The DAO exploit marks its 10th anniversary, a hack that drained 3.6M ETH and split Ethereum in two
A decade ago, a single reentrancy bug drained one-third of The DAO's funds and forced the Ethereum community into an existential crisis it never fully resolved
Ten years ago today, on June 17, 2016, an anonymous attacker exploited a smart contract vulnerability and siphoned 3,641,694 ETH out of The DAO. At the time, that represented roughly one-third of the $150 million the project had raised, making it one of the most dramatic thefts in the short history of programmable money.
The fallout didn’t just cost investors their tokens. It fractured the Ethereum community along philosophical lines and produced two competing blockchains that still exist today.
How one bug rewrote Ethereum’s history
The DAO launched in April 2016 as a decentralized venture capital fund, an ambitious experiment in collective investment governance. Its crowdfunding round pulled in roughly $150 million in ETH, making it one of the largest crowdfunding efforts of any kind at the time.
The problem was a reentrancy bug in the smart contract code. In plain terms: the contract’s withdrawal function sent ETH to the caller before it updated the caller’s balance, so the caller could re-enter the function and withdraw again before the first withdrawal had been recorded. Think of it like a bank ATM that dispenses cash before recording the transaction, letting you hit “withdraw” over and over again.
The attacker exploited exactly that flaw, draining ETH into a “child DAO,” a subsidiary contract with a built-in 28-day withdrawal lock. That lock period gave the Ethereum community a narrow window to respond, and respond it did.
On July 20, 2016, roughly a month after the hack, a hard fork was executed. The forked chain, which reversed the exploit and returned funds to investors, became the Ethereum we know today. The original, unaltered chain continued as Ethereum Classic, championed by those who believed that blockchain immutability should be absolute, even when the outcome was ugly.
The phrase “code is law” became the rallying cry of the Ethereum Classic camp. Their argument was principled: if a community can vote to reverse transactions it doesn’t like, then the entire premise of a trustless, censorship-resistant ledger collapses. The other side countered that letting a thief walk away with $50 million because of a technicality wasn’t exactly the moral high ground either.
Unclaimed funds get a second life
Here’s the thing about large-scale recoveries: not everyone comes back for their money. After the hard fork restored the stolen ETH, a portion of it, estimated at around 75,000 ETH, went unclaimed by original DAO token holders.
In early 2026, those unclaimed funds were redirected to establish TheDAO Security Fund. At the time of activation, that stash was valued at approximately $220 million. The fund’s mission is to support security initiatives across the Ethereum ecosystem, essentially turning the wreckage of the original exploit into a permanent resource for preventing the next one.
The governance structure includes some familiar names. Vitalik Buterin and Griff Green are among the curators overseeing how the fund is deployed.
The reentrancy vulnerability that made The DAO exploit possible didn’t disappear after 2016. It became one of the most studied attack vectors in smart contract security. Variations of the same bug have appeared in exploits for years afterward, reinforcing why the category remains a priority for auditors and developers alike.
What this means for investors
The creation of TheDAO Security Fund signals something worth paying attention to. Rather than letting legacy assets sit idle, the Ethereum community chose to deploy them toward proactive defense. For investors evaluating Ethereum’s long-term value proposition, a dedicated $220 million security fund backed by unclaimed hack proceeds is a concrete commitment, not just rhetoric about “building safer infrastructure.”
That philosophical split still matters. Ethereum Classic trades at a fraction of Ethereum’s price, but it represents a living argument about what decentralization actually means. Every time a protocol considers an emergency intervention, whether it’s freezing hacked funds or rolling back a buggy upgrade, The DAO precedent looms in the background.