
Thinking About Smart Contract Security - ikeboy
https://blog.ethereum.org/2016/06/19/thinking-smart-contract-security/
======
nbadg
> The reason for this fundamental conclusion is as follows. All instances of
> smart contract theft or loss – in fact, the very definition of smart
> contract theft or loss, is fundamentally about differences between
> implementation and intent.

This is, I think, to its core the fundamental problem with any kind of rigid
language in contracts. It's nice to see an acknowledgement of its existence,
but disappointing to see _no_ acknowledgement of its severity. We see this
all the time, not just in code, but in law and policy as well: an overly-
prescriptive law can be just as problematic as an overly-vague one. And
imperatively written smart contracts are about as prescriptive as you can get.

This is of course in addition to another critical shortcoming for smart
contracts: they are capable only of interacting with informational assets (of
which "money" is a subset). You can't possibly create a smart contract to
purchase a house, because at the end of the day the person that physically
occupies the house is in the position of power. Any smart contract enforcement
mechanism would necessarily rely upon some outside system, which defeats the
whole purpose of the thing in the first place.

I have high hopes for cryptocurrencies, in no small part because they
inherently deal with only information (again, money is a subset thereof). But
I'll be honest: I remain extremely skeptical that smart contracts _as we
currently understand them_ will ever see general adoption. It strikes me as an
emotionally understandable, but rationally ill-advised, radical departure from
hundreds of years of political philosophy and sociology... not in a way that
inspires the term "disruption", but rather in a way that evokes "out of the
frying pan, and into a boiling pot of lava". I'm all for "a better contracts
system", but given that a contract (even one with a non-human entity) is by
its very definition a social instrument, I just fail to see a reasonable way
forward for what is essentially contractual bytecode.

~~~
nemild
I agree broadly - and the current DAO was a terrible idea on many fronts, but
I'll discuss one quibble in case it starts a broader discussion.

> You can't possibly create a smart contract to purchase a house, because at
> the end of the day the person that physically occupies the house is in the
> position of power.

It's likely that if something like this ever succeeded, there'd be many
parties that would provide bridges between real world assets (dollars, a
house, entry to an electronic lock) + real world contracts that might bridge
to crypto contracts (so a trustee may hold a house under US law for a crypto
title owned by others - similar to how a custodial bank holds financial assets
on your behalf). You're right that the enforcement mechanism might be
decoupled, but that doesn't make it worthless, as the trustee could still use
the enforcement mechanism on the real world side. On the cryptocontract side,
parts could be enforced like payments.

So why might crypto contracts be interesting in this case:

- There are too many parties involved and coordination costs are high (crypto
contracts that millions of people collectively negotiate together)

- The adherents are international, and may prefer a standardized form of law
accessible cheaply and easily to all

There are clearly an infinite number of risks - but this is just an example of
how it might still be beneficial.

One other point. Everyone in this recent DAO hack discusses cryptocontracts as
set in stone - and the be all, end all once published. Still, you could always
inject in a party that adjudicates, but only in extreme scenarios
(technically, they might have root access when a few parties with conflicting
incentives agreed).

You might ask, doesn't this defeat the whole purpose of crypto contracts if
third parties are involved - but there still may be value if the third party
role is substantially diminished, or if previous forms of negotiation that
never happened due to coordination cost now occur.

(the canonical Bitcoin example is escrow, where the two parties can verifiably
escrow money which in the real world always required a third party actively
involved, and a third party in the cryptocurrency world steps in only if there
are issues that the two parties can't resolve and cannot take the money itself
- 2 of 3 multisig).

~~~
ethbro
_- The adherents are international, and may prefer a standardized form of law
accessible cheaply and easily to all_

I think this is undervalued, and probably going to become even more important
in the future. Largely because it's something that the current legal framework
simply doesn't provide.

