The DAO Development Flaws: A Smart Contract That Crashed Shortly After A Promising Take-off

A smart contract is a self-executing Ethereum-based contract with the conditions of an agreement between two parties directly written into computer lines of code. Smart contracts are the building blocks of Distributed Autonomous Organizations (DAO) – a set of smart contracts existing as a governance mechanism.

This article looks into “The DAO Attack” – One of the most infamous incidences involving smart contracts. It uncovers the story behind the attack including details of how it started, why, and its ongoing impact on the blockchain industry.

The DAO Project

“The DAO” was a decentralized autonomous organization developed as open-source by a German startup — the company behind the smart locks. The project was launched on 30th April 2016 and aimed at operating as a venture capital fund for the cryptocurrencies.

The DAO allowed people to exchange Ether for DAO tokens during the project’s creation period. You could send Ether on a specific wallet address and receive DAO on a scale of 1-100.

For whatever reason, the success of The DAO crowdfunding during the creation period was overwhelming. Over $100 million was raised within 15 days of the creation period and a total of 12.7 million Ether (then $150) from over 11k passionate user making. This was the biggest crowdfunding ever recorded.

How It Works

The idea of the DAO was to give control to the investors through:

  • The DAO tokens bought by investors during the funding period are pooled.
  • DAO begins its operations and investors can submit proposals (pitches) to become contractors using their DAO funds.
  • Once an investor submits a proposal, a curator picked from trusted Ethereum community members would conduct an identity verification of the proposal.
  • On passing the check, investors would vote on the proposal. If 20% of investors approve the proposal, the DAO will automatically release Ether to Contractor’s smart contract address.  

Ethers generated from the DAO-funded proposals were distributed to participating nodes as rewards. Unfortunately, the DAO’s dream was cut short on 16 June 2016 by the attacker(s) who exploited a loophole in The DAO split function.

The DAO Split Function

The DAO split function was an “exit door” for minority users to leave the organization whenever they felt wrong decisions were made in accepting a proposal. Investors could use the split function to reverse Ether sent to the DAO.

Splitting from the DAO required that the investor creates a Child DAO – A minor DAO with the same structure and policies like the main DAO. On approval of a special proposal, an investor and other token holders supporting them would send their Ether into the child DAO.

Problem with the DAO Split Function

The split function was a good policy that protected minority token holders from decisions of the majority token holders. However, the function had two weaknesses hiding in its code:

  1. Disordered execution – Once a split function was initiated, the program retrieved the Ether first and updated the balance later.
  2. Recursive call exploits – The code didn’t check for recursive calls i.e. functions that call themselves during execution.

The DAO Exploit

On 18 June 2016, Ethereum community members noticed an abnormality where the ETH balance of the DAO was going down. Unknown to them, a hacker was recursively calling the split function to retrieve funds multiple times before the DAO could update the balance.

The attacker(s) managed to retrieve a total of 3.6 million Ether (worth $70M then) within hours. The price of ETH dropped from above $20 to below $13 during that period.

The hacker stopped draining the funds at the sixth hour of the attack in what appeared as a voluntary withdrawal.

Luckily, the hacker could not access the funds until the 28 days of initial funding were over. Besides, every user could see the ETH in this “child DAO.” A solution needed to be developed in the next 27 days.

The Solution

The DAO attack attracted the attention of the Ethereum community since it contained about 15% of all ETH. An open letter from the “attacker” addressed to the Ethereum community would later follow to justify their deeds.

A line on the letter read, “I have made use of this feature (split function) and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward.” And another, “I am disappointed by those who are characterizing the use of this intentional feature as ‘theft’.”

These developments called for a great strategy to solve the problem. With only 27 days left to come up with a solution, the community had three options.

  1. Initiate a soft-fork – Collaborate with miners to invalidate calls made by transactions to reduce the funds in the child DAO with the stolen Ether.
  2. Initiate a hard-fork – Overwrite the history of the blockchain to restore the stolen ETH to The DAO. From there, token holders can redeem them automatically, therefore, ending the child DAO.
  3. A third option was to do nothing assuming Smart contracts are laws and everything the law allows is legitimate.

These options got equal opponents and proponents. Voting was done on 22 June where the majority went for a soft-fork. The exercise that was to be activated on 30 June could however be discarded a few hours before release after a team pointed security flaws it could pose. The team, therefore, settled on the hard-fork which was completed on 20 July with investors receiving back their funds.

Ongoing Impacts of The DAO Attack

It’s now four years since The DAO Attack. The impacts are still alive within the blockchain community. Rarely will any smart contract hit the market today without tests guided by The DAO Attack.

The US Security and Exchange Commission (SEC) and other blockchain regulatory bodies have since tightened the requirements of crypto venture capital fundings. These regulations are inclined towards avoiding security breaches with SAFT methods been the most adopted by blockchain startups.

Also, many crypto court cases today use The DAO case as their foundation. This is also true for blockchain security courses and boot camps.

Bottom Line

Marketing and innovation generate revenue, all other activities are costs. The DAO team must have known this. A perfect marketing strategy made its crowdfunding the biggest in history. However, all was not good with their innovation. A slight loophole on the DAO’s design caused its downfall.

Luckily, the Ethereum community came to the rescue of The DAO Investors and they were quick enough to recover the stolen funds.

Things have never been the same in blockchain since the incident. Four years down the line and the impacts of The DAO are still felt. Perhaps a verdict that the rule of law still reigns over the rule of codes.

This UrIoTNews article is syndicated fromDzone