The DAO Chronology of a daring heist and its resolution The DAO | Chronology of a daring heist and its resolution

“[the] is cratering because of a US$50 million hack” Insider on 17.06.2016


It has been the saga of the summer for anyone interested in digital currency and beyond. Within hours, the value of Ether (ETH) plunged as a result of a hack which relieved the DAO, a massive Ethereum-based project, of ETH worth US$50 million.

The heist was covered by a number of mainstream journals which published the news with a varying amount of technical detail, mostly highlighting the risks involved in dealing in digital currencies. What happened was, of course, a severe setback for one of the best-known blockchain-based business applications. It is therefore important to understand exactly what happened and draw the necessary consequences in order to improve the technology.

In order to grasp the whole story about the hack of the DAO, it is important to understand what a DAO is and on what platform it was deployed: the blockchain platform Ethereum.

Decentralized Autonomous Organizations

A commonly accepted definition of DAOs, sometimes also referred to as DACs (Decentralized Autonomous Companies), has not yet evolved. Usually the terms refer to a more or less complex interacting set of smart contracts able to resemble the fundamentals of organizations, interacting with individuals and dealing with some sort of property. Smart contracts can be seen as the simplest form of decentralized automation, following rules triggered by predefined conditions.


The Ethereum project and the DAO

Ethereum is a decentralized network like the well-known digital currency Bitcoin. However, unlike Bitcoin, it is not only a digital currency. Ethereum's main purpose is to serve as a platform for running decentralized applications by using what are known as smart contracts. Smart contracts are computer protocols that facilitate, verify, or enforce the negotiation or performance of a contract, or that make a contractual clause unnecessary.

The combination of several smart contracts can even replicate certain functions of a company. Maintained on a blockchain, these combinations of replicated business functions are called Decentralized Autonomous Organizations (DAOs).

In May 2016, the German start-up Slock.it released a white paper going public with their idea to build a Decentralized Autonomous Organization (DAO) named "the DAO". The idea was to create a DAO that would basically work like an investment fund in order to fund Slock.it and other projects. Anyone interested could participate and voting rights were available on the open Ethereum platform. Voting right holders could even float their own funding proposals.

The only prerequisite was that participants needed to buy DAO tokens with Ether (ETH, Ethereum's currency). Each DAO token represented the right to vote on which investment proposals the fund should invest its money in. How much weight each vote had depended solely on the amount of tokens owned. As in an ordinary investment fund, the money collected was intended to be used to invest in different projects, except that in this case the decision was subjected to the votes of the token holders, thereby basically democratizing investment.

The idea caught on not only with blockchain enthusiasts; it received a broad media echo. Gathering approximately US$150mn within a few weeks, "the DAO" became the largest crowdfunding project ever.

[Figure: Simplified overview of the participation process in the DAO. Investors invest Ether in the DAO and receive tokens; token holders make investment proposals and vote for or against each proposal.]


Chronology of a heist

On June 16, 2016, the DAO was the object of an attack. The attacker (it is still not known whether it was a single person or a group of people) used an inbuilt split function to withdraw money from the DAO by transferring it into a child DAO under the attacker's control (later named the "darkDAO"). The split function was originally created to permit the withdrawal of Ether and the return of the tokens owned in the event of someone wanting to leave the DAO.

This particular function was the weak link. The hacker spotted an error in the code and repeatedly called the split function, each time starting a new call before the previous one had finished, a pattern known as re-entrancy. The function sent the Ether out before it recorded that the balance had been paid, so at the moment of each nested call it could not detect that the sum had already been withdrawn by the preceding call.

Repeatedly abusing this inbuilt function, the hacker(s) withdrew Ether worth US$50mn at that time. The theft caused an outcry in the Ethereum community and a massive crash in the value of the digital currency.

In the first days following the attack, several actions and discussions took place to retrieve the stolen funds.

In order to gain time, the first action was to exploit the same function to transfer the remaining funds into sub-accounts. This resulted in two sub-accounts (called child DAOs), both under (mainly) friendly control. Since the attacker succeeded in taking part in at least one of those child DAOs, the Ether transferred was still not safe: the hacker(s) could simply restart the process as long as they were still part of the DAO.

At this time, several solutions were discussed in the blockchain community.

The first, proposed by the founders of Slock.it, was a soft fork freezing the stolen amount before the attacker could withdraw the money. This would have enabled the community to conduct a counter-attack, retrieve the Ether from the hacker's split DAO, the "darkDAO", and refund it to the owners. Although the idea was initially well received by the community, its implementation was dropped due to the security risk associated with it.



Evaluation of solutions

The second major idea proposed to retrieve the stolen ETH was to conduct a hard fork. The hard fork would transfer all Ether in the DAO, the child DAOs, and the "darkDAO" into a new withdrawal contract. The original holders would then be able to use this contract to exchange their DAO tokens for Ether at a pre-defined exchange rate of 100 DAO tokens for 1 Ether. But to be able to do so, all network participants would have to update their client software to a new version which included this feature.