We have tenuous legal agreements between nation-states (largely of the "we
choose to obey now because it's in our best interest" variety). And we have
legal systems that apply in a single country. But we really don't have an
ironclad anything in the ether (ha!) between those.

~~~
nickpsecurity
More than you think. One of the selling points for why some organizations,
especially financial or legal, advertise they are in specific countries is a
strong, consistent enforcement of specific things like banking integrity,
contract law, I.P. law, whatever. It's important enough to the business sector
that it's on the international ratings for what countries are best to do
business in. Also, Switzerland makes a killing in the financial sector using
this approach.

So, picking the best jurisdiction for something like this plus getting all
parties to agree to settle disputes according to its laws would be a positive
step for such organizations. Knocks out a whole category of risk. These
decentralized schemes often pretend they won't need lawyers but they exist in
the real world for good reasons. Best to know what they can or can't do in at
least all the common, criminal situations.

------
amasad
> There will be further bugs, and we will learn further lessons; there will not
> be a single magic technology that solves everything.

Interesting change of attitude! I was just watching a talk[1] from a couple of
years ago where Vitalik says "there are a substantial number of applications
where you can actually say yes 'I am 99.9 percent certain this is bug free'".
Amazing how much a few years of industry practice can humble a young software
engineer.

[1]:
[https://youtu.be/cahj4WJtp20?t=43m45s](https://youtu.be/cahj4WJtp20?t=43m45s)

~~~
Eliezer
True at NASA and in many other places that spend 100x as much per line of
code, albeit it's more like 95% surety.

~~~
amasad
They also spend a lot of time building robust systems that can recover from
errors (e.g. the famous story about the guidance computer on the Apollo 11
recovering from cycle stealing and overflows).

------
srtjstjsj
Ethereum/DAO would be much less of a tire fire embarrassment if the management
had taken some time to learn anything about the basics of contracts and law,
instead of making it up as they go and assuming the entirety of centuries of
civilization has no clue what they were doing.

~~~
benbou09
They were indeed very naive. In the history of law, there has always been a
divide between those who believe that the letter of law should be applied no
matter what, and those who believe that social justice should be ensured.
Whatever the terms of theDAO, there WILL be judges to find that what just
happened to it is theft. That is why instead of damaging trust in Ether by
forking it, the ethereum/DAO management should turn to the law to get its
money back.

Smart contracts are a very good thing, but they won't become perfectly safe
any time soon (if ever), so the community should recognize that civil and
criminal law are a safety net, likely to help smart contracts get wider use,
because they create increased trust.

~~~
bhouston
> Whatever the terms of theDAO, there WILL be judges to find that what just
> happened to it is theft.

I am not completely sure that if it went to court and was litigated fully it
would be found that theDAO smart contracts that were buggy could be rolled
back to what was "intended", as there was language that specifically denied
that form of reasoning. theDAO clearly fucked up, but that doesn't invalidate a
contract. The intent in the contract was actually clearly declared; the smart
contract was binding in its form. The smart contract's intent was its code.
Its code was buggy. Thus one will have to litigate in court whether intent
can be inferred from buggy code and whether a software bug can be ruled as
outside of intent. Rolling back transactions like that is really exceptional.

I think it is quite interesting. A lot of people in the stock market have lost
money because of software bugs, although everyone didn't agree beforehand that
that software was the intent. I think it could go either way with theDAO's
software contract if it was litigated.

That said you could possibly sue the implementers of the smart contract for
negligence to try to recover the loss, or those that advertised theDAO as a
viable investment vehicle for false advertising or misleading one about
safety; both of those are much more straightforward legal avenues.

------
crispyambulance
Help?

I have no idea WTF is going on here. I've tried to search around for a clue
but the more I read the more confusing it gets.

At first it seemed that Ethereum was a kind of cryptocurrency like bitcoin
(something that people could "mine" and exchange), then something about
"contracts" that don't require trust, then something about it being
effectively "a computer" that never stops, an investment system investing in
something no one ever actually names, some story about a hack that drains
ether out of the system.

And now this story which has words like... "Governmental",
"Rock-paper-scissors", "Casino", fees "stolen" because of constructor bug,
"ponzi".

Even forgetting all the confusing jargon, I can't come up with a mental model
that makes any sense at all. Is this just an elaborate puzzle game for
geniuses? Or are people making and losing real money with this? By "money" I
mean something that can be converted into actual US dollars right now and
stored in a bank.

