
The DAO Hack of 2016 Explained

In 2016, an attacker drained $50M from The DAO and split Ethereum in two. Here is what happened, who chose what, and why it still matters.


The setup: a DAO with $150M and a known-fragile codebase

A DAO — decentralised autonomous organisation — is an on-chain entity that holds funds and acts by smart-contract logic and token-holder votes. The DAO (capital T, capital D) was the most ambitious early example. It was built by slock.it and launched on Ethereum in April 2016 with an open token sale that raised more than 11.5 million ETH — worth roughly $150 million at the time and about 14% of all ETH then in existence. Token holders could vote on which proposals to fund, with the assumption that returns would flow back to them.

The DAO's smart contract was complex. Several security researchers had publicly raised concerns about specific patterns before the attack, particularly around the function that let a token holder split off their share of The DAO into a child DAO. That code path sent the caller's ETH via an external call before it zeroed the caller's internal balance. Because an ETH transfer to a contract hands control to that contract's code, the recipient can call back into the function while the ledger still shows the old balance. This is the pattern now known as reentrancy, and the standard fix, checks-effects-interactions (update state first, make external calls last), was already understood. Fixes were proposed but not deployed before exploitation.

This is educational, not financial advice. The DAO hack matters because the choices made in response shaped the meaning of "immutable" on Ethereum forever.

What actually happened: the drain and the fork

The exploit and the response unfolded over weeks.

  • 17 June 2016. An attacker began exploiting the reentrancy bug. The attacker's contract called The DAO's split function; when The DAO sent it ETH, the contract's fallback code re-invoked the split function before The DAO had updated the attacker's internal balance, so the same balance was paid out again and again. About 3.6 million ETH was drained into a child DAO controlled by the attacker.
  • The 28-day quirk. The DAO's structure required that drained funds remain in the child DAO for 28 days before they could be moved out. This gave the Ethereum community a window to respond before the attacker could spend the funds.
  • Late June 2016: debate. Two main responses were debated. The first was a soft fork: a network rule change that would block transactions involving the drained funds, freezing the attacker. The second was a hard fork: a network rule change that would move the drained funds to a refund contract from which DAO token holders could withdraw their original ETH.
  • Soft fork attempt and withdrawal. The soft-fork proposal was found to have a vulnerability that could enable a denial-of-service attack on Ethereum miners. It was withdrawn.
  • 20 July 2016: hard fork executed. The Ethereum community executed a hard fork at block 1,920,000. The fork moved the drained ETH to a refund contract, allowing DAO token holders to withdraw their original ETH at a fixed rate.
  • The split. A minority of miners and users refused the fork, arguing that immutability was the central promise of a blockchain and that intervening to reverse an exploit set a dangerous precedent. They continued mining and using the original chain. That chain became Ethereum Classic (ETC). The forked chain — the one that refunded — kept the name Ethereum (ETH) and the support of the Ethereum Foundation.

The attacker, whose identity remains formally unconfirmed despite multiple investigative claims, ended up with the drained ETH on the Ethereum Classic chain, which had not refunded. The fork did not undo the exploit on ETC; it only made the affected DAO token holders whole on ETH.
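The ordering bug described above, and the recursive call the attacker used against it, are easiest to see in a small model. The following is an added example written for this page in plain Python; it is not The DAO's Solidity code and not from the page's author or slock.it. It stands in for the EVM as follows: a contract object holds ETH and an internal ledger, an outgoing payment hands control to the recipient's code (as an ETH transfer invokes a contract's fallback function), and an attacker object re-enters the split function from that callback. The class and function names (VulnerableSplitter, HardenedSplitter, Attacker, run_attack) and the deposit amounts are constructed for illustration; only the order of operations is the point.

```python
"""Constructed teaching model of the reentrancy bug behind The DAO drain.

Added example, not code from The DAO or from the page's author. Plain Python
stands in for the EVM: a contract object holds an ETH balance and a ledger of
internal balances, an outgoing payment hands control to the recipient's code
(as an ETH transfer invokes a contract's fallback function), and an attacker
object re-enters the split function from that callback. All class and function
names here are hypothetical; only the ordering of operations is the point.
"""


class Wallet:
    """An externally owned account: receives ETH and does nothing else."""

    def __init__(self, eth):
        self.eth = eth

    def receive(self, amount, payer):
        self.eth += amount


class VulnerableSplitter:
    """Flawed ordering, as in The DAO: pay out, then zero the caller's balance."""

    def __init__(self):
        self.eth = 0          # ETH actually held by the contract
        self.balances = {}    # internal ledger of what each depositor is owed

    def deposit(self, who, amount):
        who.eth -= amount
        self.eth += amount
        self.balances[who] = self.balances.get(who, 0) + amount

    def split(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.eth -= amount
        who.receive(amount, self)      # INTERACTION: control passes to `who`
        self.balances[who] = 0         # EFFECT comes too late


class HardenedSplitter(VulnerableSplitter):
    """Checks-effects-interactions plus a mutex, the standard fixes."""

    def __init__(self):
        super().__init__()
        self._entered = False

    def split(self, who):
        if self._entered:                      # reentrancy guard
            raise RuntimeError("reentrant call rejected")
        amount = self.balances.get(who, 0)    # CHECK
        if amount == 0:
            return
        self._entered = True
        try:
            self.balances[who] = 0            # EFFECT before any external call
            self.eth -= amount
            who.receive(amount, self)         # INTERACTION last
        finally:
            self._entered = False


class Attacker(Wallet):
    """Contract whose payment callback re-enters split() while its ledger
    balance is still unspent, as the attacker's contract did against The DAO."""

    def __init__(self, eth, target, max_depth=10):
        super().__init__(eth)
        self.target = target
        self.max_depth = max_depth   # the real attack was bounded by gas, not a counter
        self.depth = 0

    def receive(self, amount, payer):
        self.eth += amount
        if self.depth < self.max_depth and self.target.eth >= amount:
            self.depth += 1
            try:
                self.target.split(self)   # re-enter before the ledger is updated
            except RuntimeError:
                pass  # a guarded contract refuses; the outer payout still completes


def run_attack(splitter_cls, victim_deposit=90, attacker_deposit=10):
    """Fund a splitter with an honest depositor and an attacker, then have the
    attacker call split() once. Returns (attacker_eth_after, contract_eth_after)."""
    contract = splitter_cls()
    honest = Wallet(victim_deposit)
    contract.deposit(honest, victim_deposit)
    attacker = Attacker(attacker_deposit, contract)
    contract.deposit(attacker, attacker_deposit)
    contract.split(attacker)
    return attacker.eth, contract.eth


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableSplitter))   # (100, 0): everything drained
    print("hardened:  ", run_attack(HardenedSplitter))     # (10, 90): only own share
```

Against the vulnerable contract a single call to split() pays the attacker's 10 ETH share ten times over and empties the contract, including the honest depositor's 90 ETH. Against the hardened contract the re-entrant call is rejected and the attacker receives exactly their own share. Note that the checks-effects-interactions ordering alone is enough here, since a re-entrant call would read a zero balance and return; the mutex is defence in depth for code paths where the ordering is harder to guarantee.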

Who was involved

  • The DAO contributors and slock.it. The team that built and marketed The DAO. They were not the on-chain attackers, but the bug was in their code.
  • Vitalik Buterin and the Ethereum Foundation. Argued for the hard fork as the response that protected the largest number of users. Their public position effectively set the direction for the Ethereum chain.
  • The attacker. Identity formally unconfirmed. A 2022 investigative article in Forbes named a specific individual as the suspected attacker, but the claim is contested and there has been no criminal conviction.
  • The minority that became Ethereum Classic. A group of miners, developers and users who refused the fork on the grounds that immutability matters more than any single recovery. They include developers who built and maintained Ethereum Classic as a separate chain.
  • The DAO token holders. Around 11,000 wallets held DAO tokens. After the hard fork, they could withdraw their original ETH from the refund contract on ETH.

The aftermath: two chains, a vocabulary and a research field

The DAO hack's impact extended far beyond June 2016.

  • Two chains. Ethereum (ETH) and Ethereum Classic (ETC) have both continued to operate since 2016. Their valuations and ecosystems have diverged dramatically, with Ethereum orders of magnitude larger by market capitalisation, but Ethereum Classic still exists as a continuing experiment in strict immutability.
  • A smart-contract security field. Reentrancy as a class of bug became a foundational example in smart-contract security education. The checks-effects-interactions pattern, OpenZeppelin's ReentrancyGuard and related contract libraries, formal verification tools and the practice of bug bounties all trace conceptually back to the DAO incident.
  • The immutability debate. The hard fork made explicit what had been implicit: at sufficient scale, the Ethereum community could and would change the chain in response to off-chain considerations. That is either a feature (the network can recover from disasters) or a bug (the network is not actually immutable) depending on perspective.
  • The SEC DAO Report (July 2017). The US Securities and Exchange Commission published a Section 21(a) Report concluding that DAO tokens were securities under the Howey Test. That report effectively defined the regulatory framework for the 2017 ICO bubble.
  • Subsequent on-chain governance experiments. Every later attempt at on-chain organisation — MakerDAO, Compound governance, OlympusDAO, Gitcoin, the modern Optimism Collective — has had to navigate the same tension between immutable code, human judgement and stakeholder protection that the DAO incident first surfaced.

The lessons

The DAO hack is one of the most-studied incidents in crypto. Honest lessons include:

  • Smart contracts are programs, and programs have bugs. The DAO held more value than most production financial systems, yet it was written by a small team under time pressure and audited but not formally verified. The specific bug (reentrancy) had already been described in security literature; using a known-dangerous pattern at that scale is what made the loss possible.
  • Immutability is a choice the community makes, not a property of the substrate. Ethereum's hard fork demonstrated that, at sufficient consequence, the network would intervene. Subsequent chains have varied in how strictly they treat this. Ethereum Classic exists in part to maintain the position that immutability is non-negotiable.
  • Recovery decisions create precedents. The DAO fork has been cited in subsequent crises — hack recoveries, bridge exploits, stablecoin de-pegs — as a precedent for community intervention. Some chains have rejected this precedent; others have embraced it; almost all have had to reason about it.
  • Audits are necessary but not sufficient. The DAO had been audited. Auditors had raised some concerns. The exploit still happened. Real-world security relies on multiple defences — formal verification, bug bounties, conservative upgrade processes, time-locked controls — not on a single audit.
  • Governance is a layer that needs design. The DAO's token-holder governance was novel and underspecified. Every subsequent serious DAO has had to design governance with much more care: quorum, voting weights, delay periods, emergency procedures. The DAO is the case study that made these concerns concrete.

It is worth being clear about what the DAO hack does not prove. It does not prove that all smart contracts are unsafe, or that on-chain organisations cannot work. It proves that smart contracts that hold large value need to be designed and audited with the seriousness of production financial software — and that the wider community needs to have thought through, in advance, what it will do when things go wrong.

Watch where smart-contract incidents start next

Smart-contract incidents continue every cycle — bridge exploits, lending-protocol drains, governance attacks. The patterns — known-dangerous code paths, time-pressured deployments, contested response — repeat. Zippfeed tracks DeFi and smart-contract security headlines across many sources with sentiment and importance scoring, so you can watch incidents and responses as they unfold — and learn from them before exposure becomes loss. This is educational, not financial advice.

Frequently asked questions

What was The DAO?
The DAO was a high-profile Ethereum-based decentralised autonomous organisation launched in April 2016. It raised about 11.5 million ETH — roughly $150 million at the time — through an open token sale. Token holders were meant to vote on which projects to fund. A reentrancy bug in the smart contract allowed an attacker to drain about 3.6 million ETH in June 2016.
How did the DAO hack work?
The attacker exploited a reentrancy vulnerability in The DAO's split function. The function made an external call to send ETH to the attacker before updating the attacker's internal balance. The attacker's contract used the external call to recursively re-invoke the split function, repeatedly withdrawing against the same balance. About 3.6 million ETH was drained into a child DAO controlled by the attacker before community response.
Why did Ethereum hard fork after The DAO hack?
The Ethereum community, led by the foundation and a majority of miners, voted to hard-fork the chain on 20 July 2016 to move the drained ETH to a refund contract, allowing DAO token holders to recover their original ETH. The argument was that letting the attacker keep $50M of user funds was unacceptable. A minority disagreed, arguing that immutability was the central promise of a blockchain and that intervening would set a dangerous precedent.
What is Ethereum Classic?
Ethereum Classic (ETC) is the continuation of the original Ethereum chain after the July 2016 hard fork. It was maintained by miners, developers and users who refused the hard fork on principle, arguing that immutability matters more than any single recovery. On ETC, the DAO hack was not reversed — the attacker kept the drained ETH on that chain. ETC still operates as a separate, much smaller network.