Remembering The DAO Hack: A Lesson in Ethereum’s Evolution

By Patricia Miller

Jun 17, 2026


Ten years after The DAO hack, Ethereum’s journey offers crucial insights into security and decentralization in cryptocurrency.

On June 17, 2016, an anonymous attacker took advantage of a vulnerability in a smart contract and stole 3,641,694 ETH from The DAO. This incident was significant as it represented approximately one-third of the $150 million raised by the project. The theft was not merely a financial loss for investors; it caused deep divisions within the Ethereum community and resulted in two separate blockchains that continue to exist today.

What led to such a monumental breach?

The DAO, which was launched in April 2016, operated as a decentralized venture capital fund. Its ambitious goals attracted a lot of funding, making it one of the largest crowdfunding initiatives at the time. However, a reentrancy bug in the smart contract code emerged as a critical flaw. This vulnerability allowed the withdrawal function in the contract to be called multiple times before it completed updating the sender’s balance. This scenario is akin to a faulty ATM that dispenses cash before registering the transaction, allowing repeated withdrawals.
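The ordering flaw described above, as an added toy model in plain Python (not Solidity, and not The DAO's contract code). All names (`Vault`, `Recipient`, `run`) and the deposit amounts are constructed for illustration; the model compares recording the withdrawal after the payout with recording it before.

```python
# Toy model in plain Python, not Solidity and not The DAO's code.
# All names (Vault, Recipient, run) are hypothetical.

class Recipient:
    """Account whose receive hook may call back into the vault."""
    def __init__(self, reenter):
        self.reenter = reenter
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)   # callback before the vault has finished


class Vault:
    def __init__(self, update_first):
        self.update_first = update_first
        self.balances = {}
        self.pool = 0              # total held on behalf of all depositors

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.update_first:
            self.balances[who] = 0        # record the withdrawal, then pay
        self.pool -= amount
        who.receive(self, amount)         # external call hands over control
        if not self.update_first:
            self.balances[who] = 0        # flaw: recorded only after paying


def run(update_first, reenter):
    """Constructed scenario: caller deposits 10, other holders deposit 90."""
    vault, caller, others = Vault(update_first), Recipient(reenter), Recipient(False)
    vault.deposit(others, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the balance updated before the external call, the nested `withdraw` sees a zero balance and returns, so the pool keeps the other holders' 90 units; an auditor can assert that invariant as a regression test.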

The attacker exploited this reentrancy vulnerability, successfully draining ETH into a subsidiary contract known as a child DAO. This child DAO contained a 28-day withdrawal lock, which provided the Ethereum community a limited opportunity to react.

On July 20, 2016, approximately one month after the hack, a hard fork was enacted. This hard fork allowed the Ethereum blockchain to reverse the theft and restore funds to affected investors. As a result, the forked chain became the Ethereum that is widely used today. The original chain continued as Ethereum Classic, representing a faction within the community that held to the principle of an unalterable blockchain even when the outcome is unfavorable.

The debate between the two communities crystallized around the phrase "code is law." Advocates for Ethereum Classic argued that reversing transactions undermines the essence of a trustless ledger. In contrast, supporters of the hard fork contended that allowing an attacker to retain a significant sum due to a technical mishap was not ethically right.

What happened to the funds that went unclaimed?

Interestingly, after the hard fork, a portion of the restored funds, estimated at about 75,000 ETH, was never claimed by original DAO token holders. Fast forward to early 2026, and these unclaimed assets became the cornerstone for creating TheDAO Security Fund. At its inception, this fund was valued at nearly $220 million. Its purpose is to catalyze security initiatives throughout the Ethereum ecosystem, converting the aftermath of the original hack into a resource for future protective measures.

The governance of TheDAO Security Fund includes prominent figures like Vitalik Buterin and Griff Green, ensuring its funds are invested wisely.

The vulnerability that enabled The DAO hack has not vanished. It has since become a well-examined attack vector in the field of smart contract security. Variants of this bug have surfaced in subsequent hacks, underscoring the need for ongoing scrutiny from developers and auditors.

Why is the existence of TheDAO Security Fund important for investors?

The establishment of TheDAO Security Fund illustrates a proactive stance taken by the Ethereum community regarding legacy assets. Rather than allowing these funds to remain idle, they are now dedicated to advancing protective measures. For investors considering the long-term potential of Ethereum, a $220 million security fund, supported by funds from a prior hack, demonstrates a serious commitment to developing a safer ecosystem.

This philosophical division retains its relevance today. Ethereum Classic may trade at a much lower price compared to Ethereum, yet it continues to embody an ongoing debate about the true meaning of decentralization. Each time a protocol contemplates emergency modifications—be it freezing hacked assets or reversing unwanted updates—the precedent set by The DAO remains a significant consideration.
