In the world of cryptocurrency, seven-figure heists are a rite of passage. And today, Ethereum, a much-hyped blockchain currency and autonomous software platform, has come of age. This morning, participants in a lavishly-funded investment vehicle called The DAO woke up to an onslaught of alarm bells when it was discovered that an attacker had exploited a vulnerability in the fund's code to drain it.
At 4 a.m., Griff Green, a developer for Slock.it, a company based in Germany that is building on the Ethereum blockchain and created The DAO, sent out this alert on the community’s Slack channel:
“The DAO is being attacked. It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill.”
By midday, the attacker had stolen over 3 million Ether (Ethereum’s native currency), which at the time was worth more than 60 million U.S. dollars.
The DAO is a public investment fund that exists as a bundle of software on the Ethereum network. In a sale this spring, participants signed up for the fund by using their Ether to buy DAO tokens. This, in turn, gave them proportional ownership as well as the right to vote on investment proposals. The DAO software was intended to autonomously coordinate and enforce voting and fund allocation, thereby creating an investment vehicle that could operate without third parties. The sale was much more successful than anyone expected, and by the end of May, Ether holders had put more than $150 million worth of their cryptocurrency into The DAO.
A day before the fund opened for business, a group of researchers identified critical flaws and biases in the process whereby participants vote on spending proposals. There was an appeal for a moratorium until fixes could be made, but today’s losses were caused by a bug that had gone unnoticed until now.
The DAO software gives token holders the ability to take their contributions and split from the larger group into their own identical DAOs. Once the split occurs, the person who created the new DAO has full control over what happens to the tokens, and after 27 days he or she is free to sell the tokens on an exchange to recoup the investment. People who choose this route should be able to leave with only as many tokens as they rightfully own. But late last night, someone found a way to split off with more than their fair share. According to sources, the hacker who did this now controls a satellite DAO that contains 100 times the amount of tokens that he initially invested.
Already, Ethereum developers are proposing ways to fix the situation. The easiest, and least controversial solution is for the network to adopt a new version of the Ethereum software that blacklists the address holding the hacker’s stolen funds, making it impossible for him to cash out on the heist.
But this would do nothing to recoup the losses sustained by The DAO. In order to return the funds back to their rightful owners, the Ethereum community would have to agree to a radical maneuver called a “hard fork” which would essentially roll back Ethereum’s historical record of transactions to a point in time before the heist occurred. This option will inevitably inspire heated debate as it calls into question the immutability of the Ethereum blockchain, which is one of the defining characteristics of the technology.
There is no telling yet whether The DAO will survive this hack. But the theft has undeniably harmed the reputation of decentralized financial instruments and the Ethereum project in general. Since Ethereum went live in the spring of 2015, developers have rushed to build autonomously functioning services on the platform. It is now becoming apparent that properly implementing these applications requires expertise in both coding and game theory.
When contracts are not properly vetted, we now know that it is not only the people using that particular application who suffer. The platform as a whole also takes a hit. In the hours following the heist, the price of Ether dropped by over 30 percent on online exchanges.