In recent days we have written extensively about a radical new experiment taking place in the nascent world of crypto-currency. The Decentralized Autonomous Organization, or DAO, is a group of ‘smart contracts’ that, when working together, can act as a virtual company that requires no directors or managers. The first DAO, built by German programmer Christoph Jentzsch earlier this year, generated high levels of excitement among the crypto-currency community. Indeed, it proved to be one of the most successful first-time fund-raising campaigns in history, with over US$ 130m accumulated in just four weeks.
The DAO concept is of great interest to technology enthusiasts and libertarians (of course, there are many who count themselves within the ranks of both groups). The DAO could, in theory, change the way that we think about the company as a legal structure. Its by-laws and operating principles are written within its source code, which by design is open-source and reviewable by all. And a well-crafted DAO can disburse funds as directed by that source code, and should be impervious to the all-too-common human influences of corruption, inefficiency and graft.
But last Thursday those human influences hit the DAO, and hit it hard. It was hacked by a ‘bad actor’ – coincidentally on the same day that a British MP was killed during the Brexit campaign. Both events have effectively brought freedom-seeking movements to a screeching halt.
The global media machine has generated much speculation about what has occurred – and no small amount of unmistakable schadenfreude from establishment figures who harbour dislike toward the DAO’s founding principles. While I am distressed about what just happened, I am massively encouraged by the DAO community’s energetic response to this hack and believe that the concept will emerge stronger than before.
So What Just Happened?
In very simple terms, a bug in the DAO source code allowed the attacker to exploit a ‘split’ proposal. This measure was intended to allow holders to proportionally withdraw their contribution if they disagree with new proposals advanced by the majority. Split proposals work by transferring the ether (the ‘currency’ of the Ethereum protocol upon which the DAO was built, worth roughly US$ 12 per ether at current values) of the ‘splitters’ to a new, or ‘child’, DAO, which they then control and which is detached from the main DAO in due course.
In this case, the attacker’s split proposal contained a ‘recursive call’ that effectively programmed the main DAO to send multiple amounts of currency to a child DAO again and again in a loop – without the main DAO realizing that its funds were being depleted. The end result is that over 3.6m ‘ether’ – equivalent to nearly US$ 53 million – was drained from the main DAO to the attacker’s child DAO by exploiting the terms of the smart contract.
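To make the mechanism concrete, here is an added toy model (not the DAO’s actual code) of the re-entrancy pattern described above: a ledger that pays out before recording the withdrawal, beside the hardened ordering that records first. The class names, participant names and balances are constructed for the illustration.

```python
# Added illustration, not the DAO's source: a toy ledger showing why paying out
# before updating state lets a caller that re-enters drain more than its share.

class VulnerableDAO:
    """Zeroes the caller's credit only AFTER the payout, so a callee that calls
    back in during the payout still sees its old credit and is paid again."""
    def __init__(self, balances):
        self.balances = dict(balances)       # per-participant credit (constructed)
        self.pool = sum(balances.values())   # ether the contract actually holds

    def withdraw(self, caller):
        amount = self.balances[caller.name]
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount
        caller.receive(self, amount)         # external call first ...
        self.balances[caller.name] = 0       # ... credit cleared last (the bug)

class HardenedDAO(VulnerableDAO):
    """Checks-effects-interactions: clear the credit before making the call."""
    def withdraw(self, caller):
        amount = self.balances[caller.name]
        if amount == 0 or self.pool < amount:
            return
        self.balances[caller.name] = 0       # effect first
        self.pool -= amount
        caller.receive(self, amount)         # interaction last

class Reentrant:
    """Hypothetical 'child DAO' whose receive hook calls withdraw() again."""
    def __init__(self, name, depth_limit=50):
        self.name, self.received, self.depth_limit = name, 0, depth_limit

    def receive(self, dao, amount):
        self.received += amount
        self.depth_limit -= 1
        if self.depth_limit > 0:
            dao.withdraw(self)               # the recursive call back in

def run(dao_cls):
    """Run one withdrawal against the given contract; return (received, pool left)."""
    dao = dao_cls({"attacker": 1, "alice": 4, "bob": 5})  # constructed sample
    attacker = Reentrant("attacker")
    dao.withdraw(attacker)
    return attacker.received, dao.pool

if __name__ == "__main__":
    print("vulnerable:", run(VulnerableDAO))   # attacker takes the whole pool
    print("hardened:  ", run(HardenedDAO))     # attacker gets only its own credit
```

Against the vulnerable ordering the single-unit holder walks away with all ten units; with the credit cleared first, the second call sees zero and stops.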
In the ensuing frenzy of activity, the creators of the DAO and of Ethereum have come up with a solution that firstly freezes the ether held in the DAO (preventing it from being withdrawn) – known as the soft fork – and secondly reverses the specific transaction relating to the child DAO – the hard fork – restoring the full ether balance to the main DAO. These solutions depend on Ethereum miners’ approval so they may not happen. But if this is accomplished then all ether will be returned to the original DAO token holders – and the attacker will get nothing.
As a result the attacker has now taken to the airwaves parading his cleverness, and has offered a bribe of 1 million ether if the soft fork-hard fork solution is voted down by Ethereum miners, enabling him to keep the rest of the loot. He has even had the audacity to suggest that he is rightfully entitled to the ether that has been extracted on the basis that the code of the smart contract, as written, enables him to withdraw the funds.
And What Will Happen Next?
In the immediate term, there is no doubt that this attacker has engineered a significant setback to the DAO. There is some comfort in knowing that he will most likely never be able to take possession of his ill-gotten gains, but the best possible outcome now is for all of the DAO’s stakeholders to recover their ether. This DAO will be shut down – but some hard lessons have been learned and I am confident that the community will move on quickly.
I am also encouraged by the community’s vigilant reaction to this crisis. We have witnessed an enormous outpouring of positive energy and cooperative goodwill as its members – many of whom are normally in direct competition with each other – collectively sprang into action to implement solutions that will benefit the entire community. This proves that we are witnessing a new way for people to collaborate and bring forward projects that can be funded via this new technology.
The case for crypto-currency remains indisputable, particularly in emerging markets where blockchain technology is rapidly expanding available services while reducing the ability of large banks and institutions to charge excessive fees for simple financial products like bank accounts or cross-border money transfers. Likewise, the concept of the DAO poses a similar threat to many service providers that now occupy Western legal and financial systems. The ramifications for trade finance, contract law, and corporate governance (to name just a few disciplines) are enormous. While this latest setback is unfortunate, the technology behind this critically important innovation will be strengthened and I look forward to the next round of its development.
Adam Cleary is an entrepreneur, digital currency investor and investment manager. Adam runs Cavenham Capital Limited, which advises investors on digital currency investment. Follow him on twitter @adc555