~~~
nemild
A few quick answers:

- Ethereum is a contracting language combined with a crypto currency; to run
the contracting language requires miners to not only determine the solution to
a puzzle (as in Bitcoin), but also to run code written by contract writers in
a virtual machine[1]; the blockchain stores the results of these computations

There's a lot written on the DAO (just search HN), but a quick summary:

- A DAO is an autonomous organization that is self governing, with its
bylaws written into code - and often the potential to fork off if you disagreed
with the majority decisions

- "The DAO" which caused the recent blow up was the first public iteration of
this and was an investment fund meant to encourage apps on the blockchain, by
letting others fund it and then vote on proposals to receive money

- "The DAO" had substantial flaws in how it was written, tested, and released

- This was very successful by funding metrics, but that is based on a highly
speculative currency that had appreciated 30-40X in a few months (otherwise,
it might have just been a few million dollar experiment)

- The flaws were pretty egregious (e.g., naming two functions essentially the
same - and calling the wrong one, not putting in place proper mutexes) - and
many on HN who worked on any mission critical code (e.g., finance, embedded
systems) would be surprised at how quickly it was released without testing,
community discussion, or a thoughtful rollout plan

- Yes, people are losing money in two ways 1) in "The DAO" itself, if the
funds can't be recovered fully, 2) due to the price of Ethereum to
Dollars/Euros which people own and trade (which has fallen 50% since "The DAO"
issues, but that is still 10-15X up since late last year)

[1] Technically, Bitcoin miners also interpret contract code, but the language
is more complex and limited - with the most popular Bitcoin contract to simply
lock and unlock bitcoins

~~~
krisdol
DAO also has connotations in software architecture which makes this more
confusing. What does DAO stand for in this context?

~~~
nemild
Decentralized Autonomous Organization:
[https://en.wikipedia.org/wiki/Decentralized_autonomous_organization](https://en.wikipedia.org/wiki/Decentralized_autonomous_organization)

------
mablap
It's a complete aberration that the Ethereum Foundation is even considering
pushing a fork (hard or soft). There will be a fork, that is people leaving
"Ethereum" for its new shiny successor.

If you want the protection of a big brother, why not invest in the regular
stock market? Lots of neophytes trying to get rich quick are now crying for
help after realizing they made a mistake. It's really touching.

~~~
bhouston
Any time there is a bug in a smart contract, do we get roll back in Ethereum?
There will be more smart contract bugs or operations against intent. I think
this is going to become a joke.

Ethereum is not trustable if there is rollback when a contract didn't operate
as intended. Can you imagine the stock market operating this way?

BTW has bitcoin ever had a rollback in its existence?

~~~
mablap
Well if there is a bug in the Ethereum software itself, it would be different.
In the sense that miners could decide which branch they want. To be honest
they _could_ do this with the current proposed forks as well.

The huuuge problem I see here is that it is the Ethereum Foundation, and
Vitalik Buterin himself, who are proposing the fork as a remedy. They should
simply say "well duh, fire burns."

------
blastrat
IRL, contract law and courts take precedence over schemes like Ethereum and
the DAO, just like arrest warrants do, money laundering regs, etc. Whether
this is good or bad, it just is.

In real contract law, there are three elements of a contract.

1. a meeting of the minds: the parties must agree on what is being exchanged

2. an actual exchange, in both directions, it's called "consideration"

3. at least one of the parties must behave as if they are relying on the
contract, a party must "make a move" and begin to deliver on the contract.

There may be all sorts of guarantees written into contracts to enhance the
security of either of the two sides. So, these mathematical smart
contracts are completely OK under contract law; however, the smart contracts
_and the surrounding activity_ must still meet the requirements of a contract.

It is not "a meeting of the minds" for one side to drain the other side of
their total balances, and it violates "consideration" as well since nothing is
being exchanged for the extra money. So there is ample reason to claim that
these were not valid contracts and should be rolled back.

