At the beginning of The Lord of the Rings, all these people from different groups (Hobbits, Elves, Dwarves, etc.) didn’t trust each other, but they had a unified mission: take the ring to the mountain. Like a DAO, they were a group of diverse strangers who had to trust each other to reach a common goal. In The Lord of the Rings, even though Frodo is somewhat the star, everyone made decisions together.
The Lord of the Rings isn’t entirely like a DAO, because the ring was passed back and forth. In a DAO, the funds sit in a treasury and can only be used if multiple participants sign off; more on that later.
DAOs are organizations that allow untrusted parties to work collaboratively. Rules and guidelines are all locked into smart contracts on the blockchain network, making it difficult for one party to cheat another.
DAOs are a new way of organizing a foundation, organization, or business. Decentralized is the keyword here: the idea is an organization that manages most business affairs as a group.
DAOs are not complicated technology. A DAO is a forum that allows people to vote on decisions, funds are raised like a Kickstarter, and there’s an event mechanism that listens to the votes and can programmatically release funds and fire specific actions. A big sarcastic YEH 😐
Are DAOs under or over-hyped?
In a world where people followed the rules and played fair, DAOs would be pointless technology. Unfortunately, the world isn’t fair, and people get cheated out of what’s rightfully theirs all the time because the rules don’t apply to everyone.
DAOs make organizations more inclusive because they survive on community support, bringing us closer to a more diverse, inclusive, and equitable society.
It’s not a perfect solution: votes depend on how many tokens you own, many DAOs are not user-friendly and require a certain level of technical expertise, and working in a DAO requires time that most people can’t afford these days.
The current state of DAOs today might be overhyped, but their potential is underhyped. There’s still a lot of work to make them more approachable and fair organizations. If we continue to better DAOs, I can see many companies and departments organizing themselves as DAOs.
Why would anyone want a DAO?
I can’t speak for everyone, but I would use a DAO to solve a specific problem, but I have certain constraints like time, friends, and money.
- Time ⏰ → I have a full-time job and need to collaborate with strangers
- Friends 👸🏻 → I don’t have too many friends in the industry, so many people don’t trust me, and I don’t trust them
- Money 💰 → I can’t financially compensate anyone to offset their lack of trust in me, but I could give them a share of this project in exchange for their work
With DAOs, the concept of a CEO who makes all the decisions, gets the majority of the funds, and gets all the fame is out the door; it’s a group effort. Letting go of the fame and control tied to a centralized organization is worth it when all you want is to create the best solution with the limited resources you have. For instance, Uniswap generates 77.6% of the average daily trading volume processed by Coinbase with 33x fewer personnel. This is the power of DAOs: they enable decision-making by the community, provide secure ways to handle joint funds, and allow work to be easily dispersed to experts across the world.
Governance is a heavy word in DAOs because that’s their purpose. Not all blockchain projects use DAOs even though they all talk about governance.
In the absence of a centralized authority, decentralized networks and platforms rely on increasingly innovative governance structures to ensure the longevity and overall real-world use of their projects.
Blockchain governance typically employs mechanisms to make decisions on project direction and ongoing updates, and to ensure that the underlying protocol and ecosystem run smoothly and efficiently.
Governance is categorized as either off-chain or on-chain. In off-chain governance, decisions start on a social level and are implemented by the developers. Bitcoin and Ethereum rely on off-chain governance: BIPs and EIPs are shared through a mailing list or GitHub repo and then approved by the developers. In on-chain governance, decisions are recorded and implemented on the blockchain network using smart contracts.
Some of the biggest blockchain projects are DAOs, like MakerDAO, Augur, BitDAO, Decentraland, FriendsWithBenefits (FWB), Uniswap, Compound, Rarible, Gitcoin, Audius, and the famous Constitution DAO. Constitution DAO was a fundraising attempt to buy the US Constitution and fractionalize ownership. There are a lot of quirky DAOs out there, but there are also serious ones that have raised a significant amount of funding from venture capitalists (a16z, Polychain Capital), angel investors (Peter Thiel), and everyone else. Some DAOs have raised millions: Sushi raised $33.9M and Compound raised roughly $298.77M.
