Birth - Ethereum network early days

Ethereum was an idea crafted by a young man named Vitalik Buterin in late 2013. The idea of the Ethereum network was that, alongside transactions between people, you could also make transactions to automated software whose source is available to read. The piece of code you’re transacting with is called a Smart Contract (the term was invented by Nick Szabo [1] [2]) and gets executed by clients running a node. This way, people don’t have to trust each other to transact in a more complex way than just transferring value. They can agree on any contract and know with 100% certainty how it will behave. A lot of people started using the term Code is Law to describe the fact that the contract (in this case, code) will get executed in the exact way it was written, regardless of possible inconveniences or even flaws in it.

After successfully raising 18 million from the ICO (72 million Ether was premined), Ethereum gets its first blockchain implementation and launches successfully [1] [2].

Note: Computer code can have flaws, and in the vast majority of programs it has many. The way we are used to dealing with software is releasing it to the public and patching defects as they are reported. This can’t fly in the world of Smart Contracts, because once money gets stolen from a smart contract you can’t get it back: wallets are protected by public-key cryptography, so only the owner of the private keys can move the money. Once the money gets into the hacker’s hands, it’s gone forever.

Slock.It and The DAO

Many contracts have been written on the Ethereum blockchain, but one of them, The DAO contract [1], played a huge role in Ethereum history. The contract was written by a company named Slock.It, started by a former Ethereum CCO, Stephan Tual. The DAO was launched with a 28-day crowdsale that helped fund the company. By May 21, 2016, the DAO token sale had managed to raise over 11.5 million Ether (~$150 million USD at the time).

Shortly after the crowdsale ended, a new exploit is found, termed race to empty [1] [2].

In Brief: Your smart contract is probably vulnerable to being emptied if you keep track of any sort of user balances and were not very, very careful.

A few days later, an official statement comes from Stephan Tual - CEO of Slock.It - claiming that no DAO funds are at risk [1] [2] from this newly discovered recursive call bug.

We promptly circumvented this so-called “recursive call vulnerability” or “race to empty” from the DAO Framework 1.1

Sadly, as it turned out, they could not have been more wrong.

Summary

  1. Ethereum network launches
  2. Soon after, a company named Slock.It deploys a smart contract that ends up holding 150 million dollars
  3. A new exploit is found that can be used to empty a lot of contracts that follow bad practices
  4. Slock.It CEO claims they are not vulnerable to this attack


Resources

Launching the ether sale - Vitalik Buterin [1]

Ethereum launches - Vitalik Buterin [1] [2]

The problem with censorship - Vitalik Buterin [1] [2]

The DAO - Wikipedia [1]

Analysis of the DAO exploit - Phil Daian [1] [2]

No DAO funds at risk following the Ethereum smart contract recursive call bug - Stephan Tual [1] [2]

Deconstructing the DAO attack a brief tour - Peter Vessenes [1] [2]

The idea of Smart Contracts - Nick Szabo [1] [2]