DAO had just raised $150 million in record crowdfunding effort. A futuristic technology experiment appears to have fallen prey to a common technological risk, as operators of a new investment fund based on a digital currency said they had suffered a catastrophic hack.
Founders of the fund, DAO, which was built around a digital currency called Ethereum and which raised more than $150 million this spring, said Friday morning they have been forced to shut down the fund and plan for its unwinding.
The attack spirited away roughly 3.6 million Ethereum coins, valued at around $55 million, from DAO to another account.
The Ethereum Foundation said on its website that the hacker’s account was identified and effectively frozen.
The attacker appeared to have exploited a loophole that essentially allowed a DAO stakeholder to create an identical fund and move money into it. But the code also imposes a waiting period that means the new fund can’t move any money for 27 days. The DAO’s founders are planning to “fork” the code and effectively void the hacker’s transactions.
“The DAO’s journey is over but all funds are safe,” said Stephan Tual, the founder of Slock.It, the group that created DAO, which stands for Decentralized Autonomous Organization. “All stolen funds will be retrieved from the attacker.”
The attack occurred in the early-morning hours on Friday and quickly sank the price of the Ethereum currency, which had been trading around $21 before it started. Within an hour, it had dropped 38% to $13. Late Friday, it was trading at $15.03. The value of the “tokens” that function like shares in the DAO fund fell as well.
The hack didn’t target the Ethereum network.
“DAO token holders and Ethereum users should sit tight and remain calm,”Vitalik Buterin, the creator of Ethereum, wrote on the Ethereum Foundation’s blog. “Exchanges should feel safe in resuming trading.”
Still, it is a black eye for the industry. DAO was set up in May as an experiment in using digital currencies and self-operating digital contracts to create a venture-capital fund that could run itself. But it was criticized early on for being poorly constructed, and there were calls for it to halt operations while it worked out its bugs. Those criticisms now appear prescient.
Investors seemed less concerned with the hack than with DAO’s decision to erase the fraudulent transactions. The move would be welcomed by most ordinary investors. But in the anarchic world of digital currencies, that sort of top-down reordering of events—even fraudulent ones—violates the decentralized ethos investors thought that they were supporting.
One investor in the DAO, Menno Pietersen, said he opposed the rescue and called the incident a “horrible mess.” The DAO’s creators “messed up” and didn’t take the time to build their product correctly, he said. He acknowledged that he himself didn’t vet the investment carefully enough, but said that as a backer of Ethereum, he was against any fix that would invalidate the goal of creating a decentralized platform. If trades can simply be erased, he asked, “what will they do next?”
“It was a risky investment,” he said. “You shouldn’t complain if you got burned.”
Another investor, Collin LaHay, called the idea of forking a “scary precedent.”
DAO’s funds were slated to be spent on supporting Ethereum-based startups through a proposal-and-voting mechanism. Startups would request funding, DAO stakeholders would vote on it, and if the proposal was approved, funds would automatically be dispersed.
The startup began a crowdfunding drive in May. Investors put in Ethereum and got tradable DAO tokens in return, which conferred voting rights. DAO raised more than $150 million of Ethereum through the month, far more than its creators expected. That made it the top crowdfunding effort on record and brought a high degree of attention in the cryptocurrency world and even from mainstream media.
“It’s not a disaster,” Slock.It founder Mr. Tual said. “There will be more projects. These are still early days.”
The identity of the attacker isn’t known, but Mr. Tual thinks the person or persons may eventually be identified.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.