TheDAO Rises From the Dead: 2016's $150M Hack Becomes Ethereum's Permanent Security Fund

Hey everyone,

I have been following this story for weeks and I still get chills thinking about it. If you were around in 2016 (I was not, full disclosure – I came into crypto in 2021), you know TheDAO hack was the moment that almost killed Ethereum. A reentrancy vulnerability drained roughly 3.6 million ETH (about $60M at the time) from what was supposed to be the first decentralized venture fund. It triggered a contentious hard fork that split the community and created Ethereum Classic.

Fast forward a decade, and the ghost money from that crisis is coming back to life in a way nobody predicted.

The Backstory: What Sat Dormant for 10 Years

After the hard fork at block 1,920,000, most DAO token holders claimed their refunded ETH from the Withdrawal contract. But not everyone did. Over 75,000 ETH – mostly from the ExtraBalance contract and the Curator Multisig – has been sitting untouched since 2016. At today’s prices, that is somewhere between $150M and $220M depending on when you check.

Griff Green, one of the original DAO curators and a member of the legendary Robin Hood Group that counter-exploited the hacker to save 70% of the funds, has been quietly working to give this dormant capital a new purpose. And the result is TheDAO Security Fund.

How the Fund Actually Works

The structure is elegant in its simplicity:

  • 69,420 ETH (yes, that number is real) will be staked to create a permanent endowment
  • Staking yield generates an estimated ~$8 million per year at current rates
  • The yield funds security grants distributed through multiple mechanisms: quadratic funding, retroactive public goods funding, and ranked-choice RFPs
  • The principal is never touched – only the staking rewards flow out

This is not a one-time grant program. It is designed to be a perpetual, self-sustaining security budget for the Ethereum ecosystem. Think of it like a university endowment, but for keeping smart contracts safe.

The Governance: Who Watches the Watchmen?

The new board of curators reads like an Ethereum hall of fame:

  • Vitalik Buterin – needs no introduction
  • Taylor Monahan – MetaMask security researcher, the person who exposed the iCloud phishing vector and has probably saved more user funds than anyone in the ecosystem
  • Alex Van de Sande – ENS co-founder and original Mist browser developer, one of the earliest Ethereum application builders

Unlike the Ethereum Foundation’s more traditional top-down grant process, TheDAO Security Fund is designed as a bottom-up experiment. Round operators apply to distribute funds. Security experts help set eligibility standards. The whole thing is meant to be more like a decentralized immune system than a central committee.

What Gets Funded

The focus areas include:

  1. Smart contract audits – especially for smaller protocols that cannot afford top-tier firms
  2. Security tooling – think Slither, Mythril, Echidna, and whatever comes next
  3. Incident response infrastructure – war rooms, monitoring, and rapid-response teams
  4. User protection – wallet security, phishing defense, and education
  5. Academic security research – formal verification, new vulnerability classes, cryptographic primitives

This is also explicitly part of the Ethereum Foundation’s broader Trillion Dollar Security initiative. As the ecosystem secures hundreds of billions in value, the argument is that security spending needs to scale proportionally.

Why This Matters: The Poetic Justice

Here is what gets me about this whole thing. The reentrancy attack that nearly destroyed Ethereum in 2016 is now, through this fund, going to pay for the security research that prevents the next reentrancy attack. The vulnerability that taught an entire industry about smart contract security is now funding the education of the next generation of security researchers.

The money that sat dormant – a scar on Ethereum’s history – becomes a permanent shield.

I also think the governance design is fascinating. Having Vitalik involved gives it legitimacy, but the quadratic funding and retroactive public goods mechanisms mean it is not just three people deciding where money goes. The community has real input.

My Questions for the Community

I am genuinely curious what people here think:

  1. Is $8M/year enough? The ecosystem secures hundreds of billions. Is this endowment appropriately sized, or does security need 10x more?
  2. Governance risks: Three curators is a small number. Even with bottom-up mechanisms, is this sufficiently decentralized?
  3. The moral question: Some of this ETH arguably belonged to DAO token holders who simply never claimed it. Is repurposing unclaimed funds ethical, even for a good cause?
  4. Sustainability: ETH staking yields are not guaranteed. What happens if yields compress significantly?

I have been spending my evenings reading every article I can find about this (when I should probably be working on my actual DeFi project, ha). The more I learn, the more I think this could be a model for how crypto handles legacy liabilities – turning past failures into future infrastructure.

Would love to hear from the security folks, the governance nerds, and the historians in this community. What am I missing?


Sources: CoinDesk, The Block, Decrypt, TheDAO Fund Official

Excellent writeup, Emma. Let me address some of your questions from a security research perspective, because this is very close to what I work on daily.

On the $8M/year question

To put this in context: a single comprehensive audit from a top-tier firm (Trail of Bits, OpenZeppelin, Consensys Diligence) runs between $200K and $500K for a complex protocol. Some of the larger DeFi protocols have spent over $1M on multiple audit rounds. So $8M/year could fund roughly 16-40 full protocol audits, or a combination of audits, tooling grants, and research fellowships.

Is it enough? No. The ecosystem lost over $1.7 billion to exploits in 2023 alone. But here is the thing – this fund is not meant to replace all security spending. It is meant to fill the gaps that the market does not cover. The protocols that cannot afford a $300K audit. The open-source tooling that everyone uses but nobody funds. The academic research that has a 5-year payoff horizon.

In that framing, $8M/year is actually quite meaningful. It is roughly comparable to what the entire Ethereum Foundation has historically spent on security grants annually.

On the governance structure

Three curators is indeed a small number, and I share some concern here. However, the key detail that many people are overlooking is that the curators do not directly allocate most of the funds. The design uses round operators who apply to distribute grants, with the curators serving more as a constitutional backstop.

That said, I would feel more comfortable with a few structural safeguards:

  1. A formal veto mechanism – if any two of three curators flag a round operator, there should be a cooling-off period
  2. Term limits – even trusted individuals should rotate to prevent institutional capture
  3. Transparent reporting – every funded project should publish security outcomes, not just deliverables

Taylor Monahan’s inclusion is particularly significant. She has been one of the most vocal critics of security theater in this space. If anyone will push for real accountability over vanity metrics, it is her.

The technical angle most people are missing

What excites me most is the incident response infrastructure component. Right now, when a major exploit happens, the response is ad hoc. People scramble on Telegram and Twitter. War rooms form organically. There is no standing infrastructure.

A permanently funded incident response capability could include:

  • Monitoring systems that detect anomalous contract behavior in real-time
  • Pre-negotiated relationships with exchanges for emergency freezes
  • Trained response teams on retainer, not assembled from scratch each time
  • Post-incident analysis reports that become public goods

This alone could save the ecosystem orders of magnitude more than the $8M annual cost.

One concern I have not seen discussed

The fund focuses on Ethereum L1 security, but the attack surface has expanded dramatically. Cross-chain bridges, L2 sequencers, restaking protocols, and account abstraction wallets all introduce novel vulnerability classes. I hope the fund’s scope evolves to cover these adjacent surfaces, because the next billion-dollar exploit is more likely to come from a bridge or L2 than from a vanilla reentrancy on mainnet.

The reentrancy attack was 2016’s problem. The security challenges of 2026 look very different. The fund needs to be forward-looking, not backward-looking.

Security is not a feature, it is a process. And a permanently funded process is infinitely better than sporadic, reactive spending.
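As an added illustration of Sophia's first bullet (real-time detection of anomalous contract behaviour), here is a toy drain detector. It is example code written for this page, not code from any poster or from TheDAO Security Fund, and the event schema, thresholds and sample stream are all constructed assumptions, not a real indexer feed. It raises two signals: withdrawals in a trailing block window exceeding a fraction of the balance the contract held at the start of that window, and repeated withdraw calls sharing one transaction hash, the call shape a reentrancy loop leaves on-chain.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One decoded contract call. Hypothetical schema for this example only."""
    block: int
    tx_hash: str
    method: str
    eth_out: float  # ETH leaving the monitored contract in this call


def detect_drain(events, tvl_eth, window_blocks=10, outflow_frac=0.2, reentry_calls=3):
    """Scan a block-ordered event stream and return (kind, block, detail) alerts.

    "reentry_pattern": at least reentry_calls withdraw calls share one tx hash
        (one alert per tx).
    "drain": withdrawals in the trailing window_blocks blocks exceed outflow_frac
        of the balance held at the start of that window (one alert per excursion).
    """
    alerts = []
    window = deque()            # (block, eth_out) pairs inside the trailing window
    window_out = 0.0
    calls_in_tx = defaultdict(int)
    flagged_tx = set()
    balance = float(tvl_eth)    # tracked down as ETH leaves the contract
    over_threshold = False
    for ev in events:
        if ev.method != "withdraw":
            continue
        calls_in_tx[ev.tx_hash] += 1
        if calls_in_tx[ev.tx_hash] >= reentry_calls and ev.tx_hash not in flagged_tx:
            flagged_tx.add(ev.tx_hash)
            alerts.append(("reentry_pattern", ev.block, ev.tx_hash))
        balance -= ev.eth_out
        window.append((ev.block, ev.eth_out))
        window_out += ev.eth_out
        # Evict calls that fell out of the trailing window.
        while window and window[0][0] <= ev.block - window_blocks:
            _, old = window.popleft()
            window_out -= old
        start_balance = balance + window_out  # balance before this window's outflow
        frac = window_out / start_balance if start_balance > 0 else 1.0
        if frac > outflow_frac and not over_threshold:
            over_threshold = True
            alerts.append(("drain", ev.block, round(frac, 3)))
        elif frac <= outflow_frac:
            over_threshold = False
    return alerts


def sample_events():
    """Constructed stream, not chain data: ten routine 5 ETH withdrawals over
    blocks 100-109, one deposit, then a single tx at block 120 that re-enters
    withdraw() ten times for 30 ETH each against a 1,000 ETH contract."""
    routine = [Event(100 + i, f"0xuser{i:02d}", "withdraw", 5.0) for i in range(10)]
    deposit = [Event(105, "0xdep01", "deposit", 0.0)]
    attack = [Event(120, "0xattack", "withdraw", 30.0) for _ in range(10)]
    return sorted(routine + deposit + attack, key=lambda e: e.block)


if __name__ == "__main__":
    for alert in detect_drain(sample_events(), tvl_eth=1000.0):
        print(alert)
```

On the constructed stream the routine traffic (5% of balance over ten blocks) is silent; the attacking transaction fires the reentry signal on its third nested call and the drain signal once the window's outflow passes 20% of the pre-window balance. A real deployment would feed decoded logs from a node or indexer and tune the window and threshold per contract.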

This thread is hitting all my governance nerves. Thanks Emma for the thorough overview, and Sophia for the security practitioner lens. Let me come at this from the governance angle, because I think this fund is as much a governance experiment as it is a security initiative.

TheDAO’s Governance Legacy

We have to acknowledge the irony here. The original DAO in 2016 was the first large-scale experiment in onchain governance, and it failed catastrophically – not because the governance mechanism was bad, but because the underlying code was vulnerable. The governance layer never even got a chance to prove itself before the reentrancy attack made the whole thing moot.

Now, a decade later, the remnants of that failed experiment are being governed by a new mechanism. It is like the governance equivalent of composting – the failure decomposes into something that nourishes the next generation.

The Quadratic Funding Choice is Brilliant

I want to highlight something Emma mentioned that deserves more attention: the use of quadratic funding for grant distribution. This is not just a trendy buzzword. Quadratic funding mathematically optimizes for the preferences of the broadest number of contributors rather than the wealthiest donors.

In practice, this means:

  • A security tool used by 1,000 independent developers gets more funding than one backed by a single whale
  • Niche but critical projects (like formal verification research) can compete with flashier initiatives
  • The community signal is amplified, not just the curator signal

Combine that with retroactive public goods funding (which rewards proven impact rather than promises) and you have a distribution mechanism that is genuinely more sophisticated than most DAO treasuries I have seen. And I have reviewed dozens.

Where I Disagree With the Design

Sophia raised the concern about three curators, and I want to push harder on this. Three curators is not just small – it is a single point of social failure.

Consider:

  • What if two curators have a personal disagreement? The third becomes a tiebreaker with outsized power
  • What if all three are targeted by a sophisticated social engineering campaign?
  • What happens if one curator becomes incapacitated or disengaged? You are down to two, which is functionally a dictatorship of agreement

I would advocate for expanding to at least 7 curators with staggered 2-year terms, a supermajority requirement for major decisions, and a community recall mechanism. The MakerDAO governance model, despite its flaws, has useful precedents here.

The original DAO had too many curators (11) with too little defined responsibility. This fund has too few with too much. There is a middle ground.

The Ethics of Unclaimed Funds

Emma’s third question – about the moral dimension of repurposing unclaimed ETH – is the one I keep coming back to.

Here is how I frame it. After 10 years, the practical likelihood of a meaningful number of original DAO holders suddenly appearing to claim their ETH is close to zero. Many of those wallets are probably lost keys, defunct entities, or people who moved on entirely. In traditional law, there are escheatment doctrines that address exactly this scenario – unclaimed property eventually reverts to public use.

The crypto version of escheatment should be community-directed repurposing, which is essentially what this fund does. I think it is ethically sound, with one caveat: there should be a final, well-publicized claim window before the funds are permanently committed to staking. Give people 90 days with loud announcements across every channel. After that, the social contract is clear.

This Could Be a Template

What excites me most is the precedent this sets. There are dormant funds, abandoned treasuries, and unclaimed tokens scattered across every major chain. If TheDAO Security Fund succeeds, it creates a governance playbook for:

  • Repurposing abandoned protocol treasuries
  • Converting failed experiment assets into public goods funding
  • Sustainable endowment models that do not depend on token inflation

Governance is a marathon, not a sprint. This fund, if structured correctly, could be running long after we are all gone. That is what good governance looks like – building institutions that outlive their founders.
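To make David's quadratic funding claim concrete, here is an added example (written for this page, not code from any poster or from the fund's round operators) of capital-constrained quadratic matching: a project's matched amount is proportional to (sum of square roots of its contributions)^2 minus the direct contributions, with the pool scaled so it is never overspent. The round data is constructed; the project names are placeholders. It also shows the failure mode a practitioner would check first: a whale who splits one donation across 1,000 fake accounts is indistinguishable from 1,000 genuine contributors, so the mechanism's fairness rests entirely on identity or sybil resistance.

```python
import math


def quadratic_match(contributions, matching_pool):
    """Capital-constrained liberal radicalism (CLR) matching.

    contributions: {project: [amount from each distinct contributor, ...]}
    Unscaled match per project is (sum sqrt(c_i))^2 - sum c_i, then every match is
    scaled pro rata so the total paid out never exceeds matching_pool.
    Returns {project: {"direct": total contributed, "match": matched amount}}.
    """
    raw = {}
    for project, amounts in contributions.items():
        root_sum = sum(math.sqrt(a) for a in amounts)
        raw[project] = max(root_sum * root_sum - sum(amounts), 0.0)
    total_raw = sum(raw.values())
    scale = min(1.0, matching_pool / total_raw) if total_raw > 0 else 0.0
    return {p: {"direct": sum(contributions[p]), "match": raw[p] * scale}
            for p in contributions}


def sample_round(matching_pool=1_000_000.0):
    """Constructed round, not real grant data. The tooling project and the whale's
    project receive the same 10,000 in direct contributions."""
    contributions = {
        "fuzzer_used_by_many": [10.0] * 1000,   # 1,000 distinct small contributors
        "whale_pet_project": [10_000.0],        # one contributor, same total
        "formal_verification": [20.0] * 50,     # niche but genuinely community-backed
    }
    return quadratic_match(contributions, matching_pool)


def sybil_round(matching_pool=1_000_000.0):
    """Same whale, now split across 1,000 fake accounts: the sybil failure mode."""
    contributions = {
        "fuzzer_used_by_many": [10.0] * 1000,
        "whale_pet_project": [10.0] * 1000,     # identical profile to the real project
        "formal_verification": [20.0] * 50,
    }
    return quadratic_match(contributions, matching_pool)


if __name__ == "__main__":
    for name, result in sample_round().items():
        print(f"{name:22s} direct={result['direct']:>10,.0f} match={result['match']:>12,.0f}")
```

In the honest round the whale's single contribution earns no match at all (its root-sum squared equals its direct total), the widely used tool takes almost the whole pool and the niche project still earns a meaningful share; in the sybil round the split whale earns exactly as much as the genuine 1,000-person project and dilutes everyone else. Any round operator using this mechanism needs a sybil-resistance layer in front of it.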

Great discussion. I want to add some technical and historical context here, since I was actually around when TheDAO happened in 2016. Not many people in this space were.

I Remember the Day It Happened

I was mining ETH at the time and had a small position in DAO tokens. On June 17, 2016, I watched in real-time as the attacker drained the contract. The community response was chaotic – Griff Green and the Robin Hood Group literally counter-exploited the same reentrancy vulnerability to rescue 70% of the remaining funds before the attacker could get them. It was the most intense 48 hours I have ever experienced in crypto.

The hard fork debate that followed nearly tore the community apart. Reasonable people disagreed violently about whether rewriting the ledger to reverse the hack was justified. That schism gave us Ethereum Classic, and it shaped the “code is law” vs. “social consensus” philosophical divide that still defines blockchain governance debates today.

So when I see these same funds – the ones that sat in the ExtraBalance contract and Curator Multisig for a decade – being repurposed for security, it feels like closing a loop that has been open for my entire career in this space.

The Technical Architecture Matters

Let me dig into something that has not been discussed much: the actual staking implementation for 69,420 ETH.

This is not a trivial amount to stake. At 32 ETH per validator, you are looking at roughly 2,169 validators. The operational complexity of running or delegating that many validators is significant:

  • Slashing risk: Even with professional node operators, running 2,000+ validators means the probability of at least one slashing event over the fund’s lifetime is non-trivial. The fund needs a slashing insurance strategy.
  • Client diversity: If all validators run the same execution and consensus client, a client bug could slash a large portion of the stake simultaneously. They need to distribute across Geth, Nethermind, Besu, and Erigon on the execution layer, and across Prysm, Lighthouse, Teku, Nimbus, and Lodestar on the consensus layer.
  • Liquid staking vs. native staking: Are they using a liquid staking provider like Lido or Rocket Pool, or running native validators? Liquid staking adds smart contract risk on top of the endowment. Native staking is more secure but operationally heavier.
  • MEV extraction: Will the validators run MEV-boost with relays? The additional MEV revenue could meaningfully increase the annual yield beyond the base staking rate.

These operational details will determine whether the fund actually delivers $8M/year or something significantly different.

On Sophia’s L2 Concern

Sophia is absolutely right that the attack surface has migrated. But I want to push back slightly on the framing. The beauty of an endowment model is that the scope can evolve without restructuring the capital base. The 69,420 ETH stays staked. The yield allocation decisions are what change over time.

In 2026, maybe 80% of the grants go to L1 smart contract security. By 2030, maybe 60% goes to cross-chain and L2 security. By 2035, maybe the focus is on whatever novel architecture we cannot even imagine yet. The endowment structure is intentionally flexible.

This is actually one of the strongest arguments for the endowment model over a one-time grant pool. A lump-sum distribution gets spent and is gone. An endowment adapts.

The Decentralization Question

David’s point about expanding the curator set is well-taken, but I want to offer a counterpoint from the operational side. I have seen DAOs with large governance bodies become paralyzed by indecision. The Ethereum Foundation itself has struggled with decision-making speed.

Three curators who serve as a lightweight backstop, combined with empowered round operators who actually distribute funds, might be the right balance between decentralization and execution speed. The key question is: what are the curators actually empowered to do?

If they can unilaterally redirect funds, three is too few. If their role is limited to approving/vetoing round operators and setting broad parameters, three might be sufficient – especially given the caliber of the three chosen.

Vitalik has been remarkably consistent about avoiding centralized power. Taylor is a security-first thinker. Alex built ENS, one of the most successfully decentralized governance systems in the ecosystem. The combination is well-chosen even if the number is small.

What I Would Ask Griff Green

If I could sit down with Griff, my questions would be:

  1. What is the validator diversification strategy? Single operator or distributed?
  2. Is there a mechanism to grow the endowment over time, or is 69,420 ETH the permanent cap?
  3. How will the fund handle a scenario where a funded security researcher discovers a vulnerability in the staking infrastructure that secures the endowment itself?

That last one is a fun recursive problem.
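Brian's staking bullets (validator count, lifetime slashing probability, client diversity) can be put into numbers. The block below is an added example for this page, not code from any poster or from the fund's operators. The per-validator slashing rate, the client splits and the network client shares are constructed assumptions; the penalty formula uses the Bellatrix-era consensus constants (32 ETH max effective balance, 1/32 initial penalty, proportional slashing multiplier 3, so the correlation penalty is balance times min(1, 3 × fraction of network stake slashed in the window)). Pectra revised the maximum effective balance and the initial penalty, so the constants should be checked against the live spec before use.

```python
ENDOWMENT_ETH = 69_420.0
MAX_EFFECTIVE_BALANCE_ETH = 32.0
# Bellatrix-era constants (assumption: verify against the current spec).
MIN_SLASHING_PENALTY_ETH = MAX_EFFECTIVE_BALANCE_ETH / 32   # 1 ETH initial penalty
PROPORTIONAL_SLASHING_MULTIPLIER = 3


def validator_count(endowment_eth=ENDOWMENT_ETH, per_validator=MAX_EFFECTIVE_BALANCE_ETH):
    """Whole validators the endowment funds, plus the ETH left unstaked."""
    full = int(endowment_eth // per_validator)
    return full, endowment_eth - full * per_validator


def p_at_least_one_slash(n_validators, annual_rate_per_validator, years):
    """Probability of at least one slashing event assuming independent events:
    1 - (1 - p)^(n * years). Correlated events are modelled separately below."""
    return 1.0 - (1.0 - annual_rate_per_validator) ** (n_validators * years)


def correlated_slash_loss(fund_split, network_share):
    """ETH the fund loses if a client bug slashes every validator on one client.

    fund_split: {client: number of fund validators running it}
    network_share: {client: fraction of all network validators running it}
    Per-validator penalty = initial penalty + balance * min(1, 3 * network fraction
    slashed), capped at the validator's balance. Returns {client: fund ETH lost}.
    """
    losses = {}
    for client, n in fund_split.items():
        frac_slashed = network_share[client]
        correlation = MAX_EFFECTIVE_BALANCE_ETH * min(1.0, PROPORTIONAL_SLASHING_MULTIPLIER * frac_slashed)
        per_validator = min(MAX_EFFECTIVE_BALANCE_ETH, MIN_SLASHING_PENALTY_ETH + correlation)
        losses[client] = n * per_validator
    return losses


# Constructed network picture (assumption, not measured client-share data).
NETWORK_SHARE = {"A": 0.40, "B": 0.30, "C": 0.15, "D": 0.10, "E": 0.05}


def concentrated_split(n_validators):
    """Everything on the majority client."""
    return {"A": n_validators}


def diversified_split(n_validators):
    """Even spread over five consensus clients."""
    base, rem = divmod(n_validators, 5)
    return {c: base + (1 if i < rem else 0) for i, c in enumerate("ABCDE")}


if __name__ == "__main__":
    n, leftover = validator_count()
    print(f"{n} validators, {leftover:.0f} ETH unstaked")
    print(f"P(>=1 slash in 10y at 1e-4/validator/yr): {p_at_least_one_slash(n, 1e-4, 10):.3f}")
    print("worst case, concentrated:", max(correlated_slash_loss(concentrated_split(n), NETWORK_SHARE).values()))
    print("worst case, diversified: ", max(correlated_slash_loss(diversified_split(n), NETWORK_SHARE).values()))
```

Two things fall out. Even a per-validator slashing rate of one in ten thousand per year makes at least one slashing event over a decade very likely across two thousand validators, which is why Brian's insurance point stands; and a single-client deployment on a 40% majority client exposes the entire endowment to one correlated bug (the correlation penalty saturates at the full balance), while the even five-client spread caps the worst single-client loss at about a fifth of the stake. The majority client is the worst place to concentrate precisely because its network share drives the correlation penalty.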

Fascinating thread, everyone. I have been reading along and I want to bring a perspective that I think is critically missing from this discussion: the legal and regulatory dimension. Because this fund, however well-intentioned, is navigating some genuinely uncharted legal territory.

The Unclaimed Property Problem

David raised the escheatment analogy, and it is a good starting point, but it actually understates the legal complexity. In traditional finance, escheatment laws are state-enacted statutes with specific procedures: notice requirements, holding periods, published lists of unclaimed property owners, and formal transfer to government custody.

TheDAO Security Fund is doing something that resembles escheatment but without the legal framework that legitimizes it. The curators are essentially making a determination that unclaimed property should be redirected to public use, which in any other context would require:

  1. A legal entity with standing to make that determination
  2. A formal claims process with regulatory oversight
  3. Published notice in designated channels of record
  4. A statutory holding period (typically 3-7 years in the US, which this exceeds)
  5. Right of reclaim by original owners even after escheatment

Now, the crypto-native argument is that this does not apply because these are not “property” in the traditional sense – they are unclaimed balances in a smart contract with no legal entity behind them. And that argument has some force. But it has never been tested in court, and I would not want to be the test case.

Securities Law Implications

Here is the elephant in the room that nobody is discussing. The original DAO tokens were arguably unregistered securities. The SEC issued a landmark report in July 2017 concluding that DAO tokens were securities under the Howey test. They declined to bring enforcement action at the time, but the legal precedent was set.

Now, the assets derived from those securities are being restructured into a new fund with:

  • A defined governance structure (curators)
  • An investment strategy (staking for yield)
  • Distribution mechanisms that allocate returns

Is TheDAO Security Fund itself a new securities offering? Probably not, since there are no new investors and no token distribution. But the legal ambiguity is worth acknowledging. If the fund grows, gains attention, and starts distributing $8M/year through structured grant programs, some regulator somewhere may take interest.

The Swiss Connection

The original DAO was associated with Slock.it, a German company, and the DAO tokens were purchased by investors globally. TheDAO Fund appears to be structured under the oversight of its curators without a formal legal entity. This is a governance choice, but it creates liability questions:

  • Who is legally responsible if the staked ETH is lost to a slashing event or smart contract exploit?
  • If a grant recipient misuses funds, who bears accountability?
  • How does the fund comply with sanctions screening? The ETH from 2016 could theoretically have chain-of-custody issues.

I am not raising these to be a killjoy. I genuinely believe this is a good initiative. But “compliance enables innovation” is more than a catchphrase – it is how you ensure an initiative like this survives long enough to fulfill its mission.

What I Would Recommend

If I were advising TheDAO Security Fund (and to be clear, I am not – just offering my professional perspective), I would suggest:

  1. Establish a legal wrapper – a Swiss foundation or Cayman exempted foundation is the most common structure for crypto endowments. This provides liability protection for the curators and a legal personality for contracts and compliance.

  2. Implement KYC/AML for grant recipients – not because I love paperwork, but because a fund distributing $8M/year through structured programs will eventually attract regulatory scrutiny. Better to be proactive than reactive.

  3. Commission a formal legal opinion on the unclaimed property question. Get a top-tier law firm to document why the repurposing is legally defensible. This becomes a shield if anyone challenges it later.

  4. Create a documented claims process even if you expect zero claims. David’s suggestion of a 90-day final claim window is good, but it should be done with proper legal notice, not just a blog post.

  5. Transparent financial reporting – annual audited statements, not just blockchain transparency. Onchain visibility is necessary but not sufficient for institutional credibility.

The Bigger Picture

Brian mentioned this could be a template for repurposing dormant crypto assets. I agree, and that is exactly why getting the legal foundation right matters. If this fund operates for 5 years without legal issues, it becomes precedent for similar initiatives across the ecosystem. If it runs into legal problems, it becomes a cautionary tale that discourages future innovation.

The crypto industry has matured enough that we should not need to choose between decentralization and legal soundness. The best structures accomplish both.

Legal clarity unlocks institutional capital. And for a fund this important, institutional-grade governance is not optional – it is essential.