Labs / Drain the lending vault
Isolated environment·0xrange sandbox testnet
+250 XP on completion

  Stage 1 · Briefing

The DAO

The DAO (Ethereum)

The DAO was a $150M investor-directed venture fund — at the time the largest crowdfund ever. Its split/refund path sent ETH to the caller before zeroing their internal balance. A malicious contract re-entered that path from its fallback, looping the withdrawal many times per call and siphoning ~3.6M ETH. The fallout forced the hard fork that split Ethereum from Ethereum Classic. Your target is a faithful recreation of that bug.

DateJune 17, 2016
Impact~3.6M ETH (~$60M)
DurationDrained over hours
Attack classSmart-contract security
Timeline
Apr 2016The DAO raises ~12.7M ETH (~$150M) in a 28-day crowdsale.
Early JunResearchers publicly warn of a recursive-call flaw in withdrawal logic.
Jun 17Attacker drains ~3.6M ETH via repeated re-entrant split calls.
Jul 20Ethereum hard-forks to recover funds; Ethereum Classic keeps the original chain.
Stage 1 of 5