The Story Behind The DAO Hack

6 min read

Learn how the attacker caused The DAO hack using reentrancy attack to siphon off 3.64 million ETH.

TL;DR#

In 2016, The DAO had raised $150 million worth of ETH through a token sale, the majority of which was subsequently drained by a hacker who exploited the vulnerability using a Reentrancy attack.

Introduction to The DAO#

The DAO, or Decentralized Autonomous Organization, was founded to coordinate human effort through smart contract execution using decentralized decision making on the community's protocols.

Vulnerability Assessment#

The primary cause of the attack was the ability of the hackers to exploit the flaw in the DAO smart contract using a reentrancy attack.

In a reentrancy attack, an attacker can continually call an external contract from within a contract, forcing the contract to enter an infinite loop and allowing them to drain the contract's funds or interfere with its operation.

In this case, the attacker was able to repeatedly invoke a contract function, allowing them to transfer funds from the DAO to a child DAO.

Steps#

The DAO:

  • On April 30, 2016, the DAO was launched, beginning with a token sale that distributed DAO tokens in exchange for ETH.
  • The DAO raised $150 million from 11,000 investors in three weeks of the 28-day token sale, making it one of the largest crowdsourcing initiatives in history.
  • During the event, suspicions regarding a vulnerability in The DAO's wallet smart contract, which would drain their funds, were on the rise.

Attack Event:

  • While the developers were trying to address the issue, an attacker started to exploit the vulnerability to steal funds from The DAO.
  • The DAO contracts held almost 14% of the ETH that was in circulation at the time of the incident, therefore the hack not only could cause the investors to suffer a substantial financial loss but also had severe ramifications for the Ethereum community.
  • The hacker stole 31% of the ETH in The DAO, totaling 3.64 million ETH, or around 5% of all outstanding ETH at the time.
  • To put things into perspective, the hacked amount was worth $70 million at the time of this event, and at the current trading price of $1,268 per ETH, the 3.64 million ETH are worth around $4.61 billion, while at its all-time high price of $4,891, the same were worth $17.8 billion.

Remedy:

  • Vitalik Buterin initially suggested a soft fork of the Ethereum network that would blacklist the attacker and forbid them from moving the stolen funds.
  • However, shortly after receiving this notice, the attacker published an open letter to the Ethereum community, claiming that the funds were obtained legally and in accordance with the rules outlined in the smart contract.
  • A bug was found in the updated code that made it vulnerable to attack, at which point a hard fork was suggested as a fix and eventually carried through.

Implementation:

  • The Ethereum hard fork was implemented on July 20, 2016, at block 192,000, when miners, exchanges, and node operators agreed to update their software following the execution by Ethereum developers.
  • Blockchains are meant to be immutable and censorship-proof. The cost of decentralized tamper resistance is that a truly trustless and tamper-resistant system would require no intervention, even if the consequences were severe.
  • However, the hard fork allowed investors to withdraw their funds and reset the Ethereum network's history to before The DAO hack, which resulted in the redistribution of The DAO's ETH to another smart contract.
  • The modification led to the creation of two distinct Ethereum blockchains: the pre-forked version, now known as Ethereum Classic (ETC), which continued to be used by people who rejected the hard fork, and Ethereum, which is currently the hard forked upgrade of its original version.

Attack - Explained:

  • The reentrancy attack takes advantage of the way fallback functions operate. Fallback functions are unique Solidity constructs that are activated in particular circumstances.
  • When ETH is sent to a fallback's enclosing contract without any accompanying calldata and the declaration of a receive function, the fallback can be triggered. However, in this case, the fallback must be marked payable in order to receive the ETH. A fallback function may also contain arbitrary logic.
  • The DAO's smart contract kept track of each investor's investment in The DAO via a state variable called “Balances”. This is clearly different from the ETH balance of the smart contract, which is not stored in a state variable.
  • The hacker set up a smart contract that acted as the investor, depositing some ETH into The DAO. This gave the hacker the ability to subsequently invoke the withdraw function in The DAO's smart contract.
  • The DAO's contract transferred ETH to the hacker when the withdraw function eventually got called.

The DAO Reentrancy Attack Explained (Source)

  • However, the hacker's smart contract purposefully lacked a receive function; as a result, the hacker's fallback function was activated when it received ETH via the withdraw request. This fallback method could have been empty and received ETH regardless, but it contained malicious code.
  • This code immediately upon execution called the withdraw function of The DAO's smart contract. This initiated a loop of calls because the initial call to withdraw was still running at the time.
  • It would only stop executing when the hacker contract's fallback function completed, but the withdraw function has been re-called, initiating a cycle of calls between the hacker contract and The DAO's smart contract.
  • Each time the withdraw function was invoked, The DAO's smart contract attempted to send the hacker ETH equal to the hacker's deposit. However, it does not alter the hacker's account balance until after the ETH transfer has been completed.
  • However, the ETH transaction cannot be completed until the hacker's fallback code has completed execution. Therefore, the DAO's contract continued to supply more and more ETH to the hacker without decrementing the hacker's balance, ultimately draining The DAO's funds.

Aftermath#

As a result of the hard fork, the hacker was left with Ethereum Classic instead of ETH. After the heist, the perpetrator made an effort to hide some of their actions by transferring funds using the privacy-mixers Wasabi Wallet.

Researchers were able to identify the exchanges that subsequently received the funds stolen from accounts allegedly managed by Toby Hoenisch, co-founder and chief financial officer of the Euro-pegged stablecoin project Mimo Capital, thanks to a tool created by Chainalysis that de-mixed these transactions.

Solution#

The simplest method to mitigate the Reentrancy attack in this situation would be to flip the order of operations in The DAO's withdraw function so that the caller's balance would be adjusted before The DAO contract could send them their ETH via a function call. As a result, when the callback function would attempt to reenter into the withdraw function, and since the hacker's balance would have been reduced at the time of reentry, the “require” validation would evaluate to false, finally reverting the transaction. The function call would return a response indicating that it had failed to withdraw the sender’s balance as a result of the revert.

Neptune Mutual safeguards the Ethereum community from cyber threats, but we were not available as a marketplace at the time of the event, thus users and investors who were victims of the The DAO hack probably had no way of recovering their funds. We may not have been able to prevent this hack from occurring, but we could have reduced or mitigated the aftermath of the attack. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.

Users who would have then purchased the available parametric cover policy for The DAO need not provide loss evidence in order to receive their payout. Payouts would have been made as soon as this type of incident was resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Sources ChainLink, Forbes, Bloomberg

By

Tags