The Ethereum DAO Hack

Today on Malicious Life, tens of thousands of people get robbed.  Then a community gets together to ask: should we take our money back, or let the hacker walk with it?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Episode transcript:

Ran Levi here, welcome back to Malicious Life. The hacking of the DAO–a popular decentralized application from 2016–is a story somewhat different than those generally covered on Malicious Life. Instead of the types of attacks we’ve become accustomed to, the DAO hack occurred over Ethereum, a blockchain technology. Blockchain is quite unique–it operates differently from normal computer networks, and therefore the security protocols associated with it are quite different as well.

Actually, scratch that: blockchain isn’t just different, or unique – it’s strange.

Consider this: when the platform got hacked, everybody–not just the security experts, but everybody–knew how to thwart the hacker. So the question, really, was never about how to stop the hacker. It was whether to do so in the first place! I mean, think about that for a second. It’s like a bank getting robbed, and instead of trying to get the money back, the customers of the bank all get together and debate: should we try to get our money back, or just forget about it?

Today on Malicious Life, tens of thousands of people get robbed. Then a community gets together to ask: should we take our money back, or let the hacker walk with it?

How Blockchain Works

To begin to understand why thousands of people might prefer to see a hacker pocket millions of dollars than return that money to its rightful owners, you first have to know a bit about how blockchain works.

Ethereum is, arguably, the world’s most successful blockchain platform to date. It’s what you’d call a “second generation” iteration of blockchain tech, the first being Bitcoin. Bitcoin was invented back in 2009, and Ethereum was first conceived of by Vitalik Buterin–a mere teenager at the time he came up with the concept.

What distinguished Ethereum from Bitcoin is the separation of application and infrastructure layers of the network. If this sounds complicated, it’s not. Think about it like this: you can construct a building to house a store, or construct an outlet mall that many different stores can come and use. Bitcoin is a store built for itself–a cryptocurrency which runs over its own blockchain. Ethereum is a mall: a blockchain over which many different applications–cryptocurrencies, consumer apps, and more–can run.

Bitcoin may be more broadly famous than Ethereum, but within blockchain communities Ethereum is where it’s at. Developers have built countless cryptocurrencies that run over the Ethereum network, as well as other applications and even games. Cryptokitties, arguably the most famous Ethereum application, is a game where users can take care of and trade digital kittens. Cryptokitties was a huge success–so popular that the entire Ethereum network slowed down in the days after its release. Today, developers are trying to come up with new ways to create fun applications on Ethereum. And you’d figure that if trading digital cats is the standard here, they’ll come up with something better before long.

The DAO

The DAO, like Cryptokitties or any other cryptocurrency, is an Ethereum application. And, like Cryptokitties, it was hugely popular immediately. It began its initial investment period–called an “initial coin offering”, or ICO–at the beginning of May, 2016, and just three weeks in, had already raised over 150 million dollars from over 11,000 investors. This wasn’t just astronomically more than the DAO’s creators had anticipated–it set the record for the largest crowdfunding project, of any kind, in history.

You can think of the DAO as an investment fund, operated by everyone and no one in particular. Individual owners of Ether–the default cryptocurrency of the Ethereum network–invest their personal Ether into the fund. Investors earn voting rights in proportion to their amount of investment. So, for example, contributing two Ether will earn you twice the voting rights of contributing just one. The collective investors of the DAO then get to vote on new projects to fund elsewhere on the Ethereum network. Everything, from here on, is the same as with any other investment firm in the outside world. Approved projects are given seed money and the return on that stake is then handed down to individual DAO participants in accordance with their original contribution amount–again, two Ether earns you twice the profit, or twice the loss, of one.

Perhaps you can see the appeal of such an application. It’s the community investing in itself, through a democratic process. All the DAO participants are in it as a team, with nobody dictating from the top-down. It works without a central authority because applications in blockchain run as what we call “smart contracts”. Smart contracts are just digital contracts that dictate the operation of any blockchain application. It follows, then, that every blockchain application is its own decentralized autonomous organization, or “DAO” for short. What we’re calling “the DAO” is simply one example of this type of program: an investment fund that, instead of being owned and operated by humans, automatically runs according to mathematical functions dictated in computer code. It’s a really exciting, utopian idea, that represented a whole new world for decentralized applications.

