Bloomberg deeply restores The DAO robbery: How hackers cut the hard fork of ETH and ETC

Summer colds are the worst, and Emin Gün Sirer caught a naughty bug from his 1-year-old son. It was Monday, June 13, 2016, and the Cornell University associate professor of computer science was working from his hospital bed with tears and a stuffy nose. Gün couldn't leave his laptop, he had another bug to fix, and he was worried that a mistake in a line of code could lead to the theft of $250 million.

These codes are not ordinary. They are the core of the latest and most groundbreaking software design in the blockchain industry. This novel combination of decentralized computing and encryption system has given new life to the world of Bitcoin, which was born in 2009. Since its birth, the prospect of blockchain applications in the financial industry and medical industry has begun to capture the imagination of enterprises and governments. And the Turkish-born professor is exploring the next leap of Bitcoin, which is the Ethereum blockchain.

The truth came out

Whereas bitcoins move from one user to another, the Ethereum blockchain can host computer programs called smart contracts — essentially agreements enforced by code rather than courts. That means it could automate the lifecycle of bond payments, for example, or ensure that pharmaceutical companies can verify the provenance of their drugs. Smart contracts are new, however, and like all software, the reliability of the software code depends on it, and Gün was convinced he had discovered a big problem.

In an email to one of his graduate students, Philip Daian, Gün pointed out that the smart contract he was working on might have a problem on line 666. Gün was concerned that hackers could exploit the bug to withdraw millions of dollars without limit, like an ATM.

The funds involved total $400 million, a staggering amount within a decentralized autonomous organization DAO plan. The DAO is a decentralized venture capital fund that runs on the Ethereum blockchain in the form of a smart contract. It is also a for-profit DAO (decentralized autonomous organization) that will use the Ethereum funds under its control to create value for its members by investing in applications on Ethereum. During the creation of The DAO, anyone can send Ethereum to its crowdfunding contract to obtain DAO tokens.

This is the crowdfunding of The DAO. The DAO is not controlled by any person or organization, and members who hold DAO tokens vote on whether to invest in Ethereum applications. This is real money, $400 million, which means that every penny is at risk in order to build a better world.

Gün has been tracking and publicizing flaws in The DAO’s design, and a few weeks ago, on May 27, he and two colleagues urged investors to stop buying into The DAO until the security issues were resolved.

But it’s too late now. Smart contracts like The DAO are built entirely on their code, and once published on the Ethereum blockchain, The DAO’s code cannot be modified. Peter Vessenes, co-founder of the Bitcoin Foundation, also pointed out security flaws in this smart contract, but Gün appears to be the first to clearly point out the dangerous flaws. The problem is that the code is so new that no one knows what problems will occur.

Gün also had doubts. This wasn't even his job, he was just doing it for fun. He and his students were not sure whether the code bug would cause any real problems.

“We don’t sound the alarm every time we find a suspected bug,” Gün said. So he went to bed—to cure his cold.

Four days later, Christoph Jentzsch lay on the floor of his home, taking a deep breath to calm his panic. It was Friday morning, and the DAO Jentzsch had created was under attack.

Gün is right.

The test of digital liberalism

This is the biggest digital heist in history. Last year, hackers stole $81 million from the Bangladesh central bank, but the DAO attack was completely different. There was no way to intervene. Just as the global WannaCry ransomware attack in May exposed weaknesses in computer operating systems, the DAO hack exposed early flaws in smart contract security. The end result was a strange, futuristic war between white hat hackers and black hat hackers around the DAO.

The roots of the DAO came from an idea Jentzsch borrowed from Internet crowdfunding. Jentzsch, 32, is a theoretical physicist whose company, Slock.it, raised money through an ICO. But why should every new startup come up with a plan for its own ICO? Jentzsch thought, why not just offer a little giant fund to invest in them?

He introduced his idea to the world at DevCon 1 in London in November 2015. "What would be the way to create a company?" Jentzsch asked his audience. "Of course, it would have to be a DAO." It would work like this: Ether, a digital currency like Bitcoin, would be used to fund and develop applications, things like using a music app similar to iTunes or iTunes. Investors would buy DAO tokens with ether; the tokens would allow them to vote for the projects they liked. If the projects they supported made money, the token holders shared in the profits.

He created The DAO in six months, and Jentzsch thought The DAO would be able to raise $5 million. From April 30 to May 28, The DAO raised $150 million.

