

In the DAO’s smart contract, there is absolutely nothing wrong with creating a child DAO. Indeed, it was set up to encourage creation of child DAOs. That’s how the DAO project aimed to take over the world. So the “split” function which enables child creation is a feature, not a bug.

And of course, anyone with an ether balance can remove their funds if they choose. That again is not a bug, it is a feature. The problem is the combination of the split function with funds withdrawal, as Daian observes:

….even though withdrawReward for was not vulnerable by itself, and even though splitDAO was not vulnerable without withdrawRewardFor, the combination proves deadly. This is probably why this exploit was missed in review so many times by so many different people: reviewers tend to review functions one at a time, and assume that calls to secure subroutines will operate securely and as intended.

(Somewhere in the two decades since I was a software programmer, coders forgot about defensive programming and exception testing. However, I digress.)

But the point is that the DAO’s smart contract as currently coded ALLOWS this deadly combination. And the smart contract is the DAO’s sole legal contract. So embezzlement is legal. It is written into the code.

To be sure, the attacker can’t yet get to the ether he has drained. The child DAO is locked down for 28 days. So the Ethereum community has a bit less than a month to decide what to do.

Now, Ethereum developers are nice people. And the DAO investors have lost a LOT of money. So some developers want the transaction rolled back, restoring the DAO to the state it was in before the attack and wiping out the child DAO. “Let’s not let the attacker get away with the funds,” said Griff Green, one of the developers.

Others (including Buterin) want the funds frozen. A “soft fork” has been proposed which would effectively extend the 28-day lockdown indefinitely.

But the attacker is not having any of it. He has written an open letter to the Ethereum community claiming that since his action was allowed by the code, and the code is the DAO’s legal basis, he is rightfully entitled to the money:

I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of "child DAOs".

And he goes on to threaten real-world legal action if any attempt is made to roll back the transaction or freeze the funds:

I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law….. I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ...

The tragic combination of inevitable bugs and immutable code

Last week witnessed a catastrophic event in the Ethereum ecosystem, when The DAO, a smart contract less than two months old, began rapidly leaking funds to an unknown party. Looking at the current set of Ethereum contracts, filled with casinos and self-declared Ponzi schemes, this might not seem like a big deal. That is, until you learn that over 12 million units of ether, the Ethereum cryptocurrency, had been invested in The DAO by almost 20,000 people. That’s around 15% of all the ether in existence, valued at over $250 million on June 17th.

Two days later, The DAO’s assets dipped below $100 million. Two things contributed to this precipitous fall. First, a third of its funds (as denominated in ether) had already been taken. And second, the resulting panic sent the market price of ether crashing down from its peak of over $21 to a more sobering $10.67. (At the time of publication, the price had recovered to around $14.) This second effect was a natural consequence of the first, since much of ether’s recent increase in value was driven by people buying it to invest in The DAO.

The DAO had promised to act as a new type of decentralized crowdsourcing vehicle, like Kickstarter or Indiegogo but without the middleman and regulation. It was designed to let participants pool their cryptocurrency, collectively vote on projects looking for funding, then invest and reap the future rewards. Before catastrophe struck, over 100 projects had already been proposed, most of which were related to Ethereum itself. In addition, The DAO allowed participants to withdraw their uninvested funds at any time, positioning itself as a low risk investment.

Ironically, the individual or group which drained The DAO did so by exploiting subtle errors in this withdrawal mechanism. Like all smart contracts in Ethereum, The DAO is just a piece of computer code, which is “immutably” (i.e. permanently and irreversibly) embedded in the blockchain and executed by every node in response to incoming transactions. And like any self-respecting smart contract, The DAO provides full transparency by making its source code easily accessible online. This means that anybody can independently verify its functionality but also, crucially, look for vulnerabilities. And yet, the immutable nature of blockchains prevents any such problems from being fixed.

At the end of May, several critical issues were highlighted on the outstanding Hacking Distributed blog, alongside a call for a moratorium on project proposals for The DAO. This is what we might call the ‘white hat’ approach, in which exploits are reported for the good of the community. Nonetheless nobody seemed too worried, as the problems related to skewed economic incentives rather than a risk of outright theft. Simultaneously, however, it appears that others were poring over The DAO’s code with greater self-interest – namely, to look for a way to make a ton of money. And on June 17th, someone succeeded.

Draining The DAO

In a general sense, the attack arose from the interaction between vulnerabilities in The DAO’s code and other code which was designed to exploit them. You see, when looked at in isolation, The DAO did not contain any obvious mistakes, and indeed it was only released after an extensive security audit. But with the benefit of hindsight and many more eyes, a significant number of errors have since been found.

I won’t provide a full technical description of the exploit’s mechanism here, since others have already published superb and detailed post mortems (see here, here and here). But I will explain one particular vulnerability that was present, because it has been discovered in many other smart contracts and serves as an instructive example.

Let’s say that a smart contract holds funds on behalf of a number of users, and allows those users to withdraw their funds on request. The logic for the process might look something like this:

Wait for a user to request a withdrawal. Check if that user’s balance is sufficient. If so, send the requested quantity to the user’s address. Check that the payment was successful. If so, deduct the quantity from the user’s balance.

This all looks eminently sensible, and rather like an ATM which gives you some cash and deducts the appropriate amount from your bank balance.

So how can this simple process go wrong? Well, it turns out that if an Ethereum address belongs to a contract rather than a regular user, then this contract can run some code in response to receiving funds. And this code can, in turn, trigger other pieces of code on the Ethereum blockchain. Crucially, it can even trigger the same piece of code that caused it to be paid in the first place.

This means that, during step 3 above, the receiving address can send a new request for withdrawal, beginning a new process at step 1 before the previous process has completed. Since the user’s balance is only reduced in step 5, a new withdrawal will...

David Siegel is a blockchain strategist and speaker, founder of Kryptodesign.com and curator of DecentralStation.com, a place to learn about blockchain.

In this piece, Siegal attempts to help journalists understand what happened when The DAO collapsed and why he believes it’s important for the press to get the story right.

The article will be updated on Medium as the situation develops. Disclaimer: Siegal owns a small number of DAO tokens.

The basics

The ethereum network is a network of computers all running the ethereum blockchain. The blockchain allows people to exchange tokens of value, called ether, which is currently the second most popular cryptocurrency behind bitcoin. ethereum also allows people to write and put on the network smart contracts – general-purpose code that executes on every computer in the network (currently over 6,000 computers). People then execute these programs by sending ether to them.

A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control.

Here’s how it works:

A group of people writes the smart contracts (programs) that will run the organization

There is an initial funding period, in which people add funds to the DAO by purchasing tokens that represent ownership – this is called a crowdsale, or an initial coin offering (ICO) – to give it the resources it needs.

When the funding period is over, the DAO begins to operate.

People then can make proposals to the DAO on how to spend the money, and the members who have bought in can vote to approve these proposals.

It’s important to understand that great care has been taken not to make these tokens into equity shares – they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone – it’s just software running on the ethereum network.

The very first DAO is bitcoin itself, which is governed by consensus among its core team and its mining network. All other DAOs have been launched on the ethereum platform.

“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind German startup Slock.it – a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of Airbnb.

The DAO launched on 30th April, 2016, with a 28-day funding window.

For whatever reason, The DAO was popular, raising over $100m by 15th May, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150m from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected.

It can be said that the marketing was better than the execution, for during the crowdsale, several people expressed concerns that the code was vulnerable to attack.

Once the crowdsale was over, there was much discussion of first addressing the vulnerabilities before starting to fund proposals. In particular, Stephan Tual, one of The DAO’s creators, announced on 12th June that a “recursive call bug” had been found in the software but that “no DAO funds [were] at risk”.

At the time, more than 50 project proposals were waiting for The DAO’s token holders to vote on them.

