Last night was very eventful to say the least.

Two white hat siphonings were performed on The DAO with 2 child DAOs as recipients. The child DAO created from proposal 78 has now 7.277 mil ETH in it and the child DAO created from proposal 99 has 353,000 ETH. A total of 7,630,479 ETH is placed inside child DAOs that are under (mostly) friendly control right now. That said, there is still work to be done to return the ETH to its rightful owners.

Reality Check.

What does the white hat siphoning really mean? Is that ETH safe now?

In short, it is safe for the time being and a soft or hard fork is needed to fully secure it. The ETH in the child DAOs is locked for another 24 days with a crushing majority of its tokens being under friendly control. It is important to identify each and every single one of the other split voters who have voted ‘yes’ in Prop #78 and Prop #99. If any of you are out there and are reading this please reach out to us. Specifically the owners of:

Prop #78

0xb97ba16dfafa8fc5824c029f0653cc03a1796e99

0xe1e278e5e6bbe00b2a41d49b60853bf6791ab614 ← Suspected malicious actor.

Prop #99

0x8d184669301640a42652e9b436843a3fa4998370

0xb97ba16dfafa8fc5824c029f0653cc03a1796e99

0x4c57bd476d9b155dc369966f0fb7648394e4aebf

0x2853d92e14928308500e2f1db1a69b20b09187be

0xcd8368170358d401cd03c66065fe4ae12aa5ee58

Theoretically, if we can be sure that all of the relevant actors in both splits are good actors, by having them identified publicly/privately, or even better, if they can remove the ETH and DAO tokens from their accounts and provide their private keys, then and only then can we be sure that the 7.63 million ETH can safely be refunded. Unfortunately due to recent developments we now are sure that there is at least one malicious actor inside the largest of the white hat child DAOs (Prop #78).

The question of how to get back the other 3.64 million ETH is still open. One possibility is the counter-attack described in my previous blog-post. Additionally we will also need to secure the 344,907 ETH in the extraBalance of the mother DAO which presents it’s own challenges.

Options from Here

There are really only 3 options from here on out. All of these options are made possible by the time-based failsafes that Christoph Jentzsch wisely implemented into DAO Framework v1.0. Now that all of the ETH in The DAO has been sent to child DAOs we have time to make educated decisions about the best path forward.

A hard fork: This is simple, elegant and guaranteed to work without requiring a rollback or any other changes to the Ethereum Blockchain unrelated to The DAO. If the hard fork receives consensus support from the Ethereum Community, this is the fastest and easiest solution. A targeted soft fork: This would allow most of the ETH to likely be returned to the DAO Token Holders over the course of several months (see below for details). No fork: This will likely result in some or all of the ETH being locked in the white hat and black hat child DAOs indefinitely. If an attacker has infiltrated both of the white hat child DAOs, then the no fork solution will probably not manage to return any ETH back to the DAO Token Holders.

Hard Fork

Despite the white hat siphoning there are still several unknowns, a lot of moving parts, and, at the present moment, no ETH is yet under the control of a trusted multisig wallet or a safe refund contract. The ETH is stuck here and there in different child DAOs with no guarantees of 100% safety. In fact, a seemingly malicious actor has joined one of the white hat child DAOs. Without a hard fork, all actions towards reclaiming the ETH will take many months and come with no guarantees of success.

A hard fork on the other hand would provide a quick, simple and easy solution as Christoph explained in the “Hard Fork” section of his last blog post. No generic blockchain rollbacks would be required, no other contracts or balances would be affected.

All DAO Framework v1.0 contracts would have their ETH sent into a refund contract. This contract would allow all DAO Token Holders to claim their fair proportion of the ETH (including the many legitimate splits that have happened). The exact ratio is still something to be determined as the hard fork is implemented, but it is likely to be slightly over 1 ETH for 100 DAO because of the extraBalance account.

