The DAO Hack: Understanding the Infamous Attack

This article will thoroughly explore the DAO Hack and answer these questions: What was it? Who did it? and What were the consequences?  

By understanding what happened, we can glean valuable insights into the future of decentralized finance and its implications for the broader blockchain community.

The Basics: DAO Concept explained

Cryptocurrencies and blockchain technology have introduced revolutionary concepts that challenge traditional centralized systems. One such concept is the Decentralized Autonomous Organization, commonly known as DAO. 

First, let’s learn how a typical DAO functions:

  • DAO creators write smart contracts (code written for the blockchain) and develop consensus mechanisms to run the organization. 
  • DAO gets funded via a crowdfunding method, where people invest in the DAO by buying native tokens (in some cases NFTs) or through an initial coin offering (ICO). 
  • The primary work of the DAO development starts when the funding period is over, and the organization begins to operate as a decentralized community. 
  • Community members can propose to the DAO what it should do: current and future development, how to spend DAO’s money, etc. Participants can vote to approve these proposals and make decisions collectively.

To help you better understand how DAOs work, think of the comparison with traditional organizations:

  • In a traditional organization, decisions are made by a centralized authority such as a board of directors or a CEO. 
  • In contrast, a DAO operates through a decentralized network of participants who hold voting rights and contribute to the decision-making process.

DAOs utilize blockchain technology to enforce the rules and automate decision-making. Smart contracts, self-executing agreements stored on the blockchain, enable DAOs to manage assets, allocate funds, and facilitate voting processes securely. This transparency is central to the appeal and growth of DAOs, as they strive to create trust and eliminate the need for intermediaries.

A brief overview of the DAO hack

The DAO Hack is a pivotal event in the history of cryptocurrencies, as it highlights the potential of DAOs and their associated vulnerabilities. 

Key takeaways of the attack:

  • “The DAO” was launched on April 30, 2016, by a few members of the Ethereum community. 
  • The DAO project’s first framework (crowdfunding smart contract) was created mainly by Stephan Tual, Simon Jentzsch, and Christoph Jentzsch using Ethereum blockchain technology. 
  • The DAO project raised 12.7 million ether (ETH), worth more than USD 150 million, from more than 11,000 investors by the time the crowd sale ended after its 28-day window, making it the most successful crowdfunding campaign. 
  • Investors received TheDAO tokens (no longer active and worth $0) at 1 ETH = 100 TheDAO. On May 28th, 2016, the DAO tokens became available for trade on some crypto exchanges. 
  • During May and June of 2016, several community developers pointed out that The DAO smart contract had security vulnerabilities. On June 9th, Peter Vessenes wrote a blog post about some of the flaws. 
  • By June 14th, fixes had been proposed and were awaiting approval by members of The DAO, but the unexpected happened. 
  • On June 17th, 2016, the DAO project got attacked, and the hacker drained 3.6 million ETH (worth around USD 50 million) from the fund. 
  • On July 20, 2016, the Ethereum community (with 85% of the votes) decided to do a hard fork, reversing the hacked DAO contract. The fork moved funds to a new contract, and people who lost funds could withdraw 1 ETH for every 100 DAO tokens in their wallets.
  • Some developers and community members continued using the old Ethereum blockchain, which now runs as a competing system, Ethereum Classic (ETC).

The DAO Hack is a significant lesson for the crypto community. 

In the following sections, we will delve deeper into the background, structure, and fallout of the DAO Hack, aiming to understand its impact and the lessons learned from this infamous attack.

The rise of the decentralized organization concept 

DAOs emerged from wanting to create transparent, trustless, and inclusive systems that operate without intermediaries. 

Ethereum’s cofounder Vitalik Buterin mentioned the DAO concept in his writings in 2013, further contributing to its development. Since then, the idea of decentralized organizations has inspired many projects. As of April 2023, more than 12,700 DAOs had been created in total across the globe.

But The DAO project was identified as a significant milestone for all types of DAOs. Here is why.  

DAOs harness the power of blockchain technology and smart contracts to enable decentralized decision-making, asset management, and governance.

Here are some key benefits of DAOs:

  1. Transparency: DAOs leverage blockchain’s transparency to provide a clear view of all transactions, voting records, and decisions made within the organization. This transparency fosters trust among participants and reduces the risk of fraud or manipulation.
  2. Inclusivity: DAOs aim to provide equal opportunities for participation and decision-making. By eliminating centralized authorities, DAOs allow anyone with an internet connection to become a member and have a say in the organization’s affairs.
  3. Efficiency: Through automating processes via smart contracts, DAOs streamline operations and reduce the need for manual intervention. This automation saves time and minimizes the chances of human error.
  4. Elimination of intermediaries: Traditional organizations often involve intermediaries such as banks, lawyers, or accountants. DAOs eliminate these intermediaries, reducing costs and increasing efficiency by enabling direct peer-to-peer interactions.

The creation of the DAO project

The DAO was conceived as a groundbreaking project to revolutionize venture capital funding and bring a new era of decentralized investment. 

It was launched on the Ethereum blockchain in April 2016. The first framework (crowdfunding smart contract) was created mainly by Stephan Tual, Simon Jentzsch, and Christoph Jentzsch using Ethereum blockchain technology. 

The idea for the DAO project came from Slock.it, a startup that the same group of people launched in 2015. Slock.it planned to connect all smart locks to the Ethereum blockchain and use smart contracts to handle access-control permissions. 

The team created a simple crowdfunding smart contract to raise funds for their startup that gave token holders voting power on what the project should do with the funds. The coding framework was later used to develop the DAO smart contract. 

The DAO project concept quickly gained attention due to its innovative approach.

During the initial funding period of 28 days, the DAO project raised 12.7 million ether (ETH), worth more than $150 million, from more than 11,000 investors, becoming the most extensive crowdfunding campaign ever. 

Investors received TheDAO tokens at the rate of 1 ETH = 100 TheDAO. And native DAO tokens got listed on some of the crypto exchanges. 

Here are some critical aspects of The DAO:

  1. Crowdfunding: The DAO sought to raise funds through a token sale, allowing individuals to purchase DAO tokens using Ether (the native cryptocurrency of the Ethereum blockchain). The funds raised would be used to invest in promising projects and generate returns for DAO token holders.
  2. Token holder voting: DAO token holders had voting rights and the ability to influence investment decisions. Each token represented a proportional ownership stake and voting power within The DAO. This democratic governance model aimed to ensure that decisions were made collectively, reflecting the will of the token holders.
  3. Ambitious scope: The DAO’s vision was to create a decentralized venture capital fund that leveraged the collective wisdom of its participants. It aimed to disrupt the traditional venture capital industry by enabling global investment opportunities and removing barriers to entry.

The creation of The DAO generated substantial enthusiasm within the cryptocurrency community, raising an unprecedented amount of Ether during its token sale. However, the project’s ambitious goals and complex code paved the way for an unforeseen vulnerability leading to a hacker attack.  

In the following sections, we will delve deeper into the events that unfolded during the attack.

The vulnerability that led to the hack

The DAO Hack resulted from a critical vulnerability in The DAO’s smart contract code. The flaw allowed an attacker to manipulate the code and drain a substantial amount of Ether from The DAO’s funds. The vulnerability was related to the mechanism of splitting, which allowed token holders to exit the organization and retrieve their Ether.

At the early stage of the DAO project (May to June 2016), developers and community members raised red flags, pointing out several security vulnerabilities and flaws relating to “recursive calls.” 

Here are some key points about the vulnerability:

  1. Reentrancy attack: The attacker exploited a reentrancy flaw, in which a function is called again, repeatedly, before its earlier invocation has finished executing and updated the contract's state. By exploiting this vulnerability, the attacker could drain funds from The DAO multiple times, bypassing the intended control measures.
  2. The “Recursive call” exploit: The vulnerability stemmed from how The DAO’s code handled transactions during the splitting process. The attacker crafted a malicious contract that made a recursive call to the function responsible for transferring Ether, enabling them to drain funds from The DAO repeatedly.
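
The ordering problem described above, shown as a simplified Python model that is added here and is not The DAO's Solidity code: a payout that hands control to the recipient before updating its own ledger can be re-entered, while updating state first (checks-effects-interactions) stops it. The class names, account names, and amounts are hypothetical and constructed for illustration.

```python
"""Toy model of reentrancy; constructed example, not The DAO's contract."""


class Vault:
    """Ledger that pays out by invoking the recipient's callback, the way an
    Ether transfer hands control to the receiving contract's code."""

    def __init__(self, deposits, safe):
        self.balances = dict(deposits)       # what each account is owed
        self.pool = sum(deposits.values())   # funds the vault actually holds
        self.safe = safe

    def withdraw(self, account, on_receive):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            # Hardened ordering: record the effect BEFORE the external call,
            # so a nested withdraw() sees a zero balance and returns.
            self.balances[account] = 0
            self.pool -= amount
            on_receive(amount)
        else:
            # Vulnerable ordering: funds leave and the recipient's code runs
            # while the ledger still shows the old balance.
            self.pool -= amount
            on_receive(amount)
            self.balances[account] = 0

    def solvent(self):
        """Invariant: held funds must cover everything still owed."""
        return self.pool >= sum(self.balances.values())


class ReentrantRecipient:
    """Recipient whose receive hook calls withdraw() again, up to max_depth."""

    def __init__(self, vault, account, max_depth):
        self.vault, self.account, self.max_depth = vault, account, max_depth
        self.received = 0
        self.depth = 0

    def on_receive(self, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            self.vault.withdraw(self.account, self.on_receive)


def simulate(safe):
    """Return (paid to caller, funds left in vault, solvency invariant)."""
    deposits = {"honest_a": 50, "honest_b": 40, "caller": 10}  # constructed
    vault = Vault(deposits, safe)
    recipient = ReentrantRecipient(vault, "caller", max_depth=5)
    vault.withdraw("caller", recipient.on_receive)
    return recipient.received, vault.pool, vault.solvent()


if __name__ == "__main__":
    print("vulnerable:", simulate(safe=False))
    print("hardened:  ", simulate(safe=True))
```

In the vulnerable ordering the account credited with 10 units is paid 60 and the vault can no longer cover the 90 units owed to the other depositors; with the state update moved ahead of the call, the nested call finds a zero balance and the invariant holds.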

The impact of the hacker’s exploit on The DAO project

The attacker successfully exploited the vulnerability in The DAO’s code, resulting in the theft of a significant amount of Ether. 

The amount stolen was 3.6 million ETH (the equivalent of $50 million at the time), almost 30% of the initial funds raised by the DAO, making it one of the largest hacks in cryptocurrency history. 

  • The price of ETH dropped by 40%, from $21 to around $13 in a few days. 
  • Crypto exchanges delisted the TheDAO token later the same year. 

Funds were moved into a separate account with a 28-day holding period to stop the draining process until further decisions were made.  

The impact on The DAO and its participants was substantial, raising questions about the security and viability of decentralized systems.

The exploit had the following effects:

  1. Loss of funds: The hacker drained a significant portion of The DAO’s funds, resulting in financial losses for both The DAO itself and the token holders who had invested in it.
  2. Shaken investor confidence: The DAO Hack undermined confidence in the security and integrity of decentralized systems. Many participants in The DAO and the broader cryptocurrency community questioned the viability of DAOs and their ability to protect investor funds.

Ethereum “hard fork” and the community response

In response to the DAO Hack and the subsequent loss of funds, the Ethereum community faced a critical decision on how to address the situation. This decision ultimately led to a significant event known as the Ethereum hard fork. 

The decision to do a hard fork received 85% of the votes within the Ethereum community. Frozen funds were moved to a new contract with the option to withdraw. Original contributors who lost funds could withdraw 1 ETH for every 100 DAO tokens in their wallets. 

Here’s what you need to know:

  1. Hard fork defined: A hard fork is a radical change to a blockchain protocol that is not backward-compatible. It involves creating a new blockchain version with different rules, often resulting in a split between the community and the network.
  2. The fork’s purpose: The Ethereum hard fork was initiated to address the DAO Hack by creating a new blockchain with modified rules to restore the stolen funds to their rightful owners. The goal was to reverse the transactions associated with the attack and prevent the hacker from accessing the stolen funds.
  3. Community response: The proposal for the hard fork sparked intense debate within the Ethereum community. Some argued in favor of the hard fork as a necessary response to protect the ecosystem and investor confidence. Others opposed the fork, citing concerns about the immutability and integrity of the blockchain.

Creation of Ethereum Classic as a result 

Some miners disagreed with the fork and refused to adopt it, which split the community. 

The Ethereum hard fork created two separate blockchain networks: Ethereum (ETH) and Ethereum Classic (ETC). 

Here’s what you need to know about Ethereum Classic:

  1. Fork outcome: The hard fork led to a divergence in the Ethereum blockchain, with one branch following the modified rules (Ethereum) and the other maintaining the original rules (Ethereum Classic).
  2. Ethereum Classic’s principles: ETC upholds the principle of immutability and maintains the original blockchain’s history, including the transactions associated with the DAO Hack. It aims to preserve the idea that code is law, even in cases of exploitation or hacks.

The fallout from the DAO Hack, the subsequent Ethereum hard fork, and the creation of Ethereum Classic highlighted the complexities of handling security breaches within decentralized systems. 

In the next section, we will explore the identity and motivations of the suspected hacker behind the DAO Hack, shedding light on the individuals involved and their possible methods.

Investigation and identification of potential hackers

Following the attack, an extensive investigation was conducted to trace the stolen funds, identify potential hackers, and explore possible solutions. While no attacker was officially found and charged, various theories about the attacker's identity arose through the years. 

Did the hacker respond?

There is no solid evidence, but the attacker could be a single male who communicated with the community. 

In an open letter addressed to The DAO and the Ethereum community, the attacker allegedly asserted their actions were legitimate and warned of potential legal consequences for anyone attempting to invalidate their work. 

However, some observers noted that the message’s cryptographic signature was questionable and possibly forged. 

Nevertheless, the letter demonstrated a well-written argument and perspective that appeared rational from a particular standpoint. It revolved around the fundamental premise of smart contracts, which asserts their autonomy as self-governing entities impervious to external influences. 

The suspected hacker: Who attacked the DAO? 

A recent investigation by Laura Shin pointed to a suspected hacker. Toby Hoenisch, a programmer and a co-founder of the TenX project, lived in Singapore at the time of the attack. 

Toby denies his involvement and responded only once to the investigation with the following statement:

~ “Your statement and conclusion is factually inaccurate.”

He hasn’t responded to Laura’s follow-up messages, but she believes she has hard evidence that all trails point to him. 

Here are some critical pieces of evidence that pointed to the possible hacker: 

  • After the hard fork, the attacker still held the stolen funds as Ethereum Classic tokens: 3.64 million ETC. In the same summer of 2016, the attacker moved their ETC to a new wallet and kept it untouched until October. 
  • The hacker began using ShapeShift exchange, which didn’t require personal identity to open an account and managed to exchange ETC to Bitcoin—obtaining 282 bitcoins. Perhaps, because ShapeShift was blocking exchange attempts, the hacker gave up, leaving behind 3.4 million Ether Classic (ETC). 
  • A few blockchain analytics companies, Coinfirm and Chainalysis, noticed that the presumed attacker had sent 50 BTC to a Wasabi Wallet. This private desktop Bitcoin wallet aims to anonymize transactions by mixing them.
  • The Chainalysis crew de-mixed the Wasabi transactions and tracked their output to four exchanges. In a final, crucial step, an employee at one of the exchanges confirmed to one of Shin’s sources that the funds were swapped for privacy coin Grin and withdrawn to a Grin node called “grin.toby.ai.”
  • The IP address for that node also hosted Bitcoin Lightning nodes: ln.toby.ai, lnd.ln.toby.ai, etc., and was consistent for over a year. It was hosted on Amazon Singapore. Lightning explorer 1ML showed a node at that IP called TenX.
  • The CEO and co-founder of the TenX company used the handle @tobyai on AngelList, Betalist, GitHub, Keybase, LinkedIn, Medium, Pinterest, Reddit, StackOverflow, and Twitter. His name was Toby Hoenisch.
  • Before and after the attack, Toby interacted with the DAO members via email and Reddit, raising concerns about problems with the DAO smart contract. He tweeted and retweeted information about the attack and the aftermath and published multiple Medium posts focused on the DAO case. Strangely enough, he cleaned up all his old Reddit and Twitter messages after the DAO hack.

Laura goes into more detail about her investigation in this article. FYI, Toby was not charged in relation to this fraud and has not been proven guilty. 

Conclusion and key takeaways

The DAO Hack was a watershed moment in the history of decentralized finance. 

The DAO project aimed to revolutionize investment and decision-making within the Ethereum ecosystem. However, its smart contract code vulnerability allowed a hacker to exploit the system, stealing approximately $50 million worth of ether (ETH). The impact was far-reaching and immediately affected The DAO and the whole Ethereum ecosystem.  

In response to the hack, the Ethereum community faced a critical decision. A controversial hard fork was proposed to reverse the transactions and restore the stolen funds. This led to a heated debate about the fundamental principles of decentralization and immutability. Ultimately, the hard fork was executed, resulting in a split within the Ethereum blockchain and the creation of Ethereum Classic as a dissenting alternative.

The DAO Hack served as a valuable learning experience for the cryptocurrency community, offering key takeaways and lessons for the future of decentralized finance:

  • Security and auditing
  • Governance and risk management
  • Community consensus
  • Ethical hacking and bug bounties
  • Balancing decentralization and security

As the crypto industry continues to evolve, the DAO Hack serves as a reminder of the risks and complexities inherent in decentralized finance. By embracing the lessons learned from this incident, the community can work towards building more robust, secure, and resilient systems that empower individuals while minimizing vulnerabilities. Decentralized finance can reach its full potential through collective vigilance and continuous improvement.

Article by
Artem Minaev