The DAO, a decentralized autonomous organization built on the Ethereum blockchain, has been the subject of an ongoing hack today that has seen the theft of over 3.5 million Ether, valued at more than $50 million at the time of the heist.
The DAO was created as a utopian decentralized venture capital-style smart contract, enabling individuals to gain voting shares in exchange for the virtual currency Ether. Naturally, the fund has attracted huge attention in the digital currency world, with more individuals jumping on board, raising more than $150 million worth of Ether during its crowdsale.
Early Friday morning, however, the DAO was hit by as yet unidentified attackers who appear to have taken advantage of a recursive calling vulnerability, draining millions of Ether into a Child DAO. The hacker(s) will gain control of those funds when the Child DAO opens after 27 days, unless the Ethereum community adopts a proposed soft fork that would prevent the funds from moving. Since the discovery of the hack, the value of Ethereum has dropped dramatically, from trading at $21.50 to $13.35 at its lowest. Only a few days ago, Ethereum was soaring, nearing $20 for the first time.
One Ether wallet identified by members of the community as a recipient of the apparently stolen funds currently holds more than 3.5 million Ether. At the current exchange rate of around $14/ETH that brings the total to $47 million; at the pre-theft valuation of $21.50/ETH, however, the amount is significantly more: $79 million.
Griff Green, a spokesperson for Slock.it, said that discussions are under way with the miners to create a soft fork, which would block both the Child DAO and the DAO from making any further transactions of any kind.
“After the immediate soft fork, there are discussions about preparing for a hard fork that will, on a certain block in the future create a smart contract that all the ETH in the DAO and the Child DAO will be sent to,” Griff said on the DAO Slack channel. “This smart contract will allow the holder of any DAO tokens to claim their fair share of ETH.”
Former Ethereum CCO and Slock.it founder Stephan Tual said on the DAO Slack channel:
“In summary, a hard fork will retrieve all stolen funds from the attacker. If you have purchased DAO tokens, you will be transferred to a smart contract where you can only retrieve funds. Since no money in the DAO was ever spent, nothing was lost.”
Commenting about the hack, Peter Van Valkenburgh, director of research at Coin Center, said:
"DAOs are an important experiment in community governance—governance by code rather than law or norms. Experiments come with risks and rewards and we only learn from the process by letting them run, succeed or fail."
"It looks like The DAO is failing, but there are some bright spots and the community is already learning critical lessons."
"For one thing, it's good to see that delays were built into the code so that even though funds are being "stolen," they are stuck in limbo for at least 27 days because of the code that governs the system. That will give the community of users, miners, and developers time to decide what to do. It could mean that we accept the loss, or that changes are made to Ethereum's protocol to return the funds. But those decisions will be made by a decentralized community that votes."
"This is a laboratory for community governance, and it won't always be pretty. But it's important we let the process play out, and take a longer view of the evolution of these fantastic new tools."
The Known Exploit
Interestingly, five days ago the DAO published a blog post reportedly stating that the exploit used by the hacker had been fixed. In the post, Tual said that the problem had been taken care of:
“We issued a fix immediately as part of the DAO Framework 1.1 milestone. The important takeaway from this is: as there is no ether whatsoever in the DAO’s rewards account – this is NOT an issue that is putting any DAO funds at risk today.”
It seems, however, that the GitHub issue opened to fix the DAO did not match the recommendations in that blog post, taking instead the approach the post had advised against.
Unlike other high-profile hacks that were reversed in a hard fork, it seems that the Ethereum community and the DAO token holders have a bit of time to consider their options, and will need to make a big decision in the next few days.
Should a hard fork be put into place that will prevent the hacker from gaining around $50 million, the equivalent of a major heist on a financial institution, or should the DAO, and potentially Ethereum, simply crash and burn?