The DAO's withdrawal function sent Ether to the caller before updating the internal balance. The attacker's contract implemented a fallback function that re-called the withdrawal function before the balance was updated, draining the contract in a recursive loop.
The Ethereum community voted to hard-fork the blockchain to reverse the theft, creating Ethereum (the forked chain) and Ethereum Classic (the original chain). The event established that 'immutable' blockchain code is only as immutable as the community's willingness to let consequences stand.
The Incident
On June 17, 2016, an attacker began draining funds from The DAO — a decentralized autonomous organization built on Ethereum that had raised $150 million in the largest crowdfunding campaign in history at that time. Over several hours, the attacker siphoned approximately 3.6 million Ether, worth roughly $60 million.
The Root Cause
The DAO's smart contract had a withdrawal function that followed this sequence: (1) check the caller's balance, (2) send the requested Ether to the caller, (3) update the caller's balance to reflect the withdrawal. The vulnerability was in the ordering: the Ether was sent before the balance was updated.
When the DAO's contract sent Ether to the attacker's contract, the attacker's contract contained a fallback function that was automatically triggered by the incoming payment. This fallback function immediately called the DAO's withdrawal function again — before the first withdrawal had updated the balance. The DAO checked the balance (still unchanged), sent more Ether (triggering the fallback again), and the cycle repeated. The attacker recursively drained the contract until the child DAO's balance was depleted.
The vulnerability — sending value before updating state — was a known risk in Solidity development at the time. The checks-effects-interactions pattern (check conditions, update state, then interact with external contracts) had already been documented as the correct approach.
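The ordering defect and the checks-effects-interactions fix can be reproduced without a chain. The block below is an added example (not The DAO's code and not Solidity): a small Python model in which sending Ether invokes the recipient's fallback, exactly the hook the attacker's contract used. The vault can be run with the DAO ordering (send, then update), with effects before interaction, or with a mutex of the kind later standardised as nonReentrant. The `max_depth` counter stands in for the gas limit that eventually ends a real recursive chain; all balances and names are constructed.

```python
"""Model of the DAO withdrawal ordering bug and the checks-effects-interactions fix.

Constructed example: a Python simulation of the call semantics, not Solidity
and not The DAO's real contract. Balances are integers in wei-like units.
"""


class Reentered(Exception):
    """Raised when a mutex-guarded function is entered twice in one call chain."""


class Vault:
    """Simplified DAO-style contract holding deposits on behalf of callers."""

    def __init__(self, use_cei: bool, guard: bool = False):
        self.balances = {}       # depositor -> credited balance
        self.total = 0           # Ether the contract actually holds
        self.use_cei = use_cei   # True: update state before the external call
        self.guard = guard       # True: reject reentrant calls (mutex)
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def _send(self, to, amount):
        """Transfer Ether; like an EVM call, this runs the recipient's fallback."""
        self.total -= amount
        to.receive(self, amount)

    def withdraw(self, caller, amount):
        if self.guard:
            if self._locked:
                raise Reentered("nonReentrant: reentrant call rejected")
            self._locked = True
        try:
            # (1) check
            if self.balances.get(caller, 0) < amount:
                raise ValueError("insufficient balance")
            if self.use_cei:
                # (2) effects first, (3) interaction last
                self.balances[caller] -= amount
                self._send(caller, amount)
            else:
                # DAO ordering: interaction before effects. Every nested call
                # passes the check against the still-unchanged balance.
                self._send(caller, amount)
                self.balances[caller] -= amount   # goes negative here; a
                # Solidity 0.4 uint would silently underflow instead
        finally:
            if self.guard:
                self._locked = False


class HonestWallet:
    """Recipient whose fallback does nothing."""

    def receive(self, vault, amount):
        pass


class ReentrantWallet:
    """Recipient whose fallback re-calls withdraw, as the attacker's contract did."""

    def __init__(self, amount, max_depth):
        self.amount = amount
        self.max_depth = max_depth   # stands in for the gas limit ending the loop
        self.depth = 0
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        self.depth += 1
        if self.depth < self.max_depth and vault.total >= self.amount:
            try:
                vault.withdraw(self, self.amount)
            except (ValueError, Reentered):
                pass  # inner call reverted; the outer withdraw still completes


def simulate(use_cei: bool, guard: bool = False, honest_funds: int = 9,
             attacker_funds: int = 1, max_depth: int = 20):
    """One withdrawal by the reentrant wallet; returns (drained, vault_remaining)."""
    vault = Vault(use_cei=use_cei, guard=guard)
    vault.deposit(HonestWallet(), honest_funds)
    attacker = ReentrantWallet(amount=attacker_funds, max_depth=max_depth)
    vault.deposit(attacker, attacker_funds)
    vault.withdraw(attacker, attacker_funds)
    return attacker.received, vault.total


if __name__ == "__main__":
    print("DAO ordering:            ", simulate(use_cei=False))       # (10, 0)
    print("checks-effects-interact.:", simulate(use_cei=True))        # (1, 9)
    print("DAO ordering + mutex:    ", simulate(use_cei=False, guard=True))  # (1, 9)
```

With the DAO ordering a 1-unit depositor walks away with the whole 10-unit pool; with effects before interaction the nested call fails its balance check, and with the mutex it is rejected outright, so in both fixed variants the caller gets exactly the 1 unit credited to it. Either fix alone is sufficient for this bug; reviewers usually want the ordering fixed and treat the guard as defence in depth.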
The Aftermath
The Ethereum community faced a choice: accept the theft and preserve the blockchain's immutability, or fork the blockchain to reverse the transaction and recover the funds. After contentious debate, the community voted to fork. The forked chain became Ethereum. The original chain — where the attacker kept the funds — became Ethereum Classic.
Why It Matters
Immutable code on a blockchain means bugs are permanent. There is no patch, no hotfix, no rollback — unless the entire community agrees to rewrite history. The DAO hack proved that "code is law" is an aspiration that breaks on contact with a $60 million theft. And the fix — a hard fork — created a precedent that divided the community: if you can reverse one theft, what stops you from reversing anything?