What happened?



3,641,694 ETH was split out of The DAO. The attacker found a loophole in the regular split DAO function that allowed them to reuse the same DAO tokens repeatedly.



How did it happen?



The attacker managed to combine two exploits: (1) calling the split DAO function recursively and (2) splitting without destroying the tokens in the original DAO. Calling the split DAO function recursively means that the first regular call would trigger a second (irregular) call of the function, the second call would trigger another call, and so on. The subsequent calls are made in a state before the balance of the attacker is set back to 0. This allowed the attacker to split about 40 times per transaction. The attacker could not split more often than that, otherwise the transactions would have gotten too large and eventually reached the block gas limit.
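
The recursive call described above, as an added Python model (not The DAO's contract code) showing the vulnerable ordering beside the ordering that zeroes the balance before paying out. The names `ToyDAO`, `ReentrantRecipient` and `run`, the sample balances, the 1 token = 1 ether rate, and the fixed cap of 40 calls standing in for the block gas limit are all assumptions made for illustration.

```python
# Constructed model of the call ordering; not The DAO's Solidity code.
class ToyDAO:
    def __init__(self, balances, zero_balance_first):
        self.balances = dict(balances)       # holder -> tokens (assume 1 token = 1 ether)
        self.pool = sum(balances.values())   # ether held by the contract
        self.zero_balance_first = zero_balance_first

    def split(self, holder, on_payout):
        amount = self.balances[holder]
        if amount == 0:
            return                           # nothing left to split out
        if self.zero_balance_first:
            # Hardened order: update state, then hand control to the recipient.
            self.balances[holder] = 0
            self.pool -= amount
            on_payout(amount)
        else:
            # Vulnerable order: recipient code runs while the balance is still set.
            self.pool -= amount
            on_payout(amount)
            self.balances[holder] = 0


class ReentrantRecipient:
    """Recipient whose payout handler calls split again."""
    def __init__(self, dao, holder, max_calls):
        self.dao, self.holder, self.max_calls = dao, holder, max_calls
        self.calls = 0
        self.received = 0

    def on_payout(self, amount):
        self.calls += 1
        self.received += amount
        if self.calls < self.max_calls:      # cap stands in for the block gas limit
            self.dao.split(self.holder, self.on_payout)


def run(zero_balance_first, max_calls=40):
    dao = ToyDAO({"recipient": 10, "others": 990}, zero_balance_first)
    r = ReentrantRecipient(dao, "recipient", max_calls)
    dao.split("recipient", r.on_payout)
    return r.received, dao.pool, dao.balances["recipient"]


if __name__ == "__main__":
    print("vulnerable:", run(False))   # (400, 600, 0)
    print("hardened:  ", run(True))    # (10, 990, 0)
```

In the vulnerable ordering a holder of 10 tokens is paid 400 in one transaction; with the balance zeroed first, the second call sees a balance of 0 and returns without paying.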