A decade after the Ethereum DAO hack, a new attempt is warranted

(SeaPRwire) – A decade has passed since I urgently composed a warning letter titled The DAO Moratorium. The situation was so critical that we published the document live before it was finished, enabling real-time reading for anyone interested. As my two colleagues and I added the final touches, hundreds of viewers, appearing as Google’s anonymous wombats, aurochs, and chupacabras, arrived to read our global alert about severe early flaws in an Ethereum project’s code that put nearly $200 million at risk from hackers.

Our directive was unambiguous: avoid using The DAO. This acronym for Decentralized Autonomous Organization described a then-novel, crypto-based governance model largely pioneered by the Ethereum community. This specific DAO provided a crowdfunding platform intended to let anyone contribute to a capital pool and share in a new token allocation.

Back then, numerous people viewed the Ethereum DAO as a promising venture capital alternative. That was the theory. In reality, however, it appeared to me as a system with a significant potential for collapse.

By the time the vulnerabilities we highlighted were exploited, the attacker controlled a wallet containing 5% of all ether, with an additional 10% remaining under threat.

How it unfolded

When the DAO attack occurred, I was a Cornell University computer science professor teaching a cryptocurrency class in the industry’s early days. The total bitcoin market capitalization was merely around $10 billion, a stark contrast to today’s $1.4 trillion.

One spring evening in 2016, I had dinner with Ethereum researcher Vlad Zamfir at a small French restaurant in downtown Ithaca, New York. Vlad introduced me to a new concept: a radical capital-raising experiment.

The initial warning sign I identified was not technical but related to governance.

Firstly, DAO participants could not simply withdraw their funds. They were required to create a “child DAO,” navigate multiple waiting periods and voting rounds, and then try to retrieve their capital. I feared such a complicated voting mechanism would create perverse incentives and disastrous results.

As early as August 2014, two years before the DAO launch, my colleague Andrew Miller had warned about so-called reentrant contracts in its underlying code, which could let attackers siphon funds. We concluded the dangers were too grave to remain private.

Consequently, that May we started drafting the document, A Call for a Temporary Moratorium on The DAO, to detail the vulnerabilities. Just three weeks later, the attack altered the course of crypto history.

What happened

Consider an ATM that verifies your balance, gives you the cash, and then subtracts the sum from your account. A standard ATM would handle this without issue. However, the DAO hacker found a method to execute repeated withdrawals before the balance was adjusted. A smart contract flaw tricked the blockchain into thinking the user still had available funds even after many withdrawals.

Approximately $60 million in ether was extracted from The DAO.

After the attack, Phil Daian, a Cornell PhD student and member of the Initiative for CryptoCurrencies and Contracts (IC3), released a comprehensive explanation of the events. With Ethereum’s market cap at only about $1.5 billion, the attacker possessed sufficient crypto to disrupt the entire ecosystem.

The Ethereum community opted to reverse the transaction.

On July 20, 2016, a hard fork was executed during the inaugural IC3 boot camp. I celebrated with Ethereum creator Vitalik Buterin and my fellow IC3 co-founders, Professor Ari Juels and Professor Elaine Shi, by opening a bottle of champagne.

However, the hard fork also divided the network into two. The chain that refunded the funds kept the “Ethereum” name and the majority of blockchain developers. The original, unaltered chain was named Ethereum Classic, which persists today with a market capitalization vastly below 1% of Ethereum’s.

The incident was tumultuous, distressing, and highly polarizing. Yet it also compelled the industry to grow up.

Lessons learned…and not

Prior to The DAO, most blockchain development followed what I term “YOLO engineering.” Developers relied on gut feeling, coded rapidly, and presumed everything would be fine. That methodology fell apart instantly.

Audits became commonplace. Entire firms dedicated to smart contract analysis emerged. Formal verification techniques from aerospace and military applications started to be incorporated into blockchain research.

For me, the episode fundamentally influenced my subsequent career: when software manages substantial value, correctness is essential. Years later, I constructed new blockchain systems with these lessons deeply ingrained.

Nevertheless, many users still place trust based on minimal information.

The advent of artificial intelligence brings fresh risks. AI systems will identify vulnerabilities more quickly than humans can patch them, leading to far more frequent exploits.

Still, I am convinced the world is prepared to construct another DAO on the Ethereum blockchain. Not the naive 2016 version, but an improved one. The blockchain’s creator, Vitalik Buterin, appears to share this view.

We now possess superior security protocols, stricter engineering standards, and ten years of academic study. Institutions currently require more dependable infrastructure.

Above all, we learned that popularity cannot replace technical accuracy. Technology is indifferent to social consensus. It only responds to code.

A decade after the failure, I believe we at last have the expertise to build it correctly. This time, we must succeed.

This article is provided by a third-party content provider. SeaPRwire (https://www.seaprwire.com/) makes no warranties or representations regarding its content.
