
Stealing 3.6 million ETH, changing the history of Ethereum, reviewing the beginning and end of the largest chain attack in history

2022-02-23 00:16
Do you remember The DAO incident 6 years ago, when $60 million was stolen overnight?

On February 22, Laura Shin, the manager of "Unchained", posted on Forbes that, according to the relevant evidence she found, the hacker behind Ethereum's 2016 The DAO incident is suspected to be Toby Hoenisch, an Austrian programmer and the co-founder and CEO of TenX. Laura Shin said that, based on her data tracking of the suspect and on-chain analysis by blockchain analysis firm Chainalysis, she locked in the address of TenX’s node in Singapore. The largest hacking incident in history, 6 years ago, has come back into many people's memories.


“I saw Vitalik, the founder of Ethereum, suddenly post a sentence saying that The DAO was hacked and the money was being taken away by hackers. I thought it was a joke, and then I was dumbfounded,” said Daniel, the co-founder of the cryptocurrency wallet ImToken.

 

3.6 million ETH, which was more than $60 million at the time, was the amount stolen in this far-reaching hack. If calculated according to the historical highest price of ETH, 3.6 million ETH is worth close to 17.5 billion US dollars.

 

Two lines of code worth $60 million


Even now, when many people think of this hacking incident in the encryption industry 6 years ago, they probably still have lingering fears.

 

Everyone knows that Bitcoin is a global ledger that securely records all transfers, enabling barrier-free peer-to-peer transfers. Ethereum can be regarded as version 2.0 of Bitcoin, a "global computer". Based on Ethereum, developers can build many upper-level applications efficiently and quickly.

 

On top of such a system, many projects dedicated to solving real pain points have begun to emerge. At that time, this way of operating by itself through code and not relying on personal subjective will was sought after by many people. It was against this background that The DAO was born.

 

It was actually a project initiated by a German start-up company called Slock.it. This company was doing the on-chain business of physical assets at the time, but because it was difficult to raise funds in traditional industries, they had a bold idea: since no one would invest in them, why not create an investment institution?

 

The concept of distributed autonomous organizations was introduced by them. By using contracts, a group of stakeholders (investors) put money together. If someone seeks financing with a business plan, everyone votes to decide whether to invest. If it succeeds, everyone will share the benefits.

 

The whole process works like this: users submit a proposal to obtain investment. After the proposal is publicized, if more than half of the users vote for it, this virtual "VC" takes out a sum of money and invests it in the project. The invested project needs to guarantee, through this contract, that its business will continue to give profit back to the organization in the future, and each LP in the "VC" can share the corresponding income.

 

The DAO's way of running entirely on smart contracts was sought after by the community. The project started fundraising at the end of April 2016. In less than a month, it attracted 11,000 investors and finally raised 11.5 million ETH. That amount of ETH accounted for 15% of the entire Ethereum circulation at that time, with a total value of more than 150 million US dollars. It also made The DAO the project that raised the largest amount of Ethereum in the history of encryption.

 

But the seeds of danger were quietly planted when the news of the success of project financing came out.

 

At that time, even the team did not expect that the project could raise so much money. Confidently, they put all the ETH in one address. This is a very scary thing. Anyone with a little common sense knows that if you hold a huge amount of tokens, it is best to spread them across multiple addresses, so that even if you lose part of them, not everything disappears.

 

A tree that is beautiful in the forest will be destroyed by the wind. The DAO has become a "target" for hackers with ulterior motives.

 

In fact, as early as May 2016, members of the Ethereum team warned about possible security problems in such DAO projects, and described several possible attack schemes. On June 11, another Ethereum project also discovered that its contract had such a problem. Fortunately, it was dealt with in time and no losses were caused.

 

However, even after the team received the same security report, they still ignored it, thinking that the vulnerability would not pose a threat. In addition, there were dozens of proposals waiting to be voted on at that time. If the contract is suspended for inspection, it is estimated that the community will not accept it.

 

Just when everyone thought everything was going well, danger came.

 

The hacker is very smart. He first quietly wrote an attack contract on June 15th, lay in ambush for two days, and did not start to act until June 17th. Taking advantage of the loopholes in the contract, the hacker successfully transferred more than 3.6 million ETH from the main contract to a child DAO. This is a recursive split method, and finally the collected coins were transferred away in one go.

 

The problem is the following two lines of code: the code is correct, but the order is reversed.

 


 

Some analysts noted that if the programmer had swapped the order of the two lines of code, the behavior of each function would not have changed, but the loophole would have been avoided, and maybe The DAO would have been successful.
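The ordering problem described above, as an added Python model; it is not The DAO's contract code, which is not reproduced on this page. A toy ledger's `withdraw` either makes the external payout before clearing the caller's recorded balance, or clears it first; the names `Vault`, `withdraw` and `run`, and the deposit amounts, are constructed for illustration.

```python
# Simplified model of an ordering (reentrancy) bug. Constructed example,
# not The DAO's contract code.

class Vault:
    """Toy ledger; `safe` selects the order of the two key lines."""

    def __init__(self, safe):
        self.safe = safe
        self.balances = {}
        self.total = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.total:
            return
        if self.safe:
            self.balances[who] = 0       # effect first: record is cleared...
            self._send(amount, receive)  # ...then the external call
        else:
            self._send(amount, receive)  # external call first: callee runs code
            self.balances[who] = 0       # record cleared too late

    def _send(self, amount, receive):
        self.total -= amount
        receive(amount)  # hands control to the recipient's code


def run(safe, reentries=3):
    """Return (amount paid to caller, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("honest", 90)  # constructed sample deposits
    vault.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        if len(received) <= reentries:
            vault.withdraw("caller", on_receive)  # called again before return

    vault.withdraw("caller", on_receive)
    return sum(received), vault.total
```

With the payout first, a caller who deposited 10 is paid 40; with the balance cleared first, the nested call sees a zero balance and the payout stays at 10.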

 

Of course, this is just a beautiful fantasy. Hackers took advantage of this loophole and successfully transferred more than 3 million ETH, which caused an uproar in the encryption community.

 

This attack caused the project to lose 3.6 million ETH. According to the price at that time, the total value exceeded 60 million US dollars. If calculated according to the highest price in ETH history, the lost assets were nearly 17.5 billion US dollars. This news quickly affected the secondary market, and the price of Ethereum fell from $20 to below $13, a drop of more than 30%.

 

However, the cunning hacker did not expect that because the contract of child DAO is still in the creation stage, there is a 27-day lock-up period, so he cannot transfer the money in a short time.

 

The time left for everyone is only 20 days, and everyone must make a decision before the money is transferred.

 

After the attack, Vitalik published an article reconstructing the details of the attack on The DAO and proposing a solution. He proposed that the community conduct a soft fork on the Ethereum blockchain and treat transactions related to the attack as invalid, to prevent the attacker from withdrawing the stolen ETH. Afterwards, a hard fork vote would be initiated and the ETH would be retrieved.

 

With the Ethereum community making such a big move before the coins were transferred, the hacker couldn’t sit still.

 

On June 18th, someone claiming to be the hacker behind the attack appeared and sent an open letter to The DAO and the Ethereum community in a grand manner, saying he was disappointed and claiming that the ETH he obtained is legal and justified: "My law firm said that such behavior is in full compliance with the law."

 


 

However, someone discovered that the signature he left was fake, so this open letter may have been forged.

 

On June 19, a user named "daoattacker" was still discussing the incident in the Slack channel. In an anonymous conversation, he stated that he would take measures to stop the organized "theft" of his property, “Soon we will formulate a smart contract to reward those miners who do not support the soft fork, a total of 1 million ether and 100 bitcoin,” trying to encourage miners not to support the fork. Interestingly, he also sent a few BTC to people who left their addresses in the discussion area.

 

The meaning of the "hacker" was clear: he did not recognize the Ethereum fork. However, most of the community ignored his defense.

 

Soon, the Ethereum community launched a vote on whether to support the hard fork. Nearly 97% of ETH holders voted in favor of the fork. Only a few people disagreed with the fork. The final hard fork was unanimously approved.

 


 

On July 15, 2016, the specific hard fork plan was announced, and the refund contract began to be set up. With July 21 as the deadline, the date for executing the hard fork was fixed. 85% of the computing power supported the hard fork, and the hard fork of Ethereum succeeded.

 

Now, when we review this hacking incident in the encrypted world, we find that the attack not only defeated The DAO, but also had another, worse "side effect": many people began to wonder whether decentralized autonomous organizations are just a fantasy, and whether "Code is Law" is a castle in the air. It is true that the Ethereum community launched a hard fork vote to recover the losses of most investors and terminated an attack.

 

But from a certain point of view, the "hacker" is not unreasonable: The DAO itself is a smart contract, its arbitrator is itself, and no other external nodes can change the established rules. The official approach of Ethereum overturns this rule.

 

In many cases, the flaws that trigger hacker attacks can largely be avoided by developers while they write the code, but hackers in the encrypted world can take advantage not only of lines of code, but also of loopholes in human governance.

