Ethereum is an open-source, blockchain based platform that supports smart contracts. Ether, the cryptocurrency generated by the Ethereum platform is the second most valued cryptocurrency right now.

In June 2016, Ethereum found itself under attack when an unknown hacker made use of some existing vulnerabilities to steal more than 3.6m Ether that is $50 million worth of cryptocurrency.

Some terms that those new to blockchain should be familiar with to help you understand the story of this attack better:

A DAO is a Decentralized Autonomous Organization that functions as a computer program wherein policies and the decision making structure of the organization are coded. It is transparent to all shareholders and thus eliminates the need for a central authority.

A smart contract is a computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract. Smart contracts allow the performance of credible transactions without third parties.

These transactions are trackable and irreversible (Wikipddia). In short, it is code that is executed on the Ethereum blockchain and can interact with Eth and user wallets.

A distributed ledger is the public database of all transactions on the Ethereum blockchain and is maintained by every Ethereum node.

Ethereum makes use of the above concepts. These give the blockchain its most important features of security and immutability. Imagine the frenzy it must have sent the shareholders into when these very core principles were threatened!

The Backstory Behind the Attack :

Ethereum was founded in 2015 by 21 year old Vitalik Buterin who wanted to decentralize the internet with Ethereum. A crowdsourcing campaign had helped raise the funds to launch Ethereum (Ether worth $18m was sold).

Ethereum functions as a decentralized autonomous organization (DAO). “The DAO” is the name of a DAO that was launched on April 2016 by a German startup called Slock.it.

It found itself under attack within 2 months of launch when an unknown hacker started withdrawing Ether from “The DAO” and transferring it to a child DAO that had the same structure as its parent. This resulted in a sharp drop in the market price of Ether from $17.5 to $13.

What was the Problem?

In June, “The DAO” announced that a recursive call bug had been found in it but there was no cause for concern and all funds were safe. Within 6 days of this announcement on June 17, an unknown hacker started stealing ether that would amount to $50 million.

The attacker also went on to proclaim that his actions were within the laws of legal jurisdiction and no criminal proceedings could be initiated against him because all he did was take advantage of a loophole in the system.

What The Attacker Did

The hacker used a loophole to his advantage to steal ether within the legal framework. Ethereum is a platform that carries out all its transactions on gas, which is the cost to execute a smart contract on the blockchain. The attacker exploited this to increase the size of the Ethereum block sizes by flooding it with illegitimate transactions that were of no value. This led to a delay of transactions that were actually of use.

But the attacker couldn’t access the ether in the child DAO for 28 days since that was the initial funding period of the child DAO. Any attempts to withdraw from the child DAO would raise alarms. And that the attacker could not risk!

The open letter posted by the attacker

The Shortcoming Ethereum Hadn’t Addressed

The issue that the Ethereum designers didn’t address was that all the Ether was stored at a single address. This gave leeway for the hacker to carry on his attack. Of course, the thought of splitting “The DAO” to stop the attack did cross the minds of the shareholders but there was too little time to to raise a consensus and get the required number of votes.

The Proposed Solution

There were only two courses of action left to be taken now. One was to do nothing and potentially end up losing millions of dollars. The second solution proposed was a two-step process, what was a soft fork followed by a hard fork.

That was against the main principle of immutability that blockchain stands for, where a previous state cannot be altered. This made many skeptical.

“The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash (ie. The DAO and children) lead to the transaction (not just the call, the transaction) being invalid, preventing the Ether from being withdrawn by the attacker past the 27-day window.

This will later be followed up by a hard fork which will give token holders the ability to recover their Ether.”
- Vitalik Buterin in response to the DAO Vulnerability on June 17

However, the idea of a soft fork was later put aside as it raised a number of security concerns with it. On the other hand, the hard fork proposal was voted for and agreed upon by most of the shareholders of Ethereum.

And Finally Pulling Through…

The hard fork was finally put in place on the 20th of July, 2016. This however created 2 branches —the Ethereum that was forked and Ethereum Classic which was on the original blockchain.

After which, Ethereum took several measures to keep the size of the blockchain from expanding should such a situation arise ever again. It also added extra protection against DDoS (Distributed Denial of Service) attacks.

Since then, Ethereum has bounced back from the attack. It has changed it mining approach from a Proof-of-Work concept to a Proof-of-Stake concept. Currently, it is the second largest currency in the market with $45 billion in market cap.