David Siegel is a blockchain strategist and speaker, founder of Kryptodesign.com and curator of DecentralStation.com, a place to learn about blockc
David Siegel is a blockchain strategist and speaker, founder of Kryptodesign.com and curator of DecentralStation.com, a place to learn about blockchain.
In this piece, Siegal attempts to help journalists understand the DAO attack and what happened when The DAO collapsed and why he believes it’s important for the press to get the story right.
The article will be updated on Medium as the situation develops. Disclaimer: Siegal owns a small number of DAO tokens.
The basics
The ethereum network is a network of computers all running the ethereum blockchain. The blockchain allows people to exchange tokens of value, called ether, which is currently the second most popular cryptocurrency behind bitcoin. ethereum also allows people to write and put on the network smart contracts – general-purpose code that executes on every computer in the network (currently over 6,000 computers). People then execute these programs by sending ether to them.
A DAO is a Decentralized Autonomous Organization. Its goal is to codify the rules and decisionmaking apparatus of an organization, eliminating the need for documents and people in governing, creating a structure with decentralized control.
Here’s how a DAO works:
- A group of people writes the smart contracts (programs) that will run the organization
- There is an initial funding period, in which people add funds to the DAO by purchasing tokens that represent ownership – this is called a crowdsale, or an initial coin offering (ICO) – to give it the resources it needs.
- When the funding period is over, the DAO begins to operate.
- People then can make proposals to the DAO on how to spend the money, and the members who have bought in can vote to approve these proposals.
It’s important to understand that great care has been taken not to make these tokens into equity shares – they are more like contributions that give people voting rights but not ownership. In most cases, a DAO is not owned by anyone – it’s just software running on the ethereum network.
The very first DAO is bitcoin itself, which is governed by consensus among its core team and its mining network. All other DAOs have been launched on the ethereum platform.
“The DAO” is the name of a particular DAO, conceived of and programmed by the team behind German startup Slock.it – a company building “smart locks” that let people share their things (cars, boats, apartments) in a decentralized version of Airbnb.
The DAO launched on 30th April, 2016, with a 28-day funding window.
For whatever reason, The DAO was popular, raising over $100m by 15th May, and by the end of the funding period, The DAO was the largest crowdfunding in history, having raised over $150m from more than 11,000 enthusiastic members. The DAO raised far more money than its creators expected.
It can be said that the marketing was better than the execution, for during the crowdsale, several people expressed concerns that the code was vulnerable to attack.
Once the crowdsale was over, there was much discussion of first addressing the vulnerabilities before starting to fund proposals. In particular, Stephan Tual, one of The DAO’s creators, announced on 12th June that a “recursive call bug” had been found in the software but that “no DAO funds [were] at risk”.
At the time, more than 50 project proposals were waiting for The DAO’s token holders to vote on them.
It’s important to reiterate that the ethereum network has no such bugs and has been working perfectly the entire time. All networked systems are vulnerable to various kinds of attacks. The ethereum network, which supports (depending on the price) around $1bn worth of ether, has not been hacked and is continuously executing many other smart contracts.
Everyone who writes a smart contract knows that if it can move a large amount of cash it will be subject to attack. This particular vulnerability was discovered recently in another system, called Maker DAO, and was neutralized quickly because that DAO was still in testing.
Many people feel that testing and certifying smart contracts will be an important part of keeping the ethereum ecosystem safe. You’ll find several smart-contract validation services listed at DecentralStation.com.
The DAO Hack
Unfortunately, while programmers were working on fixing this and other problems, an unknown attacker began using this approach to start draining The DAO of ether collected from the sale of its tokens.
By Saturday, 18th June, the attacker managed to drain more than 3.6m ether into a “child DAO” that has the same structure as The DAO. The price of ether dropped from over $20 to under $13.
Several people made attempts to split The DAO to prevent more ether from being taken, but they couldn’t get the votes necessary in such a short time. Because the designers didn’t expect this much money, all the ether was in a single address (bad idea), and we believe the attacker stopped voluntarily after hearing about the fork proposal (see below). In fact, that attack, or…
www.coindesk.com