the contract and he wanted to figure out what went wrong. He identified several major problems in the code that didn't allow the ether to be freed. More generally, he had taken a look at a cross-section of smart contracts that had been deployed on the Ethereum blockchain at that time. He estimated that more than 10 percent of the Ethereum smart contract code he examined had a bug in it. The title of his blog post: “Ethereum Contracts Are Going to Be Candy for Hackers.”
The write-up got a fair amount of notice and was picked up by Hacker News. Vessenes was intrigued, so he kept looking for security issues to highlight on his blog. A few weeks after his first smart contract post, he published one called “More Ethereum Attacks: Race-to-Empty Is Real.” Vessenes had noticed a comment online by Christian Reitwiessner, one of the creators of Solidity, the computer language used to write smart contracts. The bug allowed users to ask for money back from a smart contract and end up getting more than they had available to withdraw. While Peter called the bug “race-to-empty,” it would soon be known more widely as a “reentrancy bug.”
In any event, he wrote this on his blog on June 9, 2016, eight days before the DAO attack, “Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and are not very, very careful.”
Vessenes had seen plenty of controversy by then. He'd lost a battle to remake the board of directors of the Bitcoin Foundation and tangled with Mt. Gox in court for years. He said he's received death threats. In one sense, to him, the DAO was just another chapter in the unbelievable blockchain story.
“It's always something in digital currency land,” he said. “This was a little bigger, but at the time it wasn't clear it was going to be bigger.” In any event, it was impossible to look away.
“Kids get a bunch of money and flamethrowers, so every week, you tune in,” he said.
Outside the ferry building on Bainbridge Island, the coincidental timing of meeting Peter Vessenes has stuck with Dax Hansen over the years. “I thought it was really interesting and kind of ironic that I ran into him on that day, and that he had been paying attention to it,” Hansen said. Afterwards, Vessenes got on the ferry and headed into Seattle.
Three thousand miles away on the East Coast, another researcher had been looking at security flaws in the DAO. Emin Gün Sirer is an associate professor of computer science at Cornell University. In 2002, he devised a decentralized system for rewarding good behavior he called Karma. It was the first currency system to use proof of work to establish the validity of transactions. Cynthia Dwork and Moni Naor invented the idea of proof of work in 1993 as a means to reduce email spam. The concept was later adopted for cryptocurrencies by people such as Adam Back, and most famously by Satoshi Nakamoto in his design for Bitcoin.
So by the time Bitcoin came around in 2009, Gün – everyone calls him Gün (pronounced goon) – was well versed in digital currencies. And then, with its added complexity, Ethereum opened up a whole new vista of possibilities for blockchain applications. With the rise of the DAO, Gün found himself in computer scientist nerd heaven.
“It's a fascinating story,” he said. “This is one of the best heist stories I know. It all happened out in the open.” He wears his dark hair short and appears years younger than he is thanks to his Turkish roots. He drives his BMW around Ithaca like he's still in Istanbul. There is an earned arrogance about Gün: he rubs some people the wrong way, but I've always found him to be extremely helpful and generous with his time. “People stole from a robot,” he said. “It's man versus robot. It's insane.”
Every aspect of the DAO was prescribed. It's written in code. The amount of time it was open to collect money had been set to run from April 30 to May 28. This was the fundraising part of the DAO, the time when more money than anyone associated with it could have imagined came pouring in. It was during this period that Gün decided to take a look at its source code along with two friends, Dino Mark and Vlad Zamfir. From the very start they saw it was bad.
“There are like nine different ways of getting money out of this thing,” Gün said. Based on the severity of what they found, the three researchers published “A Call for a Temporary Moratorium on the DAO” on May 27, a day before the crowdfunding was set to end.
“These concerns motivate a moratorium on funding proposals to prevent losses due to poor mechanism design,” Mark, Zamfir, and Sirer wrote. “A moratorium would give the DAO time to make critical security upgrades.”
They'd discovered seven potential flaws in the DAO code, such as inherent biases involved in how DAO token holders would vote on proposals. Another was termed a “stalking attack,” and would become important later. A stalking attack is done to someone who wants to withdraw their funds from the DAO. To withdraw their ether, they create a subcontract that's an exact copy of the DAO, known as a child DAO. Remember our underground bank? The bank is the DAO and the room you carved out is the child DAO.
And as you may recall, the person has to wait 27 days to get their money out of the child DAO. Yet because this is done on a public blockchain, a stalker could interact with – or “enter” – the subcontract. They can ride along inside the child DAO. This throws off control of what the contract can do, as the stalker can be evil and vote against proposals such as getting the money out. This is bad. It essentially freezes money in the DAO and encourages blackmail and ransom, the three researchers wrote.
While there was a healthy public debate over what to do about the DAO, no moratorium was implemented. Many people I've spoken to feel that there was just too much momentum behind the DAO for anyone or anything to stop it. Ethereum users wanted the DAO to work. They'd all put their money in. It would work.
The DAO went live on May 28, meaning people could now make funding proposals. Gün continued to watch its progress.
A year earlier, Gün had become a father, and sometime in mid-June his one-year-old son passed on a different kind of bug to him. On the evening of Monday, June 13, 2016, he lay in bed with his laptop on his chest in the second-floor bedroom of his house in Ithaca. His eyes were watering and used Kleenex surrounded him. As sick as he was, he couldn't tear himself away from the DAO. He thought he'd found another flaw.
On the other end of an email chat with Gün was his soon-to-be graduate student Phil Daian. He's skinny and dark haired, not one for a suntan, and possesses an almost preternatural understanding of distributed systems. In his 20s when the DAO attack occurred, Phil seemed to me to be the type of guy who peaks in his mid-50s – so look out. But on this night in June 2016, he sat on a ratty couch in the apartment he shared with friends from college in Champaign, Illinois. He should have been working for the software testing startup he'd joined; they had a deadline approaching. But Gün can be incredibly persistent and had been looking at the DAO code for weeks at that point.
Both Phil and Gün were aware of what Peter Vessenes and a few others had published about the reentrancy bug. This is how it works: imagine there is a line of 20 bank tellers, and you go to the first and ask to withdraw $100. But before you get the money, you go to the second teller and ask for $100. And so on, down the line until all 20 have been visited. Normally you'd need $2,000 in your account to cover all the withdrawals. The reentrancy bug in the DAO, however, didn't allow the code to work that way. If you knew where to focus your attack, you could run the bank-teller trick, asking for more and then more and then more until the DAO had given you millions of dollars even though you only had a few thousand in your account.
But where? Where, exactly, was that vulnerability in the code? The day before, a user on the DAOhub message board named eththrowa had identified a bug. It was encoded in the function that would pay out DAO token holders if they had earned income from their investment. So if you voted for a project that got funded, and that project made money, you got a cut through this payout feature. It's known in the code as the “withdrawRewardFor” function. It came on line 772 of the DAO code. This was a bug, yet it wasn't the bug. (Interestingly, eththrowa was never heard from again, he/she popped up once and then disappeared five days before the DAO attack.)
The bug in the DAO code responsible for the $55 million hack, the one Gün stared at on his laptop that evening, lived in a