LLMpedia: The first transparent, open encyclopedia generated by LLMs

DAO attack

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: DAO attack
Date: 2016
Location: Ethereum blockchain
Type: Smart contract exploit
Outcome: Major fork of Ethereum; loss of ~3.6 million Ether

The DAO attack was a high-profile exploit of a decentralized autonomous organization implemented as a smart contract on the Ethereum platform that resulted in a major loss of funds and a controversial response by core developers, exchanges, and community stakeholders. The incident prompted technical, legal, and governance debates involving leading figures and organizations in the blockchain space, culminating in a contentious hard fork of the Ethereum ledger and ongoing discussions at courts, regulatory bodies, and academic venues. The episode influenced subsequent work by projects and institutions including Bitcoin, Consensys, Vitalik Buterin, Gavin Wood, Joseph Lubin, and major exchanges such as Kraken, Coinbase, and Bitstamp.

Background

The DAO project was launched by Slock.it, with founding roles filled by Gavin Wood, Vitalik Buterin, and Joseph Lubin as prominent voices in the Ethereum Foundation. It raised capital via a token sale involving investors like Andreas M. Antonopoulos, Roger Ver, Erik Voorhees, and venture entities associated with Andreessen Horowitz. The campaign drew attention from researchers at institutions such as Massachusetts Institute of Technology, Princeton University, Cornell University, Stanford University, and University of California, Berkeley, while legal advisors from firms interacting with SEC-advised counsel debated regulatory classification. Audits were performed by firms including Trail of Bits, Least Authority, and teams associated with OpenZeppelin and Consensys Diligence, while community governance discussions took place on platforms like GitHub, Reddit, and Ethereum Research forums. The DAO’s code used standards influenced by ERC-20 proposals and was tied to wallets produced by companies such as Parity Technologies and third parties like MetaMask, MyEtherWallet, and hardware vendors including Ledger and Trezor.

The Attack (2016)

In June 2016 an attacker exploited a vulnerability in the DAO contract to siphon funds into a child DAO, triggering alarms across exchanges including Poloniex, Bittrex, and ShapeShift. Core participants such as Vitalik Buterin, Gavin Wood, Joseph Lubin, Christoph Jentzsch (a DAO developer), and auditors at Trail of Bits and Zokyo coordinated emergency communication with operators of services like Infura, Etherscan, and node providers running Geth and Parity clients. The incident prompted listings and delistings by Kraken, Coinbase, Bitstamp, and market makers connected to Gemini and Circle, and led to proposals for intervention debated at meetups in Berlin, New York City, London, and San Francisco.

Technical Mechanism

The exploit leveraged a recursive call vulnerability in the DAO’s withdraw function, interacting with Solidity contracts and the EVM’s gas and call semantics. Attack vectors involved reentrancy patterns documented in prior work from researchers at Cornell University and ETH Zurich, and were later formalized in academic papers from University College London and Princeton University. Tools such as Mythril, Oyente, and symbolic execution frameworks developed at Imperial College London and ETH Zurich were later applied to analyze the flaw. The child DAO construct exploited the fact that the contract updated its state only after the external call had returned, so the recorded balance was still intact when the call re-entered the function; this class of defect is related to formal verification efforts by teams at Microsoft Research and Carnegie Mellon University. The attack illustrated weaknesses in contract design, Ethereum client implementations like Geth and Parity, and interaction patterns with wallets like MetaMask and Ledger hardware devices.

Consequences and Response

The immediate consequence was diversion of approximately 3.6 million Ether, igniting intense debate among participants including Vitalik Buterin, Gavin Wood, Joseph Lubin, Nick Johnson, and governance forums such as Ethereum Research and the Ethereum Foundation. The community split into supporters of a hard fork—implemented by many core developers and exchanges—to reverse the theft and restore funds, and supporters of immutability who preferred leaving the ledger unchanged, leading to the continuation of Ethereum Classic as a separate chain alongside the main Ethereum chain. The response involved coordination among miners running Ethash algorithm implementations, mining pools such as AntPool, F2Pool, and SlushPool, and infrastructure providers including Infura, Etherscan, and major cloud vendors. Legal notices and regulatory scrutiny came from bodies like the SEC and law firms engaged with affected investors, while insurers, custodians, and exchanges debated restitution and chargeback processes.

The event raised questions addressed by legal scholars at Harvard Law School, Yale Law School, Columbia Law School, and New York University School of Law about property rights, fiduciary duties, and securities regulation concerning tokens and DAOs. Policy discussions involved regulators including the SEC, the CFTC, and agencies in the United Kingdom, the European Union, and Japan. Economists and market analysts at firms like Goldman Sachs, JPMorgan Chase, and Morgan Stanley, and at academic centers such as the London School of Economics and MIT Sloan School of Management, studied the effects on market liquidity, price discovery, and exchange custody risk. Litigation and arbitration were pursued by investors with counsel from firms interacting with international courts and dispute resolution bodies in New York, London, and Delaware.

Lessons and Security Improvements

The DAO incident accelerated development of secure smart-contract patterns taught in courses at Massachusetts Institute of Technology, Stanford University, and Princeton University, and spawned tooling and standards from organizations like OpenZeppelin, Ethereum Foundation, Consensys, and academic consortia at ETH Zurich. Best practices such as checks-effects-interactions, use of pull-over-push withdrawal patterns, formal verification with tools from Microsoft Research and Draper Laboratory, and standards like ERC-20 improvements and EIPs were widely adopted. Security ecosystems matured with audits from Trail of Bits, Least Authority, OpenZeppelin, static analysis tools like Mythril and Oyente, bug bounty platforms such as HackerOne and Immunefi, and insurance products developed by firms including Nexus Mutual and protocols influenced by MakerDAO. The episode also informed governance research at Oxford University, Cambridge University, and Massachusetts Institute of Technology on decentralized coordination, fork politics, and emergent norms.

Category:Cryptocurrency incidents