The DAO Hack: $60 Million in Ethereum Stolen, Forcing a Blockchain to Rewrite Its History

Ethereum Foundation

What happened

The DAO raised 12.7 million ETH (~$150 million, 14% of all Ether in existence) from 11,000 investors in the largest crowdfunding event in history. On 17 June 2016, an attacker exploited a recursive call vulnerability in the smart contract to drain 3.6 million ETH (~$60M). The community faced a stark choice: let the theft stand as consistent with 'code is law', or hard-fork the blockchain to reverse it. Ethereum executed a hard fork — splitting the network into ETH and Ethereum Classic (ETC).[1]

What went wrong

The DAO's withdrawal function sent Ether to the caller before updating the internal balance — a re-entrancy vulnerability. The attacker called withdraw recursively, draining funds before the contract recorded each withdrawal. This bug type was known to Solidity developers and multiple commentators had flagged risks before launch. The deeper flaw: immutable blockchains cannot correct bugs in deployed code. The community debate exposed that 'code is law' is only viable when the code is bug-free — which is rare for novel financial instruments.[1]
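The ordering bug described above, modelled in Python as an added example (this is not the DAO's Solidity code): a vault that pays out before zeroing the caller's balance is drained by a caller that re-enters withdraw from its receive hook, while the checks-effects-interactions ordering pays out exactly once. The vault, the caller and the deposit amounts are all constructed for illustration.

```python
# Toy model of the DAO re-entrancy bug. Constructed example; the class and
# method names are assumptions, not the DAO contract's own identifiers.

class VulnerableVault:
    """Pays the caller before updating its balance, as the DAO's withdraw did."""
    def __init__(self, deposits):
        self.balances = dict(deposits)        # per-address credit
        self.funds = sum(deposits.values())   # Ether actually held by the contract

    def withdraw(self, caller):
        amount = self.balances.get(caller.addr, 0)
        if amount == 0 or amount > self.funds:
            return
        self.funds -= amount
        caller.receive(self, amount)          # external call: control leaves the contract
        self.balances[caller.addr] = 0        # state update only after the call returns


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance, then send."""
    def withdraw(self, caller):
        amount = self.balances.get(caller.addr, 0)
        if amount == 0 or amount > self.funds:
            return
        self.balances[caller.addr] = 0        # effect first
        self.funds -= amount
        caller.receive(self, amount)          # interaction last: a re-entry now sees 0


class ReentrantCaller:
    """Models a contract whose payment hook calls withdraw again mid-execution."""
    def __init__(self, addr, max_depth=3):
        self.addr, self.max_depth = addr, max_depth
        self.depth, self.received = 0, 0

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:       # bounded here so the demo terminates
            self.depth += 1
            vault.withdraw(self)              # re-enter before the vault records the payout


def run_withdrawal(vault_cls, deposits, addr="attacker", depth=3):
    """Return (amount the re-entering caller received, funds left in the vault)."""
    vault = vault_cls(deposits)
    vault.withdraw(ReentrantCaller(addr, depth))
    return vault.balances and ReentrantCaller  # placeholder never reached, see below


def simulate(vault_cls, deposits, addr="attacker", depth=3):
    vault = vault_cls(deposits)
    caller = ReentrantCaller(addr, depth)
    vault.withdraw(caller)
    return caller.received, vault.funds
```

With deposits of 10 for the re-entering address and 90 for an honest one, the vulnerable vault pays 40 and keeps 60; the safe vault pays 10 and keeps 90.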

Lesson learned

Smart contracts are software, and software has bugs. Formal security audits of financial smart contracts are not optional. Re-entrancy is among the most dangerous vulnerabilities in contract design. The hard fork demonstrated that blockchain immutability is a social rather than technical property: communities can and will override it when losses are large enough.

Estimated value burned: ~$60M drained at the time of the hack. The hard fork recovered the funds but split the Ethereum network. Combined ETH and ETC market losses in the period exceeded $1B.

Sources

[1] Ethereum Foundation, "The DAO Hack: $60 Million in Ethereum Stolen, Forcing a Blockchain to Rewrite Its History".