Cuz that's how contracts work, it's the only way they work.

~~~
droffel
> It is not "a meeting of the minds" for one side to drain the other side of
> their total balances, and it violates "consideration" as well since nothing
> is being exchanged for the extra money. So there is ample reason to claim
> that these were not valid contracts and should be rolled back.

I disagree. From the Explanation of Terms and Disclaimer[1] on the DAOhub
site:

"The terms of The DAO Creation are set forth in the smart contract code
existing on the Ethereum blockchain at
0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of
terms or in any other document or communication may modify or add any
additional obligations or guarantees beyond those set forth in The DAO’s code.
Any and all explanatory terms or descriptions are merely offered for
educational purposes and do not supercede or modify the express terms of The
DAO’s code set forth on the blockchain; to the extent you believe there to be
any conflict or discrepancy between the descriptions offered here and the
functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413,
The DAO’s code controls and sets forth all terms of The DAO Creation."

The Code is Law. All parties knew, and accepted this before 'investing'. The
contract performed exactly as designed.

[1] [https://daohub.org/explainer.html](https://daohub.org/explainer.html)

~~~
blastrat
| _I disagree._

Excellent! and I disagree with you, so we disagree. Where does that leave us?
Simply as two proponents of free speech... unless... unless we have a smart
contract between us, one under which you just drained my Ethereum account of
ether. Beyond being a proponent of free speech, that gives me "standing" to
become a "litigant", a "plaintiff" against you as "defendant". You would get
to tell your side to the judge, just like me.

Here are some exaggerated hypothetical examples where you will agree with me;
then hopefully you can see how a judge would look at the present situation
with the DAO:

If, buried in TheCodeThatIsLaw that AllPartiesKnewAndAccepted, there is
encoded an agreement to deliver narcotics to children, or sell children into
slavery, or to provide funding to a terror training cell for children, then it
wouldn't matter what TheCodeThatIsLaw says, a court would declare it invalid,
NotAContract, NotBinding. Even if we encoded it in language that says "this is
the funding part, being non-specific about the activities". That's simply how
it works. Period. And you can't write a binding contract to give money away,
there's no consideration.

TheCodeThatPurportsToBeLaw must meet standards of its own in order to provide
additional binding law, the standards I outlined above, a meeting of the
minds, consideration, and reliance. So when it comes to challenging the
results of TheCodeThatPurportsToBeLaw, courts will look inside, and they will
look for AMeetingOfTheMinds, and they will look at what actually happened, how
people behaved, and the court will decide if TheCodeThatPurportsToBeLaw
fulfills the requirements that all contracts must fulfill in order to be
binding.

My point is not that these contracts are invalid; my point is that these
contracts are not free from interpretation by courts, and they are not free
from meeting the standards of contracts _as seen and interpreted by the
courts_ , and not _as seen by one party to the agreement who got what they
wanted_.

And, by the way, contracts can't contain ponzis. No matter how many
signatures, lawyers, notaries, and PhDs in economics are involved in forging
the agreement, TheCodeThatIsLaw is not the law if the code contains a ponzi.
That's how the law works. I'm talking about US law (we are talking .com here)
but other countries of laws use similar methods of determination.

------
xg15
IANAL, but I think what might turn out most problematic for TheDAO in the end
is not the soft fork/hard fork proposal or even the loss of trust, but their -
often quoted - own terms of service[1]:

> _The terms of The DAO Creation are set forth in the smart contract code
> existing on the Ethereum blockchain at
> 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of
> terms or in any other document or communication may modify or add any
> additional obligations or guarantees beyond those set forth in The DAO’s
> code._

That document is the single link that connects the Ethereum toy world with the
world of real, legally enforceable contracts. If any court actually takes that
clause seriously and treats the DAO code as legally binding terms of service,
I think that could have two consequences:

1) Intent: The terms written on the website don't say anything about
crowdfunding, voting processes or the supposed purpose of the DAO. They do
however say very clearly "the code is the law" and even point out that this
will cause risks for the investors, should the code contain bugs.

That writing IMO makes the current argument that the attacker violated the
"intent" of the contract very hard to argue.

2) Contract amendments: As far as I know (as a layman), legal contracts may
only be changed if all affected parties agree to the change. Therefore, if the
DAO code should be treated as a legal contract, you could interpret the soft
fork as an amendment - even though not all of the DAO token holders were asked
for agreement. In the most extreme case, the attacker could sue and demand
that his "theft" is cashed out, even if the soft/hard fork proposal is
accepted.

