You just learned chemistry and the first thing you built was a giant bomb and you can’t understand why it blew up in your face.
– brockchainbrockshize, /r/ethereum1
Not content with their existing sales of Internet fairy gold, some Ethereum developers at German blockchain startup Slock.it came up with an even more complicated scheme: The DAO – a Decentralized Autonomous Organization, with “The” as part of the name. This was a smart contract on Ethereum which would take people’s money and give it to projects voted on by the contributors as worth funding: a distributed venture capital firm.
The DAO’s Mission: To blaze a new path in business organization for the betterment of its members, existing simultaneously nowhere and everywhere and operating solely with the steadfast iron will of unstoppable code.2
Bold in original. I’m sure there are no obvious problems there that jump right out at you.
The DAO launched on 30 April 2016, got massive publicity and became the biggest crowdfunding in history up to that time, with over $150 million in ETH from 11,000 investors in DAO tokens. Fourteen per cent of all Ether was in The DAO. It was also the most prominent smart contract of all time, achieving much mainstream press coverage. It proceeded to illustrate just about every potential issue that has ever been raised with smart contracts.
The DAO’s legal footing was uncertain, and widely questioned. Selling tokens in The DAO closely resembled trading in unregistered securities – particularly when DAO tokens themselves hit cryptocurrency exchanges – and the SEC had come down on similar schemes in the past. There was no corporate entity, so it would default in most legal systems to being a general partnership, with the investors having unlimited personal liability, and the creators and the designated “curators” of the scheme likely also being liable.
Shortly before the go-live date, researchers flagged several mechanisms in the design of The DAO that would almost certainly lead to losses for investors, and called for a moratorium on The DAO until they could be fixed.3
Worse, on 9 June a bug was found in multiple smart contracts written in Solidity, including The DAO: if a balance function was called recursively in the right way, you could withdraw money repeatedly at no cost. “Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and were not very, very careful.”4 This was not technically a bug in Solidity, but the language design had made it fatally easy to leave yourself wide open.
The principals decided to proceed anyway, Stephen Tual of Slock.it confidently declaring on 12 June “No DAO funds at risk following the Ethereum smart contract ‘recursive call’ bug discovery”5 … and on 17 June, a hacker used this recursive call bug to drain $50 million from The DAO. And nobody could stop this happening, because the smart contract code couldn’t be altered without two weeks’ consensus from participants. The price of ETH promptly dropped from $21.50 to $15.
(Tual posted on 9 July a hopeful list of reasons why the attacker might give all the ether back, just like that. Because it would be in their rational self-interest.6 This didn’t happen, oddly enough.)
Ethereum Foundation principals discussed options including a soft fork or a hard fork of the code or even of the blockchain itself, or a rollback of the blockchain. The community wrangled with the philosophical issues: this contract had been advertised as “the steadfast iron will of unstoppable code,” but it appeared only the hacker had read the contract’s fine print in sufficient detail.7 Some seriously debated whether this should even be regarded as a “theft”, because code is law and intent doesn’t matter (unlike in real-world contracts operating in a legal system, or indeed in fraud law). Others argued that the market integrity of the Ethereum smart contract system required that incompetent contracts, which The DAO certainly was, had to be allowed to fail.
(The proposed soft fork solution was to blacklist transactions whose result interacted with the “dark DAO” the attacker had poured the funds into. This would have been an avenue for a fairly obvious denial-of-service attack: flood Ethereum with costly computations that end at the dark DAO. In computer science terms, this approach could only have worked by first solving the halting problem: you would need to be able to determine the outcome of any possible Ethereum program without actually running it and observing the result.8)
The DAO was shut down soon after, and on 20 July the Ethereum Foundation — several of whose principals were curators of The DAO9 and/or heavily invested in it — changed how the actual code of Ethereum interpreted their blockchain (the “immutable” ledger) so as to wind back the hack and take back their money. The blockchain was “immutable,” so they changed how it was interpreted. The “impossible” bailout had happened.
This illustrated the final major problem with smart contracts: CODE IS LAW until the whales are in danger of losing money.
Ethereum promptly split into two separate blockchains, each with its own currency – Ethereum (ETH), the wound-back version, supported by the Ethereum Foundation, and Ethereum Classic (ETC), the original code and blockchain – because this was too greedy even for crypto fans to put up with. Both blockchains and currencies operate today. Well done, all.
Apologists note that The DAO was just an experiment (a $150 million experiment) to answer the question: can we have a workable decentralized autonomous organization, running on smart contracts, with no human intervention? And it answered it: no, probably not.
1 brockchainbrockshize. Comment on “Attacker has withdrawn all ETC from DarkDAO on the unforked chain”. Reddit /r/ethereum, 25 July 2016.
2 The DAO front page, archive of 22 June 2016. Yes, that’s after the hack. The page doesn’t say that any more.
3 Dino Mark, Vlad Zamfir, Emin Gün Sirer. “A Call for a Temporary Moratorium on The DAO”. Hacking, Distributed (blog), 27 May 2016.
4 Peter Vessenes. “More Ethereum Attacks: Race-To-Empty is the Real Deal”. Blockchain, Bitcoin and Business (blog), 9 June 2016.
5 Stephen Tual. “No DAO funds at risk following the Ethereum smart contract ‘recursive call’ bug discovery”. blog.slock.it, 12 June 2016. (archive)
6 Stephen Tual. “Why the DAO robber could very well return the ETH on July 14th”. Ursium (blog), 9 July 2016. (archive)
8 Tjaden Hess, River Keefer, Emin Gün Sirer. “Ethereum’s DAO Wars Soft Fork is a Potential DoS Vector”. Hacking, Distributed (blog), 28 June 2016.
9 Stephen Tual. “Vitalik Buterin, Gavin Wood, Alex van De Sande, Vlad Zamfir announced amongst exceptional DAO Curators”. blog.slock.it, 25 April 2016.
Your subscriptions keep this site going. Sign up today!