The DAO Chronology of a daring heist and its resolution

"[The] digital currency Ethereum is cratering because of a US$50 million hack" (Business Insider, 17.06.2016)

It has been the saga of the summer for anyone interested in digital currency and beyond. Within hours the value of ETH plunged as a result of a hack which relieved the DAO, a massive blockchain-based crowdfunding project, of ETH worth US$50 million. The heist was covered by a number of mainstream journals, which published the news with varying amounts of technical detail, mostly highlighting the risks involved in dealing in digital currencies. What happened was of course a severe setback for one of the best-known blockchain-based business applications. It is therefore important to understand exactly what happened and to draw the necessary consequences in order to improve the technology. To grasp the whole story of the hack of the DAO, it is important to understand what a DAO is and on what platform it was deployed: the blockchain platform Ethereum.

Decentralized Autonomous Organizations

A commonly accepted definition of DAOs, sometimes also referred to as DACs (Decentralized Autonomous Companies), has not yet evolved. Usually the terms refer to a more or less complex interacting set of smart contracts able to resemble the fundamentals of organizations, interacting with individuals and dealing with some sort of property. Smart contracts can be seen as the simplest form of decentralized automation, following rules triggered by predefined conditions.

The Ethereum project and the DAO

Ethereum is a decentralized ledger network like the well-known digital currency Bitcoin. However, unlike Bitcoin, it is not only a digital currency. Ethereum's main purpose is to serve as a platform for running decentralized applications by using what are known as smart contracts. Smart contracts are computer protocols that facilitate, verify, or enforce the negotiation or performance of a contract, or that make a contractual clause unnecessary. The combination of several smart contracts can even replicate certain functions of a company. Maintained on a blockchain, these combinations of replicated business functions are called Decentralized Autonomous Organizations (DAOs).

In May 2016, the German start-up Slock.it released a white paper going public with its idea to build a Decentralized Autonomous Organization (DAO) named the DAO. The idea was to create a DAO that would basically work like an investment fund in order to fund Slock.it and other projects. Anyone interested could participate, and voting rights were available on the open Ethereum platform. Voting right holders could even float their own funding proposals. The only prerequisite was that participants needed to buy Ether tokens (ETH: Ethereum currency). Each token represented the right to vote on which investment proposals the fund should invest its money in. How much weight each vote carried depended solely on the amount of tokens owned. As in an ordinary investment fund, the money collected was intended to be used to invest in different projects, except that in this case the decision was subject to the votes of the token holders, thereby basically democratizing investment. The idea caught on not only with blockchain enthusiasts; it received a broad media echo. Gathering approximately US$150mn within a few weeks, the DAO became the largest crowdfunding project ever.

[Figure: Simplified overview of the participation process in the DAO. Investors invest Ether in the DAO and receive DAO tokens; the DAO makes investment proposals; DAO token holders vote for or against each proposal.]

Chronology of a heist

Three months later, on June 16, 2016, the DAO was the object of an attack. The attacker (it is still not known whether it was a single person or a group of people) used an inbuilt split function to withdraw money from the DAO by transferring it to a separate wallet. The split function was originally created to permit the withdrawal of Ether and the return of the tokens owned in the event of someone wanting to leave the DAO. This particular function was the weak link. The hacker spotted an error in the code and repeatedly called the split function, each time starting a new request before the end of the previous one. Due to the error, the function could not detect that the sum had already been withdrawn by the preceding call. Repeatedly abusing this inbuilt function, the hacker(s) withdrew Ether worth US$50mn at that time.

The theft caused an outcry in the Ethereum community and a massive crash in the value of the digital currency. In the first days following the attack, several actions and discussions took place to retrieve the stolen funds. In order to gain time, the first action was to exploit the same function to transfer the remaining funds into sub-accounts. This resulted in two sub-accounts (called child DAOs), both under (mainly) friendly control. Since the attacker succeeded in taking part in at least one of those child DAOs, the transferred Ether was still not safe: the hacker(s) could simply restart the process as long as they were still part of the DAO.

At this time, several solutions were discussed in the blockchain community. The first, proposed by the founders of Slock.it, was a soft fork, freezing the amount stolen before the attacker could withdraw the money. This would have enabled the community to conduct a counter-attack, retrieve the Ether from the hacker's split DAO, now named darkdao, and refund it to the owners. Although the idea was initially well received by the community, its implementation was dropped due to the associated risk to market security.

Chronology of the DAO
30.04.2016 The DAO is live
15.05.2016 The DAO raised over US$100m from more than 11,000 participants
16.06.2016 The DAO is attacked
17.06.2016 First proposal to counter the attack and retrieve the funds
20.07.2016 Hard fork completed
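The defect the chronology describes, a split function that pays out before recording that the caller's share is gone, is an ordering bug that can be modelled outside the EVM. The Python model below is an added example, not code from the original document and not the DAO's own Solidity; the DAO class, its Revert/rollback mechanics, the names withdraw_vulnerable and withdraw_safe, the ReenteringRecipient and run_scenario helpers, and all addresses and amounts are assumptions constructed for illustration. It places the withdraw written with the interaction before the effect beside the same withdraw rewritten in checks-effects-interactions order with a reentrancy lock, and runs a recipient that calls back into withdraw against both, so the reader can see why the first pattern pays out repeatedly and the second pays out once.

```python
"""Model of the DAO reentrancy defect (assumed, simplified; not the original
Solidity): a withdraw that pays out before zeroing the caller's balance, beside
the checks-effects-interactions fix with a reentrancy lock. All addresses,
amounts and chain state here are constructed for this example."""
import copy


class Revert(Exception):
    """Stands in for an EVM revert: the failing call's state changes are undone."""


class DAO:
    """Constructed contract model; chain state (Ether per address, contracts
    with a receive(dao) hook) is kept inside the model for brevity."""

    def __init__(self, pool):
        self.address = "dao"
        self.ether = {self.address: pool}   # address -> Ether held
        self.hooks = {}                      # address -> object with receive(dao)
        self.balances = {}                   # address -> redeemable balance (1 = 1 Ether)
        self.locked = False

    def attempt(self, fn):
        """Run fn as one call frame: on Revert undo every state change it made
        (as the EVM does) and report False instead of raising."""
        snapshot = copy.deepcopy((self.ether, self.balances, self.locked))
        try:
            return True, fn()
        except Revert:
            ether, balances, self.locked = snapshot
            self.ether.clear(); self.ether.update(ether)
            self.balances.clear(); self.balances.update(balances)
            return False, None

    def _send(self, to, amount):
        """Transfer in the spirit of Solidity's .call.value(): pays the recipient,
        runs its hook, and returns False if that hook reverts."""
        def transfer():
            if self.ether[self.address] < amount:
                raise Revert("insufficient contract balance")
            self.ether[self.address] -= amount
            self.ether[to] = self.ether.get(to, 0) + amount
            if to in self.hooks:
                self.hooks[to].receive(self)   # control passes to the recipient
        return self.attempt(transfer)[0]

    def withdraw_vulnerable(self, caller):
        """Interaction before effect: the balance is zeroed only after the
        recipient's code has run and could have called withdraw again."""
        amount = self.balances.get(caller, 0)
        if amount == 0:
            return 0
        if not self._send(caller, amount):
            raise Revert("transfer failed")
        self.balances[caller] = 0    # too late: nested calls saw the old value
        return amount

    def withdraw_safe(self, caller):
        """Checks, then effects, then interaction; the lock rejects any nested
        call that arrives while a withdrawal is still in progress."""
        if self.locked:
            raise Revert("reentrant call")
        amount = self.balances.get(caller, 0)
        if amount == 0:
            raise Revert("nothing to withdraw")
        self.locked = True
        self.balances[caller] = 0    # recorded before any external call
        try:
            if not self._send(caller, amount):
                raise Revert("transfer failed")
        finally:
            self.locked = False
        return amount


class ReenteringRecipient:
    """Constructed recipient whose receive() calls withdraw again while the
    first call is still running; it exists only to show why ordering matters."""

    def __init__(self, address, withdraw_name, unconditional=False):
        self.address = address
        self.withdraw_name = withdraw_name
        self.unconditional = unconditional

    def receive(self, dao):
        owed = dao.balances.get(self.address, 0)
        if self.unconditional or dao.ether[dao.address] >= owed > 0:
            getattr(dao, self.withdraw_name)(self.address)


def run_scenario(withdraw_name, unconditional=False, pool=100, claim=10):
    """A DAO holding `pool` Ether owes `claim` to a re-entering contract; run one
    top-level withdraw transaction and report what each side ends up with."""
    dao = DAO(pool)
    claimant = ReenteringRecipient("claimant", withdraw_name, unconditional)
    dao.hooks[claimant.address] = claimant
    dao.balances[claimant.address] = claim
    tx_ok, _ = dao.attempt(lambda: getattr(dao, withdraw_name)(claimant.address))
    return {"tx_ok": tx_ok,
            "dao_ether": dao.ether[dao.address],
            "claimant_ether": dao.ether.get(claimant.address, 0),
            "claimant_balance": dao.balances[claimant.address]}
```

With the constructed numbers, run_scenario("withdraw_vulnerable") ends with the claimant holding all 100 Ether after ten nested withdrawals of a 10-Ether claim, which is the "never ending ATM" behaviour the chronology describes; run_scenario("withdraw_safe") pays the 10 Ether exactly once, because the nested call finds the balance already zeroed. run_scenario("withdraw_safe", unconditional=True) exercises the lock: the nested call reverts, the outer transfer reports failure, and the whole transaction is rolled back with both the contract's Ether and the claimant's balance untouched. The review lesson is the ordering itself: the state that records the payout has to be written before control is handed to foreign code, and the lock is defence in depth for the cases where that ordering is missed.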

Evaluation of solutions

The second major idea proposed to retrieve the stolen ETH was to conduct a hard fork. The hard fork would transfer all Ether in the DAO, the child DAOs, and the darkdao into a new smart contract. The original holders would then be able to use this contract to exchange their DAO tokens for Ether at a pre-defined exchange rate of 100 DAO tokens for 1 Ether. But to be able to do so, all users would have to update their software to a new version which included this feature.

The third possibility was simply not to act at all. At first sight, this might seem harsh and hard to understand for someone new to crypto-currency, but two arguments spoke in favor of this option. First of all, a fork is not free of risk: it can be difficult to implement due to the required consensus of the network participants, and its consequences are hard to predict (more details later).

"Imagine that the ATM didn't record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn't want to process any more transactions or the machine ran out of money." (Wired, calling the DAO a "never ending ATM")

[Figure: Simplified overview of the attack and the hard fork process. The DAO attack and counter-attacks moved ~3.6mn ETH into the Dark DAO and ~7.6mn ETH into the child DAOs; the hard fork moved ~11.2mn ETH into the withdrawal contract, from which the investors withdraw.]

Secondly, and more importantly, the initial idea of blockchain technology was not supposed to allow such actions. This can be seen as a more philosophical point of view and is best summarized by a comment from one community participant:

"The involvement of the Ethereum Foundation in the DAO has been and is a mistake. As I see it, Ethereum is supposed to be the foundational infrastructure upon which a flurry of projects and experiments are supposed to blossom, and in order for them to blossom they need a foundation that is strong, and that has integrity in the face of challenges. The hard fork proposal is a compromise that ruins that integrity and signals that projects like the DAO can influence the underlying foundation to their own advantage. To me that is totally unacceptable and is a departure from the principles that drew me to Ethereum." (Reddit forum, "Critical Update regarding DAO vulnerability")

After a pre-defined period of discussion, and despite the doubts of parts of the community, a hard fork was decided on by 97% and was implemented before the hacker could withdraw the stolen ETH from the darkdao. As a result, all funds were transferred to the withdrawal contract and the original DAO token holders started to withdraw their ETH.

Miners: lottery players who validate the system

Miners on a blockchain are a single person or group of persons who verify transactions and add them to the ledger. For this they use dedicated computers to solve computationally difficult puzzles. The first miner to find the answer receives a reward in the form of a transaction fee. Due to their role, they were the ones who were able to carry out the hard fork on the DAO and transfer the funds back to their original holders.

Lessons learned and next steps

The attack clearly teaches an important lesson for blockchain technology: the system is stable in itself, but the human being remains its weakest link. The smart contract was programmed by a human being and, despite review, still contained a loophole enabling a hacker to perform the heist. A ray of hope can be derived from the fact that the community has proved its ability to handle problems. In spite of the turmoil, the community remained calm and balanced the pros and cons of all proposed solutions within a short period of time, succeeding in creating a consensus and implementing the solution chosen.

In an environment in which code is the basis of all functionality, special emphasis needs to be placed on the code's development, review, testing, and implementation. Created as open source, the responsibility for code quality in a blockchain needs to be borne by the whole community. Especially in the case of DAOs, it is the view of many stakeholders in the community that, like reading a contract before investing money, the code needs to be reviewed and its related risks assessed by everyone taking this journey.

In the long term, and considering the development of blockchain technology, the creation of a precedent every time the technology does not benefit its users should be avoided. As several members of the community emphasized during the discussions, a hard fork is and should remain an exception, as nobody can ensure that a consensus can be reached in future or predict all possible consequences of such an action.

"Throughout this whole experience we have learned a great deal and will carry on learning [...] Applying those lessons we have learned we can now move into a bright future of decentralized applications and carefully planned out DAOs." (Christopher Jentzsch, Founder & CTO of Slock.it, Slock.it blog, August 24, 2016)

Evaluating the hard fork ex post as a positive action, it is interesting to look at the unexpected consequence of this decision: the co-existence of two currencies. In the short term it will be interesting to see how the community will be able to adjust to this situation by motivating users who have not yet triggered the exchange of their DAO tokens to do so. As of today (22.09.2016), approximately 13% of the Ether has not yet been withdrawn.

Your Contacts

Dr. Dirk Siegel, Blockchain Institute Deutschland, Tel: +49 151 5800 2835, disiegel@deloitte.de
Jens Hermann Paulsen, Blockchain Institute Deutschland, Tel: +49 151 5800 1977, jpaulsen@deloitte.de
Peter Wiedmann, Blockchain Institute Deutschland, Tel: +49 151 5800 5232, pwiedmann@deloitte.de
Leo Tacke, Blockchain Institute Deutschland, Tel: +49 151 5800 3360, letacke@deloitte.de
Arnaud Michelet, Financial Services Business Transformation, Tel: +49 151 5800 5462, armichelet@deloitte.de

For more information, please see our website www.deloitte.com/de/blockchain

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/de/ueberuns for a more detailed description of DTTL and its member firms.

Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 244,000 professionals are committed to making an impact that matters.

This communication contains general information only, not suitable for addressing the particular circumstances of any individual case, and is not intended to be used as a basis for commercial decisions or decisions of any other kind. None of Deloitte Consulting GmbH or Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

Issued 9/2016