Hacked Smart Contracts (and how to avoid being the next one)

Millions of dollars worth of Eth have been stolen from smart contracts that launched with vulnerabilities. In this course, we’ll take a close, technical look at the bugs and how we can prevent them from happening to us.

“I think the DAO is getting drained right now” – was the quiet headline of a post at /r/ethereum - “Unfortunately, I am on a train to work, so [I] cannot investigate, but looks like a recursive call exploit of some kind.”

This “recursive call exploit”, resulted in the attacker controlling $50 million dollars worth of Ether out of about $150 million dollars worth that had originally been invested.

“Why,” you might be asking, “would people give control of $150 million dollars to a smart contract?” And what code did that attacker write that suddenly gave them control of $50 million dollars?"

That is exactly what we’re going to look at. First, let me tell you about what the DAO even was.

In 2016 a team had a revolutionary idea: that organizations could be decentralized.

For example, we can think of a business as an organization controlled by it’s founders and investors. The business takes labor and capital as inputs and, hopefully returns more capital to the investors than was put in.

The pitch for the DAO to act as a decentralized organization. The idea is you send money to the DAO and you’re given voting tokens.

Of course, the DAO can’t do anything on it’s own – it requires someone to perform actions such as writing code, designing, producing. The person who does the work is called the contractor.

If the contractor wants perform work for the DAO, they submit a proposal and the proposal is voted on by the token-holding members. If the proposal is accepted, Ether is transferred into the destination specified by the Contractor

Unlike centralized organizations which are often opaque, arbitrary, and controlled by a few, the DAO was supposed to be transparent, fair, and controlled directly by it’s token-holding members.

What was the bug?

But when I hear the story of the DAO I’d always wonder, what was the bug exactly. If the Ethereum EVM wasn’t the problem, then that means, the DAO bug had could be implemented again today on any of these platforms.

When I’m writing my smart contracts, how can I prevent such a bug from ever happening to me.

Well in these videos that’s what we’re going to cover. It turns out, the Solidity bugs in the DAO aren’t that difficult to understand, once you know what to look for.

There were several different code issues with the DAO. But there two main patterns that caused the downfall of the DAO that we’re going to look at. They’re called:

  • re-entrancy and
  • race to empty

I’m going to show you toy versions of these patterns, and we’ll discuss alternative, safer patterns that help us mitigate the unwanted behavior.

Hearing of all these attacks might make you think that Solidity programming impossibly insecure and smart contract security is a lost cause. While Ethereum is young, this kind of blanket statement not true.

If history is any lesson, many people thought the same thing about web programming. SQL injection attacks, cross-site-scripting, and cookie-hacking, for example, were widely exploited until the attacks became better known and now these are common patterns we defend against, almost without thinking about - Defense for SQL injection is built into basically every web framework.

Solidity is similar in that we’re in the early stages where some attacks are not necessarily well understood. Raising awareness of these attacks and teaching you to defend against them is the point of this series.

Your Instructor

Nate Murray
Nate Murray

Frequently Asked Questions

When does the course start and finish?
The course starts now and never ends! It is a completely self-paced online course - you decide when you start and when you finish.
How long do I have access to the course?
How does lifetime access sound? After enrolling, you have unlimited access to this course for as long as you like - across any and all devices you own.
What if I am unhappy with the course?
We would never want you to be unhappy! If you are unsatisfied with your purchase, contact us in the first 30 days and we will give you a full refund.

Get started now!


Learn new tech with project-based programming books, videos, and tutorials.


© 2018 Fullstack.io, LLC
Terms of Service Privacy