The Ethereum DAO (or Decentralized Autonomous Organization), a unique code-governed business entity designed to work entirely with smart contracts, suffered an attack today that has stolen approximately $55 million USD worth of Ether (ETH). Ether is the underlying cryptocurrency token of the Ethereum blockchain and the primary payment currency of the DAO (which also has its own cryptocurrency token for voting and other operations). The community that funded and votes in the DAO governance is currently seeking a solution to the exploit that led to the attack, and is attempting to resolve the theft itself.

The funding and launch of the Ethereum DAO and its novel approach (as well as criticisms) has been covered in the past in SiliconANGLE’s Bitcoin Weekly, see that coverage for a beginner’s guide and history.

In immediate response to the attack, Ethereum co-founder Vitalik Buterin immediately went to the Ethereum subreddit and published a plea for cryptocurrency exchanges to suspend ETH and DAO transactions. In his post, Buterin wrote:

“<DAO ATTACK> Exchanges please pause ETH and DAO trading, deposits and withdrawals until further notice. More info will be forthcoming ASAP.”

Buterin also went to Twitter and issued a similar statement:

Exchanges please pause ETH and DAO trading, deposits and withdrawals until further notice. More info coming ASAP. https://t.co/dYJhW2UhQZ

— Ethereum (@ethereum) June 17, 2016

The attacker’s ETH address has been accumulating Ether since the initial attack (and continued to for some time since), and now currently holds over 3,641,694.242 ETH (approximately $55.4 million USD) all siphoned out of the DAO’s ETH address via an exploit in the DAO’s code.

According to Jon Holmquist, Head of Marketing at GoCoin (GoCoin Pte. Ltd.) and of Bitcoin Black Friday fame, and Charles Hayter, CEO of Crypto Coin Comparison LTD (CryptoCompare.com), the attacker used a key exploit in the DAO code in conjunction with the DAO’s splitting function. This exploit allowed the attacker to continuously split off a new DAO with what is called the “Ethereum smart contract recursive call” vulnerability. This allows the attacker to continue to split out and withdraw the funds available in a child DAO indefinitely—thus if a child DAO had 100 ETH, it could be split out, the funds withdrawn, and then the original could be split again (and again, and again…ad infinitam) for 100 ETH at a time.

With this attack ongoing, the community and developers are rushing to a solution, however, this is hampered slightly by the governance model of the DAO. Code changes and mechanisms can be tied up by the smart contract model and the communal governance of the DAO, although it’s possible for the developers and community to work together to provide a patch and a solution to the ongoing attack using a code fork.

Speaking to this solution, Buterin published his personal opinion on the possibility of a soft-fork (or a fork that would not require what is basically a rewrite of the entire history of the DAO to “reset” the attack):

“I personally believe that the soft fork that has been proposed to lock up the ether inside the DAO to block the attack is, on balance, a good idea, and I personally, on balance, support it, and I support the fork being developed and encourage miners to upgrade to a client version that supports the fork,” Buterin wrote. “That said, I recognize that there are very heavy arguments on both sides, and that either direction would have seen very heavy opposition; I personally had many messages in the hour after the fork advising me on courses of action and, at the time, a substantial majority lay in favor of taking positive action.”

One of the possible ramifications of this sort of reaction to a major theft due to a code exploit in the DAO is that the miners (people submitting computational power to the DAO blockchain) could use a similar method in the future to change the behavior of the DAO—but only given enough popularity as it takes a substantial number of miners to change the direction of any blockchain-based technology.

According to Holmquist, the community has approximately 27 days to decide what to do about the pilfered ETH as it cannot be moved out until that time is up (part of a precaution against rapid withdrawals). In the meantime, Hayter explained that actions are being taken to prevent the attacker from siphoning off more funds by spamming the network while a solution is hashed out.

For more information on the vulnerability, what allowed the attack, and comments from the community there is a Reddit thread named “Critical Update RE: DAO Vulnerability” dedicated to this discussion.

Market reaction for Ether generates downturn

As a result of this attack, ETH market value dipped suddenly as exchanges began to freeze trades and the situation was processed by the community.

CryptoCompare ETH market movement for 1 week. The effect of the DAO hack is visible as a sudden downward spike with increased trade volume. Screenshot courtesy of CryptoCompare.com.

According to CryptoCompare.com’s ETH tracking chart, ETH is currently down 22.44 percent against Bitcoin (BTC) and down 23.83 percent against USD. The initial notice of the attack and the reaction delivered some immediate volatility and currently people in the ETH market are probably concerned what will happen to the attacker’s ETH funds. CryptoCompare also hosts a chart for tracking the current health of the DAO that can be informative.

The outcome of this attack also has consequences for the future and underlying model of code-governed organizations that work in a distributed manner, such as distributed autonomous organizations. While regulation and social governance controls corporations (and similar entities) fully virtual and smart-contract governed entities are still experimental and the DAO is one example.

The direction that the Ethereum and DAO community take will decide the future and possible existence of the DAO and other projects like it.

Image credit: photo credit: one, two, tree… rain! ;-) via photopin (license)