In 2016, the blockchain industry was rocked by a security incident that went viral across the internet: an attacker spent less than $1 in transaction fees and, by exploiting two lines of code written in the wrong order, siphoned digital assets worth roughly $60 million out of the on-chain smart contract of the leading project The DAO. There was no brute-force cracking and no break-in anywhere in the process; everything was accomplished purely by exploiting a logic flaw in the contract code itself.


The principle behind this vulnerability was absurdly simple. A withdrawal routine should first zero the user's recorded balance and only then send the funds. The contract at the time had the sequence reversed: it sent the funds first and cleared the balance afterwards. On Ethereum, sending ether to a contract hands control to that contract's fallback code before the sender continues, so the attacker's contract, inside the callback triggered by the transfer, simply called withdraw again while the vault still believed the balance was unspent. Round after round, the recursive loop drained funds until the contract's reserves were empty. This is the bug now known as reentrancy, and the guard against it is the checks-effects-interactions ordering: validate, update your own state, and only then make the external call. The fix amounted to swapping the positions of two lines of code.
The DAO was by no means a faceless small project. It was, at the time, the most closely watched benchmark project in the Ethereum ecosystem, with a crowdfunding scale of $150 million. Its code had undergone multiple rounds of community review and verification by professional security teams—but somehow, no one managed to spot this most basic logic error.
In the end, the incident forced the Ethereum community to carry out a hard fork that rewound the chain's state to recover the stolen assets, and the minority that refused the rollback continued on as Ethereum Classic. The industry's long-standing belief that "code is law" collided with reality for the first time, and the debate over whether exploiting a vulnerability is legitimate use of the contract or outright theft is still simmering to this day.
Even more ironic is that, years later, these kinds of basic vulnerabilities have not disappeared; on the contrary, they keep resurfacing under different disguises. In 2021 the lending protocol CREAM Finance lost about $130 million to an exploit, and earlier that same year it had already lost roughly $18.8 million to a reentrancy attack of exactly this kind: the re-entry happened not through a plain ether transfer but through a token transfer hook, several calls deep in the stack. Because the call chain was nested layer upon layer and the hook was hidden under the details of an external token standard, even full professional audits did not flag the risk.
Beyond that, there have been flash-loan price-manipulation attacks that need no capital of the attacker's own, basic blunders such as wrong visibility or access control on privileged functions, and a major cross-chain bridge case that lost $625 million after a phishing lure was enough to compromise the validator keys. These cases have played out in the industry again and again. Many projects, in their rush to meet go-live timelines and cut development costs, keep compromising on security in the name of speed, and every corner cut eventually turns into an irrecoverable, sky-high loss.