NdVO.blog.br

DAO under attack: a hacking war has begun in the Ethereum network!

This is a real story. It is happening right now and you can follow it in real time. I'm serious. It is indeed a true story.

On Friday, June 17th, 2016, a major event took place on the Internet: the theft of more than sixty million dollars, enough to buy two hundred apartments.

It is noteworthy that the value is not the shocking aspect of this story; it is only the tip of the iceberg. Truly amazing are the victim, the context, the plot and the consequences.

Please, follow along with me and keep an open mind because nothing in this theft is trivial.

The victim

Let us start with the victim. The victim is a DAO known as "The DAO". Until recently, DAO was the acronym for a purely theoretical concept, the Decentralized Autonomous Organization: an organization whose rules are written in computer code and are executed automatically by a decentralized network of computers. In other words, it is autonomous software that acts as an institution.

You may take a moment to grasp this concept.

The DAO builds on the concept of "smart contracts", i.e., contracts written as software and executed automatically. Their clauses are carried out by the decentralized network in which the contracts exist.

Well then, DAOs are no longer a hypothetical concept. They are quite real. Real enough to be stolen from. As a matter of fact, "The DAO", the victim in our theft story, is some sort of investment bank. It is an organization whose rules establish that the shareholders vote on proposals sent to the DAO and decide whether or not to finance them. When "The DAO" was created it started its life in a fundraising stage, during which whoever invested in the DAO got tokens representing shares that could be used to vote on the proposals. Lots of people invested lots of money and The DAO raised more than a hundred and fifty million dollars, enough to make it the largest crowdfunding project of all time. The money raised would be enough to build a whole stadium.

Let's focus. Someone stole more than sixty million dollars from The DAO. Keep this in mind, because there is a lot more. As a matter of fact, the money stolen was not dollars. The DAO is software, after all, and software does not have dollars. The DAO had ethers. An ether is a cryptocoin, a new type of money. Right now a single ether is worth $15.

The context

I'm aware that the reader may not be familiar with this idea, but in 2009 someone called Satoshi Nakamoto, tired of governments and banks playing around with the economy and the financial system, created a concept that may revolutionize the world as we know it. He invented a decentralized money that is not managed by anyone in particular, cannot be controlled by any government or bank, and relies on mathematical algorithms to establish its security: Bitcoin. The innovations brought by Bitcoin resulted in a major innovation boom in the world of finance. Ethereum is part of that. Both Ethereum and Bitcoin are cryptocurrencies, a form of money that is almost completely secure. Ethereum is the network upon which the ether-fed DAOs live.

I sincerely congratulate you for reading this far. These are a lot of new concepts, involving not only technology but also economics and politics. I think Bitcoin is one of the greatest inventions of all time and that the general public will take a while to see its full potential. Let's go back to our story now: there was a theft against The DAO in the Ethereum network.

The main virtue of cryptocurrencies is their security. How could there be such a large theft, then? The point is that the theft was not due to a flaw in the Ethereum network, but to a flaw in The DAO's rules, that is, a bug in The DAO. In a world in which contracts are software, loopholes in the law not only continue to exist but are now self-executing. The thief used one such loophole to carry out his theft. I am not able to explain all the technical details, but in layman's terms the hacker took advantage of a flaw in the order of the rules for splitting the DAO. According to those rules, any shareholder could create a subdivision and move his funds there, leaving the DAO in that proportion. It happens that the rule said that a new DAO would be created, the funds would be transferred, and the amount sent would be deducted from the shareholder's balance. There you are. Notice the order: first the funds are transferred, then the balance is deducted.

The attacker would create a new subdivision, move the funds, and then cancel the command, leaving the balance untouched. Then he would do it again and again in a loop. Here is another interesting element of this puzzle: it was not a flaw in the system, but a flaw in the institutional rules, that allowed the hack.
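To make the ordering flaw concrete, here is an added toy simulation; it is not The DAO's code, and the names, amounts and the single-shareholder model are constructed. It runs the same split twice, once in the vulnerable order (pay out, then deduct) and once in the hardened order (deduct, then pay out), and shows how a shareholder whose payout hook calls back into the split drains more than its balance in the first case only.

```python
"""Toy model of the DAO split-ordering bug: payout first, balance deduction
afterwards. Constructed for illustration; not The DAO's real code."""


class VaultDAO:
    """Minimal stand-in for a DAO that lets shareholders split off their funds."""

    def __init__(self, deposits, fix_order):
        self.balances = dict(deposits)      # shareholder name -> ether credited
        self.pool = sum(deposits.values())  # ether actually held by the DAO
        self.fix_order = fix_order          # True: deduct before paying out

    def split(self, shareholder):
        amount = self.balances.get(shareholder.name, 0)
        if amount == 0:
            return 0
        if self.fix_order:
            # Hardened order: zero the balance before handing control away.
            self.balances[shareholder.name] = 0
        # The "transfer": the payout hands control to the shareholder's code.
        self.pool -= amount
        shareholder.receive(self, amount)
        if not self.fix_order:
            # Vulnerable order: the balance is only reduced after the payout,
            # so every re-entered split above still saw the full balance.
            # (Here it simply goes negative; a real ledger would misbehave.)
            self.balances[shareholder.name] -= amount
        return amount


class ReenteringShareholder:
    """Shareholder whose payout hook calls split() again while still credited."""

    def __init__(self, name, max_reentries):
        self.name = name
        self.received = 0
        self.reentries_left = max_reentries

    def receive(self, dao, amount):
        self.received += amount
        if self.reentries_left > 0 and dao.pool >= amount:
            self.reentries_left -= 1
            dao.split(self)  # re-enter before our balance has been deducted


def run_split(fix_order, deposit=10, others=90, reentries=3):
    """Return (ether the re-entering shareholder got, ether left in the pool)."""
    dao = VaultDAO({"attacker": deposit, "others": others}, fix_order)
    who = ReenteringShareholder("attacker", reentries)
    dao.split(who)
    return who.received, dao.pool
```

With a 10-ether stake and three re-entries the vulnerable order pays out 40 ether, while the hardened order pays out exactly the 10 ether the shareholder was owed.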

The consequences

Let's move on. The attack could only be carried out by one of the investors. The attack is some sort of account withdrawal, and therefore you needed to be part of The DAO to launch it. Moreover, there are not that many cryptocurrency specialists in the world. It is quite possible that the hacker is someone known and influential in the cryptocurrency world.

After the attack, someone published a message in the name of the hacker claiming that he had done nothing illegal and that any attempt to change the Ethereum network to undo what he had done would be a breach of the network's rules. Here is another controversial aspect of this theft: it did not violate any rules. It was indeed a violation of expectations, but no institutional rule was broken. Institutions are usually created to prevent damage, but in this case, as in many others, they were used against their own intentions. We are left with a moral dilemma: following the rules means benefiting the thief, and breaking them means weakening the protection for everyone. If the rules are changed to undo this theft, in what other circumstances could this be done to undo payments?

The plot goes on. The team that developed The DAO knows that further attacks may follow and decided to create a "Robin Hood" team that would take the remaining resources out of The DAO and move them to a new subDAO, to stop this or any other hacker from stealing the remaining ethers. The initiative was successful. Now we have the hacker's subDAOs and the white hat subDAOs that will allegedly return the ethers to their owners. To invest in the Ethereum network you need to have ethers, so you need not only hackers but also shareholders to build a white hat team.

Today, Wednesday, the fight is still going on. The white hat DAOs were created as subdivisions of The DAO of which only a few shareholders were part, almost all of them personally identifiable, except for two. This was done to prevent the hacker from being part of the new subDAO and repeating the attack. Today, however, the subDAOs started losing their funds, revealing that the original hacker, or a new one, is among the shareholders of the subDAOs. There you are: we have a hacking war going on with a two hundred million dollar prize.

This attack raises questions of philosophy, law, economics, strategy, programming and math, all of it inside a web of libertarian ideology, ego disputes, fierce competition and a huge prize. I can't wait to watch all of this in a Netflix documentary. For now, though, we will need to stick to reddit to follow the story: reddit.com/r/ethereum