
Bloomberg – Blockchain Company's Smart Contracts Were Dumb - julian_1
http://www.bloomberg.com/view/articles/2016-06-17/blockchain-company-s-smart-contracts-were-dumb
======
lpage
A lot of this is predicated on the practicality of writing contracts in
conventional code, so let's talk about the state of writing "bug free
systems," and the cost. In some cases, there are options that come pretty
close. All have huge trade-offs and drawbacks.

Model checkers work. You can, with effort, prove programs correct. This works
very well for small programs but grows exponentially more complex in the
number of branches and variable constraints. Even if you had the computational
power you'll quickly hit an inflection point where you're as likely to have a
bug in your proof as you are in the underlying code.

Life-critical systems style code review works. NASA is very good at writing
bug-free C code via a style guide that subsets the language, static
analysis/formal methods, and a review process that makes waterfall look agile.

Voting works. In aerospace, code that's responsible for controlling actuators
and surfaces is often implemented in three different ways, driving three
different actuators. If one implementation returns a different result,
majority wins. Same principle for other applications - the output need not be
an actuation.

The biggest problem isn't that bug-free systems are a pipe dream - it's that
making one is very expensive, and the cost grows massively as your tolerance
for error decreases. This is a community that wants to drive adoption, and
that means competing with the status quo. If one of your selling points is
that you're saving the cost and complexity of dispute resolution and human
constructs, you've gotta factor in the cost of writing bug free contracts in
the first place.
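
The majority-vote scheme described above, as an added illustration that is not part of the original comment: three independently written versions of the same rule (here a constructed pro-rata payout split, not aerospace code) are run and a voter picks the majority answer, reports the dissenting version, and refuses to choose when no majority exists. The names `split_a`, `split_b`, `split_c` and `vote` are assumptions for this example; `split_c` carries a deliberate rounding bug so the voter has something to mask.

```python
from collections import Counter
from typing import Callable, Sequence

# Constructed example: three independent implementations of one rule,
# "split `total` pro rata by `shares`, remainder goes to the largest share".

def split_a(total: int, shares: Sequence[int]) -> list[int]:
    """Version A: floor each share, hand the leftover to the largest one."""
    s = sum(shares)
    out = [total * w // s for w in shares]
    out[max(range(len(shares)), key=shares.__getitem__)] += total - sum(out)
    return out

def split_b(total: int, shares: Sequence[int]) -> list[int]:
    """Version B: same rule, different code path (divmod and a running remainder)."""
    s = sum(shares)
    out, rem = [], total
    for w in shares:
        q, _ = divmod(total * w, s)
        out.append(q)
        rem -= q
    out[shares.index(max(shares))] += rem
    return out

def split_c(total: int, shares: Sequence[int]) -> list[int]:
    """Version C with a deliberate bug: round() instead of floor and no top-up,
    so the payouts can fail to sum to `total`."""
    s = sum(shares)
    return [round(total * w / s) for w in shares]

Impl = Callable[[int, Sequence[int]], list[int]]

def vote(total: int, shares: Sequence[int],
         impls: Sequence[Impl] = (split_a, split_b, split_c)):
    """Run every version and return (majority_result, dissenting_version_names).
    majority_result is None when no strict majority agrees: the safe choice is
    to refuse rather than pick one version arbitrarily."""
    results = [tuple(f(total, shares)) for f in impls]
    winner, count = Counter(results).most_common(1)[0]
    if count * 2 <= len(impls):
        return None, [f.__name__ for f in impls]
    dissenters = [f.__name__ for f, r in zip(impls, results) if r != winner]
    return list(winner), dissenters

if __name__ == "__main__":
    print(vote(100, [1, 1, 1]))   # C is outvoted: ([34, 33, 33], ['split_c'])
    print(vote(100, [2, 3, 5]))   # all three agree: ([20, 30, 50], [])
```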

~~~
zenogais
You're also talking about systems 20,000x larger than what The DAO contract
was [1]. The total DAO contract is roughly 2,000 LOC by my estimate [2].

IMO it probably won't be overly onerous to develop reliable contracts of this
size using many of these techniques. It's just so few people have the
discipline to delay implementation for design and planning at the level
required when it needs to be bug free. Most software developers have no
training in how to even begin designing and developing using these techniques.

[1]: Shuttle's primary flight software contains 400,000 LOC
[http://www.nasa.gov/mission_pages/shuttle/flyout/flyfeature_...](http://www.nasa.gov/mission_pages/shuttle/flyout/flyfeature_shuttlecomputers.html)

[2]: [https://github.com/slockit/DAO](https://github.com/slockit/DAO)

~~~
egd
> You're also talking about systems 20,000x larger than what The DAO contract
> was [1].

It sounds like the contract was underspecified.

In my experience, the basic core logic of a system's usually a pretty small
part of the overall codebase - the edge cases and error handling tend to be
the bulk of the code.

This tends to be the case in legal contracts, too - 100 pages of boilerplate
to make sure the two pages of contract are air-tight.

------
joosters
Writing perfect, bug-free code is merely the first hurdle when designing a
smart contract. You also need the code to cover all possible situations
correctly. It's here that smart contracts run into the mess we call the 'real
world', and there's no proof of correctness that covers that. Smart contract
creators need to be perfect programmers, but must also take their programming
blinkers off and consider actual usage too.

For example, a few weeks ago, there was a news story about an ethereum
prenuptial agreement:
[http://www.coindesk.com/prenup-ethereum-marriage-obligations...](http://www.coindesk.com/prenup-ethereum-marriage-obligations/)
:
[https://drive.google.com/file/d/0B1MEGeLr7lWiNEE2U2lGdGFvSm8...](https://drive.google.com/file/d/0B1MEGeLr7lWiNEE2U2lGdGFvSm8/view)

Ok, obviously a dumb idea, and not serious (I hope?) But take just one of the
contract terms: ' _It is stipulated that both the parties should spend at
least 100 minutes every 10 days on a date-night_ '

As someone in r/buttcoin wrote at the time: "In the last ten days, User 1
spent 5 nights at home, 1 night in a wrecked car and 4 nights in Lakeville
Hospital. Date night clause has been broken. Marriage terminated."

My point is that coding is the least of the problems with a smart contract.
There needs to be a way to handle unexpected circumstances. In the real world,
courts do that. In smart contracts, you're out of luck.

------
bunkydoo
You really can never say "in code we trust" entirely, because we say the same
thing about our state-of-the-art encryption today that the Nazis said about
Enigma in WW2: "It would take more than every human lifetime combined to crack
this code!" But then the next paradigm of computing sets in, and you have a
Turing machine built, or a quantum brute-force attack becomes possible on RSA
4096, rendering it as useless as the Enigma code. The fact of the matter is you
can't declare a system that cannot update its own software "autonomous" -
someone will attack.

------
JoshTriplett
> Instead, Libya's arguments take the form of: We didn't really mean what
> those contracts said. We didn't understand them.

[...]

> What JPMorgan did was explicitly allowed by the rules, but that doesn't mean
> that it was allowed.

This seems like both the biggest feature and the biggest bug of our legal
system. On the one hand, the court system exists to adjudicate cases that
aren't clear-cut, and often establish precedent in the process. On the other
hand, that makes it extremely difficult to construct a system where all the
rules _are_ clear cut and have "let the buyer beware" all over them, and not
have someone "cheat" and ask the court system to reverse a result that didn't
go in their favor. Heads I win, tails the court system might say I win anyway.

If you want a contract where the "spirit of the law" prevails, write it that
way. For example, the electricity regulations mentioned in the article could
have been written to say "if you find way to arbitrage this and produce
infinite money, you're wrong; this is governed by the spirit of the law as
interpreted by $governing_body".

But there _should_ be a way to write a "letter of the law" agreement, too,
where people can actually rely on the rules. There should exist a sufficiently
strong disclaimer that anyone agreeing to it will get summarily rejected from
a court saying "you should have known better". There should exist agreements
where someone giving their word is ironclad and irreversible.

You can build systems that incorporate human judgment and reversibility on top
of such an ironclad rule-based system. But the reverse isn't true: you can't
build an ironclad system on top of a system where anyone can cheat by saying
"no fair, I lost my money and I didn't really _mean_ it" to a court.

Sometimes, people find it comforting to have a "soft" system backing them up
that will look at the human factors involved; for some systems, I do too. But
in some cases, you want the comfort of knowing that you can rely on the rules
as stated and not someone saying "actually, now that I've lost money I don't
like the rules anymore, give me my money back".

~~~
mikeash
What would be the use case for "letter of the law" agreements, and how do you
avoid massive problems due to buggy contracts as we're seeing?

~~~
TheOtherHobbes
You don't. There are two _conflicting and irreconcilable_ centres of gravity
in law - justice/fairness, and the exploitation of power asymmetries for
profit.

Which is why it's literally not possible to reduce a contract to code, and it
never will be.

Even if you could produce perfect bug-free code at reasonable cost - a fantasy
in itself - you still have to contend with the irreconcilable motivations of
the parties to the contract, and the fact that contracts are used to hide
motivations as often as they are to reveal them.

It's perfectly possible - common, even - that the motivations are conflicting,
irreconcilable, and ambiguous, to the extent that the true _practical_ meaning
of a contract can only be defined by an external higher legal and political
authority.

Or by one party rolling over. Because making that more likely is what many
lawyers get paid for. (And what some of them live for.)

~~~
JoshTriplett
> There are two conflicting and irreconcilable centres of gravity in law -
> justice/fairness, and the exploitation of power asymmetries for profit.

I don't think that's a reasonable dichotomy. "Letter of the law" isn't
exclusively useful for people looking to exploit power asymmetries or create
unfairness. It's also useful for smaller entities to protect themselves from
threats that larger ones have enough insulation to just weather and survive.

------
danharaj
I want to understand the mindset and ideologies of people who think DAO is a
good idea. Holding this belief is correlated with a lot of other ideas, in
particular strands of right-libertarian thought and a heavy emphasis on
technology and technocracy (i.e. government by technical expertise).

Beneath that though, I think there's an undercurrent of something that feels
like misanthropy: a strong desire to replace political human beings
interacting in order to resolve conflicting interest, reconcile conflicting
experiences and pursue common interest with purely economic agents that
interact with each other through free (read: mechanistic) markets and
algorithmic contracts.

It feels like there is an unspoken need to be able to tell every human being
who has a problem "too bad", and a need for a societal structure that is
maximally ""rational"" and unassailable by human political action.

Obviously this would be a strawman if I said any particular person or group
specifically held these beliefs. It's an amalgamate of various ideas I've seen
pop up in the same places at the same time. Call me a skeptic of any thought
that leans in this direction.

~~~
easong
While the cryptocurrency conversation online is dominated by
right-libertarians, I think you'll find that a lot of hard/radical leftwing
direct-action types are _very_ much obsessed with cryptocurrency and structures
like the DAO. I personally don't look at the cryptocurrency scene/DAO with
anything more than bemusement, but I think that community is often presented in
a very unpleasant light (look at the weird nerds!).

A more charitable stereotype might be that cryptocurrencies and automated
contracts appeal to anyone who thinks that they can design (through their
technical expertise) a better world than the current political elites. I'm not
saying that they're right or that their line of thought hasn't been
historically responsible for atrocities, but I don't think it's fair to paint
them as sociopaths.

~~~
danharaj
Certainly didn't mean to imply that you have to be a sociopath to like
cryptocurrency! That would be unfair and ridiculous. I think it's more like an
allergy to what one considers politics.

The benefits of cryptocurrency I've seen argued for in left libertarian
circles don't propose some narrative where it supplants the current structures
of government. I think a lot of leftists would reason (certainly, I reason
this way) that cryptocurrency's much touted benefits are in conflict with
capitalism and could not support capitalism at all. This is at odds with the
right libertarian ambitions for the technology: right libertarians love
capitalism and the crypto enthusiasts on that side of the spectrum think it
would be great for capitalism! It's a fundamental disagreement. I've heard
about bitcoin being used to great effect by left wing insurgencies like
Rojava. It is useful in its current form as a subversive means of transmitting
resources.

I'm not familiar with the left wing arguments for cryptocurrency as a
transformative tool for structuring new societies. It sounds like technocracy
and vanguardism and, well, we know how that's played out.

------
sneak
"Do what I say, not what you think I mean. No takebacks, because crypto. Oh,
shit, wait, actually, do what you think I mean. No, really."

------
abalone
This has been marked a dupe. Where is the duplicate?

------
wyager
> Just because rules are dumb and you are smart, that doesn't always mean that
> you get to take advantage of them.

Then the rules are a sham. They are meaningless. If the "rules" in a contract
are just vague suggestions, then the contract is basically useless.

~~~
tptacek
No, it doesn't. It simply means that the rules in the contract are not _the
only rules_ that govern the agreement.

~~~
wyager
If that were the only problem, we could rectify it by explicitly enumerating
those rules in the contract. However, it unquestionably lowers the utility of
contracts if they are forced to have certain terms (explicit or implicit)
included.

~~~
tptacek
Indeed, it does unquestionably lower the utility of contracts that each
individual contract does not have the ability to create for itself its own
entire public policy and jurisprudence. We've generally decided contracts
shouldn't have that much utility.

------
curiousgal
> By definition! If the code could be hacked, the code allowed for the hack

wat? Can't people just realise it was a loophole and hence unacceptable?

~~~
SamBam
Loopholes are generally legal, by definition.

~~~
curiousgal
A single instance, yes, but we're talking about a platform. It's closer to a
bug than a feature.