What, possibly, could go wrong?

“Recursive Call” Bug

While the DAO was brea king records for funding, some in the Ethereum community were expressing concerns over flaws in its smart contract code that, in theory, could expose it to security risks.

Over 50 project proposals were lined up for investors to vote on when one of the DAO’s founders, Stephan Tual, addressed in a blog post a “recursive call” bug that had been discovered in the code by community members. Here is how that post ended:

“We issued a fix immediately as part of the DAO Framework 1.1 milestone. The important takeaway from this is: as there is no ether whatsoever in the DAO’s rewards account — this is NOT an issue that is putting any DAO funds at risk today.”

It’s worth noting, of course, that Tual would’ve been one of the individuals with a vested interest in calming down the community, by ensuring that everything was alright.

Just two weeks earlier a group of researchers published a paper titled “A Call for a Temporary Moratorium on the DAO”, which caused enough of a stir to make the New York Times. This same “recursive call” bug that was now making news rounds had been seen previously in another program called “MakerDAO”. Those associated with MakerDAO were able to promptly address their bug, because that program was still in its testing phase when the bug was discovered. Our DAO, on the other hand, already had over 150 million dollars worth of Ether on the line. There was no time for delay.

The DAO Hack

While the community was building hype around the DAO, and some experts calling for caution, one DAO investor was brooding, in the background, preparing.

The code launched onto the DAO was quite complex under the hood, but it can be understood in quite simple terms. In fact, it can be represented in no more than a few dozen lines of code. What this malicious actor did was write a program to split the DAO, creating a child DAO with its same properties. The program would retrieve the amount of Ether located in the fund, which happened to expose another blatant programming flaw of the DAO: possibly because its creators didn’t expect so much funding at first, they created only one address through which the entire project’s funds could be found. In other words, this was a bank with all its money in a single vault, making it easier and quicker to target. The malicious program then called to retrieve some amount of Ether from the vault. Finally, the hacker built at the end of his code a recursive function, allowing the program to loop an indefinite number of times, taking more and more money at its master’s whim.

“The DAO is being attacked. This is not a drill.”

Those, the words of a community organizer from Slock.it, the organization responsible for building and deploying the DAO.

It’s Saturday, June 18th–not even one month into the fund’s operation–when this malicious code is deployed onto the DAO smart contract. Within almost no time at all, a third of the entire fund–50 million dollars worth of Ether–is siphoned into the hands of a single investor. The valuation of the coin plummets. Major news outlets break the story in the morning of the following day, before many investors are even awake to see it. Tens of thousands of investors open their computers and find their money gone.

A Majority Vote

But as the community descended into chaos, there was one key component to the attack that would come to be very significant. A catch.

Remember what I said about the malware: it was essentially a duplicate. The malicious program was itself a smart contract that, aside from the funny business that allowed it to siphon money, was essentially equivalent to its parent program in every other sense. Now, why is this important? This is a juicy one.

It’s the ICO period!

The first month of the DAO’s operation, if you remember, was its initial coin offering phase. Like any other decentralized application, funds could be added to the pot but not retrieved or acted upon in any way until the ICO period ended, after 30 days. Because blockchain smart contracts are, by necessity, immutable, the hacker and everybody else was stuck in a very awkward situation. Everybody could see the 50 million that had been stolen, but nobody–including the hacker themselves–could access it for 30 days.

30 days, then, was how much time the Ethereum community would have to decide what to do about their problem.

Luckily, there was a fix. And it had to do with the very fundamental way blockchain works.
In as simple terms as possible: blockchain networks are made up of individual nodes, which process data into discrete chunks, or “blocks”, that connect in a sequence to make a “chain”. New blocks get added to the chain when a majority of nodes agree on the validity of the data contained within. Past all the complicated code, the rules, the terminology, blockchain is really just a ledger of agreed-upon information by participants of a network.