The timeline for such a scenario would be relatively short; 1–2 weeks to implement and test the hard fork code and then another week for the community to update their clients. So after 3 weeks the refund process for all DTHs could start and everyone would get 100% of their ETH back in a guaranteed fashion.

No other fork would be necessarily required if this can be implemented in the next few weeks and this fiasco can be put behind us so the Ethereum Community can simply focus on creating awesome Ɖapps.

Targeted Soft Fork

Another option that is on the table and is being actively considered is that of a soft fork. There are already PRs (i.e., suggested code changes) in both the geth and parity clients for this. The idea is that all transactions that would result in a value transfer from any DAO would be deemed invalid and not accepted by miners. The targeted part is due to two exceptions: The most important one being the Curator multisig and the other being a siphoning contract. It’s the same contract that was used in the white hat actions. The exception of the siphoning contract is not needed, but it does not hurt to have it as a safety precaution and to require less ETH for Dark DAO recovery actions.

What does that mean for the retrieval of the ETH?

Dark DAO (3.64 mil ETH)

The Dark DAO created in Proposal 59 needs to be infiltrated using the method detailed in the counter-attack post. The beneficiary of createTokenProxy(), where the Dark DAO tokens will be held, will be The DAO’s Curator multisig. Unfortunately due to the sheer amount of tokens the attacker has in the Dark DAO and due to the late stage in the Creation phase when createTokenProxy() would take place, getting a majority of the tokens in the Dark DAO would require a lot of ETH, a large portion of which would be sent into the Dark DAO’s extraBalance account.

Thanks to this suggested targeted soft-fork it would be possible to only put a small amount of ETH at stake using the Curator multisig. They can then pull the same split attack on the Dark DAO and split away to a safe child DAO. The attacker will not be able to follow since they would be blocked by the soft fork.

This whole process would take at least 23 days (left in the Dark DAO creation phase) + 7 days (to create a split proposal in the Dark DAO to run the same attack on him) + 27 days (waiting for the creation period to end) + 14 days (to create a proposal in the new child DAO to transfer all ETH to a refund contract). This ends up being 71 days from now (assuming everything works out perfectly) in order to be able to retrieve the 3.64 million ETH from the Dark DAO with the help of a soft fork.

The Dark DAO created in Proposal 59 needs to be infiltrated using the method detailed in the counter-attack post. The beneficiary of createTokenProxy(), where the Dark DAO tokens will be held, will be The DAO’s Curator multisig. Unfortunately due to the sheer amount of tokens the attacker has in the Dark DAO and due to the late stage in the Creation phase when createTokenProxy() would take place, getting a majority of the tokens in the Dark DAO would require a lot of ETH, a large portion of which would be sent into the Dark DAO’s extraBalance account. Thanks to this suggested targeted soft-fork it would be possible to only put a small amount of ETH at stake using the Curator multisig. They can then pull the same split attack on the Dark DAO and split away to a safe child DAO. The attacker will not be able to follow since they would be blocked by the soft fork. This whole process would take at least 23 days (left in the Dark DAO creation phase) + 7 days (to create a split proposal in the Dark DAO to run the same attack on him) + 27 days (waiting for the creation period to end) + 14 days (to create a proposal in the new child DAO to transfer all ETH to a refund contract). This ends up being 71 days from now (assuming everything works out perfectly) in order to be able to retrieve the 3.64 million ETH from the Dark DAO with the help of a soft fork. White Hat DAOs (7,630,479 ETH)

The white hat group have not yet identified all of the accounts that voted ‘yes’ in the white hat controlled child DAOs. Any account that voted in splits 78 and 99 which has not come forward is a potential attacker in the whitehat’s DAOs.

Thankfully if there is a targeted soft fork or a hard fork these potential attackers can’t do anything. The white hat contracts hold the majority of tokens and will transfer them to The DAO’s Curator multisig, the only account that can act during the soft fork. Via a normal proposal they will be able to move the ETH into the safety of a refund contract.

This would take 24 days (left in the creation period of Proposal 78’s splitDAO) + 14 (days for a normal proposal). So in a total of 38 days we could have the largest amount of the ETH secured if the targeted soft fork is implemented and there are no other complications.

