$50m Ethereum heist had no easy answer

Written by Laurence Kirk

Jul 5, 2016

This was not a drill. A week before the Brexit panic, alarm gripped users and developers of the Ethereum blockchain when its flagship application, “The Dao”, came under attack.

The Dao is an example of a DAO, a Decentralised Autonomous Organisation: a business whose rules are specified in a program running on the Ethereum blockchain, which can own cryptocurrency and assets and make decisions about how it will operate. The autonomy and transparency of these organisations are unique and attractive features, but any flaw in the program is difficult to correct once it is deployed.

The Dao was launched in May, immediately attracting huge publicity. Security concerns were raised, and a moratorium suggested, but the project went ahead. The crowdfunding became the largest ever, raising over $150 million in the form of the cryptocurrency Ether, all of which was owned and controlled by the program running The Dao. Given the size of this fund, it is no surprise that it became a tempting target for attackers.

The attack started early on the morning of Friday 17th June, with $50 million being syphoned from the main fund into an account controlled by an unknown attacker. The actions carried out by this attacker were all valid actions according to the code running The Dao. It is important to understand that there was no flaw in the Ethereum platform; it was The Dao application that behaved in a way its developers didn’t intend.

A few days later the Ethereum community, while considering a response, had its hand forced by signs of another impending attack, and so struck back in what was termed a ‘white hat attack’, draining the remaining at-risk funds from The Dao into friendly accounts. This was mostly successful, though it is possible that the attacker interfered with the process and some funds may still be at risk.

To fork or not to fork

Although the episode is far from over, it is believed that the initial attack stopped when a hard fork of Ethereum was proposed. A hard fork could roll back the malicious transactions, returning the stolen funds, but this requires outside interference to change the blockchain and goes against the principle that the blockchain is immutable and censorship-free.

Many in the Ethereum community feel that such a move would set a bad precedent. The majority view, however, is that a hard fork should be performed before the attacker has a chance to move his funds to an exchange. If this view forms a consensus in the Ethereum community, then after a hard fork The Dao is likely to shut down, returning its funds to the investors.

When developing applications in the future, the blockchain should be seen as an unforgiving environment, and I hope that this episode will lead to more careful development and rigorous testing. Rather than taking a big-bang approach to application development, it is safer to build large applications from tried and tested smaller components.

The attack and response have also illustrated that the Ethereum platform should be considered in a wider sense than just a blockchain and its applications. It also includes a community of users and developers, producing a system whose behaviour is less autonomous than initially thought.

Click here for a set of slides covering an introduction to Ethereum and the hack issue.

About Author

Laurence Kirk

Laurence Kirk runs Extropy, a consultancy in Oxford helping startups develop blockchain applications. After a career in the City of London he became excited by the potential offered by the Ethereum platform, becoming an evangelist, educator and developer for Ethereum and blockchain technology.
