The fall of a virtual company – The DAO, part 2

As I demonstrated in the previous part, following its crowdfunding success in May, The DAO’s owners were massively shocked on 17 June. An unknown hacker found a loophole in the smart contract regulating the decentralized company and exploited it to steal 3.6 million ether.

The hacker found the fault in the part of the contract that regulates splitting. Reminder: the shareholders of the company can decide at any time to split from it, in which case the assets of The DAO that proportionately belong to them are carried over to a new company. As a shareholder, the thief also initiated a split, but in a tricky way. They noticed that the code for the split function that implements the split first places the asset belonging to the person wishing to split into the new company and only then destroys this person’s The DAO shares. The hacker managed to invoke the split function again between the implementation of the two procedures. At this point, the asset belonging to the hacker had already been placed into the new company, but according to the program, they still had The DAO shares, since these hadn’t been destroyed. When the function is invoked again, the program only detects that a shareholder is completely rightfully requesting their share of assets to be transferred to a new company (since they own The DAO shares), therefore it performs the procedure for a second time, too. It goes without saying that the hacker won’t let the code run its course completely this time either and instead invokes the split function again and again at the appropriate moment in a recursive manner.

This is similar to when, after withdrawing money from an ATM, it asks if we would like to do anything else. However, the settlement program doesn’t work properly and only deducts the amount we withdrew from our account after we’ve answered “no” to this question. But if we answer “yes”, we can withdraw money again without the program having modified our account balance in the meantime. We can keep on doing this until the ATM runs out of money.

It’s interesting to note that the robbery that took a couple hours could be witnessed live on Ethereum’s public blockchain; it was like watching a bank robbery in real life and being unable to do anything about it. In all likelihood, the thief – whose identity of course remains unknown – could’ve transferred The DAO’s entire wealth, 12 million ether, to the new company, but they stopped on their own at 3.6 million. Maybe they thought that if they did too much damage, it would undermine trust in Ethereum once and for all, and ether’s exchange rate would completely collapse as well. At that point, it’s no use having 12 million pieces if they’re worth nothing. They’re fine with having less, which is actually worth more.

The danger, however, was not over, since anyone else could also try to siphon off ether from the virtual company by exploiting the fault described above. They did attempt to do so, but to use the method efficiently, first it had to be studied and understood properly. A race against time began and it was won by Robin Hood Group, a group consisting of good guys which was formed spontaneously by Ethereum developers. Avoiding further malignant attacks, they “stole” and thus secured the remaining ether. Their plan was to later give them back to their rightful owners in some form.

At this moment, The DAO was penniless and completely plundered, and a debate began about the way forward in Ethereum’s upset community. An important addition to the story is that although the hacker had moved the money to their new company, they couldn’t use it there yet, so they didn’t have complete control over the amount yet. Remember that in the previous part, I explained that splitting from a company is a prolonged procedure; the length of the procedure’s respective parts is determined by the smart contract, and not even the hacker can overwrite this. This meant that until the time lock was released and the thief gained access to their loot, the community had a few weeks to come up with something.

Many argued that before this happened, the situation should be managed by reprogramming Ethereum. Ethereum, like bitcoin, is a system based on consensus. If I have ether, it’s only because that money is in my account in every miner’s bookkeeping. If every miner conspires against me and they unanimously credit it to someone else’s account, that money will go into that account simply because of this and I can’t do anything about it. The fraud would be obvious, of course; everyone could see this by going through the public bookkeeping (i.e. the blockchain). But if everyone pretends in complete agreement that there’s no fraud, then actually there isn’t any. That’s because this can be thought of not as fraud but as rewriting the rules.

Luckily, the network of Ethereum or bitcoin is run by a large number of participants who can’t easily conspire, and it wouldn’t be in their interest to undermine trust in the system anyway. The arbitrary crediting of money from one account to another by miners has never happened. There must be a compelling reason for rewriting the rules.

The question is whether the plundering of The DAO is a compelling enough reason. Those who say it is argue that the loss generated by the incident was too big and the incident affected too many investors; in other words, the company is too big to fail. If it failed after all, which would cause lasting damage. Ethereum is an experimental project in an early phase anyway, so a similar special assessment is still permissible. Something similar happened to bitcoin in 2010, too (although in that case they were forced to fix a fault in the mining program, which was necessary anyway). And if the thief dumps their loot on the market, he could destroy ether’s exchange rate. Thus, besides the exchange rate loss suffered by the community, even the financing of the entire Ethereum project could be endangered, since the Ethereum Foundation that carries out the development keeps a significant part of its reserves in ether.

Opponents say, however, that Ethereum’s independence can’t be given up. If we intervene, we only prove that Ethereum’s unmanipulability is simply a myth. After this, no one could be certain that their smart contract or account balance wouldn’t be retrospectively and arbitrarily modified for one reason or another. Robberies or losses due to technical reasons have happened before and will continue to happen, yet no one has thought about retrospectively changing the rules because of them. Why would this one case be an exception? If we set a precedent, then from then on whoever is stolen from or makes a mistake can rightfully demand the systemic undoing of things in their interest. That is obviously nonsense and unfeasible. There have been numerous shocking robberies involving huge sums in the world of bitcoin too, yet the idea of playing with the system’s rules has never come up seriously. The administration of justice and running the system are tasks that are independent of each other. Let’s not administer justice by retrospectively modifying the rules, because that will only breed complication and distrust. Furthermore, bringing up the argument of “too big to fail” is a mistake, since saving the virtual company would only mean rewarding irresponsible behaviour. The huge risk of investing in The DAO was known, and one of the factors in that was precisely the complicated smart contract. We can’t undo everything immediately if a risk is activated and things go wrong. If people see that if they do stupid things in huge numbers, they’re always saved, that only encourages systemic excessive risk-taking, and that’s what led, among other things, to the crisis of 2008.