The white hat group have not yet identified all of the accounts that voted ‘yes’ in the white hat controlled child DAOs. Any account that voted in splits 78 and 99 which has not come forward is a potential attacker in the whitehat’s DAOs. Thankfully if there is a targeted soft fork or a hard fork these potential attackers can’t do anything. The white hat contracts hold the majority of tokens and will transfer them to The DAO’s Curator multisig, the only account that can act during the soft fork. Via a normal proposal they will be able to move the ETH into the safety of a refund contract. This would take 24 days (left in the creation period of Proposal 78’s splitDAO) + 14 (days for a normal proposal). So in a total of 38 days we could have the largest amount of the ETH secured if the targeted soft fork is implemented and there are no other complications. Extra Balance (344,907 ETH)

The DAO’s Curator multisig can whitelist the extraBalance account and make a proposal to transfer the extraBalance to The DAO. At the same time another proposal to transfer the ETH from the DAO into the refund contract can be made. When both are voted on and executed in the proper order the extraBalance’s ETH will be moved.

The above process would take at least 14 days (two proposals running concurrently) until the 344,907 ETH is moved into a refund contract, but it requires the targeted soft fork to allow it to happen safely.

The DAO’s Curator multisig can whitelist the extraBalance account and make a proposal to transfer the extraBalance to The DAO. At the same time another proposal to transfer the ETH from the DAO into the refund contract can be made. When both are voted on and executed in the proper order the extraBalance’s ETH will be moved. The above process would take at least 14 days (two proposals running concurrently) until the 344,907 ETH is moved into a refund contract, but it requires the targeted soft fork to allow it to happen safely. Small Dark DAOs (??? ETH)

Essentially the same process as we described for the large Dark DAO can be followed for all the smaller Dark DAOs that went rogue and pulled the exploit attack on the mother DAO. There is a list of all the accounts which pulled off the shenanigans and there is no need to let them go unpunished. With a targeted soft fork the counter-attack process has a decent chance to succeed and could be over in ~71 days for each DAO that is targeted. Depending on when the split period was started and assuming no other complications.

The targeted soft fork is a complicated process which will take a very long time to execute and will be a large distraction for the Ethereum Community while it is enacted, but it does have the potential to return a considerable amount of the ETH to the Token Holders and stops the attackers from reacting to a friendly actor’s moves. A targeted soft fork must be implemented and adapted by the miners quite quickly for it to work. This can happen in parallel with the development and testing of the hard fork.

No Fork

I will be frank with you, this is a nightmare scenario. In such a situation absolutely nothing is safe and there is no guarantee that any ETH will be returned to the DAO Token Holders. At the time of writing this post someone already started donating ETH to the DAO, likely with a malicious intent. It can be drained quickly but it is not possible to completely empty the DAO (even though it is down to 1 wei) or stop people from sending ETH to the DAO, so a likely malicious actor has already managed to join Prop #78’s white hat child DAO.

That means that any malicious actor can use the same recursive exploit in any split the white hat hackers try to join (and there is a possibility that there is a malicious actor in both whitehat child DAOs) and continue this ‘game’ ad-infinitum. The attacker would hopefully not get any money out of this, but neither would the DAO Token Holders. In such a scenario the token holders would probably not be able to see a refund of their ETH, and in the worst case scenario, some of this ETH will be able to hit the exchanges.

Conclusion

In the end the choice of how to go forward is up to the Ethereum Community. All I can do is inform you about the possible options and of their consequences for the refunding of the DAO Token Holders. I trust that the community will make the right choice.

My personal opinion is that the cleanest and fastest solution, the hard fork, is the clear way to go here. A hard fork will refund the DAO Token Holders 100% as quickly as possible, avoiding months of hard work by volunteer white hats and bad press for Ethereum. The other options will likely end up with suboptimal results distracting the world from the true potential of the Ethereum Network.