You can follow new articles via RSS or Twitter

Will TheDAO's $220M Security Fund Actually Make Ethereum Safer?

In my previous article, I looked at how seven curators took control of $220 million in unclaimed TheDAO funds. Griff Green described the mission as ensuring Ethereum "is ready to become the backbone of the world's financial infrastructure." The initiative is part of the Ethereum Foundation's Trillion Dollar Security plan. But will this money actually make Ethereum safer?

The means destroy the end

Private property rights cannot be violated. This principle is what civilization is built on.

The Fifth Amendment to the US Constitution states: "No person shall be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation." The same principle is protected by the European Convention on Human Rights and the Universal Declaration of Human Rights.

Others' funds cannot be used under any well-meaning excuse to make profit, establish control, or promote ideological positions without explicit consent from the owners.

The curators took control of $220 million to make Ethereum safer and more reliable. But the act itself (effectively using other people's money without consent, without a court ruling, without due process) makes Ethereum less reliable.

If funds in a smart contract can be repurposed after a period of inactivity, why would anyone trust Ethereum as long-term infrastructure?

The slippery slope

There is also the problem of precedent escalation. Today it is unclaimed funds from 2016 that the curators decided to stake, spending the staking rewards. But each step lowers the threshold for the next one.

Eugene Volokh showed in the Harvard Law Review that when gun registration was introduced in England, New York City, and Australia, it was eventually followed by gun confiscation. Not because registration logically required it, but because it made confiscation cheaper and easier to implement. Once the infrastructure existed, the next step became politically feasible.

Volokh called this a "cost-lowering slippery slope": decision A doesn't change anyone's mind about whether B is right or wrong, but it lowers the practical cost of B, making it more likely to happen.

Today, the justification is: these funds have been inactive for years, so the people managing them can stake them and use the rewards for the ecosystem. This justification doesn't apply only to TheDAO. It works for any smart contract wallet where funds have not moved for a long period.

Once the right to use other people's money for a good cause is established, the definition of "good cause" can expand, and so can the pool of funds considered available for it.

You can't buy your way out of a problem you keep creating

As for Ethereum's blockchain security, the situation has reached a point where simply throwing money at the problem won't help.

At best, we will see the same popularity contest among a narrow circle of recipients that happens in almost every DAO funding experiment, regardless of the mechanism.

As DL News put it, "DAO-led grants are never far from controversy stemming from alleged insider dealing and lack of transparency." BlockScience, which studied Gitcoin's quadratic funding rounds, found that such systems exhibit the Matthew Effect, a runaway effect of "the rich get richer", alongside persistent sybil attacks and collusion.

The winners will become slightly wealthier and perhaps even produce a few patches, which hackers will bypass in short order.

Disconnected from reality

The deeper problem is that Ethereum's leadership seems no longer capable of recognizing the consequences of their own actions. Blockworks described the situation as "the current narrative of Ethereum leadership being out of touch and uncompetitive." You cannot plug holes in a ship when the captains keep drilling new ones.

For example:

Despite knowing Ethereum faced numerous unresolved security problems, leadership proceeded with the Fusaka upgrade, which reduced fees and made spam attacks economically viable on the Ethereum blockchain.

The link between low fees and attack volume was already documented: a Carnegie Mellon University study published ten months before the upgrade found "a higher attack prevalence in chains with lower transaction fees." According to my data, address poisoning attacks alone caused $63.3 million in losses during the two months following the Fusaka upgrade — a 13-fold increase compared to the same period before it.

EIP-7702, introduced in May 2025 as part of the Pectra upgrade, is actively being exploited by attackers to drain wallets. Wintermute reports that over 80% of all EIP-7702 delegations are linked to malicious contracts, calling it "ridiculous and cruel that the same copied bytecode occupies most of the EIP-7702 authorizations." By the time of Wintermute's research in mid-2025, individual attacks had already resulted in losses up to $1.54 million, with victims signing batch transactions on fraudulent DeFi sites.

Fireblocks, a security firm, warned two months before the Pectra launch: "A reckless approach would strive to allow as open and free delegations as possible, but that is likely to end very fast with losing all funds. A single malicious delegation is all that is needed."
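As an added illustration (not code from the article, from Wintermute or from Fireblocks), here is the kind of wallet-side check a monitoring tool can run against EIP-7702 delegations: it parses the delegation designator that EIP-7702 writes into an EOA's account code (0xef0100 followed by the 20-byte delegate address), aggregates delegations per delegate, and flags accounts whose delegate is on a deny list or is the single delegate that most delegations point to, the "same copied bytecode" concentration the article describes. All addresses, account codes and the deny list are constructed placeholders.

```python
# Added example: flag suspicious EIP-7702 delegations from account code.
# Per EIP-7702, a delegated EOA's account code is exactly 0xef0100 || address.
from collections import Counter

DELEGATION_PREFIX = bytes.fromhex("ef0100")


def parse_delegation(code: bytes):
    """Return the delegate address (0x-prefixed, lowercase hex) if `code`
    is a valid 23-byte EIP-7702 delegation designator, otherwise None."""
    if len(code) != 23 or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


def assess_delegations(account_codes: dict, denylist: set, share_threshold: float = 0.5):
    """account_codes maps EOA address -> current account code bytes.
    Flags an EOA if its delegate is deny-listed, or if that delegate holds at
    least `share_threshold` of all delegations seen (concentration pattern).
    Returns per-delegate counts and the list of (eoa, delegate, reasons)."""
    delegates = {}
    for eoa, code in account_codes.items():
        target = parse_delegation(code)
        if target is not None:
            delegates[eoa] = target
    counts = Counter(delegates.values())
    total = sum(counts.values())
    dominant = {d for d, n in counts.items() if total and n / total >= share_threshold}
    flagged = []
    for eoa, target in delegates.items():
        reasons = []
        if target in denylist:
            reasons.append("denylisted delegate")
        if target in dominant:
            reasons.append("dominant delegate")
        if reasons:
            flagged.append((eoa, target, reasons))
    return {"counts": counts, "flagged": flagged}


# Constructed sample data (placeholders, not real addresses or bytecode):
# three EOAs delegate to the same bad contract, one to a legitimate one,
# one is a plain EOA with empty code, one holds non-designator code.
BAD = "0x" + "bd" * 20
OK = "0x" + "0a" * 20
DENYLIST = {BAD}
SAMPLE = {
    "0x" + "01" * 20: DELEGATION_PREFIX + bytes.fromhex(BAD[2:]),
    "0x" + "02" * 20: DELEGATION_PREFIX + bytes.fromhex(BAD[2:]),
    "0x" + "03" * 20: DELEGATION_PREFIX + bytes.fromhex(BAD[2:]),
    "0x" + "04" * 20: DELEGATION_PREFIX + bytes.fromhex(OK[2:]),
    "0x" + "05" * 20: b"",
    "0x" + "06" * 20: bytes.fromhex("6080604052"),
}
```

Running `assess_delegations(SAMPLE, DENYLIST)` flags the three EOAs pointing at the constructed bad delegate on both grounds and leaves the rest untouched.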

And now they are setting a precedent that would allow declaring funds in smart contracts abandoned after a period of inactivity and using them without owners' consent. When millions of users transition to smart contract wallets through Account Abstraction, this could create risk for anyone who simply holds cryptocurrency long-term.

Too broken to patch

But even without new developer errors, the sheer number of vulnerabilities, attack types, and attack vectors in Ethereum is so vast — and hackers can adapt and launder funds so easily — that any security investment will simply be burned through.

Smart contracts cannot be patched after deployment, which by default makes every vulnerability permanent and every stolen asset virtually irrecoverable. Each protocol upgrade introduces new attack surfaces faster than defenders can respond. MEV extraction is embedded in Ethereum's transaction ordering mechanism itself, with over 4,400 sandwich attacks per day and no unified protection at the protocol level.

The ERC-20 approval model (a core design choice) has been exploited for $2.7 billion in phishing losses between 2021 and 2024, prompting a US Secret Service operation specifically targeting Ethereum approval scams. A Frontiers in Blockchain study documented 220 major incidents resulting in $8.49 billion in quantified losses. A 2025 survey of 62 open-source security tools found that not a single one covers all known vulnerability types, and new categories keep emerging faster than tools are built to detect them.

As a 2025 ScienceDirect study of two years of MEV activity on Ethereum concluded, attackers are becoming "more sophisticated as they tend to chain different types of attacks," and "the value extracted could hinder the adoption of Ethereum in future projects." Or as the ACM put it more bluntly: "our capabilities in securing the Ethereum system are limited."

"Code is law," cypherpunk enthusiasts like to say. But bad code is bad law. And Ethereum's code is bringing us closer not to a cypherpunk utopia, but to a cyberpunk dystopia.

Whether intentionally or not, the result is a system that disproportionately rewards dishonest behavior and thereby incentivizes it.

Security problems need to be solved fundamentally. There are approaches to doing so. I may explore some of them in upcoming articles.
