Jens Kalaene/dpa/picture-alliance/Newscom

If you can’t understand how a cutting-edge new investment platform works, it’s probably a bad idea to put serious money (or a good portion of an infant cryptocurrency network) behind it. This is a lesson that backers and enthusiasts of the Ethereum platform and its pet project—a bot-run investment corporation known as The Decentralized Autonomous Organization (DAO)—had to learn the hard way recently.

In May, I discussed the development of this new “leaderless” investment corporation, which was purported to be “bound by code”—i.e. run by a bot—and supposed to operate as an automated crowdfunding and profit-sharing venture that obviated the need for human administration. Since its creation on April 30, The DAO had raised $150 million in investment on the trendy Ethereum smart-contract platform, along with plenty of positive press, in the weeks leading up to its maiden IPO.

There was just one big problem: The code was broken, and The DAO got hacked.

Bound by Code

The DAO was conceptualized as a kind of decentralized venture-capital fund that could not be controlled by any one person or group. People who wanted to invest in The DAO could purchase “DAO tokens” using Ether (ETH), the native cryptocurrency of the Ethereum platform.

With DAO tokens, people could then vote to invest in a number of pre-approved, startup-like projects proposed by entrepreneurs The DAO called “contractors.” If a project got enough votes, it would be green-lit and the funds immediately distributed. If the startup began to rake in money, the profits would be dispersed among token holders. If, however, a project started hemorrhaging money, token holders would just have to take that hit.

The core innovation of The DAO was that all of these operations were to occur autonomously, facilitated by code rather than fund managers and administrators. In technical terms, The DAO was designed as a kind of “smart contract,” a digitized system set up in such a way that breaches of contract are expensive or impossible. There would be no Kickstarter administrator or venture capital general partner that would be capable of censoring or overriding decisions. As The DAO developer Stephen Tual told the Wall Street Journal on May 16, the project was “not bound by terms of law and jurisdiction. It’s bound by code.” At least, this was the theory.

Ack! A Hack!

But a funny thing happened on the way to a post-capitalist crypto-anarchist utopia.

Amid the fawning press and general euphoria imbuing The DAO community, a group of security researchers led by Cornell University’s Emin Gün Sirer published a May white paper sounding the alarm about many troubling vulnerabilities present in The DAO’s code. The researchers noted a number of mechanism design weaknesses that could promote sub-optimal voting behavior among token holders or even outright theft of funds. The DAO developers did issue some patches to smooth everything over—but it was too little, too late. The DAO proceeded along its original deployment timeline, warts and all.

This rush to release proved fatal for the project.

On the morning of June 17, startled token-holders logged online to learn that The DAO was being rapidly drained of its funds. Just as Sirer and his associates warned, an attacker had exploited a vulnerability in The DAO’s “split function,” which allowed the hacker to drain Ether multiple times during the course of one transaction. Panic struck the community as ETH trickled into the attacker’s clutches without pause. The price of ETH tumbled. Panicked token-holders took to the forums to demand answers and quick action from developers of Ethereum and The DAO.

In the course of one fateful day, The DAO went from a “new paradigm in economic cooperation” to yet another punchline in the wild world of cryptocurrency.

So Much for “Code Is Law”

In the aftermath of the hack, the high-tech sloganeering used to market The DAO proved little more than pretty words.

In good times, The DAO developers never tired of extolling that “code is law” and that mere mortals could never presume to intervene in their ironclad system design. The DAO’s initial terms and disclaimers clearly explain that purchasing tokens signified “[express agreement] to all of the terms and conditions set forth in that code”—which included the risk of major loss. Yet at the first sign of trouble, these principles were immediately cast to the side. All of a sudden, preexisting common law principles and external protocols became sovereign.

Because of the way that The DAO was designed, there was no way for its leaders to reverse the hack and restore funds to the proper holders. In fact, by the bare language of its code and contract, The DAO hacker did not do anything “wrong” at all. He or she simply took advantage of a profit opportunity overlooked by the many people who agreed to bind themselves to that specific code. If anything, according to the stated ethos of the project, The DAO hacker—whoever they are—should be applauded. He or she essentially claimed a large “bug bounty” for finding a vulnerability in The DAO’s code. Rather than chastising The DAO hacker, perhaps the leadership of Ethereum and The DAO should hire him or her!

Yet the many people who lost a lot of money in The DAO hack obviously don’t see it that way.