The third possibility was simply not to act at all. At first sight, this might seem harsh and hard to understand for someone new to crypto-currency, but two arguments spoke in favor of this option: first of all, a fork is not free of risk; it can be difficult to implement due to the required consensus of the network participants, and its consequences are hard to predict (more details later).

"… imagine that the ATM didn't record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn't want to process any more transactions – or the machine ran out of money."
Wired, calling the DAO a never-ending ATM

[Figure: Simplified overview of the attack and the hard fork process. The DAO is split by the attack and the counter-attacks into the "darkDAO" and the "child DAOs"; the hard fork moves all of their Ether into a withdrawal contract, from which investors redeem their tokens.]


Secondly, and more importantly, the initial idea of blockchain technology was not supposed to allow such actions. This can be seen as a more philosophical point of view and can best be summarized by a comment from one community participant:

"The involvement of the Ethereum Foundation in the DAO has been and is a mistake. As I see it, Ethereum is supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom, and in order for them to blossom they need a foundation that is strong, and that has integrity in the face of challenges. The hard fork proposal is a compromise that ruins that integrity and signals that projects like the DAO can influence the underlying foundation to their own advantage. To me that is totally unacceptable and is a departure from the principles that drew me to Ethereum."
Reddit forum – Critical Update regarding DAO vulnerability

After a pre-defined period of discussion, and despite the doubts of parts of the community, a hard fork was approved by 97% of the votes cast and was implemented before the hacker could withdraw the stolen ETH from the "darkDAO".

As a result, all funds were transferred to the withdrawal contract and the original DAO token holders started to withdraw their ETH.

Miners, lottery players who validate the system

Miners on a blockchain are a single person or group of persons who verify transactions and add them to the ledger. For this they use dedicated computers to solve computationally difficult puzzles. The first miner to find the answer receives a reward (the block reward plus the fees of the transactions included). Due to their role, they were the ones who were able to carry out the hard fork, by running the updated client, and thereby transfer the funds back to their original holders.


Lessons learned and next steps

• The attack clearly teaches an important lesson for blockchain technology: the platform itself behaved as designed, but the application code running on it, written by human beings, remains the weakest link. The smart contract was programmed by humans and, despite review, still contained a loophole enabling a hacker to perform the heist. Because a deployed contract cannot be patched in place, the only remedies available were the ones discussed above.

• A ray of hope can be derived from the fact that the community has proved its ability to handle problems. In spite of the turmoil, the community remained calm and weighed the pros and cons of all proposed solutions within a short period of time, succeeding in reaching a consensus and implementing the solution chosen.

In an environment in which code is the basis of all functionality, special emphasis needs to be placed on the code's development, review, testing, and deployment. Created as open source, the responsibility for code quality in a blockchain needs to be borne by the whole community. Especially in the case of DAOs, it is the view of many stakeholders in the community that, just as one reads a contract before investing money, the code needs to be reviewed and its related risks assessed by everyone taking this journey.

Evaluating the hard fork, ex post, as a positive action, it is interesting to look at the unexpected consequence of this decision: the co-existence of two currencies.

In the short term it will be interesting to see how the community will be able to adjust to this situation by motivating users who have not yet triggered the exchange of their DAO tokens to do so. As of today (22.09.2016), approximately 13% of the Ether has not yet been withdrawn.

In the long term, and considering the development of blockchain technology, the creation of a precedent every time the technology does not benefit its users should be avoided. As several members of the community emphasized during the discussions, a hard fork is and should remain an exception, as nobody can ensure that a consensus can be reached in future or predict all possible consequences of such an action.

"Throughout this whole experience we have learned a great deal and will carry on learning […] Applying those lessons we have learned we can now move into a bright future of decentralized applications and carefully planned out DAOs."
Christopher Jentzsch | Founder & CTO of Slock.it – Slock.it blog, August 24, 2016

Your Contacts

Dr. Dirk Siegel, Blockchain Institute Deutschland, Tel: +49 151 5800 2835, [email protected]

Peter Wiedmann, Blockchain Institute Deutschland, Tel: +49 151 5800 5232, [email protected]

Jens Hermann Paulsen, Blockchain Institute Deutschland, Tel: +49 151 5800 1977, [email protected]

Leo Tacke, Blockchain Institute Deutschland, Tel: +49 151 5800 3360, [email protected]

Arnaud Michelet, Financial Services Business Transformation, Tel: +49 151 5800 5462, [email protected]

For more information, please see our website www.deloitte.com/de/blockchain

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/de/UeberUns for a more detailed description of DTTL and its member firms.

Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 244,000 professionals are committed to making an impact that matters.

This communication contains general information only not suitable for addressing the particular circumstances of any individual case and is not intended to be used as a basis for commercial decisions or decisions of any other kind. None of Deloitte Consulting GmbH or Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

Issued 9/2016