Wirex Academy

The DAO Attack Explained: The Crypto Hack That Made History

Updated: Oct 17


Introduction


In 2016, the decentralized finance (DeFi) community was shaken by one of the most significant events in blockchain history: the DAO attack. The Decentralized Autonomous Organization (DAO) was an ambitious project that aimed to revolutionize venture capital funding through the Ethereum blockchain.


However, a vulnerability in the DAO's contract code led to a catastrophic attack that not only resulted in substantial financial loss but also raised fundamental questions about the security and governance of blockchain-based systems. This article covers the events leading up to the DAO attack, the immediate aftermath, and its long-term implications for the blockchain industry.


The Rise of the DAO


Concept and Creation


The DAO was created as a decentralized venture capital fund that would allow investors to pool their money and vote on which projects to fund. Unlike traditional venture capital firms, the DAO operated without a central authority, relying instead on smart contracts coded on the Ethereum blockchain to enforce rules and execute decisions.


Launched in April 2016, the DAO raised over $150 million worth of Ether (ETH) from more than 11,000 investors, making it one of the largest crowdfunding campaigns in history at that time.


How the DAO Worked


Investors in the DAO received DAO tokens in proportion to their contributions. These tokens granted them voting rights on proposals for funding various projects. The smart contracts governing the DAO were designed to be immutable and transparent, theoretically ensuring fair and democratic decision-making. The allure of the DAO lay in its promise of decentralized control and its potential to democratize access to venture capital.


The Attack



Discovery of Vulnerabilities


Despite its innovative design, the DAO was not without flaws. In May 2016, a critical vulnerability in the DAO's smart contract code was identified by the community. This vulnerability, known as the "recursive call exploit," allowed malicious actors to repeatedly call the withdraw function before the smart contract could update the balance, effectively draining funds from the DAO.


Execution of the Attack


On June 17, 2016, an unknown attacker exploited this vulnerability, siphoning approximately 3.6 million Ether (worth around $70 million at the time and worth around an eye-watering $13,719,168,000 today) into a "child DAO" controlled by the attacker. This event sent shockwaves through the Ethereum community, as the immutability of the blockchain meant that the stolen funds could not be easily recovered through conventional means.


Immediate Response


The Ethereum community quickly mobilized to address the crisis. A "white hat" hacker group, consisting of security experts and developers, launched a counter-attack to secure the remaining funds in the DAO by exploiting the same vulnerability used by the attacker. This effort prevented further losses, but the fate of the stolen Ether remained uncertain.


The Aftermath


Hard Fork Proposal


The attack sparked intense debate within the Ethereum community about how to respond. One proposed solution was a "hard fork" of the Ethereum blockchain, which would effectively roll back the ledger to a point before the attack and restore the stolen funds to the original DAO. This proposal was highly controversial, as it challenged the principle of blockchain immutability and raised ethical and philosophical questions about the nature of decentralized systems.


The Hard Fork and Ethereum Classic


Despite the controversy, the hard fork proposal gained enough support to be implemented. On July 20, 2016, the Ethereum blockchain split into two separate chains: Ethereum (ETH) and Ethereum Classic (ETC). The new Ethereum chain followed the altered ledger that reversed the DAO attack, while Ethereum Classic continued on the original blockchain, maintaining the principle of immutability.


Legal and Ethical Implications


The DAO attack and the subsequent hard fork highlighted several legal and ethical issues. For instance, the reversal of transactions through the hard fork raised questions about the enforceability of smart contracts and the role of human intervention in supposedly autonomous systems. Additionally, the incident underscored the need for robust security practices and thorough code audits in the development of decentralized applications.


Technical Analysis of the Attack


The Recursive Call Vulnerability


The core vulnerability exploited in the DAO attack was the recursive call issue. In simple terms, the attack worked as follows:


  1. The attacker created a function that called the DAO's withdraw function.

  2. Before the DAO could update the attacker's balance, the function called the withdraw function again.

  3. This recursive loop allowed the attacker to drain funds repeatedly in a single transaction.


This exploit was possible because the DAO's smart contract sent the Ether before it updated the caller's recorded balance, so the balance check still passed on every reentrant call. Properly designed smart contracts should include mechanisms to prevent such reentrant calls, typically by following the checks-effects-interactions pattern: validate inputs, update internal state, and only then make any external call.


Preventative Measures


In the aftermath of the attack, the Ethereum community and developers implemented several preventative measures to enhance smart contract security. These included:


  • Code Audits: Emphasizing the importance of thorough and independent code audits before deploying smart contracts.

  • Security Best Practices: Developing and promoting best practices for smart contract development, such as using established libraries and patterns that mitigate common vulnerabilities.

  • Improved Tooling: Creating and adopting tools for automated analysis and testing of smart contracts to identify potential security issues before deployment.


Long-Term Impact


Evolution of Ethereum


The DAO attack served as a catalyst for the evolution of Ethereum and the broader blockchain ecosystem. It highlighted the need for better governance mechanisms and more resilient smart contract designs. Ethereum's response to the attack, particularly the hard fork, demonstrated the community's ability to adapt and evolve in the face of adversity.


Regulatory Scrutiny


The incident also attracted regulatory attention. Governments and financial regulators began to scrutinize initial coin offerings (ICOs) and decentralized finance (DeFi) projects more closely, leading to the development of regulatory frameworks aimed at protecting investors and ensuring the integrity of financial systems.


Advancements in Smart Contract Security


In the wake of the DAO attack, the blockchain community made significant strides in improving smart contract security. Initiatives such as formal verification, where smart contracts are mathematically proven to be correct, and the development of new programming languages designed with security in mind, have helped mitigate the risk of similar exploits.


The Rise of DeFi


Despite the setback of the DAO attack, the principles underlying decentralized finance continued to gain traction. The lessons learned from the DAO's failure informed the development of more robust and secure DeFi platforms, contributing to the rapid growth of the DeFi ecosystem in subsequent years.


Conclusion


The DAO attack was a watershed moment for the Ethereum blockchain and the broader world of decentralized finance. It exposed critical vulnerabilities in smart contract technology and sparked essential debates about the principles of decentralization, governance, and security. The Ethereum community's response, including the controversial decision to implement a hard fork, demonstrated resilience and adaptability in the face of crisis.


In the long run, the DAO attack accelerated the maturation of the blockchain industry, leading to significant advancements in smart contract security and governance. As the blockchain ecosystem continues to evolve, the lessons learned from the DAO attack remain a crucial reference point for developers, investors, and regulators.


Disclaimer

The information contained herein has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for financial, legal, or investment advice. Wirex and any of its respective employees and affiliates do not provide financial, legal, or investment advice.


The value of cryptoassets may fluctuate significantly over a short period of time. The volatile and unprecedented fluctuations in price may result in significant losses over a short period of time. Any Cryptoasset may decrease in value or lose all of its value due to various factors including discovery of wrongful conduct, market manipulation, change to the nature or properties of the Cryptoasset, governmental or regulatory activity, legislative changes, suspension or cessation of support for a Cryptoasset by exchanges or service providers, public opinion, or other factors outside of our control. Technical advancements, as well as broader economic and political factors, may cause the value of Cryptoassets to change significantly over a short period of time.


Content not intended for UK customers.
