If $60 million were stolen from a high street bank, we would probably never read about it in the news. Not because it's not a story worth writing about, but because banks don’t want the public to know about a huge security breach. When an attack like this happens to a cryptocurrency, everybody knows, because transactions are all recorded openly on the Blockchain. That's what happened on June 17th 2016 to the DAO, the Distributed Autonomous Organisation.
Firstly, perhaps we should explain what the Distributed Autonomous Organisation is and how it came to be. In 2013, a 19-year-old Russian programmer by the name of Vitalik Buterin proposed a next-generation cryptocurrency that would run a decentralised application platform called Ethereum. These decentralised applications were to be based on “smart contracts”, which according to Vitalik Buterin are "computer programs that directly control digital assets". Ethereum was launched in August 2014 and ever since, developers have been writing smart contracts to do some pretty interesting things.
For instance, a smart contract can create a “trustless” crowdfunding campaign (think Kickstarter without the fees), let anyone issue their own cryptocurrencies or build a decentralised organisation that has no CEO, no CFO, no management of any kind. The organisation can be managed by a smart contract: a simple algorithm that is controlled by all members of the organisation collectively through voting. This means no single person can change the rules of how the organisation operates. Welcome to a future where your new boss is a piece of code and the employees get to tell it what to do. This is the basis of the DAO, the largest and most well-known Ethereum project to date. So where does the money come in?
Unlike other Bitcoin 2.0 projects (like Storj, Counterparty and numerous others), Ethereum has its own Blockchain and its own currency called Ether. Ether powers these decentralised applications and so was used to fund the DAO. The project ended up raising more than $120 million worth of Ether, which is the biggest crowdfunding campaign in the world so far. So now we have an organisation directed by a smart contract, which is holding $120 million worth of Ether for its members, who collectively and proportionally (more money invested means more voting power) decide what to do as an organisation with the funds. Then along comes a “hacker” and simply takes $60 million. This should be impossible, as funds cannot move without the consent of at least 51% of the DAO members. So how did all this money disappear?
The person claiming to be behind the attack wrote an open letter to the Ethereum community declaring that what they had done was not illegal. In fact, the smart contract supposedly enabled them to create a “child DAO” by splitting the code and taking half of the Ether (worth $60 million) with the child. This all sounds like a messy A.I. divorce that we hopefully don’t see too many more of in the future.
So actually, stolen may not be the right term to use in this situation. But the money is gone and now the Ethereum community and larger Bitcoin/crypto community are waiting to see what will happen next. Everyone has agreed that the DAO smart contract needs fixing. The lines of code that allowed the hacker to take the money need to be rewritten so that this problem never happens again. Some are leaning towards a soft fork in the code, meaning it will still be backwards compatible (like when a new games console is released but you can play old games on it), whilst others are pushing for a hard fork which is not forward compatible (so everyone needs to convert to the new system and the old system slowly dies).
Whatever they decide, some expensive lessons have been learned from this experience. There is still a lot of work to be done to put A.I. in charge of an organisation; it's probably best to test new cryptocurrency innovations with less money at stake; and of course, when signing (smart) contracts, always read the small print.