Cyber Incident Victim: The DAO
Date: Jun 2016
Location: United States of America
Summary
Attackers exploited a software vulnerability in The DAO, a crowdfunded Ethereum-based investment fund, draining over 3.6 million ether (approximately one-third of its holdings) through recursive calls to the splitDAO() function combined with a second bug enabling repeated attacks. Copycat incidents further siphoned funds, intensifying systemic risks to Ethereum's viability. The theft prompted a contentious proposal to invalidate stolen assets via a blockchain soft fork requiring majority miner approval, sparking debates over Ethereum's decentralized principles as critics equated intervention with centralized bailouts. The attacker halted withdrawals strategically amid community deliberations, leaving the cryptocurrency's integrity and governance model fundamentally challenged regardless of the fork outcome.
Description
On June 17, 2016, attackers exploited a critical vulnerability in The DAO, a decentralized autonomous organization built on the Ethereum blockchain, resulting in the theft of over 3.6 million ether—equivalent to approximately one-third of its 11.5 million ether holdings. The stolen cryptocurrency, valued between $45 million (post-attack rates) and $77 million (pre-attack rates), was siphoned through recursive exploitation of a flaw in the splitDAO() function. This function, designed to allow investors to withdraw funds, failed to reset user balances to zero before permitting repeated recursive calls. Attackers combined this vulnerability with a second bug enabling them to replicate the attack from the same addresses, multiplying the theft. Within days, at least six copycat attacks occurred, extracting an additional 785 ether, though some were suspected to be whitehat attempts to secure remaining funds. The exploit’s persistence left The DAO and Ethereum vulnerable to further depletion, as the flaw remained unpatched during initial response efforts.

Ethereum’s core developers proposed a soft fork—a backward-incompatible protocol change requiring 51% miner approval—to invalidate the stolen transactions by rolling back the blockchain. Founder Vitalik Buterin endorsed this solution but emphasized miners’ ultimate authority. The proposal sparked intense debate, with critics arguing it violated Ethereum’s foundational principle of decentralization by introducing centralized intervention. Security researcher Rob Graham likened the fork to the 2008 financial bailouts, framing it as a corruption of cryptocurrency’s anti-establishment ethos. Meanwhile, the initial attacker halted further exploitation voluntarily, potentially to reduce community support for the fork. The incident threatened Ethereum’s viability: a successful fork would undermine claims of immutability and decentralization, while failure risked destabilizing the currency due to the stolen funds’ scale. No consensus outcome was confirmed at the time of reporting, leaving Ethereum’s future trajectory uncertain.