It’s important to reiterate that the ethereum network has no such bugs and has been working perfectly the entire time. All networked systems are vulnerable to various kinds of attacks. The ethereum network, which supports (depending on the price) around $1bn worth of ether, has not been hacked and is continuously executing many other smart contracts.

Everyone who writes a smart contract knows that if it can move a large amount of cash it will be subject to attack. This particular vulnerability was discovered recently in another system, called Maker DAO, and was neutralized quickly because that DAO was still in testing.

Many people feel that testing and certifying smart contracts will be an important part of keeping the ethereum ecosystem safe. You’ll find several smart-contract validation services listed at DecentralStation.com.

The Hack

Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining The DAO of ether collected from the sale of its tokens.

By Saturday, 18th June, the attacker managed to drain more than 3.6m ether into a “child DAO” that has the same structure as The DAO. The price of ether dropped from over $20 to under $13.

Several people made attempts to split The DAO to prevent more ether from being taken, but they couldn’t get the votes necessary in such a short time. Because the designers didn’t expect this much money, all the ether was in a single address (bad idea), and we believe the attacker stopped voluntarily after hearing about the fork proposal (see below). In fact, that attack, or another similar one, could continue at any time....

Blockchains, Smart Contracts and the Law

…unravelling the legal issues surrounding The DAO

Reuben Bramanathan Blocked Unblock Follow Following Jun 24, 2016

The public debate following the spectacular implosion of The DAO is a good reminder of two things: laws are always going to struggle to keep up with the pace of change in the crypto space; and we can’t necessarily rely on the legal system to solve all of our problems.

As The DAO’s ETH was being drained, the legal questions began. Is this theft? Is it a breach of The DAO’s contract? Would a fork of the Ethereum blockchain be a breach of contract? Could the attacker sue the Ethereum developers for breach of contract? What could regulators like the SEC do?

All of these boil down to a more fundamental question: what could the law do to help prevent or fix a problem like The DAO? Of course, laws aren’t the same everywhere. But there are a lot of common concepts, even across different legal systems, that can help us break down the issues.

Is The DAO a corporation?

Modern legal systems are designed to allow organizations, as well as actual, real people, to participate. Most legal systems do this by giving organizations some of the legal powers that real people have — e.g. the power to enter into legal contracts, to sue, and to be sued.

But organizations don’t just automatically get these powers. Usually, the organization has to go through a process called incorporation — the forming of a corporation. Incorporation requires legal documents, registration with the relevant government agency, and, most importantly, the agreement of actual, real people, to form a corporation.

There was no incorporation process for The DAO. The token holders of the DAO did not agree to form a corporation. In fact, they didn’t agree to much at all, as we’ll discuss below.

The DAO is not a corporation. Not being a corporation is one of the main features of a distributed organization — that it does not rely on corporate law in order to function.

OK then, is The DAO a partnership?

In many legal systems, a group of people that isn’t a corporation can still operate a business together as a partnership. A partnership is much easier to form than a corporation — it doesn’t usually require registration or legal documents. It just requires that the people involved jointly own and operate a business together.

The explanation of terms of The DAO specifically states “DAO tokens do not represent or constitute an equity ownership stake, share, or equivalent in ANY public or private company, corporation, or other entity in any jurisdiction.”

Reduced to the most basic level, the only connection that token holders have with each other is that they happened to send ETH to the same smart contract address on the Ethereum blockchain (or bought tokens after their creation), with an expectation that the smart contract code would execute. Nothing in that code gives them an expectation or ownership interest in a business.

Token holders can’t prevent anyone from becoming a token holder. Generally in a partnership, the existing partners can decide whether or not to bring in new partners. Conceptually, it’s hard to imagine that I could be carrying on a business jointly with people all over the world, who I have never met, who can join and leave the business as quickly as their trading algorithm can execute orders on an exchange.

A partnership can be implied by conduct, but that probably isn’t the case here, because The DAO didn’t operate a business. The DAO probably isn’t capable of operating a business (at least not without human help). Even if it did, the token holders probably wouldn’t have an ownership interest in that business.

The DAO is probably not a partnership. Although a number of people have taken the opposite view, the stronger argument is that The DAO is not a partnership, for the reasons above.

The DAO is not a legal entity. There have been a number of comments about the need to ‘wrap’ distributed organizations in some form of legal entity. But this kind of misses the point — because it would constrain distributed organizations to the operational requirements under existing corporate law. If the objective is to develop decentralized, more efficient, and transparent type of organizations, then the technology needs to drive changes in law, not the other way around.

Is The DAO a legal contract?

Smart contracts were initially envisioned as having the potential to replace or supplement legal contracts for some functions. But there’s a persistent myth that smart contracts are inherently legal contracts. This is not true. In fact, the main perceived feature of smart contracts is the ability for code, rather than law, to govern. The concept of code displacing law has been around for some time.

A contract is simply a legally binding agreement. In order for a contract to exist, at least two legal entities have to agree to terms, and there must be a transfer of value between them (consideration).

Everyone who...

Ethereum burst onto the virtual currency scene almost a year ago. It’s similar to bitcoin, but with a key difference. In addition to supporting its own digital currency, ether, it also supports smart contracts, agreements written in computer code that execute automatically when conditions are met.

Though it garnered significant attention from the start, Ethereum’s biggest moment came in April 2016, with a radical experiment called the Distributed Autonomous Organization, or the DAO. Created by German blockchain startup Slock.it, the DAO had an ambitious goal—to build a humanless venture capital firm that would allow the investors to make all the decisions through smart contracts. There would be no leaders, no authorities. Only rules coded by humans, and executed by computer protocols.

Launched on April 30th, it took off like a runaway train. By May 21, it had raised $150 million from roughly 11,000 investors, in what’s considered the biggest crowdfunding effort in history.

For Ethereum, the backbone of the project, it was a major vote of confidence in its nascent technology.

Then it got hacked.

On June 17th, someone started siphoning money out of the DAO. People were watching in real time as the money was stolen—like a live video feed of a bank robbery. By the end, the hacker, who has said that he was simply taking advantage of a technical loophole in the DAO, had amassed $50 million in ether, based on current exchange rates.

While the core developers who designed and run Ethereum didn’t really have anything to do with the DAO, they were left to deal with the mess. The seven of them, led by Vitalik Buterin, decided to hack the hacker.

They managed to stop the theft and move the funds into another smart contract where they currently sit. But that’s only a temporary stopgap: the way the code of DAO was written, there is a question of whether the original hacker can still lay claim to the funds. Fixing this would require more intervention from the core developers.

Whether to do so has created an existential question for Ethereum. One of its underlying tenets is that it’s a decentralized platform, meaning the power lies almost exclusively with all of its users. By stepping in to fix this problem, it would completely undermine that objective. This has led to a heated debate between those who want to return the funds and the “code is king” purists who say that the the power of smart contracts lies in their immutability.

The intervention that’s being weighed is called a “fork.” It’s a decentralized network’s version of a reset button. It would entail rolling back the entire Ethereum network to a previous day. Doing so would basically eliminate the DAO, and move all the money into a smart contract that can only reimburse investors.

The initial proposal was a soft fork. This would entail a majority of the Ethereum miners (those who verify transactions on the network) voting on the roll back. Unfortunately, a security flaw was found in the voting process, which eliminated this option.

That leaves a hard fork, where the core developers of Ethereum unilaterally make the decision to essentially create a new version of the network with different rules than the original. Then, miners, exchanges, and other major apps that are built on it need to decide if they want to a part of the new version of Ethereum or the original. Hence, the idea of a fork.

“The Hard Fork is a delicate topic and the way we see it, no decision is the right one. As this is not a decision that can be made by the foundation or any other single entity, we again turn towards the community to assess its wishes in order to provide the most appropriate protocol change,” Ethereum cofounder Jeffrey Wilcox wrote in a blog post Friday (July 15).

