The DAO Hack
YOGYAKARTA – Last month, a decentralized venture capital fund called The DAO, or Decentralized Autonomous Organization, closed a $160 million funding round. Investors from around the world sent either to a specific address, with the intent that the cryptocurrency would be held and then distributed to various projects via smart contracts and decentralized member voting. The idea is that rather than leave decisions to a handful of partners, anyone who invests would have a say in which startups to fund.
However, the mechanism and code for this project were poorly designed and contained a fatal flaw – which was exposed last weekend when someone exploited the code and stole $60 million from the DAO.
Built on Ethereum, a system designed for developing decentralized applications, the DAO was set up in a way to rely completely on code via smart contracts. In fact, in its terms and conditions, there is a stipulation that states that anything which contradicts the code would be considered null and void. The hacker who took the $60 million essentially exploited the code to create a “child” DAO and used the “Send” function within Ethereum to receive the money. However, the DAO’s smart contract as it is coded allows for the creation of a child DAO. And since the smart contract is the DAO’s only legal contract, this makes the hacker’s actions legal!
The hacker himself has also rejected the characterization of his actions as theft. In a letter to the Ethereum community, he thanked them for the incentive to “rightfully claim” the $60 million.
Obviously, a lot of people stand to lose their money, even though the thief still has several weeks to go before he can withdraw from the child DAO. As such, Ethereum’s developers, namely lead developer Vitalik Buterin, are looking for ways to mitigate the loss.
There is a lot of talk about whether Ethereum should be “hard forked” to roll back the amounts of ether in each wallet to a state before the theft took place. This would effectively void the theft transaction (and all other transactions from the time of the attack until present).
But doing so would have potentially damaging implications. The network would have colluded to defend the interests of a few people, thereby possibly creating a “too big to fail” system that sounds oddly like the real-world financial systems it is designed to replace! While it is true that a decision to roll back the state of the network would be made not by one person, but by Ethereum’s miners collectively, a critical fork in the road has been reached. Rolling back the theft transaction would demonstrate that under certain circumstances, the network can and will collude to reach a certain result. Such central control would be damaging to the DAO’s reputation because it means the system is no longer truly immutable.
It may be a good thing that the network is able to collude to reverse a rogue transaction. But this raises the question: when does a system become too big to fail? This is an interesting question to pose to a community of anonymous libertarians who are skeptical of financial systems.
If Ethereum rolls back the transaction, then they are hypocrites. They will have averted short-term disaster, but in doing so created questions as to the underlying motivation and philosophy of the token, as well as their fearless leader.
If they don’t roll back, a lot of people will lose a lot of money, and the Ethereum community will have to learn an expensive lesson – that code cannot be entirely relied upon. You need laws to back it up. And sometimes, especially when you are dealing with storage, transfer, and deployment of hundreds of millions of dollars, the law isn’t all that bad of a thing.