A $79 million cryptocurrency heist just happened, and it’s threatening the future of blockchains
The Decentralized Autonomous Organization (DAO) is a radical experiment in crowdsourced investing, and it raised over $150 million in ether, a cryptocurrency that’s starting to rival bitcoin. The funds were stored at an address on the ethereum blockchain (the protocol underpinning ether) where they would sit until members of the DAO decided how they wanted to spend these funds, by collectively voting on proposals put before them.
But about nine hours ago (from the time of publication on June 17), chunks of ether started getting transferred away from the DAO’s address. As recently as an hour ago, the transfers were still taking place. All told, during that period the DAO’s balance fell by 3.7 million ether, worth $79.6 million at the time. As the hack was discovered, however, the price of ether itself has plunged by 27%, from being worth $21.50 each to $15.59 at its lowest. The price of bitcoin has also fallen by about 6% this morning, putting the brakes on a white-hot bull run.
It’s no surprise that cryptocurrency markets are in a panic. Funds invested in the DAO represents more than 10% of all the ether in circulation ($81.8 million worth). A massive hack on the DAO’s holdings would be roughly equivalent to a successful heist at a major financial institution. The hack was first reported by Business Insider.
Coincidentally, there’s a pretty good fiat-currency analogy to the DAO hack. The Bangladesh central bank had $81 million stolen from it in an online heist in February, after the SWIFT messaging network, which connects the world’s major financial institutions, was exploited by attackers.
While the Bangladesh heist only came to light in March, as government officials began pointing fingers, the DAO theft can be watched in real-time. Here’s the DAO’s address on an ethereum blockchain explorer called Etherscan, and here’s the address to which the apparent hacker is transferring funds. You can see the inflow of DAO funds into the attacker’s wallet on this list. The last transfer, for 258 ether, took place about 90 minutes ago.
Cryptocurrency heists happen fairly regularly. Most famously, Mt. Gox, once the biggest bitcoin exchange in the world, saw hundreds of millions of dollars worth of bitcoin vanish, leading to its collapse in 2014. But the DAO hack is significant for its size, and the fact that it has shaken the markets’ confidence in the security of the fundamental tools used to build on the ethereum protocol, which Wall Street sees as the blockchain’s “killer app” for its potential to automate routine contracts. While the code governing the ethereum blockchain doesn’t appear to have been compromised, the fact remains that the defenses of one of its largest pool of funds was breached.
It’s not currently clear how the DAO’s funds were accessed. The DAO community is congregating on its message board, and in a Slack group, to try to answer that question. “Well I think the DAO is now finished,” wrote one poster in the emergency thread created to marshall defenses against the attack.
Others aren’t so sure. Stephan Tual, a co-founder of a startup called Slock.it, which helped create the DAO, says there’s one way to fix the problem and boost the ethereum economy’s robustness. Ethereum’s miners, who decide what transactions form the cryptocurrency’s permanent record, can collectively agree to do a “rollback”, rewinding the ethereum blockchain to some point before the hack happened. The transactions for the stolen funds would effectively be nullified and wiped from the record. “It shows the community can work together for the benefit of the common good,” says Tual.
This isn’t as crazy as it sounds. Bitcoin miners have performed at least one rollback, in 2010, to fix a technical glitch. But bitcoin was trading for pennies then, a far cry from the $11.5 billion-worth of bitcoin in circulation today. Ether at current prices is already worth serious money. All the ether in circulation today is valued at $1.3 billion.
Another question is whether a rollback dangerously undermines a cryptocurrency designed to be decentralized and beyond the control of any single party or group. Tual has an argument against that too. “You need to compare this to a central server of a bank, where they can just change numbers without anyone being aware,” he says. “In this case, it’s completely different. If all the miners come together and [do a rollback], it’s a community action. And it’s transparent, completely transparent.”