Speaking at a London Tech Week event aimed at explaining blockchain technology - the distributed ledger, or database, behind cryptocurrencies like ether and bitcoin - Kappler described how the recent hack of the Decentralized Autonomous Organization (DAO) on the Ethereum blockchain went down from the inside.
Ethereum was launched in 2014 just as other cryptocurrencies like bitcoin and dogecoin were becoming household names, at least within tech and financial circles. The DAO came about in April this year. Think of it like a decentralised investment fund for the cryptocurrency ether. This investment fund, which reportedly amounted to $150 million, was the target of the Ethereum hack last week.
Bugs in the code
“Almost immediately people started finding a few bugs in the code,” said Kappler. “They were not thought to be serious, they did mean the functionality wouldn’t work as advertised and there would need to be a vote to take place to move everyone's funds to a new load code. So rewrite the code, redeploy it somewhere else, move the funds and that was going to be fine.”
Then the hack happened. “Unfortunately on Thursday night somebody found a way to use these bugs to essentially withdraw as much money from the DAO as they wanted. This started to happen at around 4am on the Friday. I got woken up at 7am on the Friday when $45 million had been drained, and the price of ether had fallen 40 percent and the price of DAO tokens, which are used to vote on the DAO, had fallen by 70 percent.
“There was a call between myself and the core devs who designed the DAO, we went through the code and found the bug that was responsible and decided very quickly that although he [it is still unknown who was responsible for the hack] had found an exploit, it came with several caveats.
“He’d moved it into another smart contract [a piece of computer code that acts like a legal contract or performs an action under a set of prescribed circumstances]. This smart contract had a set type of code which meant you couldn’t withdraw the money and sell it on exchange for another 27 days, so we knew we had time to try and figure out the problem.”
One of the key advantages that blockchain-backed currencies like bitcoin and ether like to advertise is their immutability, so that transactions can’t be tampered with.
The problem is “this isn’t true,” according to Kappler. “The reality is that all of these systems are reliant on people buying into them in concept.”
“So if everybody on a network decides they don’t want that transaction to have happened and someone is willing to code up a new reality, so create a new blockchain and pass it to them and they say they will switch to the new one, then you have buy-in for this new concept of reality and you can carry on from that point forward. This actually happened with bitcoin around four years ago when there was a bug.”
So Kappler and many of the original devs decided that the best way to solve this issue was to roll back the DAO. Think of it like loading a backup so that the hack essentially never happened.
White hat attack
While they debated this course of action and considered whether it would lead to a slippery slope situation where any transaction can be rolled back, a group of hackers decided to take matters into their own hands.
“Last night a bunch of people who I know personally decided they were going to mount what is known as a white hat attack on the remaining funds in the DAO and the DAO attacker. So they began spamming the network with dust transactions and then found the same exploit which was used to drain the original DAO and used it to drain the attacker’s smart contract,” said Kappler.
“So now the money is in a bunch of different places, controlled by a bunch of different people and we are now approaching this point where we can do a minor alteration to the software or it’s going to become essentially a game of I drain your DAO, you drain my DAO so that no one can ever drain the money and this stalemate has occurred and we still aren’t sure how this will be resolved.”
“The question we are faced with is whether we revert or not, should we set it right? I think that the network should set it right. It is such a terrible failure to lose something like ten percent of the ether in existence to one individual that it could potentially threaten the project. I think we are in the first year and it is a reasonable thing to do. It has been done before and hasn’t grossly affected how bitcoin operates.”
The issue with making a decision like this for a construct like the DAO or Ethereum is that it is built upon a philosophy of democracy, so decision making can become difficult.
As Kappler put it: “It comes down to democracy. Public blockchains are social constructs. All the money inside of them only has any value because everybody notionally says they have value. If that goes away for whatever reason: because they don’t trust the code that is executing it or because they feel like they were robbed, then the system is a failure or they become irrelevant.”
“They could have designed the DAO to have admin controls, someone able to stop things and move them back, but the point was they didn’t want to. It was an experiment to see if you could build a system which doesn’t have any kind of central control.”
“There is a resolution that will come, either in the form of a hardfork (changing the protocol and making the hacked transactions invalid) either taking place or not taking place, and that will happen over the next few weeks. As developers our only real responsibility is to give the option for taking this step or not taking it.”
Kappler is now the CCO of Ethcore, a company founded by a group of ex-Ethereum developers which “is dedicated to helping you get the most out of open source blockchain technology,” and offers a pre-built Ethereum client for Internet of Things (IoT) and enterprise deployment called Parity, according to its website.
Before Ethcore, Kappler worked as a technical communications director at the Ethereum foundation and he is still an active member of the Ethereum community. “We are all in the same Skype channels,” he told Techworld after the event.