- Tiena Sekharan
What was "The DAO Debacle"?
Updated: Jul 22, 2020
Decentralized Autonomous Organizations (DAOs) are entities that operate through smart contracts. No central entity or person controls a DAO; it is controlled by the rules coded into its smart contracts.
'The DAO debacle' refers to a particular DAO. 'The DAO' was a venture capital fund. One might wonder what a venture capital fund has to do with blockchain. Well, one of the core principles of blockchain is decentralization. Just as Bitcoin is a currency that functions without a central authority or regulator, the DAO was a venture capital fund that ran without a central portfolio manager managing the funds or a regulator watching over its activities.
It was created by the Slock.it team in the form of a smart contract run on the Ethereum blockchain. One could buy DAO tokens in exchange for Ether, the native currency of the Ethereum blockchain. The funds raised would be used to finance various ventures. Anyone with a project needing funding (typically a blockchain-based idea) could pitch their idea to the DAO token holders. Token holders would vote on whether they believed the idea should be funded and would be entitled to a share of profits from the project. There was a provision that if one disagreed with the ventures being financed, one could trigger a split function and send one's tokens to a child DAO.
The fundraising was a huge success. The DAO raised 12.7mn Ether (when Ether was trading around $20), making it the biggest crowdfund at the time.
However, the DAO code had several flaws. The biggest of these was in the child DAO mechanism, and it led to the DAO's demise. A hacker found that flaw, which helped her drain millions from the DAO. Let's see if you can figure out what the flaw was.
The DAO code was written in Solidity, the programming language for Ethereum. Translated to plain English, the code said: "When a token holder applies to withdraw tokens, check how many tokens have been awarded to the holder. If the number of tokens she wants to withdraw is equal to or less than the tokens awarded to her, transfer the tokens to a child DAO."
Think about it for a few minutes. Maybe you too can find the flaw.
Answer: The code checks for how many tokens were awarded and not how many tokens are left in her name after the previous withdrawal. So if I was awarded 10 tokens and make a request to withdraw 10 or fewer tokens, then 10 tokens will be transferred to the child DAO. If I again make a request to transfer 10 tokens, then another 10 tokens will be transferred to the child DAO and the process will continue.
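The flaw as described in the answer above, as an added Python model (not The DAO's Solidity code and not part of the original article). `ToyFund`, its methods, the holder names and the balances are all constructed for illustration; the model replays one 10-token request three times against the flawed check and against a check on the remaining balance.

```python
class SplitRejected(Exception):
    """A split request that the fund refuses to honour."""


class ToyFund:
    """Hypothetical ledger modelling the split logic described above."""

    def __init__(self, pool, awarded):
        self.pool = pool                       # tokens held by the parent fund
        self.awarded = dict(awarded)           # holder -> tokens originally awarded
        self.remaining = dict(awarded)         # holder -> tokens not yet moved out
        self.child = {h: 0 for h in awarded}   # holder -> tokens in the child fund

    def split_flawed(self, holder, amount):
        # Flaw: compares against the awarded figure, which never changes,
        # so an identical request passes every time it is repeated.
        if not 0 < amount <= self.awarded[holder]:
            raise SplitRejected("outside awarded amount")
        self._move(holder, amount)

    def split_fixed(self, holder, amount):
        # Fix: compare against what is left, and reduce it before moving tokens.
        if not 0 < amount <= self.remaining[holder]:
            raise SplitRejected("outside remaining balance")
        self.remaining[holder] -= amount
        self._move(holder, amount)

    def _move(self, holder, amount):
        if amount > self.pool:
            raise SplitRejected("pool exhausted")
        self.pool -= amount
        self.child[holder] += amount

    def overdrawn(self):
        # Audit invariant: no child fund may hold more than its owner was awarded.
        return sorted(h for h, v in self.child.items() if v > self.awarded[h])


def replay(split_name, requests=3):
    """Send the same 10-token request repeatedly; constructed sample data."""
    fund = ToyFund(pool=100, awarded={"alice": 10, "bob": 90})
    honoured = 0
    for _ in range(requests):
        try:
            getattr(fund, split_name)("alice", 10)
            honoured += 1
        except SplitRejected:
            pass
    return honoured, fund.child["alice"], fund.pool, fund.overdrawn()
```

`replay("split_flawed")` honours all three requests and leaves 30 tokens in the child fund of a holder who was awarded 10, which the `overdrawn()` audit flags; `replay("split_fixed")` honours only the first request.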
A hacker realized this and sent multiple requests to send tokens to a child DAO, all of which were honored. She managed to send 3.6mn ether ($70mn, almost a 6th of the entire ether on the network at that time) to the child DAO. The reason the hacker stopped at 3.6mn ether was not the goodness of her heart. A group of benevolent hackers used the same vulnerability to drain the rest of the ether to another child DAO with the intention of returning it to the original token holders.
The hacker was not actually able to withdraw the money from the child DAO as it had a 21-day holding period. During this time the Ethereum community implemented a hard fork to send the money back to an account available to the original token holders.
The DAO experience led to some big learnings for the blockchain community:
1. Immutability vs Fairness: The solution of creating a hard fork was less than ideal, as it went against blockchain's basic principle of functioning as an immutable record. This fix shows that the blockchain can be altered and appended. When the options to hard fork or not were put to a vote, 97% of voters voted in favor of a hard fork. However, only 4.5% of ether holders actually voted, which meant that the decision had limited credibility. The DAO led to the Ethereum blockchain breaking into two. Those who believed that the immutability of the blockchain was more important than the loss of a few million ether continued to allocate their mining power to the original chain (now called Ethereum Classic). The altered chain is called Ethereum.
2. Are Tokens Securities? The DAO brought ICOs and smart contracts to the attention of the SEC, which pointed out that DAO tokens fulfilled the characteristics of a "security" and hence were subject to securities law. Any tokens sold on a blockchain or DLT platform must, therefore, register and be regulated as securities. Since the DAO debacle, blockchain startups have found a way to avoid securities registration by making the tokens eligible to be used to buy products of the company, thus giving them utilitarian value.
3. Are you sure that your Smart Contract does what you think it does? Smart contracts execute their code automatically. In the case of an immutable blockchain, if there is a problem with the code, no central authority or regulator can step in to correct the wrong. Therefore, get your smart contract peer-reviewed to be doubly sure that there are no bugs in it.
=> It is important to point out here that the bug was in the DAO code and not in the Ethereum blockchain code.