What really happened with The DAO in 2016? 🍒

The DAO was the first-ever venture fund built on smart contracts. Users deposited ETH and received DAO tokens to vote on where the money should go. In total, it raised $150M from 11,000 people, 15% of all ETH at the time 🔷

Where was the vulnerability?

There was a bug in the splitDAO function. It allowed a user to "split off" and create a new sub-DAO with a portion of the funds, but it didn't include protection from a reentrancy attack, a type of exploit where a function is called again and again before the balance is updated 😳

How the attack worked:
• The attacker triggered splitDAO to create a sub-DAO
• Then called it recursively, dozens of times, before the balance updated
• The contract didn't check whether funds had already been withdrawn, so they just kept coming

Basically, it was like a broken ATM giving out cash over and over until it realized it was empty 🎰

How was it fixed?

The Ethereum community had two options:
A) Leave it be and let the hacker walk away with $60M 😱
B) Roll back the blockchain to before the hack 🔙

They chose option B. This led to a hard fork and two separate chains:
• Ethereum (ETH), with the rollback and refunds
• Ethereum Classic (ETC), the original chain, where the code stayed unchanged

What changed after this?
1️⃣ Reentrancy became a well-known attack vector → Now one of the first things auditors check
2️⃣ Audit firms like OpenZeppelin and Trail of Bits became industry standards → No serious project launches smart contracts without an audit
3️⃣ DAO frameworks like XDAO, Aragon, and DAOstack emerged → Nobody writes DAO code from scratch anymore
4️⃣ UX and governance security improved → With roles, multisig, spending limits, rage quit, and more

Why XDAO is protected from this kind of scenario

The key difference: audits ✅
The DAO's biggest flaw was launching without a full audit, and that's exactly how the bug went unnoticed. The XDAO framework has been audited by independent security firms like Hacken and Pessimistic. It's already used in 40+ blockchains and thousands of real DAOs. The smart contracts for XDAO on TON will also be audited soon 🫡

Closed, secure interface ✅
In The DAO, users could interact directly with the contract, triggering dangerous functions intentionally or by mistake. In XDAO, all actions go through a Telegram interface with only safe, pre-approved operations. You can't call low-level contract functions manually 🔓

No critical functions like splitDAO ✅
The DAO had a feature that let anyone split off and take a chunk of the treasury. XDAO doesn't allow that: all fund movements require voting or multisig, and DAO behavior is set clearly at creation. Sensitive parts are guarded by roles, limits, and validation rules 🖥

XDAO isn't an MVP, it's a mature product ✅
It's gone through audits, dozens of releases, adoption in 40+ chains, and stress-testing by hundreds of thousands of DAOs. This is robust infrastructure, and exactly what we're building on for TON ⚙

Conclusion

The DAO was a pioneer, and a victim of its own newness. Its failure was a turning point for the industry. Now it's 2025. In 9 years, everything that once failed has been rebuilt from the ground up: architecture, audit practices, interfaces, legal clarity, and collective experience. Everything that was fatal in 2016 is fortified in XDAO today 🤩
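To make the "balance updated too late" bug from the splitDAO story concrete, here is an added example (not The DAO's code and not XDAO's code) of a hypothetical treasury contract with the reentrancy flaw, followed by the hardened version that auditors now expect: state is updated before the external call (checks-effects-interactions) and a reentrancy guard blocks nested entry. Contract and function names are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical treasury (constructed for illustration, not The DAO's code).
// A member's share is paid out on request.
contract VulnerableTreasury {
    mapping(address => uint256) public shares;

    function deposit() external payable { shares[msg.sender] += msg.value; }

    // BUG: the ETH is sent before the member's balance is zeroed. A contract
    // that receives the ETH can call withdrawShare() again from its receive()
    // hook and be paid again from the still-unchanged balance, until the
    // treasury is empty. This is the pattern the post describes for splitDAO.
    function withdrawShare() external {
        uint256 amount = shares[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        shares[msg.sender] = 0; // effect applied too late
    }
}

// Hardened version: checks-effects-interactions plus a reentrancy guard.
contract HardenedTreasury {
    mapping(address => uint256) public shares;
    bool private locked;

    // Rejects any nested call into a guarded function while one is in flight.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { shares[msg.sender] += msg.value; }

    function withdrawShare() external nonReentrant {
        uint256 amount = shares[msg.sender];          // check
        require(amount > 0, "nothing to withdraw");
        shares[msg.sender] = 0;                        // effect, before the call
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }
}
```

Either fix alone closes the hole; production code uses both, and static tools such as Slither flag the vulnerable ordering automatically.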