ssteiger/the-dao-hack-simulation

The DAO Hack Simulation

UI + Smart Contracts for illustrating the infamous 2016 Ethereum DAO hack.

DAO Hack history

Have you ever wondered why there are two Ethereums listed on most exchanges and token lists, Ethereum and Ethereum Classic?

Back in 2016 the German company slock.it created one of the first DAO contracts on Ethereum. The contract quickly gained in popularity, collecting almost 15% of the total ETH supply.

Then on the 19th of June, Martin Köppelmann (CEO of Gnosis) submitted a post on r/ethereum: "I think The DAO is getting drained right now", alerting the community that an attack was happening.

Read up on the full event in more detail here.

Getting started

# install dependencies
$ yarn

# 1. terminal
# start local chain
$ yarn chain

# 2. terminal
# deploy contracts
$ yarn deploy

# start app
$ yarn start

How it works

The project contains two smart contracts located in packages/hardhat/contracts/: TheDAO.sol and DarkDAO.sol.

On executing yarn deploy, several accounts deposit ETH into TheDAO.sol. DarkDAO.sol can then be used to attack and drain the funds from TheDAO.sol.

For the attack to work, the DarkDAO first needs to hold some shares/tokens from TheDAO. This is done by calling the invest(address _to) function of TheDAO.sol and passing the DarkDAO contract address.

Then the attack(address _target) function of the DarkDAO contract is executed (calling invest() and withdraw() in the same transaction).

The withdraw() function sends ETH funds from TheDAO back to the DarkDAO. This triggers the fallback() external payable function and the re-entrancy attack is executed by calling the withdraw() function again. This triggers a loop where TheDAO sends all its ETH to the DarkDAO until it is empty.

License

MIT