
Ethereum DAO Smart Contract Vulnerability Exploited for $60 Million

Critical

The Ethereum DAO autonomous organization was hacked for $60 million in June 2016 due to a reentrancy vulnerability in its smart contract code. The incident led to a controversial hard fork of the Ethereum blockchain to recover the stolen funds.

Category: Agent Error
Industry: Finance
Status: Resolved
Date Occurred: Jun 17, 2016
Date Reported: Jun 17, 2016
Jurisdiction: International
AI Provider: Other/Unknown
Application Type: agent
Harm Type: financial
Estimated Cost: $60,000,000
People Affected: 11,000
Human Review in Place: No
Litigation Filed: No
Tags: smart_contracts, blockchain, cryptocurrency, autonomous_systems, reentrancy, ethereum, hard_fork, decentralized_finance

Full Description

The Ethereum DAO (Decentralized Autonomous Organization) was launched in April 2016 as an ambitious experiment in decentralized governance and investment. The DAO operated entirely through smart contracts on the Ethereum blockchain, allowing token holders to propose and vote on investment decisions without traditional management structures. By May 2016, the DAO had raised approximately $150 million worth of Ether, making it the largest crowdfunding project in history at the time.

On June 17, 2016, an unknown attacker began exploiting a critical vulnerability in the DAO's smart contract code. The vulnerability, a reentrancy flaw, existed in the splitDAO function that allowed users to leave the DAO and withdraw their funds. The contract's flawed logic updated user balances after transferring funds rather than before, enabling the attacker to recursively call the withdrawal function multiple times before the balance was updated. Over the course of several hours, the attacker drained approximately 3.6 million Ether, worth about $60 million at the time.

The Ethereum community and developers faced an unprecedented crisis as the attack continued. The vulnerability had been identified by security researchers weeks earlier, but the complex governance structure of the DAO made it difficult to implement fixes quickly. As the attack progressed, developers and miners worked frantically to understand the exploit and develop countermeasures. The attacker's funds were temporarily locked in a child DAO due to the contract's design, providing a 28-day window before the stolen funds could be withdrawn.

The incident triggered intense debate within the Ethereum community about how to respond. Two main factions emerged: those supporting intervention through a hard fork to reverse the theft, and those arguing that 'code is law' and the blockchain should remain immutable.
After weeks of heated discussion, the Ethereum Foundation decided to implement a hard fork on July 20, 2016, effectively reversing the DAO hack and returning the stolen funds to their original owners. This decision led to a permanent split in the Ethereum blockchain, with the original chain continuing as Ethereum Classic and the new chain becoming the current Ethereum network. The incident highlighted critical risks in autonomous algorithmic systems and led to improved security practices in smart contract development.

Root Cause

The DAO smart contract contained a reentrancy vulnerability in its splitDAO function that allowed an attacker to recursively call the withdrawal function before the contract updated the user's balance, enabling multiple withdrawals of the same funds.

Mitigation Analysis

The incident could have been prevented through formal verification of smart contract code, comprehensive security audits including reentrancy testing, and implementation of reentrancy guards. Post-deployment monitoring systems to detect unusual transaction patterns and emergency pause mechanisms would have limited damage. The absence of code review standards and testing frameworks for autonomous financial systems was a critical gap.
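A minimal Python model of the ordering defect named in the root cause above, beside the two mitigations this analysis calls for: checks-effects-interactions ordering and a reentrancy guard. This is an added example, not the DAO's code; the vault classes, the ReenteringAccount test double and the balances are all constructed for illustration.

```python
class ReentrancyError(Exception):
    pass

class VulnerableVault:  # pays out BEFORE zeroing the balance, as the DAO's splitDAO did
    def __init__(self, balances):
        self.balances = dict(balances)
        self.pool = sum(balances.values())   # total funds held by the contract

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount <= 0:
            return
        self.pool -= amount
        account.receive(self, amount)         # external call: callee can re-enter here
        self.balances[account] = 0            # state update comes too late

class HardenedVault(VulnerableVault):  # checks-effects-interactions plus a mutex guard
    _locked = False
    def withdraw(self, account):
        if self._locked:                      # guard: refuse any nested call
            raise ReentrancyError("nested withdraw rejected")
        amount = self.balances.pop(account, 0)  # check + effect: zero the balance first
        if amount <= 0:
            return
        self.pool -= amount
        self._locked = True
        try:
            account.receive(self, amount)     # interaction: the external call comes last
        finally:
            self._locked = False

class ReenteringAccount:  # constructed test double: receive() calls withdraw() again
    def __init__(self, reentries):
        self.received, self.reentries = 0, reentries

    def receive(self, vault, amount):
        self.received += amount
        if self.reentries > 0:
            self.reentries -= 1
            try:
                vault.withdraw(self)
            except ReentrancyError:
                pass                          # the hardened vault refused the nested call

def run(vault_cls, deposit=100, reentries=3):
    """Withdraw once through a re-entering account; return (received, pool left)."""
    acct = ReenteringAccount(reentries)
    vault = vault_cls({acct: deposit, "honest": 900})  # constructed balances
    vault.withdraw(acct)
    return acct.received, vault.pool
```

With three nested calls the vulnerable vault pays the 100-unit deposit out four times and the shared pool drops from 1000 to 600; the hardened vault pays exactly once, and either fix alone (state update first, or the guard) is sufficient to stop the nested call.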

Lessons Learned

The DAO hack demonstrated that autonomous algorithmic systems require rigorous security testing and formal verification before handling significant financial assets. The incident established the importance of security audits, bug bounty programs, and emergency response mechanisms for decentralized autonomous systems, while also highlighting the tension between immutability and corrective action in blockchain governance.

Sources

Critical Update Re: DAO Vulnerability
Ethereum Foundation · Jun 17, 2016 · company statement