The 2016 Ethereum DAO Hack Remembered

Reading Time: 3 minutes
  • The Ethereum DAO hacktook place in June 2016 and saw 3.6 million ETH stolen
  • The theft caused Ethereum to split into Ethereum and Ethereum Classic
  • We remember what happened and how the hack went down

The DAO hack that nearly killed Ethereum and spawned Ethereum Classic took place three years ago yesterday, and it serves as a warning of the fragility of blockchain as an emerging technology. We look at the events that took place at the time, how the attack was dealt with, and what lessons we can learn from it.

What was the Ethereum DAO?

The Ethereum DAO (Decentralized Autonomous Organization), formed in May 2016, was supposed to be a kind of venture capital fund for the crypto world, with no centralized authority present to ensure that one single person didn’t control the funds. Based on the newly created Ethereum platform, the investor-directed fund existed to fund projects utilizing the new and exciting smart contract/blockchain combo, with votes taken on which projects would receive funding.

Recursive Call Hack

By June, the DAO’s pot had grown to $150 million in ETH, at which point a hacker decided to try and take advantage of the decentralized nature of the platform and hack into the account holding the ETH. This he managed to do with relative ease by using a recursive call attack to ‘ask’ the smart contract (DAO) to send ETH out multiple times before the smart contract could update its own balance.

Two main flaws made this hack possible: the lack of consideration of and therefore prevention against a recursive call attack, and the fact that the smart contract sent the ETH funds before updating the internal token balance. In the first few hours of the attack the hacker managed to drain 3.6 million ETH, the equivalent of $70 million at the time, at which point he withdrew.

I think TheDAO is getting drained right now from r/ethereum

Ethereum Hard Fork

Unfortunately for the hacker, the process wasn’t as simple as taking the money and running – a saving grace of the smart contract was the hacker would have to submit a proposal, and have it passed by the community, in order to take the money out of the DAO completely. This gave the community 27 days to come up with a remedy, with three options eventually tabled: doing nothing, initiating a soft fork, or initiating a hard fork.

Each option has advantages and disadvantages and caused huge debate within the community, with a soft fork initially adopted then abandoned on security grounds. Performing a hard fork was therefore the only viable option left, a process that would reverse all the transactions on the blockchain to a time just before the hack, overwriting the history and restoring the stolen ETH. This was carried out on July 20 and the funds returned to investors, an eventuality that wouldn’t have been possible had it not been for the lack of absolute immutability in the so-called immutable blockchain.

Human Frailty Exposed

The hard fork caused Ethereum to split into two branches, known as Ethereum and Ethereum Classic (Ethereum Classic is the original branch), and brought huge uncertainty to the burgeoning crypto community in terms of the safety of smart contracts. The DAO was the first large-scale application of Ethereum-based smart contracts, and its untimely end triggered a general suspicion against blockchain technology but also a lack of oversight and regulation. It also raised the question of how smart a smart contract is when, ultimately, it has a human at the end of it.

Of course, many more hacks have come and gone since then, making the DAO hack a kind of watershed moment in cryptocurrency’s short life.