Are DAOs that great? Recent Hacks Reveal the Achilles Heel of DAOs

John Wingate, BankSocial News, Feb 15, 2022

Most DAOs in their current form are inherently insecure.

What we cover:

  • DAOs are not as secure as they purport to be
  • Why are DAOs getting hacked?
  • What can be done about DAO hacks?

The Achilles heel of DAOs: Open Code.

There’s no doubt that DAOs are great. They offer a new way of organizing and managing projects, and they have the potential to revolutionize how we do business. However, recent hacks have shown the Achilles heel of open source development: the vulnerability of code that is available to the general public. In this blog post, we’ll take a look at these hacks and explore ways to mitigate the risks involved in open source development.

The first question is, “Why would anyone want to hack a DAO?” The answer can be found in the very nature of what makes them so attractive. DAOs are open source projects that allow anyone with internet access to contribute their time and effort toward making them successful. This means that all code written for these projects is publicly available on GitHub or another public repository, where hackers may find vulnerabilities they can use against you or your organization. In other words, if someone finds an easy way into one system, they will likely try the same technique elsewhere until they get caught, which could take years depending on how often those projects apply security patches (if ever). As soon as a vulnerability becomes known, people start looking for it, and the race is on to see who can find and exploit it first.

Clear examples of DAO vulnerability

This was clearly demonstrated in the recent hacks of Wormhole and Slock.it, both of which were using code that was available to the public. In the case of Wormhole, a hacker found an exploit in their voting smart contract that allowed them to siphon off $320 million worth of Wrapped Ether (wETH) from the organization. This hack was made possible because the code for the voting contract had not been properly vetted by the community before it was put into production. The interesting fact about both Wormhole and Slock.it is that both had already patched their vulnerability before it became known to the public, but they had not merged the patch and released it in the production stable release.

These hacks have revealed a serious vulnerability in the way DAOs are being developed and operated. While it is still possible to create successful DAOs using open source code, you need to be aware of the risks involved and take steps to mitigate them. One solution is to use code that has been vetted by the community and by trusted third parties, such as OpenZeppelin or similar, before putting that code into production. This can help identify potential vulnerabilities before they become known to the general public and give you time to fix them. Another solution is to use closed-source code instead of open source code, which will protect your organization from hackers who may find exploits in publicly available code. However, this option comes with its own set of risks, as we’ll discuss in a future blog post.

As a user, what can you do?

In the meantime, it is important to be aware of the risks involved in using open source code and participating in projects that use open source code, as you and your funds are at risk of a potential hack. Some of these hacks are unrecoverable or, at best, leave you with a double-spend problem when the wrapped tokens you hold are the ones that were hacked. Before you get into any project, always research the team and the project’s use case to ensure it aligns with your goals and interests. Stay tuned for our next blog post, where we discuss the double-spend potential and problem of wrapped tokens when hacks occur on one side of the bridge. Until then, stay safe and stay informed!