The community seems unanimous—according to Ethereum’s publicly available Github code, a hard fork is tentatively scheduled for July 20.

But, after all this turmoil, several questions remain:

What happens to the banks working on smart contracts?

Ethereum’s greatest promise lies in its ability to offer smart contracts, which are basically small programs, built on its blockchain. Financial institutions believe smart contracts offer a way to cut costs and speed up trading and settlement. Big banks like Citi and J.P. Morgan, along with clearinghouses like the Depository Trust & Clearing Corporation, have been building and testing ways to trade credit default swaps with smart contracts, for instance.

Analysts think smart contracts, if developed sufficiently, could eventually replace lawyers and judges in some cases. “Doing so in principle removes the potential for parties to have a dispute: both parties are held to whatever outcome the smart contract determines,” writes Houman Shadab, a professor at the New York Law School who specializes in the area.

An Ethereum hard fork, however, could be a spanner in the works. If contracts held to be inviolable can effectively be overturned by a collective decision to run new software, w...

The Dao, the Hack, the Soft Fork and the Hard Fork Antonio Madeira 12 Mar 2019

What was the DAO incident?

In this guide we attempt to cover: how and why The DAO was created, how The DAO was exploited, how the soft fork failed miserably, and why everyone was relieved it did so, and how the hard fork led to a split community and the creation of Ethereum Classic.

Part 1: The DAO - Venture Fund Evolution

The Decentralized Autonomous Organization (known as The DAO) was meant to operate like a venture capital fund for the crypto and blockchain space. The lack of a centralized authority reduced costs and in theory provided more control and access to the investors.

At the beginning of May 2016, a few members of the Ethereum community announced the inception of The DAO, which was also known as Genesis DAO. It was built as a smart contract on the Ethereum blockchain. The coding framework was developed open source by the Slock.it team but it was deployed under "The DAO" name by members of the Ethereum community. The DAO had a creation period during which anyone was allowed to send Ether to a special wallet address in exchange for DAO tokens on a 1-100 scale. The creation period was an unforeseen success as it managed to gather 12.7 Ether (worth around $150M at the time), making it the biggest crowdfund ever. At some point, when Ether was trading at $20, the total Ether from The DAO was worth over $250 million.

The DAO was a complex Smart Contract with many features and should have allowed companies to make proposals for funding. Once a proposal was whitelisted by one of the curators, the DAO token holders (aka DAO investors) would then need to vote on the proposal. If the proposal received a 20% quorum - the requested funds would be released into the whitelisted contractor's wallet address. The team of curators that could whitelist addresses was put in place in order to avoid spam proposals and so as to have some human oversight in the automated process. Most of the curators were notable members of the Ethereum community.

In order to allow investors to leave the organization, in case a proposal that they saw as damaging or of poor quality was accepted, The DAO was created with an "exit door" known as the "split function". This function allowed users to reverse the process and to get back the Ether they sent to the DAO. If somebody decided to split from The DAO, they would create their own "Child DAOs" and approve their proposal to send Ether to an address after a period of 28 days. You could also split with multiple DAO token holders and start accepting proposals to the new "Child DAO".

The DAO launch went smoothly and proposals were created and voted on, security issues were raised during the coming weeks, there was a big community call for a moratorium, but it was not implemented and most of the security issues we not addressed fast enough.

Part 2: The Hack

On the 18th of June, members of the Ethereum community noticed that funds were being drained from The DAO and the overall ETH balance of the smart contract was going down. A total of 3.6m Ether (worth around $70M at the time) was drained by the hacker in the first few hours. The attack was possible because of an exploit found in the splitting function. The attacker/s withdrew Ether from The DAO smart contract multiple times using the same DAO Tokens. This was possible due to what is known as a recursive call exploit.

In this exploit, the attacker was able to "ask" the smart contract (DAO) to give the Ether back multiple times before the smart contract could update its own balance. There were two main faults that made this possible: the fact that when the DAO smart contract was created the coders did not take into account the possibility of a recursive call, and the fact that the smart contract first sent the ETH funds and then updated the internal token balance.

It's important to understand that this bug did not come from Ethereum itself, but from this one application that was built on Ethereum. The code written for The DAO had multiple bugs, and the recursive call exploit was one of them. Another way to look at this situation is to compare Ethereum to the internet and any application based on Ethereum to a website: if a website is not working, it doesn't mean that the internet is not working, it simply means that one website has a problem.

The hacker stopped draining The DAO for unknown reasons, even though they could have continued to do so.

The Ethereum community and team quickly took control of the situation and presented multiple proposals to deal with the exploit.

Part 3: The Soft Fork - Good news for everyone!

In order to prevent the hacker from cashing in the Ether from his child DAO after the standard 28 days, a soft-fork was voted on and came very close to being introduced. A few hours before it was set to be released, a few members of the community found a bug with the implementation that opened a denial-of-service attack vector. This soft fork was des...

The History of the DAO and Lessons Learned

Christoph Jentzsch Blocked Unblock Follow Following Aug 24, 2016

There are some things which one can only learn through experience, either one’s own, or that of others. In this post, We would like to offer a better understanding of what we have learned during the last 9 months.

Various people have attempted to tell the story of the DAO, but only observed a small part of it’s history. There is a large amount of false information circulating, we hope that throughout this post, we can offer a clear historical timeline of the DAO and the lessons we have learned in the last 9 months.

The Quest for Autonomy

Slock.it started over a year ago with an ambitious vision: connecting all kind of smart locks to the blockchain, enabling them to receive payments directly and be used to rent, sell or share just about anything. We call this the Universal Sharing Network, and at its core lies the Ethereum Computer, a small home server mediating interactions from legacy locks to the blockchain.

After developing the prototypes, we immediately recognized their potential and, in turn, the need to scale the business in order to build the foundation of a decentralized sharing economy. We presented our vision and the prototypes at devcon1 in London, and received amazing feedback.

When you need funds to grow your company in the cryptospace, doing a token sale is a promising option and in this case would have helped guarantee an initial, decentralized user base for the Ethereum Computer and the Universal Sharing Network.

But after coding up a simple crowdfunding contract, we could not stop ourselves from giving the token holders more power. And with this, the story of the DAO started.

In the beginning, we created a slock.it specific smart contract and gave token holders voting power about what we — slock.it — should do with the funds received.

After further consideration, we gave token holders even more power, by giving them full control over the funds, which would be released only after a successful vote on detailed proposals backed by smart contracts. This was already a few steps beyond the Kickstarter model, but we would have been the only recipient of funds in this narrow slock.it-specific DAO.

We wanted to go even further and create a ‘true’ DAO one that would be the only and direct recipient of the funds, and would represent the creation of an organization similar to a company, with potentially thousands of Founders.

In this truly decentralized and autonomous model which we detailed in a whitepaper, people would create an organization together, and we as Slock.it, would be just one of the many companies that would offer products and services to it. Offers would take the form of Proposals detailed in smart contracts and giving the project even more flexibility.

After getting as much legal advice as we could, we came to the conclusion this model was also superior to token crowdsales in general. Nothing like this had ever happened before though, and therefore all legal advice was just that, advice. But we already believed in the dream of Decentralized Autonomous Organisations and were excited to be part of this revolution.

We made all the code open source so anyone could start one of these DAOs, audit their code and make improvements to their feature set.

The Birth of “The DAO”

In the meantime, a strong community developed in the DAO Slack (~5000 members), a lot of volunteers joined the effort, and the project became increasingly decentralized with different individuals taking different responsibilities.

For the DAO to be truly independent of Slock.it, the default service provider to the DAO would have to be replaced by a set of independent curators. A lot of well known experts from the Ethereum community volunteered to do this job, which gave the project additional traction. Slock.it saw its main responsibility as continuing to help with the development of the DAO framework, alongside many volunteers on github.