Since some of these DAOs generate and hold a considerable amount of funds, they absolutely must be registered with the government. If you’re issuing a token in the US, even though there aren’t clear laws around them, it could be considered a security and need to adhere to securities laws. In July 2021, Wyoming passed a law recognizing DAOs as LLCs. Before this law took effect, DAOs registered themselves as regular companies, and they still can, so ask your lawyer friend how this will affect the DAO registration process.
OpenLaw coined the term LAOs: DAOs that are wrapped as legally compliant entities, such as an LLC or C-Corp. LAOs can enter legal contracts, custody off-chain assets (e.g., SAFTs), and distribute dividends. Investors in LAOs must be accredited, but service providers compensated in LAO shares can earn their shares of the LAO portfolio.
There’s a DAO for everyone; some DAOs are charity-focused, others are funding-focused, and some are bounty-focused. Depending on the type of DAO we’re dealing with, we would consider different features.
Some of these feature terms are new, so below are a few definitions and concepts to understand:
Ragequit gives members the freedom to choose the best time to exit the DAO and withdraw their funds without any additional conditions.
Guild Kick proposals allow members to forcibly remove another member (their assets are refunded in full).
DAOs can have fungible tokens (ERC-20), non-fungible tokens (ERC-721), and multi-token standard tokens (ERC-1155). Fungible tokens can be used for membership and for different activities within the DAO, like voting or collecting shared earnings. NFTs are often used to register membership, as with Bored Apes, where anyone who owns a Bored Ape is part of the DAO.
With on-chain voting all votes are recorded on the blockchain, meaning they cost gas and usually require a commitment to the vote in the form of tokens. Different DAO voting schemes determine how many tokens are needed for a vote. A few different voting schemes are quadratic voting, holographic voting, token-based quorum voting, and conviction voting.
Off-chain voting is usually termed as “Temperature Check.” Off-chain voting is usually gas-free because it’s outside any blockchain network and doesn’t require a commitment. Usually, these votes occur in email chains, Discord channels, forums, and Snapshot (https://snapshot.org/#/).
Non-voting shares that are entitled to financial distributions.
Shares grant voting rights and proportionate ownership of the core treasury. Shares are DAO-specific and cannot be transferred or traded.
Money streams are workflows that allow for continuous payments over time. Imagine not having to wait every 2 weeks for your paycheck; instead, you get paid for every second you work. Dream big, my friend, and check out Sablier and SuperFluid.
Bounties are like gigs that DAOs post to the community, and if someone takes on the work, they can get paid in the form of an approved DAO token. Often, bounties are posted on Gitcoin, GitHub, Discord, or Snapshot, with a request for an enhancement and the price the DAO is willing to pay for the work.
Below is an example of a bounty that needs to be voted on by the ENS Foundation DAO.
Not all bounties require heavy technical knowledge; below is an example of a bounty that the Algorand Foundation posted for a Korean translator.
Given the magnitude of funds a DAO holds and the risks around creating DAOs, it’s easier and safer to use proven and tested DAO generators. Some popular DAO generators are Aragon, JuiceBox, Colony, and Mirror.
Aragon is one of the leading DAO generator solutions, and it offers two options: Aragon Client and Aragon Govern. Once you deploy your DAO, other people can interact with it on Aragon.
JuiceBox (Funding DAO Generator) is a funding DAO generator created by the same folks that brought us Constitution DAO. The interface is relatively simple, and all the DAO creator has to do is fill out a few forms on the DAO generator.
Mirror XYZ is a writing-focused DAO generator that allows you to create a DAO based on different writing projects. It’s a blogging site like Medium, but you can hold your tokens and governance within your publication.
Even though these platforms handle the technical heavy lifting for you, always be aware of the risks and concerns around them. Track the development community on Discord, Reddit, and blogs.