[1] [https://daohub.org/explainer.html](https://daohub.org/explainer.html)

~~~
jackgavigan
_> ..you could interpret the soft fork as an amendment - even though not all
of the DAO token holders were asked for agreement._

DAO token holders can express their agreement or disagreement by choosing
which fork they want to attach to.

------
will_brown
If the intent of the DAO was to create a decentralized system that people
could buy into so that they can vote/participate in investment opportunities
presented by other members, then the big question I have is why was the system
implemented in such a way as to hold all investment funds up front?

Wouldn't a more secure implementation have allowed members to buy in for a
nominal fee and keep their investment funds outside of the DAO until they
voted/participated in a specific contract/investment opportunity?

~~~
nemild
It's a bit of a chicken and egg, where you don't know how much to request from
the DAO, if it isn't funded. It's hard to have people softly commit (unless it
is a guaranteed commitment), as they could always renege on their promise when
it came time to provide money. Also, the vision seemed to be to create many VC
funds to consider projects, which required an aggregation of capital.

An alternate way is having each investment opportunity publicize it, but that
is a marketing challenge for each project, and may not raise the requisite
amount (there may also be greater legal risks to soliciting capital from
retail investors directly).

There are a lot of issues with the DAO (long before the hack), so I don't mean
that as a justification for launching the current DAO, but rather a potential
reasoning for that one aspect. (The bigger question is why didn't they do many
proofs of concept + then restrict the amount of money collected with the first
production version).

------
Eliezer
The next generation of geniuses is growing up understanding why Friendly AI is
hard. That's actually pretty damned encouraging.

------
panic
_Formal verification can be layered on top. One simple use case is as a way of
proving termination, greatly mitigating gas-related issues. Another use case
is proving specific properties – for example, “if all participants collude,
they can get their money out in all cases”, or “if you send your tokens A to
this contract, you are guaranteed to either get the amount of token B that you
want or be able to fully refund yourself”. Or “this contract fits into a
restricted subset of Solidity that makes re-entrancy, gas issues and call
stack issues impossible”._

Why not restrict the entire language instead of trying to verify that a
program fits into a safe subset? What practical uses are there for general
recursion and unbounded gas usage in the context of smart contracts (not to
mention multiple inheritance, inline bytecode assembly, and the many other
complex features of Solidity)?

~~~
pron
Because:

1. It's very hard to create a language that is both restrictive yet useful
enough, without it being just as hard to verify (e.g. total-functional
languages are not nearly restrictive enough to make some global properties
easily provable; the only languages that make this somewhat feasible are
finite state machines, and their expressiveness is questionable).

2. Even if that were somehow possible, it wouldn't solve the real problem,
which is defining the right safety properties. However you verify safety, the
hard problem remains what safety means.

~~~
db3d
1. Starting from a declarative language (think XML), you might not be as
expressive, but you would still have a lot of value and mitigate a lot of the
potential problems.

2. Safety properties that fall back on current law could be added in case of
dispute.

This scenario would still have great value as a smart contract.

~~~
pron
1. XML is just a notation, and being declarative is not in itself a guarantee
of easy verification: Prolog is declarative and yet Turing complete (though
it's important to note that you don't need to be Turing complete to be hard to
verify!). So while declarative is an excellent idea, it doesn't help with the
problem of deciding what exactly the language can do to be both useful and
relatively easily verifiable.

2. Absolutely, but I think the whole motivation behind projects like Ethereum
is to replace the law with algorithms. I think that any computer scientist
with a basic understanding of complexity would see why this is impossible, but
the idea persists. Eventually, someone who's less ideologically pure would
find a way to reconcile the utility of cryptocurrencies with the necessity for
human law.

------
empath75
The fact that people are making Ponzi schemes and _calling them Ponzi schemes_
tells you everything you need to know about the gullibility of the
cryptocurrency community.

~~~
viraptor
If you know you're giving money to a ponzi scheme and see all the rules of it,
is it really a ponzi scheme/gullibility? It sounds just as interesting as
betting on sports / stock market / ...

