The DAO exploit marks its 10th anniversary, a hack that drained 3.6M ETH and split Ethereum in two

Ten years ago today, on June 17, 2016, an anonymous attacker exploited a smart contract vulnerability and siphoned 3,641,694 ETH out of The DAO. At the time, that represented roughly one-third of the $150 million the project had raised, making it one of the most dramatic thefts in the short history of programmable money.

The fallout didn’t just cost investors their tokens. It fractured the Ethereum community along philosophical lines and produced two competing blockchains that still exist today.

How one bug rewrote Ethereum’s history

The DAO launched in April 2016 as a decentralized venture capital fund, an ambitious experiment in collective investment governance. Its crowdfunding round pulled in roughly $150 million in ETH, making it one of the largest crowdfunding efforts of any kind at the time.

The problem was a reentrancy bug in the smart contract code. In English: the contract’s withdrawal function could be called repeatedly before it finished updating the sender’s balance. Think of it like a bank ATM that dispenses cash before recording the transaction, letting you hit “withdraw” over and over again.