But why would anyone invest in the DAO in the first place? It has to do with the strain of digital libertarianism that is at the heart of the Ethereum community, just like the set of beliefs that led to the creation of Bitcoin: that Bitcoin is the first global currency, and its use cannot be blocked by governments or corporations; on top of that, Bitcoin is nearly impossible to hack. Ethereum is on another level, an uncensorable computer that is unprecedented and a little scary.

Jentzsch, who spent his evenings jogging or rowing by the river, exercised. But on that Friday morning, he had more pressing tasks: getting off the floor and dealing with the attack. “I went into emergency mode: Don’t try to save the DAO,” he said. “No, it’s over.”

It's far from over

Hours later, Alex Van de Sande woke up in his apartment in Rio de Janeiro.

这个娃娃脸的以太币开发者出生在巴西的一个小渔村，在三岁随他的父母搬到里约。他在Reddit和Twitter的以网名“avsa”著称。他的Skype接收到了无数的消息，随后他转身对妻子说：“记得我告诉你的不可能被黑掉的以太坊？”她点了点头。“它已经被黑了。”他告诉她。

His first thought was to get his tokens out of the DAO. He owned about 100,000 tokens, worth about $15,000 at the time. He was the lead designer of the Ethereum Wallet application, which allowed users to interact with the blockchain. Van de Sande hurriedly logged in, but got the password wrong. He tried a few more times, logged in successfully, and his panic subsided. He realized that instead of abandoning the DAO, he should try to save it. To do that, he needed Griff.

Griff Green, a former massage therapist in Los Angeles who is one of the few people in the world with a master’s degree in digital currency, was the first to tell Slock.it co-founder Jentzsch’s brother Simon about the attack.

Green, who had been working on Slock.it for about six months at the time, woke up that morning at Jentzsch’s mom’s house, where Jentzsch had offered up a spare bedroom. Through his extensive network of contacts, Green began identifying as many people as possible who were interacting with the DAO, trying to separate friend from foe.

Green woke up that morning at Jentzsch's mom's house in Mittweida. Jentzsch was one of nine children, so his mother had a spare bedroom where she could house Green for a few days. Through his extensive contacts, Green began identifying as many people as possible who could interact with the DAO in order to let strangers send pictures or scan their IDs, trying to sort friends from foes.

The attack stopped, and the white hats came on stage

Then something strange happened: The attack stopped. Within six hours of the attack starting, the attacker had managed to steal 30% of the DAO’s 12 million ether, worth about $55 million at the time. “We didn’t even understand why this guy stopped,” Van de Sande said.

Green quickly went to secure the remaining 70% that the attackers hadn’t stolen. Green and two or three other people, a group known as the white hats known as Robin Hood, devised a daring but brilliant plan to save The DAO. To save The DAO, they had to steal the remaining ether and then give it to its rightful owners.

As they went about this plan, doubts arose internally—no one knew if what they were doing was legal. Would their actions be as bad as the theft they were trying to prevent?

Someone has to do it, "Someone has to push the button."

The night before the attack, the price of Ethereum reached an all-time high of $20. After the attack, Ethereum fell by $15, and nearly $500 million in market value evaporated. At this price, DAO still holds $125 million. The white hat army is worried that the attack will come again, and they may be the only line of defense.

In this respect, the DAO is like the spaceship in the movie Aliens that has its self-destruct sequence activated. In order to survive, an escape pod must be used.

The investors in the DAO had to initiate a similar process to deploy an escape pod to move their ether out of the DAO. The location of this escape pod was right where the bug was. So the Robinhood white hat team had to exploit this vulnerability, and they only had a short time and a few escape pods to exploit.

Minutes before the attack, Van de Sande joked: "Let's go rob a bank!" No one laughed. "Not everyone likes humor very much," he said.

In his apartment, Van de Sande prepared to press a button on his laptop. Then suddenly, he was disconnected from the Internet. His router was down. "What's going on?" he said. He had less than 30 minutes to execute the Robin Hood hack. He frantically called NET, the Brazilian Internet service provider, and got a robotic voice in response: "There's a network problem nearby." He quipped, "We were trying to steal tens of millions of dollars from one machine, but we were ambushed by another machine."

“And then we missed the window,” he said. The window closed. His euphoria about saving the DAO was shattered by the network’s operators. He then walked his dog and crawled into bed, frustrated.

