
Thoughts on the DAO Hack - kushti
http://hackingdistributed.com/2016/06/17/thoughts-on-the-dao-hack/
======
mtgx
> _I believe that Ethereum overall will emerge from this in a few weeks,
> having been made much stronger as a result. It will have a newfound
> direction and charter that involves a slight pivot, away from "let's get
> DApps at all costs, let's make front-end programmers into smart contract
> writers," towards "let's build up the science of secure, smart contracts."_

You know how they always say "if only we knew then what we know now about
Internet security, then we would've definitely made the Internet secure by
default in the 90's!"

Except, even if they did know, they probably wouldn't have gone that path.
There's always a strong incentive towards making stuff "easy to use", and the
more secure you want to make it as well, the more work you have to put into
it, to a point where the developers may think that it has "enough" security
and they shouldn't waste too much funds on making it more secure (even though
it's not really enough).

The "advantage" something like Ethereum has now compared to the Internet in
the 90's, is that thousands of sophisticated attackers could try to hack it
from day one, thus showing Ethereum developers how naive they are early on.

This is good news, because we'd rather have something like this happen early
on, than 10-20 years from now after all of the world's banks and governments
adopt it, and instead of a $40 million heist, we have a $4 trillion one.

------
mangeletti
Honestly, at this point, I somewhat agree with the notion that we should just
be refunded our ETH.

I'd be happy to try something like this again, but I think the current
iteration clearly needs work and should be dissolved / refunded so that we can
make that choice at a later date.

~~~
street
What? It was clear from the very beginning to anyone who actually looked into
what the DAO was and how it worked, except those wanting to strike it rich
believing the crypto hype.

You're saying you trusted it, got burned, and are already looking forward to
the next one?

The DAO was described as "the code of the contract is the absolute truth, any
other description is just a guideline", which was hailed as a new miracle by
the investors, and now that it doesn't mean mountains of gold the founding
principles are suddenly not important anymore?

The "hacker" simply used the DAO as it was meant to be used (i.e. according to
the smart contract code), and deserves the funds. If there is a hard fork, I
hope he sues slock.it for controlling the DAO, and stealing the funds he is
owed according to their own terms ("The contract is king").

~~~
mangeletti
> ...as it was meant to be used...

Actually, a bug was exploited.

By that reasoning, I should be allowed to legally contact Amazon customer
service and socially engineer access to others' accounts, then place orders to
be shipped to myself. If the customers call and cancel the orders as
fraudulent, I should be awarded damages in a lawsuit against them.

It's also worth noting that, if you're a person that doesn't have any monetary
interest in The DAO, you don't have any right to vote for anything, meaning
you're no different than somebody standing near a poker table spouting out
your philosophies about where others should put their money (aka in the
industry as a railbird).

~~~
street
No, the DAO believers explicitly decided "f* the government, in code we
trust" and wrote in their contract that whatever the DAO did, according to
its code, was right.

You don't have such an agreement with Amazon.

Regarding your edit: I don't want to vote for anything. I'm simply pointing
out that there is a (real-life!) agreement, and a party (slock.it et al.) not
holding themselves to that agreement, and that I'd enjoy seeing that played
out in court, where it belongs.

~~~
mangeletti
> "f* the government, in code we trust"

I never decided that.

The idea of distributed investments and unstoppable tools that are distributed
isn't about "f* the government" or anarchism; it's about not letting
anyone other than a consensus of ourselves manipulate us.

> I'm simply pointing out that there is a contract, and a party not holding
> themselves to that contract, and that I'd enjoy seeing that played out in
> court, where it belongs.

The point is, if we disagree, what can _you_ do, if you don't have any
interest or control over this (hint: nothing)?

~~~
street
You didn't invest in a "distributed investment and unstoppable tool that is
distributed", you invested in a partnership with the DAO code explicitly
stated as the (potentially legally binding) operating document. If you didn't
share the values and conditions in that contract, you probably shouldn't have
joined the DAO/partnership.

Regarding your last paragraph: I'm not sure why you're attacking me personally
here.

~~~
mangeletti
I do share the values of The DAO, which is why I'm happy that things are being
handled exactly how I would have wanted them to. I'm not sure where the
confusion is arising from. I'm talking about next steps.

> I'm not sure why you're attacking me personally here.

Are you sure you're replying to the right person?

------
DennisP
> A good language for maintaining state machines would provide features for
> upgrading the security of a live contract.

This actually exists, if you code for it. You can make your contract call out
to functions in other contracts, and repoint if you need to upgrade.

But that means your users have to trust you not to abuse the power, so it's a
tradeoff.
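
An added example (not from this thread or from any project it mentions) of the pattern the comment describes: the contract users interact with keeps its own state and calls out to a separate rules contract through a stored address that the owner can repoint. The names IRules and UpgradablePointer and the two-day notice period are assumptions; the notice period goes beyond the comment and is one way to soften the trust tradeoff it names, since a repoint becomes visible before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface of the contract that holds the upgradable logic.
interface IRules {
    function maxWithdrawal(address who, uint256 balance) external view returns (uint256);
}

// The contract users talk to. State lives here; one policy decision is
// delegated to whatever contract `rules` currently points at.
contract UpgradablePointer {
    address public owner;
    IRules public rules;               // live implementation
    address public pendingRules;       // proposed replacement, if any
    uint256 public pendingSince;       // timestamp of the proposal
    uint256 public constant UPGRADE_DELAY = 2 days;  // assumed notice period
    mapping(address => uint256) public balances;
    event UpgradeProposed(address indexed newRules, uint256 effectiveAt);
    event UpgradeApplied(address indexed newRules);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IRules initialRules) { owner = msg.sender; rules = initialRules; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        require(amount <= bal, "insufficient");
        require(amount <= rules.maxWithdrawal(msg.sender, bal), "over limit");
        balances[msg.sender] = bal - amount;   // update state before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Repoint step 1: announce the new rules contract so users can inspect it.
    function proposeUpgrade(address newRules) external onlyOwner {
        require(newRules.code.length > 0, "not a contract");
        pendingRules = newRules;
        pendingSince = block.timestamp;
        emit UpgradeProposed(newRules, block.timestamp + UPGRADE_DELAY);
    }

    // Repoint step 2: the switch only takes effect after the notice period.
    function applyUpgrade() external onlyOwner {
        require(pendingRules != address(0), "nothing pending");
        require(block.timestamp >= pendingSince + UPGRADE_DELAY, "delay not elapsed");
        rules = IRules(pendingRules);
        emit UpgradeApplied(pendingRules);
        pendingRules = address(0);
    }
}
```

The owner can still point `rules` at any contract once the delay has passed, which is exactly the trust the comment says users must extend; the delay only guarantees they can see it coming.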

------
lostmsu
Give them a chance to recover funds. Maybe they'll come back.

~~~
dogma1138
These notions sound eerily like what gamblers would say.

