A hacker has siphoned more than $50 million of digital money away from an experimental virtual currency project that had been billed as the most successful crowdfunding venture ever — taking with him not just a third of the venture’s money but also the hopes and dreams of thousands of participants who wanted to prove the safety and security of digital currency.
The attack most likely puts an end to the project, known as the Decentralized Autonomous Organization, which had raised $160 million in the form of Ether, an alternative to the digital currency Bitcoin. While the computer scientists involved in the project are aiming to tweak the code that underpins Ether in a way that will recover the money, the theft is nevertheless prompting a bigger debate about the viability and principles of virtual currencies like Bitcoin and Ether. “This is one of the nightmare scenarios everyone was worried about: Someone exploited a weakness in the code of the D.A.O. to empty out a large sum,” said Emin Gün Sirer, a computer science professor at Cornell who co-wrote a paper pointing out problems with the project. Central banks and financial firms have been exploring how to use the technology underlying virtual currencies — known as blockchain — to improve their own internal systems. The technology is considered to have advantages in terms of transparency and security. Just last week, Janet L. Yellen, the Federal Reserve chairwoman, told central bankers at a trade industry conference that they should accelerate their efforts to explore blockchain.
But the incident provided another reminder of how the code can be just as vulnerable to human greed and mistakes as paper bills. The D.A.O. was meant to be a standard-bearer for online currency ventures. It was funded by investors from around the world using Ether, which has become popular over the last year. But just before the project stopped raising money in late May, computer scientists pointed out several vulnerabilities in its underlying code — effectively warning that what happened to the experimental consortium would be possible or even likely. “The D.A.O. is being attacked,” Griff Green, a community organizer with the company that wrote the project’s software, Slock.it, wrote on a chat channel for the project Friday morning. “This is not a drill.” The money that the hacker moved appeared to be frozen as a result of a safeguard previously built into the code. The thief was caught in what might be thought of as a digital version of the airtight double doors that sometimes protect valuable sites (known in security circles as man traps). Programmers working on the Ethereum network, which hosts Ether, were debating whether to make a one-time change to the code to recover the frozen money. That faced immediate opposition from many virtual currency purists who were attracted to the technology because of its ostensible freedom from human meddling. “The strength of blockchain tech is that it is a ledger, a statement of truth,” Bruce Fenton, a board member with the Bitcoin Foundation, wrote on Friday. “That ledger is only as good as its resistance to censorship, change, demands or attack.”
If the leaders of the Ethereum project decide to move forward with a change to the code — known as a fork — they will need to win the support of the people who lend their computing power to the network, and who have what amounts to a vote over any changes to the Ethereum software. The hacking underscored the complicated governance structure employed by so-called cryptocurrencies. These currencies are not run by any company or individual but by the computers of anyone who chooses to support the network. The D.A.O. was supposed to be a further extension of this concept of group decision-making. Thousands of people around the world financed the project by sending in Ether. The D.A.O. was supposed to act as a sort of venture capital fund, investing in projects that were voted upon by people who contributed money. The attack took place before any projects had been funded. The specific mechanism the hackers used is known as a recursive call vulnerability — essentially a malicious transaction that moves money away from the D.A.O. into a side fund in an endlessly repeating loop. The attack led to chaos on the online message boards where D.A.O. investors and Ether users gather. “How can we help and protect our funds?” one user wrote on the Slack chat channel for D.A.O. investors. The programmers who wrote the D.A.O. code immediately suggested that investors vote to move their money to another, unrelated project known as Congo Split, primarily to protect their investments.
“The community needs to spam the network so that it can mount a counterattack,” Stephan Tual, an employee with Slock.it, wrote on that company’s website. Programmers with Slock.it wrote the code for the D.A.O. but said they had no formal continuing role with the project. By the time it was over, the hacker had managed to gain control of 3.6 million Ether — more than a third of the 11.5 million that were there at the beginning of the day. “The D.A.O.’s journey is over,” Mr. Tual said in an email. The incident was a reminder of the dozens of hacking attacks and thefts that have rattled Bitcoin since it was released in early 2009. In 2014, Mt. Gox, which was previously the largest Bitcoin exchange, announced that it had lost nearly half a billion dollars’ worth of Bitcoin. The attacks on Bitcoin have generally led to a temporary lull in public interest in virtual currencies. But Bitcoin has bounced back each time. Over the last week, the price of Bitcoin has risen swiftly to the highest level since the Mt. Gox fiasco; it stood at $770.
Some of the recent demand for Bitcoin has come from anticipation of a coming event known as halving. Currently, the Bitcoin software releases 25 new coins — a block — every 10 minutes or so to computers helping support the network. In mid-July, the blocks will shrink to 12.5 coins. The shrinking supply has led some to assume that the price will go up. The price of Ether had been rising alongside Bitcoin over the last month, in part because of the interest generated by the D.A.O. Both were up more than 60 percent over the previous month. But the attack sent the price of Ether into a downward spiral. The price of Ether fell 33 percent from its high a day earlier, to around $13. Bitcoin had also fallen, though less sharply, to around $750. The founder and lead programmer on the Ethereum project, Vitalik Buterin, wrote that he supported a change to the code that would reclaim the money from the hacker. But he said he recognized that he might not win the argument. “I recognize that there are very heavy arguments on both sides, and that either direction would have seen very heavy opposition,” Mr. Buterin wrote on Reddit.
Mr. Sirer, the Cornell professor, wrote: “There is no good solution here.”