Associated Incidents

We have done our best to curate and clarify developments around The DAO hack. This page will be updated to reflect new developments. Do not hesitate to flag inconsistencies and suggest updates.
[Read this FAQ in French]
UPDATE 30 June: The envisioned temporary solution, a soft fork (see Q8 below), has been discarded. The rationale is security: shortly after the technical implementation of the soft fork was proposed, a harmful attack vector was identified. This is a simple explanation of what it could do to the network:
So, put simply: the soft-fork would allow an attacker to send many transactions to a mining node which the node would have to execute in order to detect that a call is being made to the contract. This would cost the attacker nothing and would slow down and potentially stop transaction mining while the soft fork is in place. A well-organised, well-financed attacker could probably cause substantial disruption to the network and reduce the fees you receive using this attack.
Although the vector has not yet been used to attack the network, it has the potential to significantly damage it. Consequently, the soft fork as proposed a few days ago (see Q8 below) will not happen. The options now on the table are unclear, but discussions within the community are starting to show a growing acceptance of a hard fork (see Q10 below for what that is).
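The mechanism in the quoted explanation, as an added illustration (not code from this page, from the soft-fork proposal, or from any Ethereum client): a constructed Python model of a mining node that has to execute a transaction before it can tell whether it reaches the blacklisted contract, and that earns no fee for a transaction it then rejects. The addresses `0xdao`, `0xproxy` and `0xshop`, the opcode names and the gas figures are placeholders invented for the example; only the cost asymmetry they produce is the point.

```python
"""Constructed model of the soft-fork DoS vector, added as an illustration.

Placeholders: DAO_ADDRESS, PROXY_ADDRESS, the opcode names and the gas
costs are invented for this example and are not real Ethereum values.
"""

DAO_ADDRESS = "0xdao"      # placeholder for the blacklisted contract
PROXY_ADDRESS = "0xproxy"  # innocuous-looking contract the tx is sent to
GAS_PRICE = 1              # fee per unit of gas, placeholder


# A transaction is a 'to' address plus the ops its execution performs.
# The envelope points at a proxy, and only the CALL op reveals which
# contract is ultimately reached. Because that target can be computed at
# run time, the node cannot filter on 'to' and must execute the ops.
def make_attack_tx(padding_gas):
    return {
        "to": PROXY_ADDRESS,
        "ops": [("COMPUTE", padding_gas), ("CALL", DAO_ADDRESS, 700)],
    }


def make_honest_tx(gas):
    return {"to": "0xshop", "ops": [("COMPUTE", gas)]}


def execute(tx):
    """Run the ops; return (gas_used, calls_dao)."""
    gas_used = 0
    calls_dao = False
    for op in tx["ops"]:
        if op[0] == "COMPUTE":
            gas_used += op[1]
        elif op[0] == "CALL":
            gas_used += op[2]
            if op[1] == DAO_ADDRESS:
                calls_dao = True
    return gas_used, calls_dao


def process(tx, soft_fork):
    """Return (work_done, fee_earned) for one transaction at a mining node.

    Without the soft fork every executed tx is included in a block and its
    gas is paid for. Under the soft fork a tx that reaches the DAO is
    dropped *after* execution: the node did the work, the sender pays
    nothing, and the fee the miner would have received is lost.
    """
    gas_used, calls_dao = execute(tx)
    if soft_fork and calls_dao:
        return gas_used, 0
    return gas_used, gas_used * GAS_PRICE


def flood(n_txs, padding_gas, soft_fork):
    """Attacker sends n identical padded txs; return (total work, total fees)."""
    work = fees = 0
    for _ in range(n_txs):
        w, f = process(make_attack_tx(padding_gas), soft_fork)
        work += w
        fees += f
    return work, fees


if __name__ == "__main__":
    print("no soft fork:", flood(1000, 100_000, soft_fork=False))
    print("soft fork:   ", flood(1000, 100_000, soft_fork=True))
```

The padding before the CALL is what makes the vector cheap for the attacker and expensive for the node: the node must burn through it to discover the call, and under the soft fork that work is never charged. Honest transactions are unaffected, which is why the attack shows up as lost fees and slowed mining rather than as invalid blocks.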
On 17 June 2016, an unknown individual or group exploited The DAO, the first and largest crowdfunded, crowd-equity-like fund based entirely on the Ethereum blockchain. If you would like insight into The DAO, please read this explanation.
The attacker(s) exploited a software vulnerability and started draining ether from the primary address where it was stored. The attack drained some 3.6 million ether from The DAO, around a third of the ether it held.
The drained ether was directed to what is referred to as a 'child DAO', an address whose sole curator is the attacker or group of attackers. Consequently, around a third of the total DAO fund is trapped in this 'child DAO'. Technicalities aside, the diverted assets cannot be withdrawn by the attacker for 27 days following the creation of the child DAO.
In the following Q&A, we have done our best to untangle the complexities of the attack and explain its implications. As this is an evolving situation, we will update this explainer to reflect new developments.
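The 'recursive split' behind the drain, as an added illustration that is neither The DAO's own Solidity nor code from this page: a constructed Python model of a split routine that pays a member out through an external call before zeroing their token balance, so that a recipient contract can re-enter the routine and be paid again from the same balance, next to the corrected ordering. The class and function names (`VulnerableDao`, `FixedDao`, `AttackerReceiver`, `run_split`), the recursion bound and all amounts are invented for the example; each token is modelled as worth exactly 1 ether.

```python
"""Constructed model of the recursive-split (reentrancy) pattern.

Added illustration, not The DAO contract. Names and amounts are invented.
Each token is modelled as worth exactly 1 ether, so a member's payout on
a split equals their token balance.
"""


class VulnerableDao:
    """Pays out first, updates the ledger afterwards."""

    def __init__(self, ether):
        self.ether = ether    # ether held by the main DAO
        self.balances = {}    # tokens per member

    def deposit(self, member, amount):
        self.ether += amount
        self.balances[member] = self.balances.get(member, 0) + amount

    def split(self, member, receiver):
        amount = self.balances.get(member, 0)
        if amount == 0:
            return
        if self.ether < amount:
            raise RuntimeError("DAO is out of ether")
        self.ether -= amount
        # External call BEFORE the balance is zeroed: the receiver runs
        # arbitrary code here and may call split() again while
        # balances[member] still holds the full amount.
        receiver.receive(self, member, amount)
        self.balances[member] = 0


class FixedDao(VulnerableDao):
    """Checks-effects-interactions: zero the balance, then pay."""

    def split(self, member, receiver):
        amount = self.balances.get(member, 0)
        if amount == 0:
            return
        if self.ether < amount:
            raise RuntimeError("DAO is out of ether")
        self.balances[member] = 0          # effect first
        self.ether -= amount
        receiver.receive(self, member, amount)  # interaction last


class AttackerReceiver:
    """Receiving 'contract' that re-enters split() up to max_depth times.

    In the real attack the recursion was bounded by gas and call-stack
    limits; here a counter (invented for the model) stands in for that.
    """

    def __init__(self, max_depth):
        self.max_depth = max_depth
        self.depth = 0
        self.drained = 0

    def receive(self, dao, member, amount):
        self.drained += amount
        if self.depth < self.max_depth:
            self.depth += 1
            dao.split(member, self)   # reentrancy: balance not yet zeroed


def run_split(dao_cls, pot, stake, max_depth):
    """Return (ether received by the attacker, ether left in the DAO)."""
    dao = dao_cls(pot)
    dao.deposit("attacker", stake)
    receiver = AttackerReceiver(max_depth)
    dao.split("attacker", receiver)
    return receiver.drained, dao.ether


if __name__ == "__main__":
    print("vulnerable:", run_split(VulnerableDao, 100, 10, 5))  # (60, 50)
    print("fixed:     ", run_split(FixedDao, 100, 10, 5))       # (10, 100)
```

With a 10-token stake and five re-entries the vulnerable routine pays the attacker six times from one balance, taking 50 ether that belonged to other members; the fixed routine pays once, because the second call sees a zero balance and returns. The same reordering, plus a reentrancy lock where reordering alone is not enough, is the standard fix for this class of bug.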
"Q1. So, you know who hacked The DAO?"
No, we do not. Outside of the perpetrator(s), nobody in the Ethereum community seems to know who the attacker or attackers are. What is known at this time is that:
(a) the attacker(s) needed seven days to initiate the split;
(b) the two key contracts which held the tokens and allowed the recursive split were created two days before the attack; and
(c) the attacker(s) were careful and used ether originating from an account at ShapeShift.
"Q2. Was the hack an attack (as in a 'bad action')?"
The hack of The DAO was caused by a software vulnerability. Some might argue that the contract underlying The DAO allowed the exploit to happen and that, therefore, the perpetrator merely ran a valid smart contract with a "draining feature". There are, however, clear indications that the hack was ill-intentioned from its inception:
1/ The hacker considers the 3.6 million ether drained from The DAO to be a reward for the exploit. This is contrary to The DAO's mission, which is to fund projects.
2/ There is no way of independently validating that the "open letter" circulated a few days ago was indeed authored by the perpetrator. That text is the only public expression from the hacker or group of hackers, and its stance and tone are clearly adversarial. The "open letter" contains no mention of a constructive approach, but includes an explicit statement that the perpetrator knowingly caused harm:
“I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether.”
This sentence, like the whole letter, is a well-thought-out and calculated message. As mentioned above and clearly seen from this "open letter", the hacker's end goal was to keep the diverted funds rather than fund companies.
3/ The perpetrator(s) offered to distribute funds (both bitcoin and ether) to miners who refuse to follow the proposed fork. Such a move is clearly aimed at damaging trust and dividing the Ethereum community, whether or not said miners hold DAO tokens.
All things considered, and with every grain of salt added, it seems clear that the hacker's intent was to harm The DAO and the Ethereum community. The perpetrator's ill-intentioned actions damage confidence in the whole field of crypto technologies. For those reasons, we qualify the hack as an attack, and the perpetrator(s) as attacker(s).
"Q3. OK, it sounds like some dude