After the release of the Framework code version 1.0, multiple DAOs were immediately deployed to the Ethereum Blockchain by several individuals. One address was chosen at random by the community, and the creation of what will be known as “The DAO” began.

During the following 4 weeks the DAO surpassed everyone’s expectations. Day after day, it grew and grew. Its formation period ended with an astonishing ~12M ETH inside the DAO’s smart contract, worth roughly USD 150m at the time.

This was an order of magnitude larger than we or anyone could have expected. With this record breaking amount came a lot of media attention as well as very critical views regarding the governance model of the DAO.

The code of the DAO had been purposely kept very simple, and more complex governance models (such as liquid democracy, futarchy and others) had not been included for the sake of simplicity.

Being a modular framework, the DAO was able to update its code on a per proposal basis. We wanted to keep the...

The New Kid on the Block

The Decentralized Autonomous Organization (DAO) was set to become the first digital decentralized investment fund. Virtually all its daily operations would be handled, well, virtually. This includes investment plans, payments, and even the corporate governance—all of it is determined by code. Its crowd investment in May 2016 turned out to be the most successful crowd funding campaign ever, passing the previous world record held by the video game Star Citizen.

The DAO had no branch offices and no employees. It performed the duty of managing the crowdfunded investment via so-called Smart Contracts based on the Ethereum-Blockchain. Started in 2013, Ethereum uses the Blockchain to store data permanently in public storage and move it around easily and fast. Ethereum provides the infrastructure to set up Smart Contracts: agreements represented and carried out by a software that emulates the logic of traditional financial contracts.

The DAO used Smart Contracts as a replacement for contracts between investors and startups. Everyone could be an anonymous investor by buying Ether, the cryptocurrency of the Ethereum-Blockchain, and with Ether purchase DAO tokens, which are similar to a corporate share. Each investor could then decide to invest into a startup by sending a number of DAO tokens to the respective proposal. The startups can then exchange the token into Ether and later, if necessary, into traditional fiat currency. Smart Contracts would have carried out all of the aforementioned administration processes.

A Hack Hits Home

However, the promise of a new era of startup investing (beyond that of conventional venture capitalists and angel investors) seemed to be destroyed on June 17th, when a hacker took advantage of some of the code of The DAO’s smart contracts and managed to steal 3,6 Million Ether (50 Million USD at the time).

Fortunately for DAO investors, a waiting period for the withdrawal of funds was programmed into the Smart Contract, which the hacker had to abide by before they could exchange their stolen Ether into offline currency. This gave the DAO investors precious time to find a solution to save their investment.

Following heated debates in the Blockchain community, a majority of the fledgling DAO-network agreed to create an alternative version of the Blockchain on which the hack had never happened.

Now the Ethereum-Blockchain exists in two instances. One is the Ethereum Hard Fork (ETH) Blockchain where the hack was made undone. The other is the untouched, but hacked, Ethereum (ETC), which was intended to sink into oblivion and out of use. However, Blockchain-fundamentalists within the cryptocurrency community decided they had other plans: “Code is law”, they maintained, and “If the code of the DAO allowed this hack, the hack is legit”. These fundamentalists continue to operate the ETC Blockchain despite the immediate financial downside for all DAO investors. Strengthening the fundamentalist position, the cryptocurrency exchange Poloniex, was first to list ETC on its exchange, maintaining the liquidity of ETC.

Sadly, before the DAO had a chance to realize its vision of fluid and open investment funds, it turned into a bickering two-headed monster. With ETH a refund has been established where DAO-investors can get their investments back and on ETC the hacker still owns his stolen Ether.

A Legal Gambit

It has been some four months since the hack of the DAO. The months following the hack were turbulent, with the rescue of the investment capital contributing to a split in the blockchain and the corresponding, yet unwanted, doubling of the investment fund and its capital deposits.

During the DAO’s crowd investment campaign, the legal liability of the DAO didn’t seem to bother backers much; however, that changed after the June 17th hack. Suddenly, the question of legal liability became rather pressing.

“Whereas in a legal regime, contracts are enforced by a court, in a blockchain regime, contracts are automatically enforced by the entire network,” explains Florian Glatz, a Berlin based lawyer specializing in blockchain legality. “Therefore, organizations like The DAO do not need to have a legal personality to operate. On the other hand, the people building, investing and working with DAOs are very much members of our established legal systems.”

Regulators are only just beginning to take the first steps to consider blockchain regulation. In May of 2016, the European Parliament approved a proposal to dedicate a task force to digital currencies and blockchain-technology. However, the proposal clearly mandates a hands-off approach with minimal to no regulations suggested during the early stages of the blockchain’s life.

In September 2016, the US House of Representatives passed a non-binding resolution calling on the US government to craft a national technology policy that includes digital currencies and blockchain-technology.

But the question remains—how can smart contracts be inte...

Yesterday, a hacker pulled off the second biggest heist in the history of digital currencies.

Around 12:00 PST, an unknown attacker exploited a critical flaw in the Parity multi-signature wallet on the Ethereum network, draining three massive wallets of over $31,000,000 worth of Ether in a matter of minutes. Given a couple more hours, the hacker could’ve made off with over $180,000,000 from vulnerable wallets.

But someone stopped them.

Having sounded the alarm bells, a group of benevolent white-hat hackers from the Ethereum community rapidly organized. They analyzed the attack and realized that there was no way to reverse the thefts, yet many more wallets were vulnerable. Time was of the essence, so they saw only one available option: hack the remaining wallets before the attacker did.

By exploiting the same vulnerability, the white-hats hacked all of the remaining at-risk wallets and drained their accounts, effectively preventing the attacker from reaching any of the remaining $150,000,000.

Yes, you read that right.

To prevent the hacker from robbing any more banks, the white-hats wrote software to rob all of the remaining banks in the world. Once the money was safely stolen, they began the process of returning the funds to their respective account holders. The people who had their money saved by this heroic feat are now in the process of retrieving their funds.

It’s an extraordinary story, and it has significant implications for the world of cryptocurrencies.

It’s important to understand that this exploit was not a vulnerability in Ethereum or in Parity itself. Rather, it was a vulnerability in the default smart contract code that the Parity client gives the user for deploying multi-signature wallets.

This is all pretty complicated, so to make the details of this clear for everyone, this post is broken into three parts:

What exactly happened? An explanation of Ethereum, smart contracts, and multi-signature wallets. How did they do it? A technical explanation of the attack (specifically for programmers). What now? The attack’s implications about the future and security of smart contracts.

If you are familiar with Ethereum and the crypto world, you can skip to the second section.

1. What exactly happened?

There are three building blocks to this story: Ethereum, smart contracts, and digital wallets.

Ethereum is a digital currency invented in 2013 — a full 4 years after the release of Bitcoin. It has since grown to be the second largest digital currency in the world by market cap — $20 billion, compared to Bitcoin’s $40 billion.

Like all cryptocurrencies, Ethereum is a descendant of the Bitcoin protocol, and improves on Bitcoin’s design. But don’t be fooled: though it is a digital currency like Bitcoin, Ethereum is much more powerful.

While Bitcoin uses its blockchain to implement a ledger of monetary transactions, Ethereum uses its blockchain to record state transitions in a gigantic distributed computer. Ethereum’s corresponding digital currency, ether, is essentially a side effect of powering this massive computer.

To put it another way, Ethereum is literally a computer that spans the entire world. Anyone who runs the Ethereum software on their computer is participating in the operations of this world-computer, the Ethereum Virtual Machine (EVM). Because the EVM was designed to be Turing-complete (ignoring gas limits), it can do almost anything that can be expressed in a computer program.

Let me be emphatic: this is crazy stuff. The crypto world is ebullient about the potential of Ethereum, which has seen its value skyrocket in the last 6 months.