People still play roulette or blackjack, even though they know they're
guaranteed to lose in the long run / on average.

~~~
the_mitsuhiko
A ponzi scheme that calls itself a ponzi scheme is still illegal.

~~~
j15t
In which jurisdiction?

------
ktRolster
The problem of codifying reality with words and rules is an old one, as old as
the law, and no one has come up with a good solution yet. The edge cases seem
to be infinite.

------
danbruc
Ethereum already seems to be kind of a complex system and all the suggestions
in the article sound awfully like trying to put a few layers of patches over
the known weak spots. Especially attempts to prove properties of contracts
will likely soon make contact with Rice's theorem [1] or require giving up a
lot of the expressibility of the used language. The article also points out
that there are unsolved hard problems at the very foundation of smart
contracts but then kind of ignores that. To me it seems that what is really
needed is thinking again about the core ideas, not patching some code issues.

[1]
[https://en.wikipedia.org/wiki/Rice%27s_theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem)

------
tdaltonc
I can't help but think about the way that Nick Bostrom outlines the AI control
problem when I read "differences between implementation and intent." Maybe
smart contracts (and automated mediation) is a good place to start cutting our
teeth on how to specify machine motivation.

------
nickpsecurity
He's still calling the DAO risk "theoretical" after all that's happened? A
situation that rarely if ever happens to the legal instruments and methods
Ethereum intends to replace. One that has them considering forks. One that has
investors wondering if they'll lose it all. That... "theoretical"... risk.

Specific vulnerabilities aside, I think any reader should stop trusting the
judgment or effectiveness of Ethereum-backed projects at this point. Probably
better doing the DAO as a well-managed, centralized non-profit to test a
crowdfunding scheme while Ethereum continues baby steps toward a distributed
scheme that works.

~~~
dredmorbius
Quite the clown act, innit?

I'm rigorously trying to assess whether my complete inability to find any
there there in blockchain-based applications (Bitcoin, Smart Contracts) is a
bug on my part or feature.

I'm leaning strongly to feature.

------
compil3r
The fundamental problem is that Vitalik (and rest of eth devs) knows the
answer, but can't face it. If a tx gets revoked, ethereum turns into nothing
more than a private-chain/bank-chain. What about the crypto-law, state
revolution everyone in that crew has promised the users :(

------
fabrizioc1
What I think might be useful is something like the Rust borrow checker but it
would be a currency ownership checker which would check for currency ownership
at compile time.

~~~
viraptor
That doesn't really apply here. The code and runtime are correct as in: no
coins were generated or disappeared, nobody directly reassigned coins, etc.
This was simply a logic error - the code followed the legal/known path all the
time. Rust can be great for many things, but it can't tell you "this code does
not do what you think you wanted".

------
kordless
> If, in a given case, implementation and intent are the same thing, then any
> instance of “theft” is in fact a donation, and any instance of “loss” is
> voluntary money-burning, economically equivalent to a proportional donation
> to the ETH token holder community by means of deflation.

Don't forget about contributions to the aesthetic as well. Some of the things
that are occurring with these technologies will be literally mind blowing.

------
ianai
Is there one, solid as in time tested example of a smart contract working?
Sorry in advance for my total naivete

~~~
vessenes
Any spend to a Bitcoin address. It's a small program that other computers can
execute and validate the results of.

------
tdaltonc
> There have been many solutions proposed to smart contract safety, ranging
> from better development environments to better programming languages to
> formal verification and symbolic execution . . .

Why is 'human arbitration as a last resort' not on this list?

~~~
kahnpro
I thought one of the goals was for the currency to be outside the influence of
humans. Unless this arbitration is somehow built into the network and depends
on the majority. Which still isn't a great solution.

~~~
tdaltonc
A lot of projects have ambitions that they can't accomplish on day 1. It would
be a safety net. If everything goes right, then it won't get used.

------
StreamBright
One funny comment about the subject:
[https://twitter.com/thegrugq/status/744421708371623937](https://twitter.com/thegrugq/status/744421708371623937)

------
chmars
1/2 OT: How do you pronounce DAO? As a word like Dao or as an abbreviation
like D A O?

