$50m Ethereum heist had no easy answer

Written by Laurence Kirk

Jul 5, 2016

This was not a drill. A week before the Brexit panic, alarm gripped users and developers of the Ethereum blockchain when the flagship application “The Dao” came under attack.

The Dao is an example of a DAO: a Decentralised Autonomous Organisation, a business whose rules are specified in a program running on the Ethereum blockchain, which can own cryptocurrency and assets and make decisions about how it will operate. The autonomy and transparency of these organisations are unique and attractive features, but any problems in the program are difficult to handle.

The Dao was launched in May, immediately attracting huge publicity. Security concerns were raised, and a moratorium suggested, but the project went ahead. The crowdfunding became the largest ever, raising over $150 million in the form of the cryptocurrency Ether, all of which was owned and controlled by the program running The Dao. Given the size of this fund, it is no surprise that it became a tempting target for attackers.

The attack started early on the morning of Friday 17th June, with $50 million being siphoned from the main fund into an account controlled by an unknown attacker. The actions carried out by this attacker were all valid actions according to the code running The Dao. It is important to understand that there was no flaw in the Ethereum platform; it was The Dao application that behaved in a way its developers didn’t intend.

A few days later the Ethereum community, while still considering a response, had its hand forced by signs of another impending attack, and so struck back in what was termed a ‘white hat attack’, draining the remaining at-risk funds from The Dao into friendly accounts. This was mostly successful, though it is possible the attacker interfered with the process and some funds may still be at risk.

To fork or not to fork
Although the episode is far from over, it is believed that the initial attack stopped when a hard fork of Ethereum was proposed. A hard fork could roll back the malicious transaction, returning the stolen funds, but this requires outside interference to change the blockchain and goes against the principle that the blockchain is immutable and censorship-free.

Many in the Ethereum community feel that such a move would set a bad precedent. The majority view, however, is that a hard fork should be performed before the attacker has a chance to move his funds to an exchange. If this view forms a consensus in the Ethereum community, then after a hard fork The Dao is likely to shut down, returning its funds to the investors.

When developing applications in the future, developers should treat the blockchain as an unforgiving environment, and I hope that this episode will lead to more careful development and rigorous testing. Rather than taking a big-bang approach to application development, it is safer to build large applications from tried and tested smaller components.

The attack and response have also illustrated that the Ethereum platform should be considered in a wider sense than just a blockchain and its applications. It also includes a community of users and developers, producing a system whose behaviour is less autonomous than initially thought.


About Author

Laurence Kirk

Laurence Kirk runs Extropy, a consultancy in Oxford helping startups develop blockchain applications. After a career in the City of London he became excited by the potential offered by the Ethereum platform, becoming an evangelist, educator and developer for Ethereum and blockchain technology.