The developer community has rallied behind it, and there’s a lot of excitement about what can be built on top of the EVM — and this brings us to smart contracts.

Smart contracts are simply computer programs that run on the EVM. In many ways, they are like normal contracts, except they don’t need lawyers or judges to interpret them. Instead, they are compiled to bytecode and interpreted unambiguously by the EVM. With these programs, you can (among other things) programmatically transfer digital currency based solely on the rules of the contract code.

Of course, there are things normal contracts do that smart contracts can’t — smart contracts can’t easily interact with things that aren’t on the blockchain. But smart contracts can also do things that normal contracts can’t, such as enforce a set of rules entirely through unbreakable cryptography.

This leads us to the notion of wallets. In the world of digital currencies, wallets are how you store your assets. You gain access to your wallet using essentially a secret password, also known as your private key (simplified a bit).

There are many different types of wallets that confer different security properties, such as withdrawal limits. One of the most popular types is the multi-signature wallet.

In a multi-signature wallet, there are several private keys that can unlock the wallet, but just one key is not enough to u...

The DAO hack that threatened everything and affected Ethereum

Do you remember how a decentralized autonomous organization can create with the use of Ethereum? In the year 2016, there was a downfall. A startup was working on a DOA project named DAO hack.

Dao was a model which is programmed and initiated by a start-up firm called Slock it. The primary purpose of this project is to make no person venture capital firm that would allow investors to make decisions through smart contracts.

It’s the DAO that got hacked

The DAO is a DENCENTRALIZED AUTONOMOUS ORGANIZATION – this is an organization where rules by computer programs generate Smart Contracts. Specifically, the DAO was built to be an investment vehicle that funds proposals. It does this by allowing its investors, who hold The DAO Tokens. Let’s call them TDT from this point to vote on proposals. Voting limits future actions so if a TDT holder votes yes or no. They can’t change their vote until the period is has ended.

When it made its 27-day crowd sale, the DAO raised 11.5 million Ether. This had a value of over US 150 million at the time and 16% of the total supply of Ether. Not only is that a lot of money but it was the largest crowdfund in history.

If the proposal on which a TDT holder voted succeeds, the owner can only withdraw their share of Ether balance that is left after the winning project once funded. In contrast, token holders that do not vote can remove from the DAO by initiating a split. Splits take seven days to fork off the funds. Consequently, a division launched by a user seven days ahead of a proposal’s voting deadline can operate without any risk that her funds will spend on that project. The DAO does not permit funds to be withdrawn as Ether directly. Instead, token holders can take their TDT out by a process known as a ‘split’. This is a process that takes 34 days in total to complete and involves creating a new DAO.

One of these flaws is how the DAO acts as a factory for creating child ‘smart contracts’ that ‘split’ off from the main DAO to create a ‘child-DAO.’

Recall that splitting is the only method of extracting one’s Ether holdings from the main DAO contract. This is where the user who splits from the DAO initiates a new DAO contract. In this contract, they will initially be the sole investor and curator. The idea here is that a user can extract her funds by whitelisting a proposal to pay herself the entire contents of her contract, voting on it with 100% support and the obtaining the resources by executing the approved plan.

Even if no action is taken, the attacker will not be able to withdraw any Ether at least for another ~27 days (the creation window for the child DAO).

One solution is a soft fork which will make any operations that make any calls/call codes/delegate calls that reduce the balance of an account with the system.

With the hard fork, a typical Ethereum user will not feel anything from that hard fork, besides a minor client update.

If you are a TDH holder, you can vote ‘yes’ on those split above proposals.

One way you can help mitigate the attack is by spamming the Ethereum network using your Ethereum client. You can use this to spam the chain....

In 2016 a grand idea made its way onto the Ethereum network. The Decentralized Autonomous Organization (The DAO) was created to operate like a venture capital fund for decentralized cryptocurrency projects. The DAO was built as a smart contract on the Ethereum blockchain and had a creation period that allowed investors to send Ether to a wallet address in exchange for DAO tokens, with 1 Ether worth 100 DAO tokens. The DAO managed to attract approximately $150M worth of Ether turning it into the biggest crowdfunding event ever seen in the cryptocurrency space.

The DAO

The DAO was a complex Smart Contract with a focus on fair, decentralized operations. In order to allow investors to leave the organization in the case of a disagreement, The DAO was created with an exit or a ‘split function’. This function allowed users to revert the involvement process and to have the Ether they had sent to The DAO returned. If someone wanted to leave The DAO, they would create their own Child DAOs, wait 28 days and then approve their proposal to send Ether to another address.

During its early days of operation there were warnings of security issues and even a community call for a moratorium, however, most of the security issues were not solved.

The Hack

On June 18, it was noticed that funds were leaving The DAO and the Ether balance of the smart contract was being drained. Around 3.6M Ether worth approximately $70M were drained by a hacker in a few hours. The hacker was able to get the DAO smart contract to return Ether multiple times before it could update its own balance. There were two main flaws that allowed this to take place, firstly the smart contract sent the Ether and then updated the internal token balance. Secondly, The DAO coders had also failed to consider the possibility of a recursive call that could act in such a way.

The hack resulted in the proposal of a soft fork that would stop the stolen funds from being spent, however, this never took place after a bug was discovered within the implementation protocol. This opened up the possibility of a hard fork with wider reaching implications.

The Hard Fork

A hard fork was proposed that would return all the Ether stolen The DAO in the form of a refund smart contract. The new contract could only withdraw and investors in The DAO could make refund requests for lost Ether. While it makes perfect sense to seek to reimburse the victims of the attack, the hard fork uncovered a number of arguments that are still prevalent in the world of cryptocurrency today.

Some opposed the hard fork and argued that the original statement of The DAO terms and conditions could never be changed. They also felt that the blockchain should be free from censorship and things that take place on the blockchain shouldn’t be changed even in the event of negative outcomes. Opponents of these arguments felt that the hacker could not be allowed to profit from his actions and that returning the funds would keep blockchain projects free from regulation and litigation. The hard fork also made sense as it only returned funds to the original investors and would also help to stabilize the price of Ether.

The Conclusion

The final decision was voted on and approved by Ether holders, with 89% voting for the hard fork and as a result, it took place on July 20 during the 1920000th block. The immediate result of this was the creation of Ethereum Classic (ETC) which shares all the data on the Ethereum blockchain up until block 1920000.

The creation of Ethereum Classic showed that hard forks were very much possible and it can be said that the creation of the second Ethereum currency has had an influence on the creators of subsequent Bitcoin forks. It also became clear that while the DAO was great idea, it was not implemented correctly and in order to move forward successfully blockchain projects would have to implement rigid security protocols....

The Story of the DAO — Its History and Consequences

Samuel Falkon Blocked Unblock Follow Following Dec 24, 2017

One of the most incredible concepts to be successfully implemented through blockchain technology is the DAO, a decentralized autonomous organization. Decentralized autonomous organizations are entities that operate through smart contracts. Its financial transactions and rules are encoded on a blockchain, effectively removing the need for a central governing authority — hence the descriptors “decentralized” and “autonomous.”

The Decentralized Autonomous Organization (known as The DAO) was meant to operate like a venture capital fund for the crypto and decentralized space. The lack of a centralized authority reduced costs and in theory provides more control and access to the investors.

At the beginning of May 2016, a few members of the Ethereum community announced the inception of The DAO, which was also known as Genesis DAO. It was built as a smart contract on the Ethereum blockchain. The coding framework was developed open source by the Slock.It team but it was deployed under “The DAO” name by members of the Ethereum community. The DAO had a creation period during which anyone was allowed to send Ether to a unique wallet address in exchange for DAO tokens on a 1–100 scale. The creation period was an unexpected success as it managed to gather 12.7M Ether (worth around $150M at the time), making it the biggest crowdfund ever. At some point, when Ether was trading at $20, the total Ether from The DAO was worth over $250 million.

