Ethereum is a network of computers running Ethereum blockchain to exchange a token of value called ether. Ethereum blockchain also allows users to build and place smart contracts – a self-executing contract containing the agreement between buyer and seller.
Another concept that has been successfully implemented on Ethereum is DAO (Decentralized Autonomous Organization). The main aim of DAO is to codify the rules and terms amongst organizations on the blockchain, eliminating the need for any central authority to control or govern the decision-making apparatus. Hence the name ‘decentralized’ and ‘autonomous.’
This is how DAO works:
- People write the rules in the smart contract that will govern the organization.
- An ICO is conducted to provide the organization with the resources it needs.
- When ICO completes, DAO starts its operations.
- People who invested in the DAO poll to take decisions on how to spend the money.
DAO Attack
The first DAO was built in May 2016 as a smart contract and managed to raise over $150m before the end of the funding period. Though it became the largest crowdfunding in history; it was plagued with vulnerabilities. Before starting the fund proposal, many users raised concerns about the code vulnerabilities.
Stephan Tual, one of the creators of DAO, announced in the month of June that a “recursive call” bug has been found in the DAO. At that time, he also assured that the funds in DAO were safe. Unfortunately, while testers and programmers were working to fix the issues, an anonymous hacker used the fallback function and attacked DAO to drain half of the money collected.
A fallback function is an unnamed function which is executed whenever a contract receives plain Ether, i.e. when no data is supplied.
The Hack
To start, the thing to keep in mind is that in Ethereum, there are two types of accounts, namely:
- Externally owned accounts controlled by users and
- Contract accounts which are controlled by codes.
It is worth mentioning here that only contract accounts have associated code, hence, can have a fallback function. When a contract calls another contract, the call function provides specific function data, however, when money is sent to another contract, the call function provides the amount but no data, thus, triggers the fallback function.
On 17th June 2016, the hacker managed to find a loophole in the software coding that allowed him to drain 3.6 million ETH from the DAO which was around $70 million at that time. He withdrew the attack when he stole the intended amount.
In this DAO attack, the hacker first transferred a said amount of Ether to the smart contract. After that he was able to “ask” the smart contract to provide the money back multiple times, triggering the fallback function, before the smart contract could update the token balance.
However, the rest of the funds were placed into a wallet which had a holding period of 28-days to protect the people’s money.
Now, to refund the lost money, the developers hard forked Ethereum blockchain to transfer the hacked amount to another wallet available to the original owners. The ETH tokens were then transferred back to the owners at the same rate.
The Reason
There are two major issues that probably made this DAO attack possible:
- The fact that coders didn’t take security measures into considerations properly and left loopholes in the software codes. Moreover, they didn’t consider the possibility of a recursive call.
- The fact that the smart contract took time to update the balance after sending Ether. The smart contract first sent Ether and then updated the token balance.