Consider the implications of this, then. If a blockchain is simply a ledger, and its contents are dictated by a majority vote, then how do you reverse a hack?

A majority vote!

It didn’t take a security expert to figure out that all you needed to do, to reverse the DAO hack, was get 51 percent of the network to agree to it. You could then commit a network fork, diverting the entire Ethereum blockchain starting from the block just prior to the problem block–the one containing invalid transfer of funds to the hacker. It’s like stopping a bank heist by traveling back in time to the minute just before the criminals entered the vault – and fixing the faulty lock that allowed the robbery in the first place. Forks are designed to allow for changes to network protocol, but there’s nothing stopping them from influencing the transaction history itself.

Getting more than half the network to agree that a malicious hack is an invalid transaction would be the easy part…

Right?

The Aftermath of the DAO Hack

The aftermath of the DAO hack was, in a word, messy. Everyone who lost money was, understandably, not happy. But it wasn’t just they who lost out. 15 percent of all Ether in existence, at the time, was tied up in the DAO, meaning the stability of the coin itself was now threatened. The value of Ether itself dropped over 25 percent in a day’s time, meaning just about every one of the hundreds of thousands of individuals on the Ethereum network lost money as a result of that one hacker.

You’d think, at this point, everyone would band together to figure out how to reverse the effects of the event. Many people did that. There were, however, many, many others who took the exact opposite view on the matter.

It’s essential to understand a key distinction here: that what we’ve been discussing isn’t an instance of a blockchain network being hacked, but a blockchain application. It may have affected the entire Ethereum network, but the attack itself took place at just one point of contact. Just as you can hack a website but can’t hack the internet, you can hack a decentralized application but can’t realistically hack Ethereum on the whole.

Blockchains (at least the good ones) are designed with natural incentive structures that either dissuade malicious actors, or outright prevent them from breaking the network. The methodology behind these incentive structures are beyond the scope of this episode, but suffice to say: blockchain networks, when designed correctly, are inherently secure. Applications that run over the blockchain, on the other hand, are not so much different than applications that run over the internet. They may not be owned and operated by a centralized entity, but they’re certainly programmed by one. Blockchain engineers from Slock.it wrote the DAO program, and as humans are wont to do, made some key errors in doing so that left vulnerabilities in the program.

This, essentially, was the conflict for some Ethereum community members. The DAO was an app–it was to Ethereum what Yahoo.com is to the internet. If Yahoo got hacked, would you fix the internet? Why should their screw-up become everyone else’s problem? And if we bail out Yahoo, what about next time when Ask Jeeves gets hacked? You can’t bail out Yahoo and nick Ask Jeeves!

So maybe there is some sense to the argument that you shouldn’t reverse the entire future history of a blockchain network, simply to accommodate a single smart contract (no matter how popular that smart contract is). Investing in cryptocurrencies is different than investing in the stock market. When you put money into a company, you’re betting on the product, the operation, and the people of that organization. Crypto isn’t about any of that. When you invest in Ether, you’re essentially investing in the promise of an entirely new future. A whole new technology, a whole new way of doing things. So if we’re all collectively putting our money not just on any given coin but on the concept of blockchain itself, then we have to stick to the principles that made crypto successful to this point. And one of the most vital principles of blockchain is do not touch.

The Death of The DAO

It’s one of the most pivotal concepts behind decentralized networks: that you can build an entire system purely based in code. Not only are humans not needed, they’re not wanted here. Because the infrastructure runs entirely according to mathematical processes you don’t need governments to issue currencies, banks to hold that money, or lawyers to write and maintain contracts. That’s all people stuff.

A hard fork, to some, would be a betrayal of the blockchain concept. Even for the sake of justice, the ends wouldn’t justify the means, because it would prove everything blockchain is designed to avoid: that, no matter how good our tech is, we can’t shake the fact that people will always be the ones pulling the strings. People who tend to ruin things.

So while many DAO investors were pushing to get their money back, others in the Ethereum community took the “too bad, so sad” approach. These individuals had chosen to participate in the DAO, and they should’ve understood the risks involved. But it wasn’t always outside voices making this point. You may not believe it, but there were actually some DAO investors who believed so strongly in the principles of blockchain that they publicly argued against getting their money back. Many others were less romantic about it. “For 50 million dollars screw principles,” they said, “maybe I don’t want to be part of a technology that can’t accommodate this kind of crisis.”

