Wistia video thumbnail

The story of the DAO hack

“I think the DAO is getting drained right now” – was the quiet headline of a post at /r/ethereum - “Unfortunately, I am on a train to work, so [I] cannot investigate, but looks like a recursive call exploit of some kind.”

This “recursive call exploit”, resulted in the attacker controlling $50 million dollars worth of Ether out of about $150 million dollars worth that had originally been invested.

“Why,” you might be asking, “would people give control of $150 million dollars to a smart contract?” And what code did that attacker write that suddenly gave them control of $50 million dollars?”

That is exactly what we’re going to look at. First, let me tell you about what the DAO even was.

In 2016 a team had a revolutionary idea: that organizations could be decentralized.

For example, we can think of a business as an organization controlled by it’s founders and investors. The business takes labor and capital as inputs and, hopefully returns more capital to the investors than was put in.

The pitch for the DAO to act as a decentralized organization. The idea is you send money to the DAO and you’re given voting tokens.

Of course, the DAO can’t do anything on it’s own – it requires someone to perform actions such as writing code, designing, producing. The person who does the work is called the contractor.

If the contractor wants perform work for the DAO, they submit a proposal and the proposal is voted on by the token-holding members. If the proposal is accepted, Ether is transferred into the destination specified by the Contractor

Unlike centralized organizations which are often opaque, arbitrary, and controlled by a few, the DAO was supposed to be transparent, fair, and controlled directly by it’s token-holding members.


Slockit, the company behind the DAO, set to work, and wrote the code.

When it came time for funding, investors scrambled to take part. The funding raised $150 million dollars. It was the largest crowdfunding campaign in history.

In May, TechCrunch described The DAO as:

a paradigm shift in the very idea of economic organization. It offers complete transparency, total shareholder control, unprecedented flexibility and autonomous governance.

In June, the funds began to drain.

An attacker had read the DAO code, and crafted a set of malicious smart contracts which allowed him to take out more funds than he put in. Way more. This sparked a significant response from Ethereum developers.

They jumped into a chat and started debating what to do.

  • Could the funds be withdrawn directly from the DAO’s account?
  • No. The DAO contract was decentralized with no single privileged owner.

  • Could they convince all of the exchanges to halt trading and withdrawals of ETH so that the attacker couldn’t sell his ETH and the exchanges could return the funds?

  • They tried, but for this to work, you have to get all exchanges to agree in time, and the legitmate customers would not be happy about being unable to handle their own funds.

  • Could they roll back the transactions and apply a hotfix to the blockchain?

  • This was a very controversial idea and something we’ll touch on more. But ask yourself this if code is law, then maybe what the attacker did was unethical but not a hack at all.
  • On the other hand, the funds in the DAO represented nearly 15% of all available Ethereum tokens. Some developers feared that letting the attacker get away with it would kill the Ethereum project.

To fork or not to fork?

Some exchanges did freeze trading. And as rumor got around of a a possible hard fork to revert the transactions, the attacker stopped draining the funds. We can’t know his motivations for sure, but perhaps he knew that protecting what he had was more important than stealing as much as possible.

Whitehats exploited the same bug and withdrew a large number of funds from the DAO in the same way, with the intention of refunding as much as possible to their respective owners.

And with the majority of the funds out of the DAO the community had a decision to make: do we hard fork the chain to recover the funds, or do we let the attacker keep the funds and risk devaluation of the Ethereum ecosystem.

Anti-forkers argued that code-is-law and circumventing that would devalue Ethereum more than a hacker owning or selling a large number of coins.

Pro-forkers argued that Ethereum was still young and Bitcoin had forks early in it’s life and still survived.

During the hard-fork debate someone claiming to be the attacker, without a signature, gave an interview where he tried to bribe the miners to vote against the hardfork. The idea was, he’d give 1 million ETH back to miners who voted to let him keep the rest of the funds.

The community voted. And they decided to hard fork. The solution was direct – add code to Ethereum which directly transfers funds out of the DAO hacker’s accounts into a special smart contract called the WithdrawDAO, where investors could withdraw their funds.

Ethereum Classic

As you might imagine the response was polarizing. People who had funds stolen were relieved to have them back. But for many people it seemed wrong ideologically.

The bug was in the DAO and not Ethereum or Solidity itself. They argued that Ethereum wasn’t broken so there was no technical need to hard fork to bail out one buggy application. Many also worried that it set a bad precedent that circumvented the supposed immutability of a blockchain.

This group formed Ethereum Classic. In Ethereum Classic the DAO attacker was allowed to keep his funds. And as one of his first acts with the funds, he sent 1000 Ethereum-classic ETC tokens to the Ethereum Classic Developers.

Since the DAO

While the hard-fork might be ideologically concerning, the silver lining is that it was a decision made by the Ethereum community and not a proclamation decided by any one person or organization.

In the time since the DAO hack, Ethereum has flourished. In 2017 its been the de-facto platform for raising funds through token sales.

Also, EVM and Solidity platform is gaining wider adoption even beyond Ethereum itself. Platforms like as IBM’s Hyperledger, Microsoft’s Coco, and even other decentralized projects like QTUM have all integrated the EVM into their platforms.

What was the bug?

But when I hear the story of the DAO I’d always wonder, what was the bug exactly. If the Ethereum EVM wasn’t the problem, then that means, the DAO bug had could be implemented again today on any of these platforms.

When I’m writing my smart contracts, how can I prevent such a bug from ever happening to me.

Well in these videos that’s what we’re going to cover. It turns out, the Solidity bugs in the DAO aren’t that difficult to understand, once you know what to look for.

There were several different code issues with the DAO. But there two main patterns that caused the downfall of the DAO that we’re going to look at. They’re called:

  • re-entrancy and
  • race to empty

I’m going to show you toy versions of these patterns, and we’ll discuss alternative, safer patterns that help us mitigate the unwanted behavior.

Hearing of all these attacks might make you think that Solidity programming impossibly insecure and smart contract security is a lost cause. While Ethereum is young, this kind of blanket statement not true.

If history is any lesson, many people thought the same thing about web programming. SQL injection attacks, cross-site-scripting, and cookie-hacking, for example, were widely exploited until the attacks became better known and now these are common patterns we defend against, almost without thinking about - Defense for SQL injection is built into basically every web framework.

Solidity is similar in that we’re in the early stages where some attacks are not necessarily well understood. Raising awareness of these attacks and teaching you to defend against them is the point of this series.