Did Ethereum Learn Anything From the $55M DAO Attack?

Daniel Kuhn

Up until it collapsed, The DAO represented the highest technological achievement – and the coming wave of innovation – that the Ethereum blockchain has enabled. 

The smart contract and blockchain were interlinked ideas. In Vitalik Buterin’s early writings detailing the network of computers that would become Ethereum, the world’s second-largest blockchain by market cap but largest by developer activity, he put forward the idea of fully decentralized, autonomous corporations or organizations (DACs and DAOs). 

The DAO, which got that name for being the first encoded version of the concept, was the proving ground that the disruptive world of venture capitalism could itself be disrupted. Approximately $150 million in ether was contributed to the project, and more than 50 projects were teed up to possibly be funded by a smart contract that no one person owned.

See also: The $55M Hack That Almost Brought Ethereum Down

Then it was attacked. On a Friday morning in June 2016, a still-anonymous hacker (or hackers) exploited a vulnerability in the code and confiscated tens of millions of dollars in cryptocurrency. Copycats soon followed. Investors withdrew their funds, a “dark DAO” was spun up to protect the remaining funds, and a serious debate raged over when it might be appropriate to hard fork or roll back events on a blockchain. 

Four years after The DAO hack, Matthew Leising, a veteran Bloomberg News reporter, is unsure of what it all meant. The obvious lessons around market exuberance and security went mostly unheeded, as evidenced by the ICO bubble that popped years ago and the rise of DeFi today. 

“It goes back to the vision Vitalik laid out for a decentralized platform where people could do whatever they want,” Leising said. “When you give people that flexibility and creative license, you’re going to get crazy projects.”

In his latest book, “Out of the Ether: The Amazing Story of Ethereum and the $55 Million Heist That Almost Destroyed It All,” Leising traces the events leading up to and following the pivotal moment (excerpt here). CoinDesk caught up with him to discuss The DAO’s legacy and what Leising thinks will come next in blockchain. 

What do you think the most lasting legacy of the DAO hack has been? 

I think it had a short-lived effect. At the time, I think people realized that the smart contract should have been capped, that it shouldn’t have been allowed to grow to $150 million in ether, especially for being so new. Ethereum was only a year old at that time. There should have been some emergency stop button or safety hatch, some way to take control if anything went wrong.

I love the idea of decentralized governance, but when you’re writing in a language like Solidity, which was also less than a year old, you have to have a failsafe. Especially considering the amount of bugs that were already found in The DAO before the hack.

When you’re dealing with other people’s money – you have to be careful. I wish I could say these lessons were learned, but I don’t think they have. I think we’re seeing the same mistakes made in DeFi now. The money sloshing around is just insane. It’s even worse in some respects, with people announcing they haven’t audited the code. 

See also: DeFi Lender bZx Loses $8M in Third Attack This Year

At least with The DAO they did security audits, but there were still problems. When you compile in a language like Solidity, you’re going to have problems. There needs to be much more vetting when these projects come out so real people don’t lose money. 

This seems like it gets to the fundamental enthusiasm in crypto. People are attracted to risk and volatility. 

You definitely can’t cap enthusiasm, and I don’t think you’d want to. It goes back to the vision Vitalik laid out for a decentralized platform where people could do whatever they want. When you give people that flexibility and creative license, you’re going to get crazy projects. The only thing you can do about it is to not participate. 

I think interesting things are being done to address this issue. Fabian Vogelsteller is exploring “reversible ICOs.” He’s the guy that wrote the ERC-20 code that allowed for ICOs, and is now trying to address that. He’s created a fundraising mechanism that allows people to pull their money out whenever they want. So it’s not like you dump ETH in a pool and the dev team can go out and buy lambos. 

I’d trust someone like Fabian over some anonymous guy like Sushi Chef. These are questions you have to ask. Who are the people behind the project? Are they known quantities? Have they been in Ethereum for a while or are they coming out of the woodwork? 
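The two answers above name three safeguards: a cap on how much a contract may hold, an emergency stop or safety hatch, and a fundraising mechanism that lets contributors pull their money out whenever they want. The contract below is an added illustration of how those three fit together in Solidity; it is not The DAO’s code, nor Fabian Vogelsteller’s reversible-ICO design, and the contract name, the `guardian` role and the cap value are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contribution pool (added example; not The DAO's code and
/// not the reversible-ICO design mentioned in the interview). It combines
/// the three safeguards discussed: a hard cap on total deposits, an
/// emergency stop controlled by a guardian, and the ability for every
/// contributor to pull their own funds back out at any time.
contract CappedRefundablePool {
    address public immutable guardian;   // hypothetical holder of the emergency stop
    uint256 public immutable cap;        // maximum total ether accepted, in wei
    bool public paused;                  // emergency stop flag
    uint256 public totalContributed;     // ether currently held for contributors
    mapping(address => uint256) public balanceOf;

    event Contributed(address indexed from, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);
    event Paused(address indexed by);
    event Unpaused(address indexed by);

    error OverCap(uint256 requested, uint256 remaining);
    error NotGuardian();
    error IsPaused();
    error InsufficientBalance();

    constructor(uint256 _cap) {
        guardian = msg.sender;
        cap = _cap;
    }

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    modifier whenNotPaused() {
        if (paused) revert IsPaused();
        _;
    }

    /// Accept ether only while not paused and only up to the cap.
    /// totalContributed never exceeds cap, so the subtraction cannot underflow.
    function contribute() external payable whenNotPaused {
        uint256 remaining = cap - totalContributed;
        if (msg.value > remaining) revert OverCap(msg.value, remaining);
        totalContributed += msg.value;
        balanceOf[msg.sender] += msg.value;
        emit Contributed(msg.sender, msg.value);
    }

    /// Contributors can always pull their own funds, even while paused:
    /// the emergency stop halts inflows, it never traps deposits.
    /// Balances are updated before the ether leaves the contract.
    function withdraw(uint256 amount) external {
        uint256 bal = balanceOf[msg.sender];
        if (amount > bal) revert InsufficientBalance();
        balanceOf[msg.sender] = bal - amount;
        totalContributed -= amount;
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Emergency stop: only the guardian may flip it, and it only blocks contribute().
    function pause() external onlyGuardian {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyGuardian {
        paused = false;
        emit Unpaused(msg.sender);
    }
}
```

The design choice worth noting is which way the safety hatch cuts: the guardian can stop new money from coming in, but cannot stop contributors from leaving, so the emergency stop limits the damage of a bug without handing one address the power to lock everyone’s ether.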

You decide not to definitively call out the DAO hacker in the book and write throughout that multiple sources you’ve met with have their suspicions but are also reticent. Do you think crypto respects pseudonymity to a fault?

I want to make clear that there were several different DAO attacks, which is a point that not many people realize. The $55 million Friday attack is probably what people think of when they’re talking about the DAO attack. 

Then there was an attack on the following Tuesday. That’s where I was able to get some leads, do some reporting and track down somebody I think was involved. I believe it was a copycat. The code for the attack contract was already circulated.

They were sloppy enough for me to trace them. That to me says they weren’t very careful, whereas the Friday attacker covered their tracks really well. You should see the ways he scrambled the ether and bitcoin. They knew what they were doing and were very careful. 

I’m moving the ball forward here a little bit, but I wasn’t able to get very far with identifying anyone involved in the $55 million theft. 

If anything, the frequency and scope of attacks has only picked up – but they’ve seemingly become less and less important. Do you think the industry has accepted that attacks are just one of the risks we have to live with?

If you’re talking about people losing significant amounts of their money, I think people are just as concerned today as in 2016. I can’t speak for the industry, but given the frequency at which these things happen, it does seem like there’s a part of the industry that downplays security. 

Everyone who is trading crypto at this point should know not to leave your coins on an exchange – that’s the dumbest thing you can do. 

I’m not sure if people just coming into the space know that. Coinbase and Gemini are like a hacker’s dream. You need to have your funds in a wallet on a blockchain. There are just basic things that people should be doing. But is there enough education about that? Is there anyone telling them to take these steps? Coinbase certainly isn’t telling people, “Now that you’ve bought your BTC, move it off our exchange and put it in your wallet.” That’s not in their interest. 

People make fun of the SEC and CFTC on the regulatory front in the U.S., but they are great about educating potential investors about how to keep their money safe when they’re buying and selling in markets. 

What were you most surprised to learn about Vitalik while researching the book? 

Vitalik really clicked for me after his dad shared some of this document he wrote when he was seven called the encyclopedia of bunnies. It was this 20-page Word document that he wrote because he was absolutely obsessed with bunnies. It’s really impressive.

For some people, you find a certain detail about their life that sort of unlocks them, or encapsulates them. I felt like that was the bunny book for him. We all know he’s brilliant, but he’s also really funny and meticulous. He poured all this energy into this thing as a seven year old. Once I had that, it helped me see him as a person. 

I also didn’t know that behind the scenes of the Ethereum Foundation was such a shi*tshow. There were people fired after six months, a reorganization, and then more people fired. They tried to straighten it out by bringing in a board of directors and executive director – but they were at each other’s throats from the beginning. 

I love the story of all the people that came together to create Ethereum, and the mismanagement of it since the beginning. It never really got better. Despite all the politics and backstabbing, the idea was so good and valid that it survived all of that. 

Do you think they’re going to be able to successfully manage shifting to Eth 2.0? 

I think so. It’s been a long time coming. I interviewed Vitalik at Devcon3 in 2017, where he said proof-of-stake would be here by the end of the year. Another thing I learned about Ethereum is that it has never delivered on time. They thought they would be able to do their crowdsale the Tuesday after the Miami Bitcoin Conference. It was six months late. They’ve always had a problem with timelines. 

That being said, I’ve started to see signs that Eth 2.0 is coming closer to fruition. I don’t have any reason to suggest that they won’t be able to deliver. 

See also: The ‘Hot Swap’ Plan to Switch Ethereum to Proof-of-Stake Explained

It seems like you’ve really bought into the vision of Ethereum. What are you most excited about?

I’m interested in all the Web 3.0 applications being developed on Ethereum that are allowing people to take control over their data and privacy. We’re starting to see that mature. Metamask has gone mobile. There are truly decentralized web applications being put in place. 

It gets to the heart of the idealism that folks like Gavin Wood, Vitalik and Neha Narula had from the beginning. These people really thought they could change the world and they’re doing the work to help make it come about. 

It’s slow and piecemeal. But that vision is clearer now than at any time in the past. Ethereum, DeFi, Web 3.0 will be alternatives, but they won’t replace anything. Bitcoin isn’t going to replace the U.S. dollar as the global currency, but it’s an alternative. 

All of these things, if they’re done well, can be a stable alternative for those who want to have greater privacy. Most people want convenience over privacy, and that’s up to them. But right now, there isn’t much choice. 

That promise will propel this forward. It almost seems like a return to something the internet had at the beginning. Andreas Antonopoulos says we need to redecentralize the web – that feels like what’s happening here. Google isn’t going away, but I want an alternative. 

What do you think the subject of the next great crypto book will be? 

I think the Tether saga – if someone could really tell that story and get all the details. I tried. It’s very hard. I still think there are bitcoin stories to tell. But the space moves so fast, it’s hard to say.