In essence, the platform would allow anyone with a project to pitch their idea to the community and potentially receive funding from The DAO. Anyone with DAO tokens could vote on plans, and would then receive rewards if the projects turned a profit. With the financing in place, things were looking up.

The DAO’s Great Start Gone Wrong

However, on June 17, 2016, a hacker found a loophole in the coding that allowed him to drain funds from The DAO. In the first few hours of the attack, 3.6 million ETH were stolen, the equivalent of $70 million at the time. Once the hacker had done the damage he intended, he withdrew the attack.

In this exploit, the attacker was able to “ask” the smart contract (DAO) to give the Ether back multiple times before the smart contract could update its balance. Two main issues made this possible: the fact that when the DAO smart contract was created the coders did not take into account the possibility of a recursive call and the fact that the smart contract first sent the ETH funds and then updated the internal token balance.

It’s important to understand that this bug did not come from Ethereum itself, but from this one application that was built on Ethereum. The code written for The DAO had multiple flaws, and the recursive call exploit was one of them. Another way to look at this situation is to compare

Ethereum to the Internet and any application based on Ethereum to a website — If a site is not working, it doesn’t mean that the Internet is not working, it merely says that one website has a problem. The hacker stopped draining The DAO for unknown reasons, even though he could have continued to do so. The Ethereum community and team quickly took control of the situation and presented multiple proposals to deal with the exploit.

However, the funds were placed into an account subject to a 28 day holding period so the hacker couldn’t complete his getaway. To refund the lost money, Ethereum hard forked to send the hacked funds to an account available to the original owners. The token owners were given an exchange rate of 1 ETH to 100 DAO tokens, the same rate as the initial offering.

Unsurprisingly, the hack was the beginning of the end for the DAO. The hack itself was contested by many Ethereum users, who argued that the hard fork violated the basic tenets of blockchain technology. To make matters worse, on September 5, 2016, the cryptocurrency exchange Poloniex delisted DAO tokens, with Kraken doing the same in December 2016.

All of these issues pale in comparison to the United States Securities and Exchange Commision (SEC) ruling that was released on July 25, 2017. This report stated:

“Tokens offered and sold by a “virtual” organization known as “The DAO” were securities and therefore subject to the federal securities laws. The Report confirms that issuers of the distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies. Those participating in unregistered offerings also may be liable for violations of the securities laws.”

In other words, The DAO’s offering was subject to the same regulatory principles of companies undergoing the initial public offering process. According to the SEC, The DAO violated federal securities laws, along with all of its investors.

The Ongoing Impact of The DAO’s Rise and Fall

Though The DAO project has since folded, its impact is ongoing. C...

The DAO Hack — Stolen $50M & The Hard Fork.

Cryptonomy Blocked Unblock Follow Following Apr 20, 2018

The last article explained the idea of DAOs, but I think we can’t talk about DAOs without mentioning “The DAO”.

The DAO was the first DAO to run on the Ethereum blockchain, it was built by the Ethereum community to be a decentralized venture capital. The DAO was launched on April 30, 2016. It was controlled and operated by its token holders. For funding, the project raised around 150M$.

In June 2016, a user exploited vulnerability in the code of the smart contract of the DAO and successfully stole 3.6 million Ether, which at the time was worth around 50M$.

In response to the attack, the Ethereum community has decided to do a hard fork (a rule violating change in the blockchain) which reverted the attack and returned the funds. The fork took place on block number 192,000 and led to one of the biggest continuous debates in the blockchain space.

One thing to note is that the funds were subjected to a 28 holding period which means the funds didn’t actually arrive at the attacker, this made the hard fork a lot easier since the attacker was yet unable to spend the funds.

The proposal of doing a ‘hard fork’ led to great controversy in the Ethereum community. The supporting side claimed that the attack was not only unfair but it was also a great threat for the future of the Ethereum project as such a great loss of money for such a large part from the community could make lots of people lose faith in the system. Also, it is ethereally wrong to allow a malicious actor to profit from the hack and it can be very dangerous for the network to leave such an amount in the hands of a malicious actor which in turn can use it to further manipulate the network.

Trending Cryptocurrency Hub Articles:

On the other hand, the opposing side claimed that the blockchain should be immutable and the ‘hard fork’ would not just violate it but may also serve as a precedent in future cases. Furthermore, the entire agenda of the DAO is it should be based on code and changing the code breaks the idea of DAO.

The controversy over the ‘hard fork’ led the Ethereum network to split into 2 chains. The unforked version where the attacker received the funds which called Ethereum Classic, and the forked modified version which kept the original name Ethereum.

The controversy over whether the blockchain should be modified in this type of cases started catching fire again lately when an anonymous developer accidentally exploited a vulnerability in Parity contract and destroyed it. The contract was some kind of a library used by lots of multi-signature wallets for managing their funds. The destruction of the contract left the contracts relying on it futile and the funds in them froze (meaning there is no way to move them). The entire amount lost because of this incident was around 900,000 Ether which was worth 300M$ at the time.

To recover the funds, an EIP (Ethereum Improvement Proposal) was published. EIP999 is a proposal for restoring the contract code through a hard fork. This leads to a debate similar to the DAO one, only now the network is more mature and may be able to continue to operate without recovering the funds.

My personal argument is that as the chain is built and agreed upon by the community, the community should be able to revert transactions in consensus agreement. But as noted here https://ethereum-magicians.org/t/eip-999-restore-contract-code-at-0x863df6bfa4/130/21?u=maurelian a problem is that smaller cases of less influential voices may be treated differently which can make the network unfair.

As I see it, there is no clear right or wrong here as both sides have strong, justified claims and I will not take a side for now but will leave it for your discretion.

Explore Cryptonomy and Follow us on Twitter and Facebook.

This guest article was written by Ben Kaufman, founder of BitCampus.io

Join tens of thousands of other crypto-enthusiasts on Cryptonomy for iOS orAndroid....

Security considerations override all other considerations in software in general and in blockchain specifically. If security fails, nothing else matters. Blockchain proves decentralized, trustless transactions work, but many blockchain security vulnerabilities remain nonetheless.

Security exploits exist at the design and architectural level, at the coding stage, and in the operational phase. And in case you were wondering, yes, the blockchain can be hacked.

Blockchain Security Vulnerabilities – From Here to Eternity

Diamonds are forever, and smart contracts live for as long as the blockchain they are deployed on continues to be used. Consequently, all bugs and blockchain security vulnerabilities also live as long as the contract does.

Typically, each blockchain provides its own programming language to implement smart contracts. Let’s take a closer look.

Smart Contract Languages

Blockchain environments include their own languages for developing smart contracts.

The Ethereum platform, for example, includes the Solidity language to write smart contracts. The creators designed Solidity to be a Turing complete language.

A Turing complete language essentially allows the programmer to implement anything the underlying system is capable of. Consequently, this gives programmers abilities like implementing loops in the code, which can potentially cause blockchain security vulnerabilities.

Turing Completeness

Turing complete languages contain complexity by nature, and complexity invites bugs and vulnerabilities.

The Bitcoin network also has a programming language which it calls Script. Script is purposely not Turing complete to enhance security.

The fewer options that are given to a programmer, the less likely for blockchain security vulnerabilities to enter the system.

To minimize the risk of releasing faulty code into the wild, programmers must understand common pitfalls and anti-patterns inherent in smart contract programming. (Anti-patterns represent bad programming practices).

The DAO Hack: The Reentrancy Problem

The reentrancy problem probably ranks highest among blockchain security vulnerabilities programmers coded into smart contracts. Reentrancy drains an account through multiple expenditures for the same transaction. The use case of processing refunds lends itself to this exploit, but this flaw affects any kind of transaction if not addressed at the design and coding stage.