DAOs had a rough start. Back on June 17th, 2016, a hacker exploited a DAO called ‘The DAO’ and stole 3.6 million ETH, equivalent to $70 million at the time.
The attacker was able to request Ether back multiple times before the smart contract could update its balance; this is called a re-entrancy attack. It’s as if you went to a bank and your teller was Dory from the movie ‘Finding Nemo’, and she kept forgetting to update your balance, so you could ask her for the same withdrawal amount over and over again.
Luckily, the account where the stolen funds were placed was on hold for 28 days, giving the Ethereum community a chance to remedy the situation by forking the chain. Forking the chain gave the Ethereum community a chance to refund the tokens to the community.
Today the original is Ethereum Classic and the new forked one is Ethereum (the mainstream one).
The Suspected Hacker: Laura Shin recently reported that the DAO hacker from 2016 was the CEO of TenX. She came to this discovery while writing her new book “The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze”.
Laura Shin wrote an amazing article on how she reached that conclusion; it’s basically a crypto verbal movie: https://www.forbes.com/sites/laurashin/2022/02/22/exclusive-austrian-programmer-and-ex-crypto-ceo-likely-stole-11-billion-of-ether/?sh=f47894f7f589
Recursive Bug Found on June 12th, 5 days prior to the attack
A few days before the actual attack on June 17th, ‘The DAO’ identified a “race to empty” bug, which is a recursive call vulnerability. On June 12th the community celebrated 👏 catching this bug with Eththrowa and resolving it. Meanwhile, a second attack was being planned… 👺
The Day of Attack on June 17th
Withdrawing funds was difficult; it required the creation of a child DAO. To create a child DAO, you put in a split proposal that takes 7 days to mature and gather participants. If these participants vote yes, they can call splitDAO and withdraw their funds.
But the way the splitDAO function was implemented allowed the attacker to recursively split from the DAO and withdraw funds indefinitely before the balance was ever updated. The splitDAO function was called 29 times by 27996 internal transactions, of which 13996 were non-zero transactions. Since the balance never updated, the withdrawal for the same amount was called multiple times with the ETH balance of 258.06 ETH, coming out to roughly 3,611,759.68 ETH.
The first attack, by ‘TheDarkDao’ (address: 0x304a554a310C7e546dfe434669C62820b7D83490), started with the transaction below (transaction hash: 0x0ec3f2488a93839524add10ea229e773f6bc891b4eb4794c3337d4495263790b).
You can find the infamous contract that was hacked on Etherscan, the contract is 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. (https://etherscan.io/address/0xbb9bc244d798123fde783fcc1c72d3bb8c189413#code)
Below is the function that specifically caused the vulnerability. As you scan it, note the following:
- withdrawRewardFor at line 69 happens before the balance is updated at line 71
- Line 28 creates the new DAO, the child DAO
- Line 45 is the code that creates the new tokens for the child DAO
// Move ether and assign new Tokens
uint fundsToBeMoved = (balances[msg.sender] * p.splitData.splitBalance) / p.splitData.totalSupply;
if (p.splitData.newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false)
    throw;
Check out Vessenes’ overview for more details:
Below is a detailed code analysis of the hack:
I hope the ‘The DAO’ hack didn’t scare you; it was 5 years ago. Since that brutal wake-up call, the blockchain community has made major strides in improving the security of DApp implementations.
Below is a checklist to go through before deploying your DAO to the mainnet for mainstream consumption:
Treasury is one of the checklist items that’s specific to DAOs. The treasury of a DAO usually sits in a multi-signature wallet, a contract that requires multiple members to sign off on transactions. The treasury usually holds its funds in fungible ERC-20 tokens, and they can only be used for proposed projects that were voted on. This is one of the biggest selling points for DAOs: it makes embezzlement difficult. Even if a group of people have never met and don’t trust each other, they can still work together because the DAO secures the funds programmatically.