🚨 The DAO Hack: $60 Million Stolen, Ethereum Forked

Understand the historic 2016 attack that led to Ethereum Classic


📜 The DAO Hack: A Historic Exploit

On June 17, 2016, an attacker exploited a reentrancy vulnerability in "The DAO" smart contract, draining over $60 million in ETH. This event became one of the most controversial moments in blockchain history.

🎯 Interactive: Attack Timeline

Follow the events that led to Ethereum's hard fork:

🚀 April 2016: The DAO launches. $150M raised in the largest crowdfunding campaign to date. Impact: initial success.

What Was The DAO?

🏛️ Decentralized Autonomous Organization

  • First major smart contract investment fund
  • Crowdfunded $150 million in May 2016
  • 11,000+ investors worldwide
  • Governed by token holders voting

💎 Key Features

  • No central management
  • Transparent on-chain operations
  • Proposal-based funding system
  • Exit mechanism (splitDAO function)

🎯 Interactive: Vulnerable Code Analysis

Compare the vulnerable DAO code with a secure implementation:

❌ The DAO's Vulnerable splitDAO Function

function splitDAO(
  uint _proposalID,
  address _newCurator
) returns (bool _success) {
  ...
  // Transfer Ether to the new DAO
  // ⚠️ EXTERNAL CALL BEFORE STATE UPDATE
  if (balances[msg.sender] > 0) {
    if (!msg.sender.call.value(balances[msg.sender])()) {
      throw;
    }
  }
  
  // ⚠️ STATE UPDATE HAPPENS AFTER EXTERNAL CALL
  // Attacker can reenter before reaching here!
  balances[msg.sender] = 0;
  
  return true;
}

🔍 Vulnerabilities:
  • CRITICAL: External call before balance update
  • CRITICAL: Attacker can reenter with a non-zero balance
  • HIGH: No reentrancy guard mechanism
  • HIGH: Violates the Checks-Effects-Interactions pattern
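The secure counterpart that the comparison above calls for, added here as an illustrative example rather than code from The DAO or this course: the same withdrawal step re-ordered to follow Checks-Effects-Interactions and wrapped in a minimal reentrancy mutex. The contract and function names (SafeSplit, withdrawShare, _locked) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical re-write of the withdrawal step of splitDAO.
// Names here are assumptions, not The DAO's own identifiers.
contract SafeSplit {
    mapping(address => uint256) public balances;
    bool private _locked; // simple mutex, same idea as OpenZeppelin's ReentrancyGuard

    // Rejects any nested call into a guarded function while one is in progress.
    modifier nonReentrant() {
        require(!_locked, "reentrant call");
        _locked = true;
        _;
        _locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-Effects-Interactions:
    //   Check       - caller actually has a balance to withdraw
    //   Effect      - zero the balance BEFORE any external call
    //   Interaction - send the Ether last
    function withdrawShare() external nonReentrant returns (bool) {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");   // check

        balances[msg.sender] = 0;                     // effect first

        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
        return true;
    }
}
```

If the transfer fails, require reverts the whole call, so the zeroed balance is restored rather than lost. A caller that reenters during the external call sees a balance of 0 and fails the first require even without the guard; the mutex is a second, independent line of defence.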

The Aftermath

⚖️ Ethical Debate

The community split over whether "code is law" or human intervention was justified. This debate continues today.

🔒 Security Awakening

The hack led to the development of security tools, audit practices, and frameworks like OpenZeppelin.

📚 Education Focus

Reentrancy became the #1 vulnerability taught in smart contract development courses worldwide.

🛠️ Tool Development

Static analyzers, formal verification, and automated testing tools emerged to prevent similar attacks.

💡 Key Lessons

1️⃣ Code audits are essential: The vulnerability was known before the attack but not fixed in time.
2️⃣ Complexity increases risk: The DAO's complex logic made the vulnerability harder to spot.
3️⃣ Follow security patterns: The Checks-Effects-Interactions pattern would have prevented this.
4️⃣ Use battle-tested libraries: OpenZeppelin's ReentrancyGuard was created in response to this attack.