What Was The DAO? The Story of the Infamous Hack
Feb 13, 2024
In 2016, The DAO made headlines as one of the first decentralised autonomous organisations (DAOs) in history. However, its promising concept was overshadowed by a major hack that resulted in the loss of millions of dollars worth of Ether.
In this article, we will explore the origins, functions, and consequences of The DAO, which became a cautionary tale for many projects in the blockchain space.
- DAOs are blockchain-based cooperatives operating through smart contracts, enabling decentralised governance and stakeholder decision-making.
- The first major DAO, “The DAO,” was launched on the Ethereum platform in 2016 with a high-profile funding window that raised over $100 million.
- The DAO’s success was short-lived due to a hack that drained funds worth approximately $70 million, revealing vulnerabilities in its code and raising concerns about securities laws.
- The DAO hack sparked a debate within the Ethereum community on how to address stolen funds and prevent future attacks.
What Is a DAO by Definition?
A DAO is a blockchain-based cooperative that operates through smart contracts. These contracts are executed and enforced by a network of computers, eliminating the need for centralised management structures.
One of the core concepts of DAOs is decentralised governance. These organisations enable collective decision-making, with stakeholders voting on proposals and allocating resources based on consensus.
DAOs, including “The DAO”, are built on top of blockchain networks like Ethereum. This network allows for the exchange of value and supports the execution of smart contracts. Ethereum has become the second most popular cryptocurrency after Bitcoin, with its blockchain currently performing more than a million transactions every day.
How Do DAOs Work?
DAOs operate through a series of steps, starting with creating smart contracts by a group of individuals. These contracts are designed to run the organisation autonomously and without the need for human intervention.
The next step is an initial funding period, during which people can purchase tokens representing ownership in the DAO.
Once the funding period is over and the DAO is operational, members can submit proposals on how to spend the funds. These proposals are then voted on by the members who have purchased tokens, giving them a say in the organisation’s decision-making process.
The DAO: How Everything Started
“The DAO” is considered the first decentralised autonomous organisation. It was created on the Ethereum platform, and its main purpose was to provide a decentralised version of Airbnb through its “smart locks” technology.
The DAO had a 28-day funding window, which started on April 30th, 2016. During this time period, it gained massive popularity and received over $100 million in funding from more than 11,000 members. This made it the largest crowdfunding blockchain project at that time.
However, despite its success in raising funds, The DAO faced a major setback due to vulnerabilities in its code. These concerns were raised during the funding period, but they were not addressed until after the crowdsale was over.
In June 2016, one of The DAO’s creators announced the discovery of a “recursive call bug,” which could potentially put DAO funds at risk.
Issues with Security in the DeFi Space
The stability and security of the Ethereum network have been proven time and again, with no major issues or vulnerabilities to date. However, it is crucial to acknowledge that all networked systems are at risk of potential attacks.
Given the value of ether held on the Ethereum network (often exceeding $1 billion), it is understandable that concerns arise regarding its safety. Any system that handles such a significant amount of currency is likely to be targeted by numerous malicious actors looking for the slightest security flaw.
Let’s consider the case of DeFi blockchain bridges. These bridges are designed to facilitate the transfer of digital assets between different networks. However, this accessibility comes with a notable drawback: bridges have become a prime target for hackers in the DeFi space.
While the individual networks remain secure, cybercriminals seek to exploit the weak points in their connections. In 2022 alone, over $2 billion was lost due to bridge exploits. The same goes for DAOs.
How The DAO Was Hacked
Within months of its launch, The DAO encountered a major setback that shook the entire cryptocurrency community. On June 17, 2016, a hacker drained funds worth approximately $70 million (3.6 million ETH) from the platform.
This attack was possible due to a loophole discovered by the attacker that allowed them to transfer ETH from The DAO into a “child DAO.” As a result, the price of ETH dropped from over $20 to under $13 overnight.
The DAO’s designers did not anticipate this level of funding and made a crucial mistake by storing all of the ether in a single address. This oversight allowed the attacker to access and steal the funds without much resistance.
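The "recursive call bug" announced in June and the mechanism of the June 17 drain, reduced to a runnable model. This is an added example, not The DAO's contract code (which this page does not reproduce): a toy ledger whose withdraw sends ether before zeroing the caller's balance, beside the checks-effects-interactions version that updates state first; the Ledger, ReenteringRecipient and drained names and the 100-ether sample pool are assumptions made for the illustration.

```python
# Model of The DAO's "recursive call bug" (reentrancy). Added example, not The
# DAO's code: a toy ledger whose withdraw() sends ether BEFORE zeroing the
# balance, beside the checks-effects-interactions version that updates state first.

class Ledger:
    """Minimal contract model: per-member balances plus the pool of held ether."""

    def __init__(self, deposits):
        self.balances = dict(deposits)      # constructed sample deposits
        self.pool = sum(deposits.values())

    def withdraw_vulnerable(self, who, recipient):
        # Bug: the external call runs before the balance is updated, so a
        # recipient that re-enters still sees its full balance credited.
        amount = self.balances[who]
        if amount == 0:
            return
        self.pool -= amount
        recipient.receive(self, who, amount)    # interaction first...
        self.balances[who] = 0                  # ...effect last (wrong order)

    def withdraw_fixed(self, who, recipient):
        # Checks-effects-interactions: zero the balance before the external
        # call, so a re-entrant call finds nothing left to withdraw.
        amount = self.balances[who]
        if amount == 0:
            return
        self.balances[who] = 0
        self.pool -= amount
        recipient.receive(self, who, amount)


class ReenteringRecipient:
    """Auditor's test double: its callback calls withdraw again while the first
    withdraw is still unfinished, as a recipient contract can on Ethereum."""

    def __init__(self, method):
        self.method = method
        self.received = 0

    def receive(self, ledger, who, amount):
        self.received += amount
        if ledger.pool >= amount:               # re-enter while ether remains
            getattr(ledger, self.method)(who, self)


def drained(method):
    """Withdraw one 10-ether deposit from a 100-ether pool via `method`; return
    how much the re-entering recipient ended up holding."""
    ledger = Ledger({"others": 90, "caller": 10})   # constructed sample
    recipient = ReenteringRecipient(method)
    getattr(ledger, method)("caller", recipient)
    return recipient.received
```

With the vulnerable ordering the 10-ether deposit pulls the whole 100-ether pool; with the fixed ordering the same recipient receives exactly its 10 ether, which is the property an audit should test for.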
The Aftermath of The DAO Hack
Despite several attempts by concerned parties to split The DAO and prevent further losses, they could not gather enough votes quickly. It is believed that the hacker voluntarily stopped their attack after hearing about the fork proposal.
Even before the hack, lawyers had raised concerns about The DAO’s compliance with securities laws across multiple countries. They also pointed to potential liabilities for the creators and token holders of The DAO, who may not have been aware of the risks they were accepting.
As a result of the hack, a new child DAO was created with the same structure, limitations, and vulnerabilities as its parent. However, because of the initial funding period requirement, the funds in this child DAO could not be accessed for 28 days.
This new child DAO was open for anyone to see, and any attempt to use the funds would trigger alarms and investigations. At the time, it was unclear whether the attacker would ever be able to use the stolen funds.
The vulnerability exploited by the hacker was specific to The DAO’s code and not inherent to the Ethereum network itself. It demonstrated the importance of thorough security testing and auditing when developing smart contracts.
The Response to The DAO Hack: Soft Fork vs. Hard Fork
Following the hack, the Ethereum community faced the challenge of deciding how to address the stolen funds and prevent future attacks.
Proposition of a Soft Fork
On 17th June, Ethereum founder Vitalik Buterin proposed a soft fork of the Ethereum network, which aimed to blacklist the attacker and prevent them from accessing the stolen funds.
However, in an open letter to the Ethereum users, the attacker responded by claiming that their actions were legal and threatening legal action against anyone trying to seize the funds.
This dispute led to a division within the Ethereum community. The attacker offered a collective reward of one million ether and 100 Bitcoins to bribe Ethereum miners not to comply with the proposed soft fork. The community faced a moral and philosophical dilemma, questioning blockchain technology’s immutability and censorship-resistance principles.
Hard Fork as a Solution
Ultimately, the community decided to pursue a hard fork due to concerns about the attacker’s potential actions and the significant financial implications for investors.
The hard fork aimed to roll back the Ethereum network’s history to a point before the DAO attack and reallocate The DAO’s funds to a different smart contract. This decision was controversial, with some arguing that it violated the core principles of decentralisation and immutability.
Some critics argued that the decision to hard fork set a precedent for future interventions and undermined the trustworthiness of blockchain technology. On the other hand, proponents believed that it demonstrated the community’s ability to adapt and address complex issues swiftly.
Ultimately, on 20th July 2016, the hard fork was implemented at block 192,000.
The Consequences: Ethereum vs. Ethereum Classic
The hard fork resulted in a split within the Ethereum community, with the majority of stakeholders adopting the new version of Ethereum. However, a minority disagreed with the decision and chose to continue using the original version, known as Ethereum Classic (ETC).
Ethereum Classic represents a continuation of the pre-forked blockchain, with all transactions and smart contracts remaining intact. On the other hand, Ethereum became the blockchain that implemented the hard fork, effectively changing its history and resolving the issues caused by The DAO hack.
The Lessons Learned: Security and Regulation
The DAO’s rise and fall left a lasting impact on the Ethereum ecosystem and the broader blockchain industry.
It highlighted essential lessons regarding security and regulation in the decentralised finance space. The hack exposed the vulnerabilities of smart contracts and emphasised the need for rigorous security measures and auditing processes when developing decentralised applications.
Furthermore, The DAO’s legal ambiguity raised concerns about regulatory compliance in the crowdfunding and token offering space. The United States Securities and Exchange Commission (SEC) ruled that The DAO token was a security and subject to federal securities laws. This ruling implicated not only The DAO but also its investors, who unknowingly violated securities regulations.
To prevent future incidents and maintain the trust of participants, blockchain startups and developers must prioritise security testing and compliance with relevant regulations. The DAO hack emphasised the importance of responsible development practices and the need for ongoing efforts to enhance security and the DAO governance structure.
The Legacy of The DAO: Continued Development and Growth
Despite its demise, The DAO sparked innovation and progress in the blockchain industry. Its concept of decentralised autonomous organisations has inspired a wave of new projects seeking to create more efficient and transparent governance systems.
Thanks to advancements in smart contract auditing and validation services, developers can now conduct thorough security checks before deploying their code on the blockchain. This helps prevent vulnerabilities and protects users’ assets.
Moreover, The DAO’s hack prompted the Ethereum community to address the issues and improve its platform’s security and functionality. As a result, Ethereum has become one of the leading blockchains for building decentralised applications and powering DeFi protocols.
The lessons learned from The DAO have also raised awareness about regulatory compliance in the blockchain space. Governments and regulators are now taking a more active interest in cryptocurrencies and decentralised finance, leading to the establishment of regulations that aim to protect investors and prevent fraudulent activities.
How much was stolen from The DAO?
The DAO hack is considered to be one of the biggest and most devastating hacks in the history of cryptocurrency, with a staggering amount of almost $70 million stolen (3.6 million ETH at the time).
Who was behind The DAO hack?
According to Forbes journalist Laura Shin, Toby Hoenisch, a former co-founder of the blockchain startup TenX, was allegedly involved in the hack. The evidence was uncovered with the help of the blockchain analytics company Chainalysis, which provided crucial clues in identifying the attacker.
It was discovered that the hacker had sent funds to four different trading platforms, where they were quickly exchanged for Grin, a privacy-oriented cryptocurrency. Upon further investigation, an employee from one of these platforms revealed that the IP address and login credentials used for the transaction were linked to Hoenisch himself.
The evidence continued to stack up: Hoenisch regularly used the nickname ‘tobyai’ across multiple social networks and had an email address ending in ‘toby.ai’. He also had close connections with the creator of Slock.it, the startup that founded The DAO project, and was familiar with the project’s code.
In response, Hoenisch vehemently denied any involvement in the hack and rejected Forbes’ accusations.
Are DAOs the future?
There is no definite answer to this question as it depends on various factors such as the technology’s adoption rate, regulatory challenges and potential security risks. However, some experts believe that DAOs have the potential to revolutionise traditional organisational structures and increase transparency in decision-making processes.
At the same time, DAOs face challenges such as scalability issues and the potential for governance disputes. The DAO hack was a prime example of these challenges, highlighting the need for robust security measures and effective governance protocols.
How do I secure my crypto assets?
There are a few steps you can take to secure your crypto assets:
- Use a hardware wallet: Hardware wallets, such as Ledger or Trezor, offer offline storage for your private keys and keep them safe from potential online attacks.
- Enable two-factor authentication (2FA): 2FA adds an extra layer of security by requiring a code generated on your phone to access your account.
- Use strong passwords: Make sure to use a unique and complex password for all of your crypto accounts.
- Stay up-to-date on security practices: Keep yourself informed about the latest best practices for securing your crypto assets, as new techniques are constantly being developed.
- Diversify your storage methods: Consider using a combination of hardware wallets, paper wallets, and online exchanges to spread out your risk.