Earlier this week, I revealed in Forbes that, in the course of reporting and writing my book "The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze," my sources and I figured out who we believe the "DAO attacker" is.
The reason this was such big news was that the DAO attack had been the biggest, most consequential event in Ethereum’s life. The DAO, short for decentralized autonomous organization, was the first major app on Ethereum to get any traction, and it was structured as a decentralized venture capital fund. The DAO crowdsale was the highest-crowdfunded event in history, raising $139 million, bringing in just shy of 15% of all [ether] at the time. The hacker had siphoned about a third of that locked ETH, giving them significant control over the young network.
A month later, because of the enormity of the hack, and due to the impossibility of other potential solutions, Ethereum ended up hard forking, a contentious decision. Because not everyone agreed with it, the fork – a backwards compatible upgrade – ran the risk of creating a second, competing version of Ethereum. And that is exactly what happened, giving birth to Ethereum Classic.
In this excerpt from my book, taken from the scenes almost immediately after the hack began, we see the exchange operators and the Ethereum team begin to try to address the issue – right as news begins percolating out to the community. Almost immediately, it becomes apparent that the various players had different incentives, which prevented them from aligning on a single course of action – a prescient theme for how the rest of The DAO saga would play out.
Christoph Jentzsch decided that with God and his wife, he could handle anything. The chief technology officer for Slock.It, the organization that built The DAO, got up from his office floor to notify the Ethereum Foundation and corral Stephan Tual and Griff Green, the company's chief operating officer and community manager, respectively, and megaphones to the world. He, Slock.It CEO Simon Jentzsch and technical engineer Lefteris Karapetsas tried to figure out how the attack worked and what could be done.
In Shanghai, Vitalik Buterin got a Skype message from an Ethereum community member about the attack at around 3 p.m. local time, about an hour after Green woke up. The community member asked if this could be a hack. Buterin thought, 99% chance it’s totally fine. But then he saw the smart contract's balance was 9 million ETH and change, down from 11.7 million.
Meanwhile, at 8:15 a.m. Berlin time, Green posted in the DAOhub forum, “@channel EMERGENCY ALERT! IF YOU HAVE A SPLIT OPEN PLEASE DM A SLOCK.IT MEMBER ASAP!!!” He posted a similar message in the Slack channel.
The responses were not promising:
Eventually, [MyEtherWallet founder] Taylor Van Orden explained, “Shhhh. If you have initiated a split and it’s currently open, message @griff. If you don’t know what a split is then don’t worry.”
Meanwhile, Christoph, Simon, Buterin and the others hopped on Skype calls and created a few Skype groups with all the old faces – Karapetsas, Vitalik, Gavin [Wood], Aeron Buchanan, Péter Szilágyi, Christian Reitwießner, Alex Van de Sande, Taylor Gerring, Fabian Vogelsteller and so on. They tried to discern the method of attack to be able to counterattack and recover the coins.
Several of them jumped into a Skype group with exchange operators, where Buterin wrote possible mitigation strategies are:
Buterin was referring to the fact that The DAO attacker had used a split DAO to perform the attack – exploiting the way all withdrawals from the DAO were made. It was as if, had The DAO been a ship, the attacker had launched his or her attack from a lifeboat in the water. If developers trying to fight the attacker could find another lifeboat to enter, they could perform a similar attack so as to drain the funds themselves and keep them away from the attacker. Since it took a week from initiating a split DAO to being able to put tokens in one, they were looking for one either already open or about to open.
An Ethereum communications team member, George Hallam, wrote, “ALL EXCHANGES: please pause ether trading as soon as possible.”
This was a serious measure. It would stop the attacker from being able to cash out his or her stolen ETH but punish ETH traders who wanted to sell, costing them the ability to take profits before the ETH price dropped based on the news. But Dino Mark, an Ethereum insider, posted, “The ethereum foundation can reimburse exchange losses. Without a hard fork and rollback this damage will be permanent and the ecosystem will die.”
The mention of a rollback put the exchange operators on alert.
A rollback was like an undo – reneging on the inviolable blockchain principle of immutability. This principle made a blockchain different from any old database. Bitcoin, the blockchain with which many people were most familiar, was a time-stamped ledger chained to earlier versions of itself by cryptography. It was impossible to change a past transaction without breaking the mathematical link between older versions of the ledger and more recent ones.
But Mark defended himself: “This happened with Bitcoin in 2013. Exchanges rolled back trades.” (He was referring to an incident in 2013, when an upgraded version of the Bitcoin software was incompatible with the previous version, causing the chain to fork in two. To resolve the issue, developers decided to support the older version, the path of least resistance; they had to contact exchanges, mining operators, merchants and other large Bitcoin operators to resolve it.)
Mark had also mentioned another term, “hard fork,” that could be innocuous or controversial, depending on the circumstances.
A hard fork was an upgrade to the software that was not backward compatible. This meant that if a significant portion of the miners and other nodes on the network chose not to upgrade to it, the Ethereum chain would split in two, creating a new chain that shared a history up to a point before it branched off, creating a second ether currency. Although Ethereum used hard forks to add features to the network, these were system-wide upgrades that faced no opposition from the community and were as carefully planned and publicized as space launches. However, a hard fork to bail out only The DAO token holders would likely not have the support of the entire Ethereum community, such as, among others, the exchanges that sold ETH – and that could create a competing Ethereum blockchain with its own currency. And the attack was on The DAO, not on Ethereum. If Ethereum hard-forked because of the DAO attack, it would be like Apple doing something potentially harmful to itself because of an attack on its most popular app.
In that scenario, some portion of the other apps and users would likely refuse to go along. But with Ethereum, there was no CEO who would decide; the community, as a group, would have to. Someone else cautioned everyone, keep the big picture in mind: What we are facing is a crappy smart contract and careless investors. This is their risk of investing without proper due diligence. Don’t risk the reputation of Ethereum as an independent, decentralized platform because of it by taking hasty measures like hard forks or roll backs. Doing so will create a highly dangerous precedent, giving political authorities an entry whenever required in the future!
As another executive, Philip G. Potter, at the exchange Bitfinex put it, “this is problem with DAO not ETH.”
Mark insisted Bitcoin’s 2013 rollback was precedent. Phil asked, “[I]f you screw exchanges, will ETH survive?” Mark said yes and asked the exchanges yet again to freeze trading. Phil wrote, “f**k this coin.”
Mark insisted Ethereum would not recover if the DAO theft was allowed to happen and the hacker sold millions of ETH on exchanges. “The price will be $0.50,” he wrote. “Think logically. Irrecoverable PR disaster.”
But as Tristan D’Agosta of Poloniex pointed out, “It is much more likely to cause market panic if the blockchain is considered unreliable.”
In addition, as Phil wrote, “if any government entity realizes that they can potentially pressure a ‘leaderless’ DAO (or ETH for that matter) into a rollback, the consequences will be far reaching, I promise you.”