An interesting (although from a certain aspect not at all surprising) development in the story is that the supposed thief also supported this version in an open letter. Although it isn’t proven that the thief wrote it (I’d say they didn’t), it explains well a further argument for keeping the rules. The letter questions whether a crime even occurred.

It argues that The DAO’s conditions of use state that any kind of interpretation or explanation of the smart contract that defines the company is not authoritative; and these are made only for education purposes. If there’s a contradiction between the interpretation and the smart contract itself, then the latter is relevant. The code is the law. It follows from this that what happened was in line with the rules, since the program allowed its implementation. The hacker simply thoroughly studied the contract and, having considered the options, decided to invest in The DAO and then split in a special way. Moreover, the efforts urged by a part of the community to systemically change Ethereum would only serve to wrongfully take from them what they obtained legitimately. Therefore, the hacker wrote that legal action would be taken if this happened.

I definitely won’t be the judge in this issue; both sides have strong arguments. However, rewriting the rules could be done in several ways, so it’s best if we consider the options.

  1. Nothing needs to be done. The Ethereum Foundation doesn’t need to do anything in relation to the incident, since Ethereum itself functioned well the whole time and performed its task well. A private company did indeed write a faulty smart contract, but this has happened before and will happen again in the future.
  2. Soft fork, i.e. slightly rewriting Ethereum’s rules. Ether isn’t arbitrarily taken from one wallet and put in another, but the account containing the hacker’s loot is placed on a black list; no transaction involving this account can be performed in the future, because the network will refuse its implementation. Thus, although The DAO doesn’t get the stolen ether back, since they’re effectively frozen, the thief won’t have access to them either.
  3. Hard fork, i.e. retrospectively rewriting Ethereum’s state. The stolen ether is arbitrarily credited to another wallet from which The DAO’s shareholders can withdraw their original investment with the help of a smart contract.


The expression “fork” refers to the fork of the blockchain describing Ethereum’s state in terms of time. If we change the rules, most likely there will be miners who’ll continue building the chain according to the old rules as well as miners who’ll do so according to the new rules. These will differ, so the blockchain will diverge; a fork will ensue.

Most of the community backed the second version (soft fork), probably as a compromise between the two extreme positions. This solution could also have guaranteed more time regarding the final handling of the robbery. However, it soon turned out that, due to technical reasons we won’t go into here, a soft fork in Ethereum is not feasible. The remaining options therefore were option 1 (nothing needs to be done) and 3 (hard fork).

One way or another, both versions meant the death of The DAO. In the case of leaving the rules intact, this was because the virtual company remained plundered. Meanwhile, in the case of a hard fork, it was because (in order not to risk further complication) the ether was to be directly returned to the shareholders, not to the company itself. This was possible because the company hadn’t allocated money to any projects before it was plundered. Therefore it became certain then that The DAO, founded by the most successful crowdfunding in history, would come to a dishonorable end.

The Ethereum Foundation, which carried out the development, decided to include both versions in the mining program at the next upgrade; there would be no “official” position in the matter. When starting the program, each miner can decide whether to activate the old or the new set of rules. The calculating capacity of the supporters of either version will be precisely measurable, meaning there will be a kind of live voting. The 1,920,000th block will be the watershed; that’s where the blockchain will diverge and then it would be revealed which set of rules had a majority. They thought that if one of them – no matter which one – gets a comfortable majority, then, on a consensual basis, that will be called Ethereum from then onwards. They expected that the minority will sooner or later stop mining the other variant, since only worthless money could be mined there as opposed to valuable ether. Mining it is therefore unnecessary and expensive, thus it’s worth turning to the majority version. If this happens, the losing blockchain will soon die.

20 July came; the day when the creation of the critical block was expected. Events on the blockchain subsided, stock exchanges suspended the allocation of ether; no one wanted to do anything until it became clear which was the “real” Ethereum.

The fork happened without any problems, the blockchain diverged properly; there were no unexpected technical problems on any of the strands. The overwhelming majority favored changing the set of rules, and the calculating capacity of the supporters of the original version kept decreasing. It looked like everything was going according to plan.

Since then, we call the blockchain operating according to the new rules Ethereum; it started to “come alive” again and stock exchanges continued their allocations. The former shareholders of The DAO started to pick up their returned ether. On the chart below, we can see how the value of the shares converged back to its nominal value of 0.01 ether from the panic following the robbery, as the eventual victory of hard fork became increasingly certain.

However, supporters of the original rules didn’t concede defeat easily. Stressing the inviolability of the blockchain, they managed to get one of the stock exchanges to list their currency under the name of Ethereum Classic a few days later. With this step, the calculating capacity of the miners of the original chain gained strength, and although it was still a lot smaller than that of the rival chain, it was easily sufficient for stable operation. It became clear that, in contrast to the original plans, the losing strand wouldn’t die. Ethereum’s world thus ended up duplicated; parallel universes were born.

What exactly this means and what its implications are will be explained in the final part.

Original date of Hungarian publication: November 23, 2017