The next morning, it was Saturday, and Van de Sande tried to reconvene the Robin Hood group to infiltrate another escape pod. But everyone was busy and couldn't get together. "We were like the worst hackers ever," Van de Sande said. "We were both badly affected by the internet and badly affected by our families."

Who are their opponents in this war?

No one really knows, but there are some clues. One address used by the attacker is 0xF35e2cC8E6523d683eD44870f5B7cC785051a77D. Like everything else on the blockchain, a user's address is an anonymous string of characters, but each address leaves a public record on the blockchain.

To pull off his attack, the attacker needed to create a contract that interacted with the DAO to slowly drain the DAO of ether. Green said he did this on June 15 and deployed it in the early hours of two days later. Once activated, the attack contract began sending about $4,000 in ether every three to four minutes through the attacker's account to drain the DAO.

But where was the original source of the funds? In order to interact with the Ethereum blockchain, each attack contract needs two addresses to provide funds, but further tracing is difficult. This is because the second address uses an exchange called ShapeShift to send 52 ether to its account on June 14. ShapeShift does not collect any information about its users and converts it to another virtual currency (such as Bitcoin) within 10 seconds. While there are legitimate reasons to use ShapeShift, it is also a good way to whitewash digital asset records.

After the attack contract stopped working, the thief needed to deploy it again, but the hack was aborted. (Green said one possible reason the attack was halted was that the hacker’s tokens were destroyed, meaning he had no way to exploit the bug.)

While we can only learn so much about this blockchain record, digital asset exchanges know more, with one exchange’s internal investigation concluding that the DAO attacker was likely a group based in Switzerland, rather than a lone wolf. According to the CEO of an anonymous company, even with an anonymous blockchain, the exchange was able to analyze the location of its customers’ trading activity. The CEO said the exchange shared the analysis with the FBI’s Boston office, but there has been no further contact since October last year.

Gün said he also spoke with agents from the FBI's Boston and New York offices and the New York Attorney General's office. But assisting such investigations is difficult because attackers leave no trace.

“I’m surprised that it’s not possible to trace back who did this,” said Stephan Tual, the third co-founder of Slock.it. “I still don’t understand it. What that person did was extremely unethical.”

Black Hat returns and they start a showdown

On Thursday, four days after the attack, the hackers returned and somehow resumed the heist. The Robin Hood White Hat group feared this moment would come and prepared for it. On Sunday morning they finally managed to muster up and successfully infiltrate an escape pod online, but had stopped fighting back. Now they had no choice.

"Honestly, I'm thrilled," Green said. "This is the craziest thing that's ever happened to me."

Whether it is legal or not remains an open question.

"What they were doing was almost certainly illegal, but they claimed it was for the greater good," said Vessenes, a programming expert. Now, Van de Sande's work has let the Ethereum community know that Robinhood's counterattack is benign. On Twitter, he wrote: "The DAO is safely drained, don't panic."

“We escaped the mothership, but now we’re escaping in space with the aliens,” Van de Sande said. That’s a big problem. Since Jentzsch wrote his code, the Robinhood group will have to wait several weeks to secure their recovered ether.

However, if the attacker is on the run with the group, he could follow them — a so-called stalking attack. If the hacker is following the Robinhood group, Ether isn’t really safe at all.

“It will only end when one of the parties stops fighting,” Van de Sande said. This is essentially the core of the DAO Wars, an endless battle that has to be fought to keep the recovered ether safe. Hopefully there will be a way to reverse the theft once and for all.

DAOs and the Death Principle

What happened next is one of the strangest and most controversial things to happen in the history of blockchain.

As the Robinhood white hat team's rescue efforts proceeded in private, heated discussions arose. White hat hackers weren't the only ones who wanted to save the DAO. Jentzsch worked almost around the clock, issuing hundreds of requests to DAO investors on what they should do. 23-year-old Vitalik Buterin, who created the Ethereum blockchain before he was 20, became the community's focus.

In short, what they could do is change the Ethereum blockchain to fix the DAO, but only if a majority of the computers running the network agree can the software be updated to get rid of the vulnerability, as if the attack had never happened.

The decision sparked a backlash that remains controversial a year later, both in the ethereum community, which insists the blockchain’s history cannot be altered, and in bitcoin, where some users see hard forks as violating fundamental values.

Some Bitcoin users saw the hard fork as violating some of its most fundamental values. Within the Ethereum community, computer nodes around the world accepted this view. Included in block 1,920,000, the fix for the DAO was simple and did just one thing - if you had invested in the DAO, you could now withdraw it.

