
The DAO — recursive-call exploit

A reentrancy flaw in The DAO contract let an attacker drain 3.6M ETH worth roughly $50M; the Ethereum community's hard fork to reverse the theft remains controversial.

Target: The DAO — recursive-call exploit
Date public: 17 June 2016
Sector: Crypto
Attack type: Vulnerability Exploit
Threat actor: Unattributed exploiter
Severity: Critical
Region: Global — Ethereum mainnet

The DAO was essentially a crowd-funded investment pool that ran entirely on software — a "smart contract" on the Ethereum blockchain. Investors sent in Ether (the cryptocurrency) in exchange for voting tokens, and the pool would collectively decide where to invest the money. At its peak it held around $150 million worth of Ether.

The flaw that was exploited works a bit like this: imagine a cash machine that checks your balance, dispenses money, and then records the withdrawal. The DAO's contract did those steps in the wrong order — it dispensed first and updated the record second. An attacker wrote code that kept asking for money repeatedly before the record was ever updated, like pressing the dispense button hundreds of times before the machine noticed your balance was zero.

About a third of all the Ether in The DAO — 3.6 million coins — was siphoned into a separate account controlled by the attacker. The cryptocurrency community then faced a stark choice: do nothing and let the attacker keep the money (honouring the principle that blockchain code is final), or rewrite history by forking the network to reverse the theft. They chose to fork. That decision split the community, creating two separate blockchains — Ethereum (which reversed the theft) and Ethereum Classic (which did not).

What happened

On 17 June 2016 an unknown attacker began draining funds from The DAO, a decentralised autonomous organisation that had raised approximately $150 million in Ether through a crowdsale the previous month. At the time it was the largest crowdfunding campaign in history. The attacker exploited a recursive-call vulnerability — a flaw that would later be categorised as “reentrancy” — in the contract’s splitDAO function and drained approximately 3.6 million ETH into a child DAO they controlled. At June 2016 prices, the stolen funds were worth roughly $50 million; at subsequent prices they have at times represented several billion dollars of value.

The theft halted The DAO’s operations immediately and triggered a weeks-long community-wide debate about how to respond. Ethereum’s founders and the majority of the network eventually executed a hard fork on 20 July 2016 that effectively rewound the theft, crediting original investors with their Ether. A minority of the network rejected the fork on principle — arguing that blockchain immutability was inviolable — and continued running the unforked chain, which became Ethereum Classic. The attacker’s funds remained intact on that chain.

The US Securities and Exchange Commission published an investigative report on The DAO in July 2017. The report concluded that DAO tokens were securities under US federal law, establishing the analytical framework the SEC would apply to subsequent token offerings and DeFi governance instruments.

How it worked

The DAO’s splitDAO function allowed investors to exit the main pool and form a child DAO — a mechanism designed to let minority factions leave with their proportionate share of funds. The function worked in three logical steps: check the caller’s balance, send the Ether, then set the balance to zero. The ordering of the second and third steps created a critical window: once the contract had confirmed the balance and initiated the transfer, an external contract could call back into splitDAO again before the balance had been zeroed.

This is reentrancy. The attacking contract called splitDAO, received the transfer, and from within its own receive function immediately called splitDAO again. Because The DAO’s contract had not yet updated its record of the attacker’s balance, the second call passed the same balance check and triggered another transfer. This loop repeated dozens of times per transaction. Each iteration drained the attacker’s stated balance in Ether while the contract’s internal ledger still showed that balance as unspent.

In programming terms, the fix is simple: update state before making external calls. In The DAO’s case, swapping the order of the “send Ether” and “set balance to zero” operations would have made the attack impossible. The bug was not new — computer scientists had described reentrancy attacks in traditional software long before Ethereum existed — but the novelty of smart contract programming meant no established secure coding standard existed to flag it.
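The ordering mistake and its fix side by side, as an added illustration rather than The DAO’s own splitDAO code or OpenZeppelin’s library: a hypothetical VulnerableVault whose withdrawal does “check, send, then zero” in the order described above, beside a SafeVault that applies the checks-effects-interactions rule and a minimal mutex of the kind the ReentrancyGuard pattern discussed under “What defenders should learn” provides. Contract names, function names and the mutex implementation are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not The DAO's contract. The real splitDAO moved funds into a
// child DAO; this hypothetical vault keeps only the ordering bug the article
// describes so the difference between the two versions is easy to see.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BUG: "check, send, then zero". The external call on step 2 hands
    // control to the caller while balances[msg.sender] is still unchanged,
    // so a caller that re-enters withdrawAll() passes the check again.
    function withdrawAll() external {
        uint256 amount = balances[msg.sender];              // 1. check
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");   // 2. external call
        require(ok, "send failed");
        balances[msg.sender] = 0;                           // 3. effect, too late
    }
}

contract SafeVault {
    mapping(address => uint256) public balances;

    // Minimal re-entrancy mutex (hypothetical reimplementation of the idea
    // behind OpenZeppelin's ReentrancyGuard): 1 = unlocked, 2 = locked.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the ledger is zeroed BEFORE Ether leaves,
    // so a re-entrant call sees a zero balance and fails the check. The
    // modifier is defence in depth; the ordering alone already closes the bug.
    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];              // checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                           // effects
        (bool ok, ) = msg.sender.call{value: amount}("");   // interactions
        require(ok, "send failed");                         // revert restores the balance
    }
}
```

Note that in SafeVault a failed send reverts the whole transaction, which undoes the zeroing, so moving the effect first does not risk losing the caller’s balance. Static analysers that flag “state write after external call” are detecting exactly the VulnerableVault ordering.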

The attacker could not immediately access the drained Ether: The DAO’s split mechanism imposed a 28-day holding period on any child DAO. This cooling-off window gave the community time to debate and ultimately execute the hard fork before any funds could be liquidated.

Timeline

  • April–May 2016 — The DAO crowdsale runs for 28 days, raising approximately 11.5 million ETH from around 11,000 investors. At its peak it holds roughly 14% of all circulating Ether.
  • 9 June 2016 — Multiple researchers, including Emin Gün Sirer, publicly identify the reentrancy flaw in The DAO’s split mechanism.
  • 17 June 2016 — The attacker exploits the reentrancy vulnerability. 3.6 million ETH is drained into a child DAO across multiple transactions over several hours.
  • 17 June 2016 (same day) — Ethereum co-founders and The DAO team publicly acknowledge the attack. A soft-fork proposal is drafted to freeze the attacker’s child DAO.
  • 20 June 2016 — The Ethereum community rejects the soft fork after researchers identify a denial-of-service vulnerability in its design.
  • 15–20 July 2016 — Hard fork debate intensifies. A coin-vote shows roughly 87% of participating Ether in favour of the fork.
  • 20 July 2016 — Ethereum hard fork executes at block 1,920,000. The theft is reversed; original investors receive refunds. A portion of the network continues on the original chain, preserved as Ethereum Classic.
  • 25 July 2017 — The SEC publishes its Report of Investigation on The DAO, concluding DAO tokens are securities. No enforcement action is taken, but the report sets a lasting regulatory precedent.

What defenders should learn

Reentrancy is the lesson the entire smart contract industry takes from The DAO. The vulnerability class is now covered in every Solidity security primer, flagged by every major static-analysis tool, and addressed by standardised patterns including the checks-effects-interactions ordering rule and OpenZeppelin’s ReentrancyGuard library. Yet reentrancy variants continue to be exploited years later — the 2023 Curve Finance incident involved reentrancy introduced through a compiler, not developer code, demonstrating that the class can re-emerge through unexpected layers of the stack.

The deeper governance lesson is the one the industry has been slower to absorb. The decision to hard fork was taken by an informal coalition of developers, miners, and large holders who moved quickly under crisis pressure. No protocol existed for that decision — it was improvised, contested, and ultimately irreversible in its side effects. Ethereum Classic exists because a permanent schism was the cost of bailing out investors. Any protocol that holds significant value should reason, in advance and in the absence of a crisis, about what governance mechanisms would apply if a catastrophic exploit occurred.

The SEC’s investigation carries a third lesson that the DeFi industry has also been reluctant to confront: financial instruments structured as on-chain governance tokens may be securities regardless of how they are labelled. The DAO report was published in 2017. Every governance token issued since then exists in a regulatory environment that this incident defined.
