Crypto-heist threatens to tank blockchain-based future

The DAO stands for the “Distributed Autonomous Organization,” and while that could very well refer to anything from a blockchain car-share app to a hive of honey bees, this rather boring title stands for something truly remarkable: the first unmanned investment portfolio. It is a proof of concept for what many believe will be the future of finance, with software organizing and overseeing an investment strategy developed through semi-democratic input from the collected investors. It’s secured by the much-ballyhooed Ethereum platform, using a cryptocurrency called Ether as its trading currency, and at first everything seemed to be proceeding according to plan. It was a confirmation of the promise of the blockchain, and proof that the future really is near at hand!

Then, just days after that DAO’s public launch, a lone hacker managed to digitally make off with more than $50 million-worth of Ether, or roughly a third of the overall capital the DAO had raised. More than a setback, this was an existential problem: This was the one, specific thing that was supposed to be impossible under the supervision of the blockchain. Despite all the efforts detailed below, make no mistake: the DAO is dead. What’s important now is containing the damage, and stopping it from tanking Ethereum as a whole.

The blockchain-based smart city might not be far away.

Reports indicate that this hack took the form of a recursion glitch, which allowed infinite repetition of the otherwise legitimate command to ‘split’ your Ether out of shared wallet that’s gearing up for investments you don’t support, and into a different DAO account — or potentially a wallet of your own. The recursion algorithm was used to call on the donating fund for this Ether, over and over, without updating the balance after each withdrawal. This allowed the target accounts to be completely drained, in maximum increments of the thief’s own investment in DAO. At the time of the hack, the attacker got control of about 3.6 million Ether, out of about eight million overall.

As you might imagine, the response from both current and potential DAO investors has been strong — so strong that many are wondering whether the DAO or even Ethereum itself might have been struck a fatal blow. Ethereum is an almost absurdly ambitious idea, and at this early stage it’s buoyed almost entirely by public and investor interest; if public opinion begins to sour, and its early wins don’t lead to better, more ambitious projects to follow, Ethereum is still very capable of folding under its own weight.
Now, the worst part: it’s possible to undo this transaction, but a large proportion of the DAO and blockchain community think the cure could end up being worse than the disease. If all the participants in the DAO agree, they can collectively implement a “hard fork” in the software, in principle forcing a new reality into existence. This isn’t quite the same as hitting rewind, since the stolen funds don’t end up back in victims’ wallets directly, but are all deposited into a publicly accessible fund where investors can withdraw the amount they lost.

None of this saves the DAO. By de-legitimizing such a huge transfer of funds, the organization knowingly cut its own throat. Other DAO’s and DAO-like entities will spring up, but they will be second shots at a previously tried and failed mission: to prove that the blockchain is both useful and safe for our most sensitive jobs and information.

We should take a moment to go over just what actually had to occur to make this “fix” possible: the users hosting the blockchain software all had to download and run the new, “forked” version of the blockchain. By the time it the change was ready to go, polling of investors had made clear their preference for reimbursement, but there was still always a chance of disaster. If some non-trivial portion of the hosts decided to keep running the old version of the blockchain, the result would be two identical versions of the software. The thief’s ability to trade or redeem his or her ill-gotten Ether for cash would then be dependent on which of these versions of the blockchain the other user or currency exchange happened to be using — which obviously introduces all kinds of cascading problems as the recipients of those sometimes-respected coins then go out and try to do more business.

Graph of Ether remaining in the withdrawal account. Source: Ether.camp

One interesting facet of this reimbursement: a lot of people have yet to collect their funds, totaling millions of dollars of unclaimed money. Some of this could be investment by the DAO team itself, and almost certainly some of it belongs to clueless investors who remain blissfully unaware of all this, but some users have also expressed frustration with the length of the withdrawal process. Since the blockchain-based wallet containing these funds can and will outlive (has outlived) the DAO itself, an investor could withdraw their funds five or 10 years from now, and it ought to make little difference. Assuming that crypto-investment is here to stay, it will take economists a while to fully wrap their heads around just how the peculiarities of digital currency affect how it flows through society.