>[!abstract]
>**The DAO hack** was the June 2016 exploit of an Ethereum smart contract underpinning a venture fund named The DAO. The community response to the exploit led to a contentious hard fork of the Ethereum blockchain.
## History
### Incident
In April 2016, The DAO venture fund was formed as a decentralized autonomous organization using a smart contract. It raised ~12M ETH (USD ~150M at the time), or ~14% of all ETH then in existence, in one of the fastest crowdsourcing events in history. The DAO's contract contained a function named *splitDAO()* that allowed investors to exit by splitting into a child DAO and withdrawing their ETH before burning them in the parent DAO.
A reentrancy condition existed in the code by which the smart contract would send ETH *before* updating a user's balance. On 17 June 2016, somebody exploited that loophole to recursively call the withdrawal function and partially drain the contract. They siphoned ~3.6M ETH (USD ~45M at the time) to their own child DAO.
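The send-before-update ordering described above, modelled as a small Python simulation next to the corrected ordering. This is an added example, not The DAO's Solidity code; the `Vault` and `Account` classes, the deposit amounts, and the re-entry count are constructed for illustration.

```python
"""Toy model of a send-before-update withdrawal (constructed, not The DAO's code)."""


class Vault:
    def __init__(self, safe_order):
        self.safe_order = safe_order   # True = update the balance before sending
        self.balances = {}
        self.pool = 0                  # total ETH held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.safe_order:
            self.balances[who] = 0     # effect first (checks-effects-interactions)
        self.pool -= amount            # ETH leaves the contract...
        who.receive(self, amount)      # ...and control passes to the recipient
        if not self.safe_order:
            self.balances[who] = 0     # too late: the recipient already re-entered


class Account:
    def __init__(self, reenter=0):
        self.reenter = reenter         # how many times receive() calls back
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter > 0:
            self.reenter -= 1
            vault.withdraw(self)       # re-entrant call made during the send


def run(safe_order, reenter=3):
    """Return (ETH received by the re-entering caller, ETH left in the vault)."""
    vault = Vault(safe_order)
    honest, caller = Account(), Account(reenter=reenter)
    vault.deposit(honest, 90)          # constructed sample deposits
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the balance zeroed only after the send, a caller entitled to 10 walks away with 40; with the balance zeroed first, the nested call sees a zero balance and returns immediately.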
### Response
However, the design of the contract was such that withdrawn ETH remained locked for 28 days, which gave just enough time for the community to decide on a response. An intense debate ensued between:
1. Doing *nothing* despite the financial cost to DAO participants and credibility risk to the fledgling Ethereum project, on the basis that the smart contract had been executed as written, just not as intended (see [[code is law]]).
<div style="font-size: x-large; text-align:center;">∴</div>
2. Doing a *soft fork* to blacklist the child DAO, so that miners would reject the attacker’s withdrawal transactions after the lockup period. The funds would still be lost, but at least the attacker would not be able to cash out. Unfortunately, this proposal had to be abandoned due to a denial-of-service vector. To comply with Ethereum's architecture, the proposal called for miners to process the transaction first, and *only then* compare the origin address against the blacklist. Unlike a normal failed transaction, a blacklisted transaction followed a different logic and would *not* pay any gas. This new loophole would have let malicious actors spam the network with many computationally intensive transactions at zero cost, forcing miners to spend electricity for nothing, mine empty blocks, and drop out to the point where mining fell to unsafe levels. Avoiding that denial-of-service attack would have required rewriting core gas accounting rules or moving the blacklist checks earlier in execution, which at that point could have introduced more critical bugs and was similar enough to a hard fork anyway.
<div style="font-size: x-large; text-align:center;">∴</div>
3. Doing a *hard fork* to roll back Ethereum's state and return the stolen ETH to a refund contract. This option, which required a coordinated protocol upgrade, gained enough traction that it was eventually executed on 20 July 2016 at [block 1920000](https://etherscan.io/block/1920000).
The hard fork resulted in a chain split which broadly coincided with two antagonistic ideologies:
- *Pragmatists* who supported manually reverting the unintended contract behavior broadly aligned with the new chain (which took over the name “Ethereum”).
<div style="font-size: x-large; text-align:center;">∴</div>
- *Purists* who defended the immutability of code and outcomes broadly aligned with the original chain (which was renamed “Ethereum Classic”).
## My views
>[!tip] Disclaimer
>I had invested in The DAO's project and thus had a personal stake in both the incident and its resolution. My investment was small enough^[ETH was only worth USD ~12 back then.] that I could gracefully withstand the loss and move on. While I like to think otherwise, it is possible that my views expressed below would be different had my stake been much higher. I cannot revisit history to test that hypothesis.
### On the naming of the incident
I consider the expression "The DAO hack" to be somewhat misleading, in that the term "hack" is broad and *could* imply, in some lay interpretations, that the system was *caused to fail* (as happens in denial-of-service attacks) or *broken into* (as happens through social engineering). Neither is true. The smart contract's code was executed as written (just not as intended). I find "The DAO exploit" to be more specific and thus a preferable name for the incident.
### On the community's response
My view (which I expressed on forums at the time) was that the *immutability* and *trustlessness* properties of Ethereum were too valuable to be compromised by (respectively) rolling back the state and imposing a social override. But I also understood that doing nothing might be a near-term death sentence for the fledgling Ethereum project. From a game-theoretical standpoint, I recognized the dilemma as a lose-lose proposition, and was glad I was not the one having to make that difficult call.
Accordingly, had the community opted to do nothing, I was prepared to gracefully lose my investment. Likewise, once the community chose to fork, I pragmatically followed the new chain as I was not *enough* of a purist to remain attached to the original chain, which I considered a technological dead-end as soon as the core development team abandoned it.
That position is broadly consistent with my [[strong opinion, loosely held (SOLH)]] of [[hang on tightly, let go lightly]].
### On personal responsibility
In 2016, The DAO's smart contract code was (and [still is](https://etherscan.io/address/0xBB9bc244D798123fDe783fCc1C72d3Bb8C189413#code)) publicly available, but I (and most people at the time) lacked the technical ability to review it. Yet, I still decided to invest in the project, which means that I was willing to risk up to my entire investment despite having no technical due diligence to rely on. I was essentially playing a game of [[Complete and perfect information|perfect information]] above my skill level, and lost because I was unable to process that information fully.
Accordingly, it would have been disingenuous of me to expect a fork bailout from the community. In fact, I find [[caveat emptor]] to be one of the most paradoxically empowering and endearing features of "being your own bank", and worth asymmetrically more than the traditional safety nets it foregoes (at least for some narrow use cases of financial sovereignty).
### On the exploiter(s)
An interesting implication of the "code is law" position is as follows: *if* executing a smart contract as written is axiomatically always acceptable, *even when* that execution takes advantage of ("exploits") an unintended loophole in the contract, *then* the behavior of the exploiting agent should also be deemed acceptable.
*[[Reductio ad absurdum]]*, it makes little sense to hold the person exploiting the contract morally or legally responsible, when the exploit itself is deemed equivalent to calling any other instruction contained in the code.
Now, I make that provocative assertion only in a very specific context — that of Web3, which is a rather contained experiment in alternative ways of achieving global consensus through trustless means. The space is, presumably, mostly filled with somewhat technically-inclined individuals who generally understand the risks involved.
I *do not* extend that assertion to, say, the [[meatspace]] in which someone might also abuse a very obviously unintended loophole in a wet ink contract to bankrupt you. Outside of Web3, there is *no expectation of either immutability or trustlessness*:
- To the former, courts are a social override mechanism that reviews contracts in their context and renders human judgements accordingly, up to discarding non-enforceable clauses. The spirit of the law matters just as much as the letter of the law.
<div style="font-size: x-large; text-align:center;">∴</div>
- To the latter, society operates on pragmatic trust, such that your bank will not run away with your money, based on their [[Lindy effect|Lindyness]] and social reputation, even though there is no mathematical guarantee otherwise.
In other words, outside of Web3, it is still perfectly reasonable to resist and roll back any unethical attempt at exploiting loopholes, and there are legal avenues for doing so that are backed by state power. Code isn’t law in meatspace; law is law, and it is subject to reasonable interpretation by lawyers and judges.
Back to Web3, I would have preferred for the DAO exploiter(s) to either notify the project team of the vulnerability, or at least return the funds after proving the reentrancy exploit vector. But that again assumes a degree of trust and white-hatness which is *antithetical* to what Web3 aims to build: *a consensus mechanism resistant to even a dark forest filled with greedy and exploitative agents.*
For me, the main takeaway of The DAO’s exploit is that proper [[dogfooding]] in crypto also entails accepting the occasional loss.
<div style="font-size: x-large; text-align:center;">❧</div>
>[!related]
>- **North** (upstream): —
>- **West** (similar): —
>- **East** (different): —
>- **South** (downstream): [[Code is law]]