One day after $53 million abruptly disappeared from an experimental cryptocurrency project, a note appearing to be from the attacker has surfaced on PasteBin, claiming that the money drained from the system is now legally his. The attacker withdrew the money by exploiting a contract bug in the code of the DAO (or Decentralized Autonomous Organization), a collective investment fund that uses the Ethereum cryptocurrency. The DAO had raised well over $100 million from Ethereum users at the time of the attack.
"I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether," the note reads. "I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward." The note concludes with an identifying signature and hash, although The Verge was unable to independently verify their authenticity. The attacker’s legal name is still unknown.
"I… would like to thank the DAO for this reward."
"I am disappointed by those who are characterizing the use of this intentional feature as ‘theft,’" the note continues. "My law firm has advised me that my action is fully compliant with United States criminal and tort law."
It’s unclear whether this legal reasoning holds up, but it’s not entirely unprecedented. The DAO is structured like a legal contract, and while the attack certainly wasn’t an intended use of that contract, it proceeded according to the contract’s pre-established rules. Cornell cryptographer Emil Gün Sirer wrote yesterday that draining the funds may not even qualify as a hack.
"Had the attacker lost money by mistake," Sirer wrote, "I am sure the devs would have had no difficulty appropriating his funds and saying ‘this is what happens in the brave new world of programmatic money flows.’ When he […]
