
Emin Gün Sirer of Avalanche (AVAX) Recollects the Past where Hackers Made Multiple Withdrawals


Emin Gün Sirer: Five years ago today, we started a fateful chapter in the history of cryptocurrencies. A hacker began a $55M heist from The DAO, and the ecosystem forever changed. With so many new people in crypto since 2016, let’s dive back into the episode and what we learned.

A DAO, or Decentralized Autonomous Organization, is a way of coordinating ownership, decisions, and capital with coded governance, rather than a central authority. These organizations have enormous potential for changing how internet-native businesses function.

The DAO, an implementation of the concept, was engineered to support a decentralized venture capital fund. Users bought DAO governance tokens with ETH, and would use the tokens to vote on potential investments with the pooled funds.

It raised over $150M – 16% of the total supply of ETH then – in its 28-day funding window, as everyone aped into the DAO before apeing was really a thing. Crypto was much, much smaller in those days, and it set records for crowdfunding.

By any measure, The DAO was proving to be a success: Big raise? Validating the power of decentralization? Token listed on major exchanges? And then, the bug happened.

The smart contracts controlling The DAO’s wallet had multiple vulnerabilities. I co-authored a paper called “A Call for a Moratorium on The DAO,” to warn the community that these serious issues would interfere with manifesting of the token owners’ will.

Specifically, The DAO tokens controlled an investment vehicle, and it is crucial for the investments to be performed in line with the wishes of the token holders. We identified 9 distinct problems that would lead to outcomes that contradict the token holders’ opinions.

In addition, The DAO also suffered from a reentrancy problem, which allowed an attacker to make multiple withdrawals when only one should be allowed.

Philip Daian and I had come across this issue, but we had incorrectly dismissed it as being exercisable. The attacker exercised that very issue, and also used one of the nine vulnerabilities we had identified to pursue people who tried to retrieve their money from the parent DAO.

The DAO hack led to a lot of discussion around whether code is law, and under what conditions a mistake on a blockchain can be undone. After all, every chain has had episodes where unwanted events took place. Do you undo, or do you live with the consequences?

The vast majority of the Ethereum community decided to undo the DAO hack and return the funds to the original depositors. A minority disagreed and the network was forked into Ethereum and Ethereum Classic.

Along the way, there was an interesting discovery. A high school student pointed out that the proposed “soft fork” fix to The DAO was flawed, and in fact, censorship on the EVM is harder than censorship on coins that only implement asset transfers.

The soft fork had been reviewed and vetted by every technical person we knew, so this blog post by a high-schooler caught everyone by surprise. Our blog post led to a $100m drop in the market cap of ETH, which was $1B at the time. I’m proud to say that the high-schooler is now a Cornell alumnus.


Maheen Hernandez

A finance graduate, Maheen Hernandez has been drawn to cryptocurrencies ever since Bitcoin first emerged in 2009. Nearly a decade later, Maheen is actively working to spread awareness about cryptocurrencies as well as their impact on the traditional currencies. Appreciate the work? Send a tip to: 0x75395Ea9a42d2742E8d0C798068DeF3590C5Faa5