In one of the most infamous cryptocurrency attacks to date, hackers of the DAO exploited reentrancy. No organizational leader dictated how to run the DAO (or Decentralized Autonomous Organization), and the DAO proposed to empower users with the ability to vote on projects to invest in.

It raised over $150 million in funding in its first month. On June 17, 2016, hackers drained $50 million from the organization through the reentrancy flaw. The hard fork from Ethereum Classic (ETC) to Ethereum (ETH) resulted in an effort to resolve the problems this hack created.

Anti-Pattern Vulnerable to Reentrancy

A vulnerable reentrant logic for code looks like this:

function to process a payment () {

(1) check the validity of the transaction, the recipient, and the account balance;

(2) process the transaction;

(3) update the state of the system to show the transaction has been processed;

}

At first glance, the logic looks correct and complete, but the flaw resides in the order of doing step 2 before step 3.

While the first call to the function continues processing step 2, another call for the same transaction can enter the function. Since state information remains in its initial state and not yet processed in step 3, the second call checks out as a valid transaction to process.

Consequently, the system spends currency for the same obligation a second time. Hackers rush multiple transactions to the function before the state gets set properly.

Cure for Reentrancy

This change to the algorithm corrects the above problem:

function to process a payment () {

(1) check the validity of the transaction, the recipient, and the account balance;

(2) update the state of the system to show the transaction has been processed;

(3) process the transaction;

}

The code must account for all necessary exception handling, and it must account for all logical dependencies as well.

Overflow

Overflow is another common security flaw programmers need to be aware of.

Some programming languages provide strong typing, and others provide weak typing. Strongly typed languages refuse to allow programmers to assign string data to a numeric variable, for example, and weakly typed languages allow such actions.

Strongly typed languages enforce range restrictions. If an array is ten elements, programmers cannot attempt to access the eleventh element. Weakly typed languages allow such behavior, but crashes result. If the maximum allowable value a variable holds is 99, and you assign it a value of 100, watch it crash when you run it!

Consequently, overflow is an exploit that hackers use. If a...

The DAO Hack Explained: Unfortunate Take-off of Smart Contracts

Osman Gazi Güçlütürk Blocked Unblock Follow Following Jul 31, 2018

Logo of the DAO

Smart contracts brought distributed autonomous organizations, aka “DAO”s, to our life. A DAO is another computer code through which a set of smart contracts are connected together and function as a governance mechanism.

In this story I will explore the most famous DAO project, the DAO, and its effects on the smart contract environment. While reading the explanations, it must be borne in mind that all these discussions took place in online platforms such as GitHub and Reddit. Therefore, it is not possible to make definitive statements or give exact figures on all arguments used in these discussions.

1. The Creation of the DAO

The most infamous DAO project was the DAO created by the Slock.it[1] and went live on 30 April 2016. It was a virtual venture capital fund that is governed by the investors of the DAO. The idea was the following: Funds raised from the investors, the token holders, are pooled. Token holders can become contractors by submitting proposals for funding of their project by using the DAO funds. There was a curator examination, which was just an identity verification conducted by one of curators who were selected among the respected members of the Ethereum community. Once the proposal passed the curator’s check, it would be voted on by the investors. If a proposal is approved by a quorum of 20% of all tokens,[2] the DAO automatically transfers Ether to the smart contract that represents the proposal. Any Ether generated from the proposals funded by the DAO would be returned to participating investors as rewards.

During the initial offering[3] took place in May 2016, the only requirement for being an investor was to invest Ether into the system. In exchange, participants were given DAO Tokens, 100 DAO Tokens for 1 Ether, which give voting rights to be used during the selection of projects that would be funded. The DAO raised 12.7 million Ether, which was equal to more than 150 million USD back then and became the biggest crowdfunding project until its time. However, on 16 June 2016, the DAO got hacked.

2. Infamous ‘Split’ Function and the Child DAO

The governance mechanism embraced by the DAO was similar to the governance of publicly-traded joint stock corporations. Unsurprisingly, there was a possibility that the minority would be suppressed by the majority. The creators of the DAO wanted to introduce a protection for the minority: The idea was to make the minority able to retrieve their funds when a proposal they do not want to be a part of gets approved despite their objection, which was, in fact, a DAO equivalent of the appraisal right we see under the corporate law in some jurisdictions.

The creators implemented this solution as an ability of a DAO to split in two. By submitting a special form of proposal, the minority, along with other token holder who voted for this second special proposal, could take their Ether into a new DAO, which is called the child DAO but has the same abilities and it is subjected to same restrictions that of the DAO it is divided from.[4]

The split procedure can be initiated by any token holder at any time regarding their own Ether. However, once initiated, there is a schedule to be followed hardcoded in the DAO’s code according to which a split proposal must have at least 1 week (7 days) of debate time. After this 1 week, the split function can be called, and the initiator’s Ether can be moved to a new child DAO but then there is a 27 days of split creation period during which no proposal can be brought forward. And even after that, if you try to send the funds in the child DAO to an account under your own control, you need to submit a proposal and wait for 2 weeks (14 days), which is the regular proposal debating period. To sum up, once you decide to split a DAO, you need at least 48 days before getting it in an account you control.[5]

A coder found a loophole in this procedure. Once a split function is called, the code was written in a way to retrieve the Ether first and update the balance later. Additionally, it was not checking whether there was a recursive call, which is an expression used to indicate a function that calls himself. The attacker(s) managed to recursively call the split function and retrieved their funds multiple times before getting to the step where the code would check the balance. On 16 June 2016, the attacker managed to retrieve approximately 3.6 million Ether from the DAO fund abusing this loophole, which is known as a “recursive call exploit”.

3. Discussions and the Hard Fork

Ethereum community noticed this abnormal transfer from the DAO fund.[6] Additionally, the following day, someone who claimed himself to be the attacker published an open letter addressed to the Ethereum community.[7] These developments were followed by an intensive debate on what needs to be done to solve this ‘problem’....

CCN is an unbiased financial news site reporting on US Markets and Cryptocurrencies. Op-eds and opinions should not be attributed to CCN. Journalists on CCN follow a strict ethical code that you can find here. You can contact us here....

The DAO (stylized Đ) was a digital decentralized autonomous organization,[5] and a form of investor-directed venture capital fund.[6]

The DAO had an objective to provide a new decentralized business model for organizing both commercial and non-profit enterprises.[7][8] It was instantiated on the Ethereum blockchain, and had no conventional management structure or board of directors.[7] The code of the DAO is open-source.[9]

The DAO was stateless, and not tied to any particular nation state. As a result, many questions of how government regulators would deal with a stateless fund were yet to be dealt with.[10]

The DAO was crowdfunded via a token sale in May 2016. It set the record for the largest crowdfunding campaign in history.[6]

In June 2016, users exploited a vulnerability in The DAO code to enable them to siphon off one-third of The DAO's funds to a subsidiary account. On 20 July 2016 01:20:40 PM +UTC at Block 1920000, the Ethereum community decided to hard-fork the Ethereum blockchain to restore virtually all funds to the original contract.[11] This was controversial, and led to a fork in Ethereum, where the original unforked blockchain was maintained as Ethereum Classic, thus breaking Ethereum into two separate active blockchains, each with its own cryptocurrency.

The DAO was delisted from trading on major exchanges such as Poloniex and Kraken in late 2016.

