[column] The Consequences of DAO (Un)security

Author: Oguz Genc

Although DAOs have become popular within the past two years, the concept goes back a decade. Dan Larimer put forward the original idea in 2013, naming Decentralized Autonomous Corporations (DACs) as a blockchain governance model that would improve on the Bitcoin protocol. He founded the first DAC, BitShares, an e-commerce platform meant to decentralize authority between merchants and customers.

However, it was not until 2016 that DAOs made mainstream news. The DAO, a digital investment fund built on the Ethereum blockchain, was written by Slock.it, a company founded by former members of the Ethereum project. Deployed as open-source code in a smart contract, it let anyone buy DAO tokens at a rate of 100 tokens per Ether. The crowdsale was an unprecedented success: 12.7 million Ether was sent to The DAO's address, and at the peak these tokens were worth as much as $250 million [1].

The purpose of The DAO was similar to the ecosystem fund of a smart-contract foundation such as Ethereum's. Unlike an ecosystem fund, however, The DAO relied on community engagement rather than an executive team to manage the money. Anyone could pitch an idea and request funding from The DAO, and token holders voted on which proposals received it. As we will see in the following article, this type of DAO, which manages the treasury of a blockchain-based business, has become ubiquitous.


The hack

By the summer of 2016, The DAO was signalling what the next year's ICO craze would bring. Interest in crypto assets was strong, and Ethereum was poised for a breakthrough only a year after its launch. What happened next, however, became one of the most controversial events in the blockchain industry.

Less than three months after the launch of The DAO, an attacker exploited a reentrancy vulnerability in its source code: the "split" function sent Ether to the caller before updating the caller's balance, so a malicious contract could call back into it and withdraw the same balance repeatedly. Dhillon et al. [2] reproduce the vulnerable code and summarize the exploit in three steps.

  1. Create a new DAO by splitting the DAO.
  2. Withdraw funds into the new DAO.
  3. Repeatedly call the new DAO.

Source: Reproduced from Dhillon et al. (2017)

The blow to the credibility of the nascent smart-contract business forced the Ethereum core team into a tough decision. The attacker, a "blackhat", drained roughly $70 million worth of Ether. A "whitehat" group assembled to reproduce the attack faster than the original attacker, so that the remaining funds would be drained into safe hands and returned to the investors [3]. Trust in DAOs was shaken nonetheless. As a last resort to save user funds, the Ethereum core team implemented a hard fork at block 1,920,000, which moved the stolen funds to a "withdraw-only" contract from which DAO token holders could retrieve their Ether.

The hard fork stirred opposing arguments from different parties. To begin with, the attacker(s) published an open letter arguing that exploiting a vulnerability in open-source software was within the nature of this business.


Controversy ensues

Meanwhile, a group of Ethereum miners held that immutability and neutrality were fundamental to blockchain-based governance, and continued to mine blocks on the original chain (which lives on as Ethereum Classic). This ideological split over the violation of immutability is the best summary of the political rift in the crypto-asset ecosystem to this day. From a fundamentalist's perspective, altering the history of the chain to bail out a particular group violates the core principles of blockchain, and once it has happened it may happen again for other, arbitrary reasons.

Desperate times bring desperate measures. Ethereum moved on from The DAO hack as most miners sided with restoring user funds. The ecosystem's nascency worked in favour of the core team and the community when implementing such a swift fix. A DAO essentially aims to replace corporate governance with code; The DAO was a unique case in which IT management was the only management [4]. Lacking corporate governance and established organizational processes for handling such an attack is a disadvantage. Nevertheless, the ability to move fast is a function of centralization, which was advantageous under the circumstances.


Are we getting the Web3 fundamentals right?

Future security or political events may stir further controversy over major governance decisions in the smart-contract industry and the related disputes with fundamentalists. An important lesson from The DAO hack, however, is that terms such as "blockchain" and "decentralization" are used in misleading ways.

Blockchain refers to immutable ledgers, while decentralization vaguely refers to distributed forms of governance and security. The DAO hack showed that neither holds unconditionally. For this reason, I tried to clarify the fundamental concepts of Web3 in the first article of our DAO research series. Getting the fundamentals right is the key to avoiding confusion in the Web3 space.

Lastly, it is worth noting that it may be better for some human intervention to remain possible when people's money is at stake. The recent meltdown of centralized finance platforms, most notably FTX, showed that when an outlier event leads to a loss of funds, what matters most is the customer funds. Otherwise, confidence in novel primitives such as DAOs and other Web3 applications is deeply shaken. Although decentralization fundamentalism sounds good in theory, it is far less attractive once you are the one suffering the loss. Yet it is undeniable that such trade-offs in decentralized system design will sooner or later have other consequences.

[1] Falkon, Samuel. 2018. “The Story of the DAO — Its History and Consequences.” The Startup (blog). August 12, 2018. https://medium.com/swlh/the-story-of-the-dao-its-history-and-consequences-71e6a8a551ee.

[2] Dhillon, Vikram, David Metcalf, and Max Hooper. 2017. “The DAO Hacked.” In Blockchain Enabled Applications: Understand the Blockchain Ecosystem and How to Make It Work for You, edited by Vikram Dhillon, David Metcalf, and Max Hooper, 67–78. Berkeley, CA: Apress. https://doi.org/10.1007/978-1-4842-3081-7_6.

[3] Pratap, Zubin. 2022. “Reentrancy Attacks and The DAO Hack Explained | Chainlink.” Chainlink Blog. August 31, 2022. https://blog.chain.link/reentrancy-attacks-and-the-dao-hack/.

[4] Morrison, Robbie, Natasha C. H. L. Mazey, and Stephen C. Wingreen. 2020. “The DAO Controversy: The Case for a New Species of Corporate Governance?” Frontiers in Blockchain 3 (May): 25. https://doi.org/10.3389/fbloc.2020.00025.

Disclaimer: All generated content is for research purposes only. The author does not and will not provide any investment advice.