Imfamous Ethereum DAO hack

1. introduction-

For the cryptocurrency world, code is law and the code which governs the cryptocurrency token is called a smart contract. The smart contract is immutable piece of code when deployed, cannot be changed further. All the users holding tokens should abide by the rules set by the smart contract. In this space, a hack generated by the poor coding of smart contract is not considered a hack, as the hackers abide by the rules set by the smart contract to act upon it. It is considered somewhat bad but for the decentralisation, but rule is true.

2. Background-

On April 30th 2016, leveraging the Ethereum Blockchain platform, a group of programmers launched a crowd-funding effort for a project known as the “The DAO (Decentralized Autonomous Organization). The mission of The DAO was to act as a self-directed venture capital fund, with contributors voting directly on proposed projects. In other words investors would exchange Ethers, the native cryptocurrency associated with the Ethereum platform, for tokens during an Initial Coin Offering (ICO), and then projects would receive approval or rejection in a democratic fashion as directed by the votes of token holders.

The DAO Smart contract was written by the community and put on the github for the community to test the major exploits. One reddit user pointed the bug present on line 666 where a normal user could do unlimited ATM like withdrawals with holding just $10 amount of ether in their wallet. However the smart contract was deployed foreseeing the bug.

Fig 1. The bug is present in function withdrawRewardFor. The hacker manages to call the second if statement recursively as paidout function is just after it, this made hacker siphon unlimited Ethereum without updating their wallet balance on smart contract
Fig 2. This bug could be eliminated if paidout function is called before the smart contract, further updating the balance of the user.

The hacker started calling the withdrawRewardFor() function recursively getting about 8000 ETH per Hour

The above swap of 2 lines of code could have prevented this hack .

The above hack made the would Ethereum community shocked as the code was audited by the most professional auditors. Soon the white hat hackers joined in and started to siphon back the ether from the smart contract much faster than the hacker. This hack last for about 4 days and team of white hat hackers managed to save about 50% or 7.2 Million ETH.

But after that incident, hackers managed to hack about 5% of total ETH supply or about 3.6 Million ETH, which was roughly $65 Million at that time.

Fig 3. The wallet of hacker

Solution for the hack-

After the hack, the community stood upon straight and came up to the 3 feasible solutions-

1. Revert all the Transactions which took place for the DAO hack. As the transactions are recorded on blocks of blockchain, this means that a side chain would create orphaning the previous blocks, which could result in all the revert of normal transaction which took place at that time.

2. Second solution is to do nothing, this would make Ethereum foundation liable for about loss of $75 Million for the investors.

3. The third option is to fork the whole blockchain, This would create 2 blockchains side by side where one would contain reverted transactions and other contains the hacked transactions.

However the whole Ethereum community was divided into two groups which demanded different decisions.

The first group demanded to revert all transactions as blockchain was very new at that time and a hack of that much magnitude would result in distrust for the investors and builders.

The second group demanded to do nothing as reverting transaction would void the fundamental rule of blockchain- the transactions are irreversible and immutable. Reverting transactions would ruin the image of blockchain and create a distrust among the developer community.

Final Solution-

At last a voting among the community was made with 1 ETH = 1 vote. The final verdict was made to revert all the hacked transactions and recover all the stolen funds. This made miners to update their copy of blockchain and continue their operations.

However the second group was not happy with the decision. They stood against it and miners associated with them didn’t update their copy of blockchain. This made 1 transaction appear on 2 different blockchains. At last the two blockchains were made independent and later the cryptocurrency associated with it named as “Ethereum classic”

This made hacker’s fund only appear on Ethereum classic blockchain and hacker could only liquidate it as Ethereum classic.

Fig 4.. Ethereum and Ethereum classic
Fig 5. Fork of Ethereum. The original block would be named as Ethereum classic while forked would become the original ethereum

Was This hack Illegal?

It is the common belief that an hack is always considered illegal as most of the times hacker send malicious object into an website/ server to perform a hack. But in this hack, as the hacker hacked the DAO as per the norms of the smart contract, therefore most people stood in favour of the hack, as reverting hacked transactions would be illegal, but hack dosen’t

At the last moments of the Ethereum fork, an mail came from the hacker to the developers saying about the negative implications of the fork and how he could file an court case against the Ethereum foundation as they are reverting their transactions, not as per the norms of smart contract

But the mail was soon identified and it was not sent by the hacker.

Fig 6. An unknown mail came with the name of the hacker

Conclusion-

After 7 days of intense battle between the hackers and community, the hackers won. Although they got their hack in form of Ethereum classic, which had quite low value as compared to Ethereum. This hack confirmed that a small bug could cause havoc like situations. At that time, people become sceptical for giving money to a piece of code governed by itself and started telling crypto and blockchain as a big fraud, which then proven wrong after the crypto summer of 2017 and DeFi summer of 2020. Group supporting to do nothing would be proven wrong as after the hack, many DAO appeared on Ethereum ecosystem and many investors invested in it.

Deep dive into blockchain