In the end it would come down to a vote. Everyone on the network, DAO investors and not, would get a say. The event would be managed by the Ethereum Foundation, an organization for the promotion and support of the Ethereum network, founded by Vitalik Buterin.

So here we have two opposing teams–those who wanted the money returned to its rightful owners, and those who were willing to bite the bullet for the sake of principle–each with valid claims. The very concept of blockchain, here put to the test. Who would you side with?

In the end, the vote wasn’t very close. It went 89 percent to 11 percent in favor of…Forking the network.

Before 30 days had passed, the network committed a hard fork. The DAO died. The hacker–whose identity remains unknown to this day due to the anonymous nature of blockchain accounts–lost all the coin they’d stolen as it was returned to its rightful owners, albeit at a lower valuation than before. Today, two separate versions of the coin now exist: Ethereum, or ETH, and Ethereum Classic, ETC. Those who dogmatically stuck with the anti-fork philosophy continued to trade with ETC, where the rest of the network moved onto ETH.

As of this writing, Ethereum trades at around 115 dollars. Ethereum Classic: four dollars, fifty cents.

The end of the story–it’s nice, right? Investors get their money back. Not many people leave angry. The hacker fails, and everybody lives happily ever after.

…Except, the DAO hack wouldn’t be the last major incident to rock the Ethereum community.

The Parity Hack

Parity is another application running over the Ethereum network. It’s a digital wallet service, that adds layers of security to your network account. On July 19th, 2017, a hacker was able to steal 32 million dollars from Ethereum cryptocurrency investors by exploiting a vulnerability in the Parity smart contract. And that wasn’t even the worst part.

Four months later, on November 6th, 2017, an individual who came to be identified as “devops199” took control of the entire library of Parity multi-signature wallets. In other words, devops199 successfully took hold of every wallet from every Parity account holder. In total, 150 million dollars.

The second Parity hack was, in its own ways, even stranger than the DAO hack. The first Parity hack was a deliberate attack with the purpose of stealing money. The second Parity hack didn’t seem to be that at all. In fact, to this day we’re still not totally sure what in the world devops199 was trying to do. According to a postmortem published by the Parity team itself: “The user decided to exploit this vulnerability and made himself the ‘owner’ of the library contract. Subsequently, the user destructed this component.” According to their view, the act of taking hold of and deleting access to the Parity library was deliberate. But how does it make sense that someone would gain access to 150 million dollars worth of cryptocurrencies, and then choose to delete the money? What’s to gain? It’s also worth noting: the first person to alert Parity Technologies to the issue was devops199 themselves. They reported their own crime.

It appears, at least to some, that devops accidentally committed one of the most financially impressive hacks in world history.

And it only gets stranger from here. According to some reports, it may be that devops was actually attempting to fix the vulnerability in Parity’s code that allowed for that July hack to occur in the first place! The act of taking ownership over the library may have been unintentional and, presumably realizing what they’d just done, devops panicked, and killed the code. But doing so was an even more deadly mistake, as instead of undoing all that damage, they had accidentally locked all the funds away: from Parity, from its rightful owners…now devops199 themselves couldn’t even touch it.

Put in simpler terms: this person accidentally robbed a bank for 150 million dollars, freaked out, and in trying to undo their heist, burned all the cash.

Months passed without anyone able to reverse the damage. In the time since they’d lost access to their money, the price of Ether ballooned–now that same amount of Ether, instead of being worth 150 million, was worth 320. Everyone’s stolen money doubled.

After much deliberation, and proposals from Parity and community members, the issue finally came to a vote. According to the precedent set by the DAO incident, the Ethereum community was set to vote on the fate of Parity’s 320 million. Unlike with the DAO, though, this vote went against. There was to be no fork, and no funds restored to their owners.

It seemed, in the end, that everyone had learned their lesson.

X

Interested in a bonus episode?