Everything about the DAO was a parameter: rules, if-then statements, and more rules, all put in place before the program was set loose. One of the parameters stated that anyone who wanted to be taken out of the DAO had to wait a certain period of time, 27 days after the initial request, and then another seven days.

This failsafe written by Jentzsch also applies to the attacker. So even if someone effectively robbed the bank, he would have to wait 34 days before crossing the street, allowing him to escape. While waiting, the money was stolen back again.

Back on the Cornell campus, Gün brought champagne to a class he was teaching, and he labeled the bottle: “Congratulations on Fork.”

Then something unexpected happened. The original Ethereum blockchain that was attacked continued to grow. A hard fork is like a branch of a tree that sprouts in a different direction from the end of the main stem. That branch should have withered after the hard fork, but as a small group of users continued to process transactions on that version of the blockchain, it continued to grow instead of dying.

Nearly $53 million worth of ether was transferred to a contract object nicknamed "Dark DAO". The mechanism of this attack has been widely discussed. Since then, white hat hackers have used the same vulnerability to transfer the remaining funds of the DAO to the "White Hat DAO". The Robin Hood white hat team holds approximately $8.4 million because in this parallel universe, they still control 70% of the recovered DAO funds.

The Robin Hood White Hat team was in disbelief. “We did everything we could to avoid this, but now we’re being dragged back into this fight,” Van de Sande said.

Current Bitcoin supporters can back their former selves by buying Ethereum Classic, which is what Bitcoin heavyweight entrepreneur Barry Silbert does. “Remember, the original blockchain is Ethereum Classic.” His company recently released an investment paper outlining the advantages of Ethereum Classic. A section titled “DAO and the Death Principle” summarizes the theoretical basis.

Alexis Roussel, co-founder of Swiss cryptocurrency broker Bity.com, still marvels at the wild world of hard forks and blockchain. “This is something that doesn’t happen in traditional finance,” he said. “If something happens to Apple, you don’t suddenly have a clone of Apple.”

What went wrong?

It’s been a year since the DAO attack, which is plenty of time to assess what went wrong.

Van de Sande is eager to move on. “This is really just a one-time incident,” he said. “We’re ready to turn the page and put the DAO story behind us.”

Green, who organized an Ethereum conference at Burning Man, still has his sense of humor. "The Robin Hood white hat team is just a show," he said with a laugh. "I hope the movie turns out better than it actually is."

Green, who organized a panacea at the Burning Man festival in the Nevada desert this summer, has kept his sense of humor. "The Robin Hood group is just a show," he said with a laugh. "I hope the movie turns out better than it actually is."

As for the bug itself, it’s clear that many smart people looked at the code before Gün and missed a major flaw: the sequence of commands in the code allowed DAO token holders to reap any profits from their investment.

"If the code was in the right order, the attack would have been impossible," Jentzsch said, but in reality it became one of the biggest backdoors in hacker history.

If the first letter "T" on line 666 was a lowercase "t", that would also prevent hackers from breaking in.

Jentzsch has many regrets but insists that no one knew about the specific problem in lines 666-667. (Other observers point to flaws elsewhere, just not here.) "It makes no difference at all," he said. "If you don't know what to look for in a security review, you won't find it."

Gün still let the bug go, and Green's emotions were related to Gün. "I was actually really angry," Green said. "He started bragging about how he found the bug." He added, "Don't tell anyone, he's very irresponsible." However, Green still respects Gün very much and said that they have made changes.

“I think it’s a potential problem,” Gün said. But he consulted with his student Daian. Daian said the vulnerability was “unexploitable,” and Gün said that if he determined the danger, “then I would tell people.”

Gün said of the attacker (whoever he was) and the stupidity of Ethereum Classic (the original Ethereum chain): “Excellent, he should cash out.” The hard fork proved that it wasn’t just the DAO that needed fixing, but the Ethereum blockchain itself. “The bug was also on the system side,” he said.

Concerns about smart contracts and the Ethereum blockchain have evaporated, at least according to the market’s reaction based on the price of Ether.

In the approximately nine months following the attack, Ether rose from $10 to $12, then began to soar in March, reaching $341.19 as of June 12.

The original Ethereum has also risen and is now trading at $18.71. In other words, both versions of Ethereum are viable. Looking ahead, who would you rather trust? After the hard fork, the attacker has finally left the classic Ethereum, taking away approximately $67.4 million.

Source:Bloomberg