The DAO
April 2016 - July 2016
Lore
The DAO was launched in 2016 by Christoph Jentzsch and his brother Simon Jentzsch, who had previously founded Slock.it, an IoT company that aimed to build smart locks using Ethereum contracts. With the DAO, the aim was to build an investor-directed venture capital fund. The goal was to allocate DAO tokens to the investors and use them to vote on proposals to arrive at collective decisions. These decisions would lead to the dispersal of funds to potential projects, whose profits would be returned to the investors. The DAO crowdsale caught the eyes of more than 11,000 investors and collected more than US$150 million, accounting for 14% of the circulating supply of Ether at the time.
As the sale was happening, a computer scientist at Cornell pointed out a "recursive call" bug in the contract. This meant that an attacker could drain tokens out of the DAO contract into a "child DAO" endlessly. Meanwhile, the concerns over the vulnerabilities in the DAO contract were being discussed on GitHub by Ethereum developers. On June 17, 2016, while some were working on fixing the bug, the contract was attacked and a third of the contract's Ether was drained to an unknown address. The huge loss suffered by the investors posed an existential threat to Ethereum, as belief in the promising blockchain technology started to dwindle.
The Ethereum community debated how to make amends. While many believed that the hack was not ethically right, it was still legal by the rules of the contract. The initial idea was to create a soft fork blacklisting the hacker's address, but this was discarded as it introduced new vulnerabilities. On July 20, 2016, Ethereum hard forked to move the funds back to a different contract. This ensured that the hacked tokens could be redeemed by the original owners. However, the debate over the ethics of the fork remained. The hard fork went against the principle that a blockchain should be censorship-resistant and immutable. This led some members of the community to continue running the original chain under the name "Ethereum Classic".
This was a critical point in the history of Ethereum and blockchain applications. The vulnerability came from the contract code and not from the Ethereum chain itself. Though the DAO project shut down right after, Ethereum houses more than 4,200 DAOs today, which shows that a lesson was effectively learnt about what not to do. In retrospect, one could say that the hard fork was crucial to Ethereum's survival in the long run.
Lessons
Start small. The scale at which the DAO's crowdsale happened was unexpected, even by the founders. Starting small and running through the testnet phases is always the safer way to launch applications on blockchain.
Smart contract audits are important. Smart contracts are irreversible and the chain is immutable. Security audits are offered by firms to eliminate security vulnerabilities in contracts. While an audit cannot guarantee that every vulnerability is caught, relying on a team of experts can minimize potentially fatal flaws.
Public goods thrive on the strength of the community. While many skeptics believed the hack to be the end of Ethereum, the community has evolved since then and attracted a high volume of developers. This has kept Ethereum the most popular smart contract platform.