The DAO Story: Decentralized Crowdfunding, Reentrancy Attack & Hard Fork
One of the most disruptive innovations allowed by blockchain technology is the concept of Decentralized Autonomous Organization, abbreviated as DAO. DAOs are entities that take decisions and operate automatically using smart contracts – that’s the “autonomous” part – where all the rules (typically votes or financial transactions) are stored on a blockchain, eliminating the need for a central authority – that’s the “decentralized” part. “The DAO”, also known as “Genesis DAO”, was one of the first instances of such a structure and was created by members of the Ethereum community in April 2016 as a kind of VC fund for the crypto-space and decentralized projects in general. During the creation phase, investors could exchange ETH (Ethereum tokens) for DAO tokens, which would have allowed them to vote on investment decisions and also to receive rewards from investments’ profits. It quickly became one of the most successful crowdfunding campaigns in history, raising over the equivalent of $150 million in just a few weeks.
However, on June 17, 2016, a hacker exploited a coding loophole in The DAO’s smart contract, stealing approximately one-third of it’s funds i.e. 3.6 million ETH worth about $70 million at the time. The hack was due to a reentrancy attack, a bug-related type of attack in which a faulty function within a smart contract can be executed repeatedly; in this case, it allowed the hacker to drain funds from the contract by making a small contribution and then processing refunds multiple times recursively (before the contract could update its balance because of the bug). By the way, if you want to know more about Smart Contracts, check our previous article on the topic.
In addition to revealing a major technical flaw in The DAO’s smart contracts, the hack had a major impact on the blockchain industry. It sparked a tense debate about how to respond within the Ethereum community, torn between trying to mitigate the financial losses or following the principles of blockchain technology: the ethical choice on one side – an intervention to prevent people’s savings from being stolen and the public’s opinion about blockchain from being damaged, and the ideological choice on the other side – blockchains are cryptographically immutable and tamper-resistant, and any external intervention goes against this, even for the right reasons… Ethereum founder Vitalik Buterin first suggested a “soft fork” to add a small code snippet in the protocol rules to blacklist the hacker from performing any further operations. The change would have reduced the total amount of ETH (by artificially burning the stolen amount), but it would have stayed compatible with the previous versions of the blockchain making it a more consensual solution, both concretely and ideologically. Interestingly, in response to this proposal, the attacker claimed they had done nothing reprehensible from a legal point of view, having only executed functions already written (which is technically correct) and they actually threatened to take legal action! How ironic. For the record, the miners voted massively in favor of this proposal (almost 80%), but before it was applied a bug was again discovered in the code… and the decision was withheld! Then followed the “hard fork” proposal, which essentially consisted in creating a new blockchain that rolled back the transactions leading up to the hack – and therefore returning the stolen funds to their original owners. 89% of the voters opted for the hard fork, and on July 20, 2016, two Ethereum blockchains started to co-exist in parallel: the pre-forked one, Ethereum Classic, and the now more renowned Ethereum chain which reached a market capitalization of over $500 billion in November 2021 – check the total market cap online, maybe it’s more now!
Although it was seen as a necessary step to prevent further damage to the community, the hard fork was controversial as it violated the principle of immutability that underpins the blockchain world. The technical bugs also strongly highlighted the importance of code review and security auditing for smart contracts, paving the way for this whole new part of the industry. However, there was another unforeseen consequence of The DAO attack. In 2017, the United States Securities and Exchange Commission (SEC) released a report on its investigation into The DAO and ruled that tokens offered by The DAO were securities and as such, subject to federal securities laws. This ruling had a far-reaching impact, as it showed the following blockchain-related projects what not to do! As a result, most of them found ways to avoid regulation. One such method is the Simple Agreement for Future Tokens (SAFT) framework, which allows companies to raise funds through the sale of tokens that will only be issued once the platform is fully developed and operational. The idea is that these tokens will have legitimate utility value on the blockchain platform later, rather than being solely for investment purposes. This utility value “trick” is how companies can argue that they are not securities and, therefore, not subject to SEC regulation, which is a big deal from regulation perspectives. One thing to note though: as we flash-forward to 2023, this is still a topic of debate and the SEC eventually took enforcement actions against some companies that have used the SAFT method.
In the end, and despite its ultimate failure, it is fair to say that The DAO creation was a significant event in the history of the blockchain industry, as well as its hack and the resulting series of decisions. On the technical side, it taught developers the importance of building and maintaining secure blockchain platforms. On the legal side, it prompted startups to find ways to avoid SEC regulation. Without The DAO, it’s hard to say what other lessons the industry would have needed to learn.