History [ edit ]

The computer code behind the organization was written by Christoph Jentzsch, and released publicly on GitHub.[6] Simon Jentzsch, Christoph Jentzsch's brother, is also involved in the venture.[6]

The DAO was launched on 30 April 2016 at 01:42:58 AM +UTC on Ethereum Block 1428757,[12] with a website and a 28-day crowdsale to fund the organization.[13] The token sale had raised more than US$34 million by 10 May 2016, and more than US$50 million-worth of Ether (ETH)—the digital value token of the Ethereum network—by 12 May, and over US$100 million by 15 May 2016.[13][14] On 17 May 2016, the largest investor in the DAO held less than 4% of all DAO tokens and the top 100 holders held just over 46% of all DAO tokens.[15] The fund's Ether value as of 21 May 2016 was more than US$150 million,[16] from more than 11,000 investors.[17]

As of May 2016, The DAO had attracted nearly 14% of all ether tokens issued to date.[1]

Since 28 May 2016 the DAO tokens were tradable on various cryptocurrency exchanges.[18]

A paper published in May 2016 noted a number of security vulnerabilities associated with The DAO, and recommended that investors in The DAO hold off from directing The DAO to invest in projects until the problems had been resolved.[19] An Ethereum developer on GitHub pointed out a flaw relating to "recursive calls" in early June that was picked up and blogged by Peter Vessenes, founder of the Blockchain Foundation on June 9, and by June 14, fixes had been proposed and were awaiting approval by members of The DAO.

On June 16 further attention was called to recursive call vulnerabilities by bloggers affiliated with the Initiative for CryptoCurrencies & Contracts (IC3).[20]

On June 17, 2016, The DAO was subjected to an attack that exploited a combination of vulnerabilities, including the one concerning recursive calls, and the user gained control[dubious – discuss] of 3.6 million Ether, around a third of the 11.5 million Ether that had been committed to The DAO; the affected Ether had a value of about $50M at the time of the attack.[2][21] The funds were put into an account subject to a 28-day holding period under the terms of the Ethereum contract so were not actually gone; members of The DAO and the Ethereum community debated what to do next, with some calling the attack a valid but unethical maneuver, others calling for the Ether to be re-appropriated, and some calling for The DAO to be shut down.[21][22] Eventually, the Ethereum network was hard forked to move the funds in The DAO to a recovery address where they could be exchanged back to Ethereum by their original owners.[23] However, objectors to the hard fork continued to use the original Ethereum blockchain, now called Ethereum Classic.

In September 2016 Poloniex de-listed DAO trading pairs,[24] and in December 2016 Kraken also de-listed the token.[25]

Operation [ edit ]

The DAO was a decentralized autonomous organization[26] that exists as a set of contracts among people that resides on the Ethereum blockchain;[27] it did not have a physical address, nor people in formal management roles. The original theory underlying the DAO was that by removing delegated power from directors and placing it directly in the hands of owners the DAO removed the ability of directors and fund managers to misdirect and waste investor funds.[28]

As a blockchain-enabled organization, The DAO claimed to be completely transparent: everything was done by the code, which anyone could see...

One of the design goals of Ethereum was to simplify the specification of the consensus layer. That’s a noble goal, as it facilitates the re-implementation of the platform for different programming languages and constraints. But even if the minimum subset of instructions that enables Turing complete smart contracts is below 10, Ethereum did not limit itself to such minimal instruction set, for several reasons: (a) It reduces the performance considerably (b) it makes compiled code difficult to audit. So Ethereum has about 100 different opcodes. However it seems that for the sake of minimization the CALL opcode was overloaded with two functions: call a method of another contract, and send ether. But the semantics of these two functions and the contexts where each of these functions being used is very different. This lack of education was one of the factors that also led to the DAO hack. It is interesting to note that indirectly the VM already provides a mean to send ether without calling any function, by creating a temporary contract and using the suicide opcode, albeit with a much higher gas cost. This option leads to the simple conclusion that the VM should offer a SEND opcode that does not call any code, reducing the complexity of upper layers. One can argue that limiting the amount of gas offered for the call to 2300 gas has the side-effect that no other CALL can be performed, so it’s safe. This argument is false if we consider that the VM may later undergo hard-forks that may: reduce the cost of a CALL operation, or allow contracts to pay for its gas. So basically that solution is shortsighted, hides the real problem to the user and prevent future improvements. At RSK we’ve implemented a simple SEND opcode that does not call any code in the destination contract....

We have done our best to curate and clarify The DAO hack developments. This page will be updated to reflect new developments. Do not hesitate to flag inconsistencies and suggest updates.

[Lire cette FAQ en français]

UPDATE 30 June: The envisioned temporary solution - a soft fork (see Q8 below), - has been discarded. The rationale is security: shortly after the technical implementation of the soft fork was proposed, a harmful attack vector was identified. This is a simple explanation of what it could cause to the network:

So, put simply: the soft-fork would allow an attacker to send many transactions to a mining node which the node would have to execute in order to detect that a call is being made to the contract. This would cost the attacker nothing and would slow down and potentially stop transaction mining while the soft fork is in place. A well-organised, well-financed attacker could probably cause substantial disruption to the network and reduce the fees you receive using this attack.

Although the vector was not used to attack the network so far, it bears the potential to significantly damage the network. Consequently, the soft fork as proposed a few days ago (see Q8. below) will not happen. The current options on the table are unclear, but discussions within the community start to show a growing acceptance of a hard fork (see Q10 below for what it is).

On 17 June 2016, an unknown individual or group exploited The DAO. The latter is the first and biggest crowdfunded and crowdequity-like fund based entirely on the Ethereum blockchain. If you would like to get an insight about The DAO, please read this explanation.

The attacker(s) exploited a software vulnerability and started draining ether from the primary address where it was stored. This attack resulted in the draining off of some 3.6 million ether from The DAO. This amounts to around a third of The DAO ether.

The drained ether was directed to what is referred to as a 'child DAO'. This 'child DAO' is an address where the sole curator is the attacker or group of attackers. Consequently, around a third of the total DAO fund got trapped in this 'child DAO'. Technicalities aside, the diverted assets cannot be withdrawn by the attacker for a total of 27 days following the creation of the child DAO.

In the following Q&A, we have done our best to untangle the complexities of the attack and explain their implications. As this is an evolving situation, we will certainly update our explainer to reflect new developments.

"Q1. So, you know who hacked The DAO?"

No, we do not. Outside of the perpetrator(s), nobody from the Ethereum community seems to know who the attacker(s) is(are). What is known at this time is that:

(a) the attacker(s) needed seven days to initiate the split;

(b) the two key contracts which held the tokens and allowed the recursive split were created two days before the attack; and

(c) the attacker(s) is(are) careful and used ether emanating from an account at ShapeShift.

"Q2. Was the hack, attack (as in a ‘bad action’)?"

The hack of The DAO is caused by a software vulnerability. Some might argue that the contract underlying The DAO allowed the exploit to happen and, therefore, the hack perpetrator ran a valid smart contract with a “draining feature”. There are, however, clear indications that the hack is ill-intentioned from its inception:

1/ The hacker considers the 3.6 million ether they drained from The DAO to be a reward for the exploit. This is contrary to The DAO’s mission, which is to fund projects.

2/ There is no way of independently validating that the “open letter” circulated a few days ago is indeed authored by the hack perpetrator. That text is the only public expression from the hacker or group of hackers, and its stance and tonality are clearly adversarial. The “open letter” contains no mention of a constructive approach, but includes an explicit formulation that the perpetrator rationally caused harm:

“I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether.”

This sentence, as well as the whole letter, are a well-thought and calculated message. As aforementioned and clearly seen from this “open letter”, for the hacker, the end point of the operation was to keep the diverted funds, rather than fund companies.

3/ The perpetrator(s) offered to distribute funds (both bitcoin and ether) to miners who refuse to follow the proposed fork. Such a move is clearly aimed to damage trust and divide the Ethereum community, no matter whether said miners hold or not DAO tokens.

All things combined and all grains of salt added, it seems clear that the hacker's intent was to harm The DAO and the Ethereum community. The perpetrator’s ill-intentioned actions put a black mark of confidence against the field of crypto technologies. For those reasons, we qualify the hack as an attack, and the hack perpetrator(s) as attacker(s).

"Q3. OK, it sounds like some dude...