A real-life cryptocurrency heist from the early days of Ethereum that shook up the crypto world
While many people might not know what it is, a DAO, or “decentralized autonomous organization,” is an extremely powerful, interconnected, and modern way for investors to make a difference in the world while capitalizing on businesses they believe in.
Conceptually and financially, they represent a wellspring of great potential; however, a significant heist and series of fraudulent actions have spooked many, even ardent proponents.
But what was the famous DAO Heist? And in the aftermath, how did the community that created it come together to right the wrongs and repair the damage?
In 2016, the first DAO was launched on the Ethereum blockchain. Commonly called the Genesis DAO because it was the first one, many were excited by the possibilities it presented to the community. This development was a cutting-edge and forward-thinking project that was previously unthinkable.
The basic premise behind the DAO was that it could directly fund companies and projects that members of the organization believed in. Anyone who bought into the DAO and invested money into a pool would be granted a “token” representing their share of the DAO and permission to vote on capital deployment.
So, in essence, a DAO would act as a virtual crowdfunding cooperative where profits would be shared amongst the DAO members.
The concept was brilliant and revolutionary, but a famous heist soon cast doubt over its validity and viability and caused widespread investor fear.
A decentralized autonomous organization is a collection of funds run by numerous decentralized individuals worldwide. The cooperative is run by a series of computer programs and rules established and voted upon by those in the organization.
All the rules, regulations, and funds deposited into the DAO are safely maintained on a blockchain. Blockchain-based security, correctly applied, is typically seen as “unhackable” and provides an avenue for disenfranchised younger or smaller investors to invest in alternative assets.
When anyone bought into the DAO and invested their virtual currency (backed by cash), their token represented potential capital gains and involvement in community affairs, including capital allocations to investments.
Business pitches would be heard from all the investors, and a voting process would either approve or deny the proposal. For the Genesis DAO, if the project received more than 20% of all tokens as proxies for approval, the DAO would automatically transfer the cryptocurrency Ether to the winning proposal. Any excess Ether that was later created by the funded proposal (as profit or similar) would be given back to the investing parties as capital gains.
Those who created the Genesis DAO also wanted to ensure that minority voters were protected. Since 20% was the bare minimum needed to approve a proposal, there could be many investors who didn’t approve of it despite its passage.
The developers of the Genesis DAO created a way for minority investors to get their funds back if the DAO approves and funds a project they don’t support. The minority interest would split their tokens into a “child DAO.” After 48 days of waiting, they would get their Ether back. The concept of a child DAO would later become a critical part of the heist.
With the Genesis DAO up and running, it began to drum up much interest and an equal amount of investment cash.
The DAO was hugely successful immediately, generating over USD150 million worth of Ether, and soon had more than 11,000 investors by May 2016. Initially, the tokens sold to investors would be held for 28 days before the DAO began formal operations.
Around this time, some began to speculate that there was possible hacker infiltration. They saw weaknesses in the system and pointed them out to DAO developers and leadership. But before developers could fix the security holes concerned investors highlighted, a group of hackers broke into the smart contracts built into the system.
The hack let the bad actors steal more than 3.6 million coins of the total 12.7 million Ether that had been raised. At the time, that amount was the equivalent of USD70 million[1].
How did the black hats do it? The hacker or hackers took advantage of the ability to split into a child DAO and two loopholes in the faulty smart contract. The first vulnerability in the coding of the smart contract was that the programmers did not consider the possibility of a recursive call exploit, which is a type of function where it calls part or itself directly again and again.
The other vulnerability that the hacker or hackers took advantage of was that the smart contract would send out ETH funds first and then update the balance remaining afterward.
The attacker was able to initiate a split into a child DAO where the smart contract would move the Ether from the Genesis DAO and move it into a child DAO first and then check the balance later. Combined with a recursive loop, the hacker was able to retrieve the funds multiple times before getting to the step where the smart contract code would check the balance, resulting in the loss of the 3.6mm Ether.
Inexplicably, the hacker stopped their attack without draining the entire 12.7mm Ether raised.
When the community noticed the heist, those invested weren’t sure what to do. Part of the indecision was due to the relative newness of the Ethereum network, which powered Ether. Additionally, about 17% of the total amount of Ether was tied up in the DAO. This served to heighten the tension and fear caused by the heist.
Vitalik Buterin, the founder of the Ethereum network, attempted to reassure investors by suggesting a “soft fork” and coding that would prevent the hackers from moving the funds to their hidden accounts.
Things got even tenser when a letter from the alleged hacker group was released to the Ethereum community. It stated that everything the hackers did was legitimate and that the funds waiting for them were rightfully theirs. The hackers went as far as to threaten legal action if the DAO attempted to get the funds back. Additionally, the miners who ran the blockchain system were allegedly offered a collective reward of 1mm Ether and 100 BTC to NOT comply with any soft forks.
Thankfully, as the funds had been siphoned into the child DAO, the hacker needed to have enough time pass before he could request that the Ether be transferred into an account that he controlled. Before this could happen, the majority of the Ethereum community agreed that something needed to be done. After much deliberation and debate, eventually, the community decided on a hard fork to overwrite the blockchain history and restore the stolen Ether to the original investors, reversing all the transactions done on the entire Ethereum blockchain.
Not all nodes followed the main branch, so the hard fork created a new blockchain and crypto, Ethereum Classic.
At the core of it all, this attempted heist was a consequence of the smart contracts that were part of the Genesis DAO. The loopholes inside the system were the problem, and they were noted, but the fixes to repair them weren’t created fast enough.
The damage done by this major hack and heist was immediate. It was the first time that the world saw the vulnerability of blockchain and potential issues with cryptocurrency systems. It created a slew of nasty headlines, speculation, and rumors about how hackers could get ahold of funds after breaking through loopholes.
Additionally, the DAO heist attracted the attention of regulators to this sort of crowdfunding and created a huge amount of embarrassment for the fledgling Ethereum; the hard fork also changed the perception that cryptocurrencies were immutable.
Thank you for reading CFI’s guide to The DAO Heist. To keep learning and developing your knowledge base, please explore the additional relevant resources below:
An introduction to cryptocurrencies and the blockchain technology behind them.
This course explains one of the most important cryptocurrency networks, Ethereum, and how it is poised to lead the charge for decentralized finance (DeFi).
Access and download collection of free Templates to help power your productivity and performance.
Already have an account? Log in
Take your learning and productivity to the next level with our Premium Templates.
Upgrading to a paid membership gives you access to our extensive collection of plug-and-play Templates designed to power your performance—as well as CFI's full course catalog and accredited Certification Programs.
Already have a Self-Study or Full-Immersion membership? Log in
Gain unlimited access to more than 250 productivity Templates, CFI's full course catalog and accredited Certification Programs, hundreds of resources, expert reviews and support, the chance to work with real-world finance and research tools, and more.
Already have a Full-Immersion membership? Log in