Lessons Learned From the DAO Hack: The Blockchain, Smart Contracts and Security

12 October 2016 (updated 17 February 2017)

The application of blockchain has undoubtedly captured the imagination of the commercial world. In our previous blog on blockchain, we discussed ‘The DAO’, a Decentralised Autonomous Organisation, as a demonstration of how blockchain could be used to revolutionise the way business is conducted. If you missed it, have a look here. We also explained the basics of blockchain in our first blog of the series here. However, while there are many exciting opportunities offered by blockchain technology, there are of course risks to consider.

The DAO was set up without a governing body or constitutional documents: it was to be funded by contributors and would then invest in business proposals put to it. It raised the equivalent of over US$150 million in the cryptocurrency 'ether' in just 28 days, reflecting widespread optimism about blockchain technology. In June 2016, however, The DAO was 'hacked' and ether then worth around US$50 million was siphoned out of The DAO into an address controlled by an anonymous attacker, in full view of its users. Significantly, at the time of the hack The DAO held roughly 15% of all ether in existence, and the price of ether fell rapidly from over US$20 a unit to below US$13.

The attack exploited a 'recursive call bug' in The DAO's code, now more commonly called a re-entrancy vulnerability.[1] The function that paid out a participant's ether made the external transfer before it updated that participant's recorded balance. Because a transfer to a contract hands control to the recipient's code, the attacker's contract could call back into the same function and be paid again while its balance still read as unspent, and could repeat this many times within a single transaction.

The DAO's code was publicly visible (as is customary with smart contracts and blockchain applications), and this class of bug had been described publicly days before the attack; The DAO's creators acknowledged the problem and said they would fix it. But code deployed on a blockchain cannot simply be patched in place, and the attack was under way before any fix could take effect.
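As an added illustration (not The DAO's code, and not part of the original post), the following Python simulation models the re-entrancy pattern behind the 'recursive call bug'. It assumes a toy chain in which transferring ether to a contract invokes that contract's fallback hook, as the EVM does; the contract names, addresses and amounts are constructed for the example. The vulnerable vault pays before it records the withdrawal; the fixed vault follows the checks-effects-interactions order and pays only after zeroing the balance.

```python
"""Toy re-entrancy ("recursive call") model: added example, not The DAO's code.

A Chain holds ether balances. Sending ether to a registered contract hands
control to that contract's fallback(), as the EVM does when a contract
receives a call, which is the hook an attacker re-enters from. Addresses and
amounts below are constructed for the example.
"""


class Chain:
    """Minimal world state: ether per address plus the contracts that can receive it."""

    def __init__(self):
        self.ether = {}
        self.contracts = {}

    def fund(self, addr, amount):
        self.ether[addr] = self.ether.get(addr, 0) + amount

    def register(self, contract):
        self.contracts[contract.addr] = contract
        self.ether.setdefault(contract.addr, 0)

    def send(self, src, dst, amount):
        """Transfer ether; if dst is a contract, run its fallback (control transfer)."""
        if self.ether.get(src, 0) < amount:
            raise RuntimeError("insufficient ether at %s" % src)
        self.ether[src] -= amount
        self.ether[dst] = self.ether.get(dst, 0) + amount
        if dst in self.contracts:
            self.contracts[dst].fallback()


class VulnerableVault:
    """Pays out before recording the withdrawal: external call precedes the state write."""

    def __init__(self, chain, addr):
        self.chain, self.addr, self.balances = chain, addr, {}
        chain.register(self)

    def fallback(self):
        pass  # plain deposits need no reaction

    def deposit(self, caller, amount):
        self.chain.send(caller, self.addr, amount)
        self.balances[caller] = self.balances.get(caller, 0) + amount

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            return
        self.chain.send(self.addr, caller, amount)  # BUG: caller's fallback re-enters here
        self.balances[caller] = 0                    # recorded only after the payout


class FixedVault(VulnerableVault):
    """Checks-effects-interactions: write the new balance first, then pay."""

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            return
        self.balances[caller] = 0                    # effect first
        self.chain.send(self.addr, caller, amount)  # a re-entrant call now sees 0


class Attacker:
    """Contract whose fallback calls withdraw() again while the vault is mid-payout."""

    def __init__(self, chain, addr, vault, stake):
        self.chain, self.addr, self.vault, self.stake = chain, addr, vault, stake
        self.reentries = 0
        chain.register(self)

    def fallback(self):
        # Re-enter while the vault can still cover another full payout. On the real
        # chain the recursion is bounded by gas and call depth; here by vault funds.
        if self.chain.ether[self.vault.addr] >= self.stake:
            self.reentries += 1
            self.vault.withdraw(self.addr)

    def attack(self):
        self.vault.deposit(self.addr, self.stake)
        self.vault.withdraw(self.addr)


def run(vault_cls, honest_deposit=100, stake=10):
    """Return (vault ether, attacker ether, re-entries) after one attack."""
    chain = Chain()
    vault = vault_cls(chain, "vault")
    chain.fund("alice", honest_deposit)   # an honest participant's deposit
    vault.deposit("alice", honest_deposit)
    mallory = Attacker(chain, "mallory", vault, stake)
    chain.fund(mallory.addr, stake)
    mallory.attack()
    return chain.ether[vault.addr], chain.ether[mallory.addr], mallory.reentries


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))  # (0, 110, 10): vault drained
    print("fixed:     ", run(FixedVault))       # (100, 10, 1): re-entry gets nothing
```

With the vulnerable vault the attacker's 10-ether stake is paid out eleven times and the honest depositor's 100 ether is gone, even though the vault's own ledger still records that deposit. With the fixed ordering the attacker's fallback does re-enter once, but finds a zero balance and receives only its own stake back. A re-entrancy guard (a mutex flag set for the duration of the call) is the other common defence, and the two are often used together.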

This attack sheds light on some of the dangers of using these new technologies, where a small coding error can have disastrous and costly ramifications. Much of the discussion of these risks turns on the fact that it is near impossible to write an error-free application, and that a smart contract, unlike ordinary software, cannot be patched once deployed: whatever vulnerabilities it contains are locked in with it.

These issues are compounded by the immutability of the blockchain ledger. Once a transaction is recorded on the ledger it is, by design, not meant to be changed. While this is touted as one of blockchain's greatest drawcards, it also poses difficulties when something goes wrong, as it means the DAO hack could not simply be reversed in the way a fraudulent bank transaction can.

Yet erasure is, in effect, what happened. After the hack the Ethereum Foundation became involved. A 'soft fork', under which miners would refuse any transaction moving the stolen ether, was proposed but abandoned when a denial-of-service weakness was found in it; the attacker's funds were in any event locked for several weeks by The DAO's own withdrawal rules. The Foundation then coordinated a 'hard fork', adopted by the majority of miners in July 2016, which moved the ether to a new smart contract from which users could withdraw their original funds at no loss. In blockchain terms a 'fork' is a change to the network's rules: a soft fork tightens the rules so that older software still accepts the new blocks, while a hard fork changes them in a way older software rejects, so that nodes which decline the change continue on a separate chain. That is what happened here: the minority who rejected the intervention kept the original, unaltered chain, now known as Ethereum Classic.

Many Ethereum and blockchain advocates believe that the intervention was the wrong move. Smart contracts are meant to be self-executing, immutable and free from interference by organisations and intermediaries. Yet the building block of every smart contract, the code, is inherently imperfect, which means the technology is exposed to the same malicious actors who target businesses and governments. It is also clear that an intervention on the scale of the DAO response could not, and likely would not, be mounted for smaller losses, since each such reversal undermines the viability of the cryptocurrency and the credibility of the technology.

While regulation would be antithetical to the decentralised nature of the blockchain and the applications built on it, questions arise as to how the next hack will be dealt with, and who will make that decision. Just as the development and use of the technology is still in its infancy, regulators are also struggling to determine how blockchain sits within the current legal framework, and they are unlikely to create and impose regulations until the full parameters and scope of the technology can be determined.

As for the role of lawyers, blockchain and smart contracts are likely to open up new fields of legal work rather than make lawyers redundant. While smart contracts may automate execution, lawyers will still be needed to translate ordinary contractual terms into code. Additionally, smart contracts, being the creation of the parties, will only do what they are programmed to do and will only deal with clear and defined parameters. In a slightly more complex transaction, or in the event of ambiguity or a dispute, there will be a need to interpret and exercise human judgment, or to have complementary, additional contractual provisions. This will increasingly become the new role for lawyers in the relevant category of contracts.

[1] David Siegel, 'Understanding the DAO Attack', CoinDesk, 25 June 2016.