Understanding The DAO Hack for Journalists

Background

THE ETHEREUM NETWORK is a network of computers all running the Ethereum blockchain. The blockchain allows people to exchange tokens of value, called Ether, which is currently the second most popular cryptocurrency behind Bitcoin. Ethereum also allows people to write smart contracts and deploy them on the network: general-purpose code that executes on every computer in the network (currently over 6,000 computers). People then execute these programs by sending Ether to them.

  1. A group of people writes the smart contracts (programs) that will run the organization
  2. Then there is an initial funding period, in which people add cash to the DAO by purchasing tokens that represent ownership — this is called a crowdsale, or an Initial Coin Offering (ICO) — to give it the resources it needs.
  3. When the funding period is over, the DAO begins to operate. People can make proposals to the DAO on how to spend the money, and the members who have bought in can vote to approve these proposals.
  4. It’s important to understand that great care has been taken not to make these tokens into equity shares — they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone — it’s just software sitting on the Ethereum network.

The Hack

Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining the DAO of Ether collected from the sale of its tokens.

  1. The ether in this newly created child DAO can’t be accessed for 28 days, as that is the initial funding period.
  2. Everyone can see the Ether in this child DAO — any attempts to cash it in will trigger alarms and investigations. It could be that the attacker will never get to cash or spend a single Ether of it.
  3. It’s entirely possible that the attacker had a large short position on Ether at the time of the attack, which he then cashed out after Ether had been cut roughly in half. The attacker may already have made his money, regardless of the Ether sitting in the child DAO.
  4. There are things the Ethereum Foundation could do that may be able to nullify the Ether in this DAO. That’s where things get complicated.

The Soft-Fork Proposal

The DAO contains roughly 15 percent of all Ether, so a failure of The DAO has a negative impact on the Ethereum network and its cryptocurrency. It’s worth noting that dozens of startups are working on DAO/governance products, many smart contracts have similar vulnerabilities, and building complex software using smart contracts is still in its infancy. Everyone involved has a stake in what happens next. All eyes are on The DAO and the Ethereum Foundation, hoping for a resolution that allows the ecosystem to continue to develop as it was before.

The Attacker Responds — or, Does He?

I will call the attacker a lone male, even though I have no idea if he is one. What happened next was interesting. In an open letter to The DAO and Ethereum Community, the attacker supposedly claimed that his “reward” was legal and threatened to take legal action against anyone who tried to invalidate his work. Several people pointed out that the cryptographic signature in this message wasn’t valid — it could be fake. But it’s well written and, from a certain point of view, well reasoned: the premise of smart contracts is that they are their own arbiters and that nothing outside the code can “change the rules” of the transaction.

The Hard-Fork Proposal

Another proposal is more aggressive — to ask the miners in this case to completely unwind the theft and return all Ether to The DAO, where it can be redeemed by token holders automatically, thereby ending The DAO. As Stephan Tual puts it in his blog

Responses to the Soft-Fork Proposal

Seen on its own, the proposal is reasonable: a one-time fix to a one-time problem. But many people don’t see it that way. You can read the massive response on Reddit, which I will try to summarize:

The Long Arm of the Law, Not to Mention the Tax Man

The above discussion assumes we are operating in a vacuum, in crypto-anarchy space, where laws don’t apply. But people have invested real money and real laws can and will apply to this case. In fact, all parties here may have legitimate claims that could take years to settle out in courts around the world.

The Aftermath

It seems at this point that The DAO will die, and that DAO token holders will get somewhere between 0 and 100% of their Ether back. It’s safe to say that the Slock.it guys have their hands full for a while: they may not get their project funded (I’m told they put quite a bit of their own money into The DAO), and they may be talking with lawyers for months.

Summary

I believe we can say that this event marks the beginning of a new era of Ethereum’s public blockchain. While the agile approach of “ready, fire, aim” generally works best with new software, it can be dangerous when $150 million gets loaded into the chamber. Ethereum was billed as a general-purpose computer and the harbinger of a new decentralized model for computing and for society. We will see, a bit sooner than we may have wanted, how all this plays out in the real world.

Latest Updates

Consensys has published an update. Hard fork likely. Please read.
There are several polls of whether people favor the hard fork or not. Here’s a good one that requires sending Ether to vote, which makes it more legitimate.

Resources

Videos

The DAO, The Fork, The Fallout — A group discussion

Articles

A supposed Slack interview with a representative of the hacker
Consensys’ DAO Hack FAQ
A guy named Fabian Vogelsteller wrote a few corrections to this article, most of which are technically sound, but the general gist here is still the same — see it if you care about the details.
Coindesk Summary of June 18th
Wired Article of June 18th
Reddit discussion of Vitalik’s proposal
The Reddit “DAO Heist FAQ”
Preston Byrne on Failing Fast vs Failing Unnecessarily
The Legal Aspects of the DAO Hack, by Drew Hinkes

People to Contact

I’m not an expert, but you can contact me and I’ll do my best to help.
The Slock.it contact form.

Provocateur, professional heretic, slayer of myths, speaker of truthiness to powerfulness, and defender of the Oxford comma.

David Siegel