An Insight into the DAO Attack

by ImmuneBytes
It’s been almost five years since the infamous DAO hack that shook the Ethereum network to its core. The collapse of ‘The DAO’ cost the Ethereum network nearly $150M, forcing it to take the route of a hard fork.

The DAO was meant to function as a venture capital fund for new projects on Ethereum, and the attack put a question mark over the decentralized crowdfunding model.

What are Decentralized Autonomous Organizations (DAOs)?

A decentralized autonomous organization (DAO) is a type of legal structure that has no centralized authority and whose members are all driven to act in the organization’s best interests.

The goal of a DAO is to encourage the management and monitoring of an entity that resembles a corporation. A DAO’s lack of a centralized power source is its fundamental feature, which enables its participants and leaders to work together to serve as the organization’s governing body.

Unlike the top-down arrangement of a regular organization, a DAO assigns control based on the governance tokens one holds.

In a DAO, owning governance tokens gives you the ability to propose and vote on new rules, which are then executed automatically via a smart contract call. Unlike a conventional organization, there is no CEO passing executive orders down the line. DAOs rely solely on smart contracts to get the job done.

The first DAO that marked the commencement of the new technology was “The DAO.” 

What? The first DAO is The DAO! Confused?

Well! Actually, “The DAO” is the name of the first DAO launched by ‘Slock.it’, a blockchain firm built on the Ethereum platform.

The DAO was a type of investor-directed venture capital fund created through a token sale, and it grew to become one of the greatest crowdfunding campaigns in history.

Now we know what a DAO is in general and ‘The DAO’ in particular. Let’s get on to the workings of a decentralized autonomous organization.

The DAO: Working Mechanism

The objective of a decentralized autonomous organization (DAO) is to codify the rules and regulations that govern an organization, do away with the need for a centralized authority, and build a framework for decentralized control.

Look at the infographic given below to understand how a decentralized autonomous organization works.

Here is how a DAO functions:

  • A team of programmers creates smart contracts (programs) that power the organization.
  • A crowd sale, also known as an initial coin offering (ICO), is a period during which people contribute funds to the DAO by buying tokens that signify ownership, providing it with the resources it requires.
  • The DAO starts working after the financing period is over.
  • Following that, individuals can suggest how to spend the funds, and members who have invested can vote to approve these suggestions.

In the next section, we discuss what happened on the Ethereum network in 2016: the DAO hack, to the tune of $150M.

The DAO Hack: Explained

The DAO, which debuted on Ethereum on April 30, 2016, came with a 28-day window for fund collection. Surprisingly, the funding exceeded the creators’ expectations, reaching the mark of $150M.

In The DAO’s case, the vulnerability was actually known. Stephen Tual, one of The DAO’s creators, confirmed that a ‘recursive call bug’, a kind of reentrancy flaw, had been found in the software but maintained that no DAO funds were at risk.

While the developers were fixing the bug in the code, an attacker was already prepared and started extracting Ether from the DAO smart contract. After the 28-day window, by 18th June, the attacker had successfully drained 3.6M Ether, transferring it to a ‘child DAO’ with a structure identical to The DAO’s.
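The ‘recursive call bug’ described above comes down to ordering: a withdrawal that hands control to the recipient before it clears the recipient’s recorded balance can be re-entered while that balance still looks unspent. The Python model below is an added example, not The DAO’s Solidity code and not part of the original article; the class names, the `update_before_send` switch and the deposit amounts are constructed for illustration. It runs the same withdrawal in the vulnerable order and in the corrected order (record the effect, then make the external call).

```python
class Vault:
    """Toy ledger standing in for a contract that holds pooled funds."""

    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.credit = {}   # account -> amount the ledger says it may withdraw
        self.pool = 0      # funds the vault actually holds

    def deposit(self, account, amount):
        self.credit[account] = self.credit.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        amount = self.credit.get(account, 0)
        if amount == 0 or self.pool < amount:
            return                         # check
        if self.update_before_send:
            self.credit[account] = 0       # effect recorded before the call out
        self.pool -= amount
        account.receive(self, amount)      # interaction: recipient code runs here
        if not self.update_before_send:
            self.credit[account] = 0       # vulnerable order: effect comes too late


class PlainAccount:
    def __init__(self):
        self.wallet = 0

    def receive(self, vault, amount):
        self.wallet += amount


class ReenteringAccount(PlainAccount):
    """Recipient whose receive hook calls back into withdraw (the recursive call)."""

    def receive(self, vault, amount):
        self.wallet += amount
        vault.withdraw(self)


def simulate(update_before_send):
    """Return (re-entering wallet, pool left, credit still owed to the other depositor)."""
    vault = Vault(update_before_send)
    other, caller = PlainAccount(), ReenteringAccount()
    vault.deposit(other, 90)    # constructed sample amounts
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.wallet, vault.pool, vault.credit[other]
```

With these constructed deposits, `simulate(False)` returns `(100, 0, 90)`: the pool is empty while the ledger still owes 90 to the other depositor. `simulate(True)` returns `(10, 90, 90)`, because the nested call finds a zero balance and stops.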

As discussed earlier, nobody expected the crowdfunding to break all benchmarks, and all the Ether was resting at a single address. To stop the transfer of Ether, several attempts were made to split The DAO. But in a DAO, consensus determines the action, and getting the required number of votes in such a short span proved difficult.

Because the child DAO had the same structure, limitations, and vulnerabilities as the actual DAO, the ETH in the child DAO could not be accessed during the first 28 days of the initial funding period.

The Ether in the child DAO was visible to everyone, and any effort to cash it out would have raised alarms followed by scrutiny. It was possible that the attacker would never receive or spend any Ether.

The DAO hack in a nutshell

  • The DAO: Ethereum’s first crypto crowdfunding initiative
  • $150M worth of crypto was collected
  • A smart contract vulnerability, a recursive call bug, led to a critical crypto-draining hack.
  • Ether worth millions of dollars was stored in the child DAO (a mimic of The DAO)
  • To save investors’ funds, Ethereum made a hard fork, forming Ethereum Classic.

Due to certain DAO traits, especially the requirement that any split executes the same code as the original DAO, an attacker performing a malicious split has to wait the whole creation term of the child DAO (27 days) before withdrawing any funds.

This gives the community time to react to a heist by freezing the attacker’s funds through a soft fork or rolling back the compromise with a hard fork.

But what was Ethereum’s reaction to the DAO hack?

Let’s find out.

Ethereum After the DAO Hack: Birth of Ethereum Classic

The DAO accounted for roughly 15% of all Ether in circulation at the time. So, the failure of The DAO could have had a devastating impact on the Ethereum network.

Right now, the Ether that should have been in The DAO is in the child DAO and cannot be extracted for the next 27 days (the funding window). So, we can see our Ether but have no control over it.

Many proposals came in, including a soft fork proposed by Ethereum’s founder Vitalik Buterin. The idea was to freeze the assets, keeping the hacker from claiming his reward. Interestingly, through an open letter, the attacker threatened the Ethereum community with legal action, asserting that his claim was legal.

Many of you must be thinking, “How dare he?” Anyone who lost money because of the con artist may well see it that way, and threatening the entire community is a grave step. On the other hand, smart contracts are meant to be their own arbitrators; no outsider can alter the transaction rules.

Alternatively, a hard fork was another valid option. Numerous members of the Ethereum Foundation owned DAO tokens and served as advisors to The DAO. Even one of the original Ethereum inventors, Gavin Wood, backed the fork. From the perspective of the Ethereum ecosystem, it was “too big to fail.”

Finally, there was a hard fork, splitting the network into Ethereum Classic, which kept the original blockchain, and Ethereum, which moved in another direction with a new blockchain.

By rolling back the hack, the Ethereum community recovered the lost Ether. The rollback also divided Ethereum’s team.

Wrapping Up

One year into its operation, Ethereum had to face a significant split not only at the technical level but also within the team.

The first significant Decentralized Autonomous Organization, which thousands of people had labored to create over several months with enormous goodwill, was instantly destroyed.

Even though this particular DAO adventure may be finished, the idea of DAOs still exists. In fact, DAOs have become the current trend in crypto, with innumerable DAOs coming up now and then on different blockchain platforms.