One of the most notable concepts that has been successfully implemented through the blockchain technology is the DAO — aka a Decentralized Autonomous Organization. These organizations operate exclusively on smart contracts. Everything, starting from the financial transactions to rules are encoded on a blockchain. This removes the need for a governing authority which is why they are described as “decentralized” and “autonomous”.
The First DAO was launched on 30th April, 2016. The DAO was popular instantly and raised over $100 million by 15th May. Infact, by the end of the funding period, the DAO was the largest crowdfunding in history. It raised over $150 million from eleven thousand members. The funds collected exceeded the expectations of the founders.
It can be concluded that the marketing made up for the execution, as during the crowdsale many people expressed their worries about the vulnerability of the code to attacks. A lot of discussions surrounded the to addresses these vulnerabilities. On 12th June, Stephen Tual, one of the founders, said that a “recursive call bug” has been detected in the software but it does not pose any risk to the DAO funds.
Why Did The First DAO Fail?
Fast forward to 17th June, the DAO was subjected to an attack exploiting a combination of vulnerabilities, including that one concerning a recursive call bug. An approximate value of $50 million assets were drained.
The DAO had a “split DAO” function which was identified and published as a vulnerability days prior to the attack. This function was designed to enable participants of the DAO to transfer account balance and branch off to a new DAO, called the “child DAO” in case they decided to go in a different direction after the conclusion of the vote. The process was simple, the network would check the participant’s balance and then transfer it to the child DAO. When the split is finished, the participant’s balance in the original DAO will be zeroed out.
However, this function had an issue. While the function itself worked perfectly fine, it allowed the participant to perform another split before the first one was completed. The balance was not zeroed out until the end of the split, the attackers used this vulnerability to their advantage. They were able to perform this split over and again for about two hundred times leaving the DAO almost empty.
What Can We Learn From This Incident?
Based on the publicly available information, this incident could have been avoided. By establishing secure blockchain platforms. The hack was possible not due to any problem on the ethereum blockchain itself but from a flaw in the coding. The code needed to be written correctly and a thorough formal review was needed before it went live. Formal assessments, reviews and testing activities are important keeping in mind the cyber threat landscape.
WACEO as a non-profit organization helps blockchain organizations to be legally compliant. It enters into contracts on behalf of blockchain organizations with service providers. It also provides support to stakeholders in the form of contracts, policies and procedures.
For more information on WACEO and our work and to keep yourself updated on the latest developments in blockchain organizations, visit our website.
