What was the infamous “The DAO Hack” incident, and what were its consequences?

Maurice Smith
Researcher specializing in Ethereum DeFi.

Sure, no problem. This incident is practically common knowledge in the Ethereum community; let me explain it in plain language.

What Was The DAO? A Decentralized "Venture Capital Fund"

Before we talk about the hack, you first need to understand what The DAO was.

You can imagine it as a global, transparent venture capital fund, managed entirely by code. In 2016, this was an incredibly cutting-edge and ambitious idea.

  • How did it work? Anyone worldwide could invest Ether (ETH) into The DAO in exchange for something called "DAO tokens."
  • What were the tokens for? Holding DAO tokens meant you became a "shareholder" of this "fund," granting you voting rights. The community collectively voted on which promising new projects to invest the raised ETH into.
  • The result? This concept was so attractive that it raised over $150 million worth of ETH at the time, representing 14% of the total ETH supply. It was undoubtedly a milestone in blockchain history.

In simple terms, The DAO was like a gigantic crowdfunding investment platform, operating without a CEO or a board of directors, entirely governed by smart contracts and community voting.

How Did the Hacker "Steal" the Money? A Clever "Recursive Call" Vulnerability

The problem lay precisely in this "entirely managed by code" aspect. There was a vulnerability in the code that the hacker exploited. This vulnerability is technically known as a "Re-entrancy Attack," which sounds complex but is actually not difficult to understand.

The DAO's smart contract had a function that allowed investors to "split" and withdraw their funds. The process was roughly as follows:

  1. You request to the contract: "I want to get my invested money back."
  2. The contract checks your account and confirms you have funds.
  3. The contract first transfers the ETH to you.
  4. Then, it updates your account balance, deducting the transferred amount.

The key was the order of steps 3 and 4! This "transfer first, then update ledger" sequence provided the hacker with an opportunity.

To understand this with a real-life example:

Imagine you're withdrawing money from an old ATM.

  • Normal process: You insert your card, enter your PIN, and request 1000 units of currency -> The ATM first deducts 1000 from your balance in its system -> Then it dispenses the cash to you. This is secure.

  • The DAO's vulnerability was like this: You request 1000 units -> The ATM first dispenses 1000 units of cash to you -> And only then prepares to update your balance in the system.

So, what did the hacker do? They wrote a malicious "smart contract wallet" that, at the exact moment the ATM dispensed money but before it could update the balance, immediately sent another request to the ATM saying, "I want to withdraw 1000 units."

Since the ATM's system hadn't updated yet, it "saw": "Hey, this person still has money in their account!" So, it dispensed another 1000 units... This process was repeated many times until the hacker "withdrew" a large amount of money.

In The DAO incident, the hacker exploited this "transfer first, then record" vulnerability by repeatedly calling the withdrawal function before the contract could update the balance, much like continuously scooping water from a giant vault. Ultimately, they transferred approximately 3.6 million ETH (worth about $50 million at the time).

What Were the Consequences? The "Great Schism" of the Ethereum Community

This incident had profound consequences, directly leading to a "great earthquake" and split within the Ethereum community.

  1. Fierce Community Debate: Code is Law vs. Moral Justice

    • One faction (fundamentalists) argued: "Code is Law." The principle of blockchain is immutability; since the code was written that way, even with a vulnerability, the outcome should be accepted. Human intervention would undermine the core spirit of blockchain.
    • The other faction (the mainstream, represented by Vitalik Buterin) argued: This was clearly an act of theft, and the thief shouldn't get away with it just because of a code vulnerability. If we had the technical means to recover the money and restore community confidence, we should do so.
  2. Hard Fork: Ethereum (ETH) vs. Ethereum Classic (ETC)

    The debate's outcome was that the mainstream faction decided to act. They proposed a "hard fork" solution.

    • What is a hard fork? You can understand it as a mandatory system upgrade. At a specific block height, the blockchain's rules change. Everyone needs to decide whether to accept the new rules or remain on the old ones.
    • The new chain (Ethereum - ETH): Most community members, including the Ethereum Foundation, supported this hard fork. This new chain, by modifying the code, moved the stolen funds from the hacker's address to a specific address, allowing the original investors to retrieve their money. This was like turning back time and erasing the hack. What we refer to today as "Ethereum" or "ETH" is this post-fork new chain.
    • The old chain (Ethereum Classic - ETC): A smaller portion of people, adhering to the "Code is Law" principle, rejected the hard fork. They remained on the original, unmodified chain. On this chain, the fact of the hack remains permanently recorded, and the money is still in the hacker's address. This chain is what we now hear referred to as "Ethereum Classic" or "ETC."
  3. A Wake-up Call for Smart Contract Security

    The DAO Hack served as a wake-up call for everyone. People realized that while smart contracts are powerful, they are also extremely fragile. "Code is Law" meant that a single line of incorrect code could lead to irreversible and massive losses. From then on, smart contract security audits became standard practice for project launches, and various security tools and best practices began to flourish.

  4. Regulatory Attention

    Such a large-scale fund theft naturally drew the attention of regulatory bodies like the U.S. Securities and Exchange Commission (SEC). The SEC later determined that DAO tokens were "securities," which laid the groundwork for subsequent ICO and crypto project regulation.

In Summary

The DAO Hack was like a "Titanic moment" in the blockchain world. It originated from a cleverly designed smart contract with a fatal flaw. The hacker exploited the "transfer first, then record" sequence to repeatedly withdraw funds. The biggest consequence, in an effort to recover the losses, was the Ethereum community's highly controversial decision to perform a "hard fork," leading to the split into what we know today as Ethereum (ETH) and Ethereum Classic (ETC).

Although this incident was painful, it led the entire industry to prioritize security as never before. In the long run, it served as a valuable and profound lesson.
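The "transfer first, then update ledger" ordering from steps 3 and 4 above, modelled as an added toy example (constructed for this page, not The DAO's real Solidity): the same vault with the vulnerable ordering and with the hardened checks-effects-interactions ordering plus a re-entrancy guard. `Vault`, `ReenteringWallet`, `run`, the `receive` hook and the 900/100 deposit amounts are all assumptions of the example.

```python
class Vault:
    def __init__(self, safe: bool):
        self.safe = safe        # True: update ledger before paying, guarded
        self.balances = {}      # ledger: account -> credited amount
        self.pool = 0           # ETH actually held by the contract
        self.locked = False     # re-entrancy guard (used only when safe)

    def deposit(self, account, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account) -> None:
        # account.receive(vault, amount) stands in for a contract wallet's
        # fallback function, which runs in the middle of the transfer.
        if self.safe and self.locked:
            raise RuntimeError("re-entrant call rejected")
        amount = self.balances.get(account, 0)       # step 2: check
        if amount == 0 or amount > self.pool:
            return
        if self.safe:
            self.balances[account] = 0               # step 4 done first
            self.locked = True
        self.pool -= amount                          # step 3: transfer
        account.receive(self, amount)
        self.locked = False
        if not self.safe:
            self.balances[account] = 0               # step 4 done last


class ReenteringWallet:
    # Wallet whose receive hook calls withdraw() again, as in the incident.
    def __init__(self, max_depth: int = 3):
        self.received, self.depth, self.max_depth = 0, 0, max_depth

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        self.depth += 1
        if self.depth < self.max_depth:
            try:
                vault.withdraw(self)
            except RuntimeError:
                pass             # hardened vault refuses the nested call


def run(safe: bool) -> tuple:
    # Constructed scenario: honest depositor 900, re-entering wallet 100.
    vault = Vault(safe)
    vault.deposit("honest", 900)
    wallet = ReenteringWallet()
    vault.deposit(wallet, 100)
    vault.withdraw(wallet)
    return wallet.received, vault.pool
```

With the vulnerable ordering the wallet that deposited 100 receives 300 and the honest depositor's 900 can no longer be fully paid out; with the ledger updated first (and the guard rejecting the nested call) it receives exactly its 100.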