Critical Update on DAO Vulnerability (ethereum.org)
550 points by tasti on June 17, 2016 | 601 comments



This is what concerns me about contract programming. With human contract law, if there's a minor typo or loophole, participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent. But with software contracts, only the characters matter and there's no intent anywhere: either you get paid or you don't.

ETH is advising, "Contract authors should ... be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community," which indicates there's some subtle behaviors to be aware of and secure contracts are apparently not easy to write.

Lest you think, "we'll just be careful, review and QA it", consider the bug[1] in the "Programming Pearls" binary search. Bentley was clearly an expert who had proven the algorithm correct and the algorithm had 20 years of careful study by thousands of professionals. Yet it had a simple overflow.

How do _you_ know your contract is secure?

1. https://research.googleblog.com/2006/06/extra-extra-read-all...
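The "recursive call bug" the advisory warns about, as an added example that is not part of this thread or of the DAO's code: a toy ledger in Python models the pattern in which a contract hands control to the recipient of a payment before it has updated its own bookkeeping. The two withdraw functions differ only in the order of the balance update relative to the outgoing transfer (plus a mutual-exclusion guard on the hardened one); the participant names, amounts and the re-entry depth are constructed for the scenario.

```python
"""Simulation of a re-entrant ("recursive call") withdrawal, written for this
discussion. It is not Ethereum or DAO code: a Ledger holds balances and "sends"
value by invoking a callback on the recipient, the way an EVM transfer hands
control to the recipient's code before the caller resumes."""
from __future__ import annotations
from typing import Callable

# A recipient hook receives (ledger, amount) when value is sent to it.
Recipient = Callable[["Ledger", int], None]


class Ledger:
    def __init__(self) -> None:
        self.pot = 0                            # value physically held by the contract
        self.balances: dict[str, int] = {}      # claim each participant is owed
        self.callbacks: dict[str, Recipient] = {}
        self.locked = False                     # state for the re-entrancy guard

    def deposit(self, who: str, amount: int, on_receive: Recipient) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pot += amount
        self.callbacks[who] = on_receive

    def _send(self, who: str, amount: int) -> None:
        # Control passes to the recipient here; it may call back into us.
        self.pot -= amount
        self.callbacks[who](self, amount)

    def withdraw_vulnerable(self, who: str) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self._send(who, amount)      # interaction first ...
        self.balances[who] = 0       # ... effect afterwards: a nested call still sees the old claim

    def withdraw_hardened(self, who: str) -> None:
        if self.locked:
            raise RuntimeError("re-entrant call rejected")   # guard: one withdrawal at a time
        self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            self.balances[who] = 0   # effect first (checks-effects-interactions order) ...
            self._send(who, amount)  # ... then the external interaction
        finally:
            self.locked = False


def run_scenario(use_hardened: bool, reenter_depth: int = 3) -> dict:
    """Constructed scenario: two ordinary depositors and one whose receive hook
    calls withdraw again up to `reenter_depth` times. Returns what that
    participant received and whether the pot still covers the honest claims."""
    ledger = Ledger()
    ledger.deposit("alice", 600, lambda l, a: None)   # constructed amounts
    ledger.deposit("bob", 400, lambda l, a: None)
    withdraw = ledger.withdraw_hardened if use_hardened else ledger.withdraw_vulnerable
    received = {"total": 0, "depth": 0}

    def reentering(l: Ledger, amount: int) -> None:
        received["total"] += amount
        if received["depth"] < reenter_depth:
            received["depth"] += 1
            try:
                withdraw("reentrant")
            except RuntimeError:
                pass   # the guard rejected the nested call; the outer transfer still completes

    ledger.deposit("reentrant", 100, reentering)
    withdraw("reentrant")
    honest_claims = ledger.balances["alice"] + ledger.balances["bob"]
    return {
        "received": received["total"],
        "pot": ledger.pot,
        "honest_claims": honest_claims,
        "solvent": ledger.pot >= honest_claims,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(use_hardened=False))
    print("hardened:  ", run_scenario(use_hardened=True))
```

With the vulnerable ordering the 100-unit claim is paid out four times (the first transfer plus three nested ones), leaving the pot short of what the other depositors are owed; with the effect recorded before the transfer, the nested call finds nothing to pay, and the guard turns any further attempt into a hard failure that shows up in logs rather than a silent drain.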


Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code.

But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

So what now are the benefits of Ethereum smart contracts over the traditional legal system?

The way I see it, at least with traditional contracts you have the benefit of a trained and experienced judge making the call in case of a serious problem.


Agreed. If this soft and hard fork idea really goes through, it seems that now you are in fact getting the worst of both worlds: For your contract, you have to write code that apparently is very hard to get right and bug-free[1], while at the same time you are at the whim of a "community" -- whose decisions (sorry, "suggestions") can apparently be announced by one guy in a blog post -- not to deem what you are doing an "attack".

PS: Also a second thought: Given that the "attacker" used apparently existing functionality of the DAO and that the DAO site clearly states "[n]othing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code", I am wondering: If this (as measured by the DAO code: rightfully obtained) ether is now taken from him/her, might this not be an opportunity to sue the developers implementing this fork in a real-world court?

[1]: http://hackingdistributed.com/2016/06/16/scanning-live-ether...


I think this comment on the original blog post says it very well:

"To be clear, if this happened due to an exploit in the software, then I can accept a hard fork fixing the issue. However, if the DAO team made a mistake in the way they designed their smart contract, as an issue of principle, they should not be "bailed out" by the Ethereum team because they are "too big to fail." Hard lessons like these teach the cryptocurrency community at large to do their homework and to be excessively (and obsessively) diligent with their security."

I agree with this.


Do you own ethereum that will undoubtedly fall in value if the attacker is allowed to start dumping their earnings? It's in the network at large's interest to fork, so that is what will happen.


"Do you own ethereum that will undoubtedly fall in value if the attacker is allowed to start dumping their earnings?"

No, I do not own any ethereum and have had only a casual interest in the entire project. My own investments have been in "Oh By Codes"[1] most recently :)

[1] https://0x.co


> Agreed. If this soft and hard fork idea really goes through, it seems that now you are in fact getting the worst of both worlds: For your contract, you have to write code that apparently is very hard to get right and bug-free[1], while at the same time you are at the whim of a "community" -- whose decisions (sorry, "suggestions") can apparently be announced by one guy in a blog post -- not to deem what you are doing an "attack".

That's not really fair. His decree does not make it so. It still must be accepted by a majority of the miners, and this is and always has been a known property of the system. The collective will of the miners ultimately trumps the contract system. However, consensus there is purposely extremely difficult to achieve, and likely only possible in extreme cases like this.

Since this was a known property of the system, and since the agreement is inherently democratic, I don't see how this is a problem. Hard forks are simply another behavior of the network. Nothing more, nothing less.


The troubling issue with the system that this highlights is that a majority of users can agree to implement a fork which invalidates an existing contract.

As you say, that's a known property of the system. And it might be one of those things that's only viable in practice when the network is young. But can a CFO be considered to have satisfied their fiduciary duty if they write a contract which can be subverted in this way?


Ya, it's a tricky issue to be sure. But the miners are strongly incentivized to act in a way that minimizes harm to the currency itself. If they start accepting hard forks left and right then ether will lose all its value extremely rapidly. So I'm not really sure the slippery slope argument applies here.

I think this really can be considered a 'one time thing'. It isn't like miners can be pressured by a government to halt contracts for terrorists or other things. They have to be convinced and agree with the argument being made. There isn't a sole individual to whom pressure can be applied here. Granted, Vitalik may wield some influence, but if he started advocating things that were clearly not in the best interest of Ethereum, people simply wouldn't take on his suggested upgrades.

EDIT: I'd also add that for the record, as a DAO token holder, my personal opinion on what should be done is this: A soft fork to prevent ether from moving out of the child DAO, and then nothing. Just burn that ether forever. This avoids the moral hazard problem while minimizing harm to the overall ecosystem. People like me who made the mistake of investing still feel the pain, but Ethereum itself moves forward.


I respect that position, the moral hazard question is quite significant, particularly this early in the lifecycle of this network.


This basically sounds like, should we bail out Greece?


Commenting on your second thought: I hoped that people behind DAO (and Ethereum?) will stick to the terms they themselves proposed but it seems they will push hard for forking the chain (see: Ethereum blog).


The DAO was officially introduced by slock.it with "the code of the contract is the absolute truth, any other description is just a guideline", which was hailed as a new miracle by the investors, but now that it doesn't mean mountains of gold the founding principles are suddenly not important anymore, it seems.

The "hacker" simply used the DAO as it was meant to be used (i.e. according to the smart contract code), and deserves the funds. If there is a hard fork, I hope he sues slock.it for controlling the DAO, and for stealing the funds he is owed according to their own terms ("The contract is king").


Whenever they're about to lose, those with the power to do so usually change the rules to ensure they win. Cryptocurrency developers are rarely an exception to that.

Actually, the Bitcoin devs deserve a huge amount of credit for not attempting to "improve" the block reward or total supply during their multi-year bleed down from $1200->$200.


Maybe someone can write an insurance contract that future DAO authors can hire, as an alternative to interventions. It would have to be bug free.


Step 1: Write an insurance contract against the malicious use of Ethereum

Step 2: Find someone foolish enough to accept the other side of the insurance contract, in a world where "insurance fraud" is no excuse

Step 3: Use Ethereum maliciously, stealing your own Ether under another identity

Step 4: Collect insurance

Step 5: Profit (in Ether)

Step 6: Good luck turning your Ether into actual money when people figure out how broken everything about it is


This is a smart response. The insurance company could also review the contract code in order to provide cover -- this would give investors extra confidence.


Suppose that I want to make a medical device, and I want to get liability insurance for when a bug in its code administers a lethal dose of radiation to a patient.

Is there any extant insurance company that would want to review my code in exchange for a lower premium?

If not, why would one be willing to do this for a flash-in-the-pan cryptocurrency, but not a useful, real-world device?


For an insurance policy like that, they wouldn't offer any policy without auditing the device, including the code.



Sounds like kernel space code.


It might also be a question of survival. If $36 million+ is drained from the DAO itself unintentionally at such an early stage, can they continue, and how confident can anyone be that their implementation will be successful if the reference implementation itself is not?


If the DAO is not ready for survival now, then no amount of protecting it will make it ready for survival. What will make the DAO survive is code that only contains bugs that are too difficult to find relative to the value of finding them.


> might this not be an opportunity to sue the developers implementing this fork in a real-world court?

That would make for a very interesting trial, where a very rigid ideology would be put to the test.


> the project leadership will intervene

The project leadership can only propose change. Change requires "ratification" by a majority of miners as well as the support of node operators and holders.

> So what now are the benefits of Ethereum smart contracts over the traditional legal system?

The contract can only be invalidated by a significant majority / supermajority of the community through the consensus process. Therefore this is unlikely to happen often if ever, and if so, only in very extreme, clear circumstances in which the entire community is in jeopardy. [0]

[0] Theoretically.


Not a single TheDAO proposal has even been close to reaching a quorum [0] to pass a vote. How is this ratification supposed to happen?

[0] https://dao.report/?sort=popular&keywords&status%5B0%5D=1&st...


So far there hasn't been a single serious proposal, so naturally nobody is voting.


That's not true.

Proposal #5 "Moratorium on proposals" only reached 8.86% of 20% quorum before voting ended.

Yet the moratorium is already in effect... as you can see there aren't any other real proposals out. Everyone is waiting to sort out these huge bugs in the framework.

https://www.reddit.com/r/ethereum/comments/4ns5nl/news_on_th...


I'm a DAO member (or at least I was this morning..!) and didn't vote on that one -- I didn't see the point in voting on proposals that are polls as opposed to votes on moving money to a specific address. There are forums to discuss general strategy; it doesn't need to be a poll.


>But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

It is the beginning of a precedent, but the precedent is fairly weak because Ethereum is in its early stages and very experimental (many hard forks are in Ethereum's future). Bitcoin rolled back the blockchain at one point as well, but it wouldn't happen today.

>So what now are the benefits of Ethereum smart contracts over the traditional legal system?

My view is that smart contracts can be most useful for low value contracts that you would never want to take to court. No judge wants to listen to two people arguing over 18 dollars.


Even if we agree that Ethereum is still in its early stages we have to ask whether this response is setting a good or bad precedent going forward.

Will the project leadership offer a soft- and/or hard-fork every time a poorly-implemented smart contract is exploited in a manner that is not intended by the contract creators?

If every smart contract is going to be "guaranteed" in this way, then this introduces significant overheads for the project and can also create moral hazard.

Alternatively, if only some contracts are "guaranteed" but not others, this can introduce opportunities for favouritism or discrimination...

Are cases only considered when they affect the ether price or where there is personal involvement with the contract? Is that fair?

Interventions and their resolution can also quickly get politicized just like the bank bailouts from the financial crisis.

It is not clear this is setting a good precedent.

Edit: reworded for clarity


Not to mention: you can use the mere claim of yourself knowing a bug in a smart contract to force the other side to do as you say. If it's sufficiently hard to check for bugs, the other party might accept the cost of doing as you say as cheaper than the cost of checking for bugs again.

This was a plot mechanism in some SciFi story I read a few years back. Edit: one of the in-universe early Revelation Space books.


In this particular case the contract holds 15% of all ether.

The fork won't be enacted unless a majority of the community agrees to run its code. That's not likely to happen except in extreme cases, like this one.


I don't think such a scenario is entirely neutral.

Because it implies that some contracts will have a greater probability of being "bailed out" if they are backed by more ether.

It may turn out to be a bad thing because it will establish the idea that not all Ethereum contracts are created equal.

And this can lead the system to be more centralized.


Is 15% really that extreme? This is a game; nothing of real value in the world is being created or destroyed (that wasn't already during mining). I personally hope the ethereum community decides to play this game out and not bail out the DAO. It's way too early in the social experiment to change the rules.


Lots of people have traded serious amounts of real money for those game tokens.


I agree that 15% may not be that extreme, but 15% is not all that's at stake. 100% of all ether existing has so far lost 20% of its value (relative to other currencies at the time of the article's writing). I wouldn't be surprised if it continued to drop further. This may cause enough panic among miners to actually get a majority to agree to a hard fork.

Edit: for the record, I don't use Ethereum or own any ether, so I would also hope that a hard fork doesn't happen to bail out a single contract, but I have no financial incentive on the line.


In other words, this contract is too big to fail?


Perhaps, but:

a) It is being bailed out by referendum, not mandate. Everyone gets a vote, if you don't want to install the patch, don't do it.

b) The funds to bail it out are those stolen by the attacker. Nobody is asking people without DAO tokens to suddenly contribute their ether to restoring the DAO or take debt.


Is there really an attacker and stolen funds though?

I mean, the contract executed exactly as specified.

If the system was well designed, there would be no way to undo the results. Such a system may never exist, but the fact that ethereum can sometimes change contract results means it isn't living up to its ideals.


I disagree in part with (b). A hard fork could split the community and cause the price of ether to crash further. While miners who fork may not actually lose ether in the process, they may actively cause it to lose whatever value it has left.

Of course, miners not associated with the DAO would never normally consider risking such a thing, but the rapidly falling price of their ether may convince them that it's the safest move.


1) TARP arguably had a referendum immediately afterward in the form of the election.

2) The American people were paid back.


Exactly. This is being pitched as a negative, when really, consensus-based changes are probably always for the best.


Precisely, because this company is at the root of Ethereum. They can do these kinds of tomfoolery, and anyone who uses and trusts Ethereum is to blame for not doing their homework.


> But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

This is really too bad. The best outcome would be for the community to learn from this and build tools and practices that make new contracts significantly more reliable.

Smart contract design practices will have to undergo the same kind of gradual hardening that web servers have over the past 20 years. Let's hope it happens a bit quicker.


Disagree. Over time, there will be less and less human intervention and people will be able to rely on a system of contracts assembled from tested and trusted components. And avoid expensive litigation fees.

Look, self-driving cars required humans to take over and require updates to deal with new challenges -- until they don't, or very rarely do.


In the place of litigation fees you pay software development fees. Not that I am really against it as a developer.

Smart contracts are different from self-driving cars in that the former have competing intents within while the latter have a common goal of "not hitting anything".


If anyone can intervene, intervention will happen, even if it takes a new law to make it so.

The only way to eliminate the human interpretation factor is to eliminate the possibility for human interpretation. This is effectively impossible in a pre-singularity world, so there can be no such thing as a contract enshrined in code which is binding.


Interesting from a practical perspective; I hope that ideologically we exercise enough restraint to prevent this historic circumstance.

Perhaps that is only a reasonable hope for values under $50-100M USD.


> the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution

Well that's the fantasy of the century. Has no one learned this lesson with Bitcoin? An electronic currency doesn't magically wave away the fact it's being built and used by humans.


IMO smart contracts are more about decentralized "serverless" services than they are about law contracts.

Personally I hate the term "smart contracts" because of the confusion they create on what they actually are.


I prefer robo contracts. Implies cheap and no humans (with pros and cons of all robo services). Code is only as smart as the humans who program it.


Yep. Ethereum just rendered themselves pointless.


This really highlights the genius of Satoshi imo. If she had not disappeared she would have surely become a benevolent dictator for life and thus a single point of failure. By being anonymous and going silent, that outcome was prevented.


The miners have always been the arbiters. That's implicit in verifying transactions via their consensus.


Keep in mind Ethereum is less than a year old, the DAO is even younger. It's still new, risky, and fraught with problems that need to be solved.

If you're not familiar with anarcho-capitalist theory, there's a concept called a DRO -- dispute resolution organization [1] -- that can perform arbitration functions in a decentralized manner, i.e. without a monopoly on judicial services like the state.

In the future, as the infrastructure matures, I'd be willing to bet DROs will arise to handle these types of disputes. Forthcoming DAOs can be more competitive by integrating dispute resolution clauses into their contracts.

For example, maybe there's a flag that must pass before any transaction takes place, and can fail if X% of DAO stakeholders vote to halt transactions and defer to a DRO for arbitration.

Hard to say exactly how things will evolve, but what's great about Ethereum is that contract law has the potential to evolve at a much quicker, cost effective pace than does the monopolistic, bureaucratic justice system we have in place today.

[1] https://en.wikipedia.org/wiki/Dispute_resolution_organizatio...


What's crazy to me about the whole thing isn't the bug in the DAO nor the fact that it's being taken advantage of. As you say, it's all very early stuff, and there's no surprise that it hasn't been fully worked out yet.

What does surprise me is that people poured the equivalent of tens of millions of dollars into this new, unproven thing. To me, this says that while Ethereum itself may be technologically fine, the community is completely bonkers.


There is a lot of speculative fervor going on. It's like any fad, except you can count the "value" generated by the waves of PR.

The underlying tech is clever though; the speculation is just a side-effect of cryptocurrency systems, in that they attract a lot of people who attempt to make a quick buck during the rapid growth phase.

As others have pointed out, this is not a bad thing b/c speculation is one legitimate way that cryptocurrencies can bootstrap themselves, even if (over time) their strengths are not likely to result in more speculative behavior than is found in other established currencies.


Isn't pouring millions of dollars into new, unproven things the entire premise of venture capitalism? Great risk for great reward.

The outrageous investment in Ethereum/DAO does seem to highlight a desire for governance models outside of the corporatist status quo we live under today, though. Personally, I don't think it's bonkers to yearn for something better. But it's a hope that needs to be tempered with vigilance if people are going to avoid being duped.


Usually the millions of dollars comes after there's some sort of promise shown. This is basically the equivalent of doing an IPO with nothing but a nice-sounding business plan, and having people shower you with money only to discover that, oops, your real business plan is to take the money and flee to the Cayman Islands with it.


To be fair, people poured millions of dollars into a drunken pirate investment company (pirateat40). "I'm going to take your money and drink it away, har har" was somehow better than the alternatives, which often involve basically-impossible-to-circumvent paperwork requirements (buying stock without a phone/mailing address, say), obtrusive spy-on-your-customer policies, risk of having your wealth appropriated by governments like the government of Venezuela and so on.


Consider the fact that many who bought ETH did so with BTC, and that these BTC might have been acquired for a lot less than what the equivalent ETH are now worth.


Tulips.


Or their other options are ripe for disruption


This is fascinating. How do ancaps propose that DROs will enforce their judgments? With violence? What's to stop the losing party from just gathering a bigger militia and shooting back to prevent collection?


The most effective way is likely ostracism, or some other penalty based on reputation. If someone doesn't pay their debts, people just stop trading with them. I'd posit that most people are interested in restitution, rather than punitive measures, which would be the primary goal of a DRO -- making the victim whole again. This is why DROs would likely function similar to an insurance agency.

The non-aggression principle is a central tenet in ancap philosophy which would preclude violence in most cases; however, it is permitted in self defense of one's person or property. Still, most people who subscribe to a DRO probably aren't going to want to pay the high costs for a standing militia. Would you voluntarily pay taxes for the War on Terror, or the numerous other military boondoggles across the globe, if you had a choice and knew the actual costs?

This ventures into the territory of private defense agencies, which decentralize security services, and is a deeper subject. If you want to dive in, I'd suggest Michael Huemer's book "The Problem of Political Authority: An Examination of the Right to Coerce and the Duty to Obey" in which he debunks the Hobbesian war of all against all scenario. "Practical Anarchy" by Stefan Molyneaux is also a decent (and free to read) overview of how ancap voluntarism could work, but Huemer's arguments are more comprehensive.


"If someone doesn't pay their debts, people just stop trading with them."

... Unless that impacts their bottom line. In reality, this is unsolvable - if it were, boycotts, divestments, and employer blacklists would be far more effective. You can always find scabs that will compromise on principle in order to put food on their table.


> The non-aggression principle is a central tenet in ancap philosophy which would preclude violence in most cases, however, it is permitted in self defense of ones person or property.

What if someone disagrees with the non-aggression principle or uses a very liberal definition of "self defense"? If I'm the only one who is permitted to use violence to defend myself, does this mean I have to carry a weapon with me at all times (and hope the other one doesn't have a bigger gun/hasn't hired the more expensive security force)?


The collection could be written as part of the smart contract that wants to use the service of the DRO (of course that part would have to be bug-free…).

Generally, I think ancaps would argue that violence wouldn't occur because it is too costly (as they do in the context of private defence agencies [1]).

Anyway, I believe this argument is flawed, in the sense that people have resorted to violence, despite the fact that it was nonsensical in economic terms (I'm looking for the quote of some prominent intellectual who argued around ~1914 that no big war could ever happen again, because it would be devastating in economic terms. He was proven both wrong and right in the sense that it indeed was devastating for the economy and that it occurred anyway as we know. If somebody knows the name of this gentleman please let me know).

[1]: https://en.wikipedia.org/wiki/Private_defense_agency


A counter-argument is that most of the American population did not want to enter either of the world wars, but were dragged into it by state and corporate interests who, unlike the general population, did stand to profit enormously from the war. PDAs would not have the authority to do this.


As far as I understood it though, ancap wouldn't forbid any of the corporations that did profit from the war. (Or, in fact couldn't forbid it as this is the whole point). So what would prevent those corporations from engaging in the same war propaganda that the states did?


One solution would be for (some) individual contracts to be programmed to have "curators" with an expanded role. These curators would have dictatorial powers (via a supermajority vote of the curators) to nullify and replace the entire contract. However, they would promise to do this only in case of a genuine software bug, or if ordered to do so by a court with jurisdiction over them, not for any other reason. There would be many curators. Many of them would be professional curators, similar to professional accountants or trust executors, who work for huge firms which, like Big Four accounting firms, have a lot to lose if any of their members are caught misusing their power.


I see a different problem here: Ethereum and the DAO were not in a mature state to handle this amount of money. For example, there is limited support for upgrading contracts in Ethereum, and the DAO was not reviewed enough to handle hundreds of millions of dollars.

Also, there are methods to make the software ultra secure using formal models.


I always wondered why there was such a rush to launch the DAO. As opposed to what Ethereum itself did: develop a proof of concept for over a year, then release a beta version and provide bounties for security bugs, all the while collaborating with testers and security researchers to stress the software.


>I always wondered why there was such a rush to launch the DAO.

So Slock.it could raise money, obviously. A common complaint right around when Slock.it launched the DAO was that Slock.it planned to offer the first funding proposal on it but only provided a brief 2-week period for review and debate before the voting started. It had the appearance of an attempt at railroading the crowdfunding process for a quick payoff.

Fortunately cooler heads uncovered the problems and spoke out, putting the brakes on. Now it's a big learning experience for the ~23,000 people who blindly jumped on the hypetrain and put money into a flawed investment vehicle. You'd think the first 7 years of Bitcoin would have taught people a lesson that this technology is risky, but dollar signs in the eyes tend to obscure hindsight I guess.


> ~23,000 people who blindly jumped on the hypetrain

I haven't touched ETH or the DAO personally, but it is unfair to label every investment in them irrational. Over the past 5 years cryptocurrencies have provided multiple opportunities to convert, say, $10k into $100k or even $1M within a year or two; once your net worth exceeds a certain amount, risking 1-2% of it on an opportunity like that is arguably wise - i.e. would be worth repeating - even if it does fail spectacularly.

It is certainly true that as long as that reasoning delivers 10-100x+ returns to some of the people some of the time, a giant fount of speculative money will continue to moisten a lot of scammers, con artists, and insufficiently-careful SW developers though.


TheDAO effectively turned into a massive bug bounty, a pot up for grabs.


Indeed an important question that will be decided soon is whether the "hacker" will get to keep the reward pot, or whether the rules of the game will change to deny it.


I am curious if a huge DAO-like organization could avoid being a target solely by keeping very little of its wealth liquid at any moment... i.e. what would have happened if 99.99% of the DAO's eth were loaned out... would the hacker have bothered? (assuming it wasn't an inside job)


It's pretty obvious and simple. Because they want to run away with your money NOW. Ethereum had money already so they could survive while waiting to scam you even more.


Core problem: If contracts can be upgraded while in use, everything reduces to a game of Nomic.


That depends on whether you think of a contract as an interface or as an implementation.

A contract should present an interface that includes a declaration of its behavior. The declared behavior should be well defined, and if a bug in the implementation is discovered, the contract should be updatable to fix the bug. There could even be futures expressing the probability that a contract will be found to have a bug.

The willingness of participants to use a contract would depend on the chances that something about the interface is bug-prone, untested, etc.

As long as bugs do not result in reversal of money flow, the incentives seem to align properly toward a well-defined approach for declarative contracts.


What you're trying to solve is something very similar to the recursive self improvement problem that MIRI[1] and friends are trying to solve in the sphere of "friendly" artificial intelligence. If something rewrites its own source code, how can you assert invariants that can be relied upon? So going and looking over there at what they've come up with may be fruitful.

[1] https://intelligence.org/


Very interesting! Looking at the papers and going to read them. Any specific papers you'd recommend?


"Tiling agents" would be the most arguably relevant. Provably correct agents that approve the construction of other probably correct agents obeying similar invariants.


Is "probably" there meant to be "provably"? I assume so, but I'm not sure.


Probably.


Thanks! Looks very interesting!


Sorry, not qualified to have an opinion. Opening this question to the floor?


Note that this probably means that designing contracts of this sort is "friendly AI complete" in some sense, and therefore not a good thing to be betting on in the short term.


> A contract should present an interface that includes a declaration of its behavior. The declared behavior should be well defined, and if a bug in the implementation is discovered, the contract should be updatable to fix the bug.

The first part, a "declaration of...[future] behaviour," is basically a normal contract.


Indeed. However, in a normal contract the implementation is specified fairly loosely, and the laws (and enforcement mechanisms) can change drastically over the life of the contract.

There ought to be a way to have highly vetted primitives. In meatspace legalese, boilerplate words and phrases are the closest we get to this... once a contract (or open source license, etc.) has been through litigation, its vulnerabilities become better known.

If a dispute gets decided the "wrong" way because a few clarifying words were absent, the contract is modified and future deals use the new contract.


Why is that a problem?


Contracts can be upgraded if they're designed that way. You can have a wrapper contract that just calls out to other contracts, where the addresses of the other contracts are updateable. You can even make the callee run in the context of the caller, so all the data is held at the caller, which calls an external function that manipulates it.

Doing this is a tradeoff. On the one hand it lets you fix bugs and vulnerabilities, on the other your users have to trust you not to abuse your power.


It completely obviates the point, because a contract no longer means what it says, it means what Bob says. So just wire your money to Bob, it's simpler.


While I prefer non-upgradable contracts for the same reason, there are mechanisms to reach some middle ground, like:

1) a significant delay between the announcement of an upgrade and the actual upgrade (enforced by the blockchain)

2) a mechanism to opt-out or cash out before the upgrade happens
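The two mitigations above, as an added example in modern Solidity (not code from the thread, from The DAO, or from any Ethereum project); the contract and function names and the 7-day delay are assumptions. It also shows the "callee runs in the caller's context" pattern mentioned earlier in the thread, with the caveat that implies for the exit path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not code from the thread, The DAO, or any Ethereum
// project): a wrapper that forwards to a replaceable callee, but only after
// a chain-enforced delay, while keeping a withdrawal path in the wrapper
// itself so users can cash out during that window. Contract/function names
// and the 7-day delay are assumptions.
contract TimelockedWrapper {
    uint256 public constant UPGRADE_DELAY = 7 days;

    address public admin;
    address public logic;               // current callee
    address public pendingLogic;        // announced replacement, if any
    uint256 public upgradeEffectiveAt;  // earliest time the swap may execute

    mapping(address => uint256) public balances;  // users' escrowed ether

    event UpgradeAnnounced(address indexed newLogic, uint256 effectiveAt);
    event Upgraded(address indexed newLogic);

    constructor(address initialLogic) {
        require(initialLogic != address(0), "zero address");
        admin = msg.sender;
        logic = initialLogic;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // (1) The admin can only announce. The chain, not the admin, enforces
    //     the waiting period; a fresh announcement restarts the clock.
    function announceUpgrade(address newLogic) external onlyAdmin {
        require(newLogic != address(0), "zero address");
        pendingLogic = newLogic;
        upgradeEffectiveAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeAnnounced(newLogic, upgradeEffectiveAt);
    }

    function executeUpgrade() external onlyAdmin {
        require(pendingLogic != address(0), "nothing pending");
        require(block.timestamp >= upgradeEffectiveAt, "delay not elapsed");
        logic = pendingLogic;
        pendingLogic = address(0);
        emit Upgraded(logic);
    }

    // (2) Deposit and withdrawal live in the wrapper, so users who dislike an
    //     announced callee can leave before it goes live. Because the callee
    //     below runs against this contract's storage, the delay is what makes
    //     the exit meaningful: once a hostile callee is live it could touch
    //     balances too.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    receive() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;  // zero the balance before sending, so a
                                   // re-entering caller finds nothing left
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Every other call runs the callee's code in this contract's context
    // (delegatecall), so all data stays here. The callee must declare the
    // same storage variables as above, in the same order.
    fallback() external payable {
        address impl = logic;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```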


Are you referring to this kind of upgrades https://gist.github.com/Arachnid/4ca9da48d51e23e5cfe0f0e14dd... ? Because you have an important limitation if you use that approach.


Until such time as a College of Hortators gets invented and people start including standard provisions to defer some decisions to them. Yay, the courts have been reintroduced.


Formal verification is the right approach. Do you know of any specifics for this goal that exist for ETH now?


Vlad Zamfir, Greg Meredith, and Emin Gun Sirer are working on this for Ethereum's next consensus algo, Casper. Not aware that they've published anything on it yet though.



I agree completely. 'Smart' contracts are terribly flawed in this regard. Operating outside of contract law is a weakness, not a strength.

No-one can write bug-free code, so why are these people building a huge, expensive system that relies on no bugs being found?


> No-one can write bug-free code

No, we can. We just don't, because it's very expensive, and we lack proper tooling to make it cheaper and/or faster. The flaw as I see it is that ETH jumped the gun, and tried to move to software law enforcement without investing the right amount of time/money in the code.

Worthwhile goal (though the desirability and practicality remains debatable), bad execution.


> No, we can. We just don't, because it's very expensive, and we lack proper tooling to make it cheaper and/or faster.

Eh, it depends on how amenable your standards for correctness are to formalization. Also when it comes to security, where clearly bugs tend to hurt a lot more, we're almost always at the mercy of "unproven" (in the formal sense) algorithms. Don't get me started on quantum computing's effects.

Reasoning about concurrent programs (let alone distributed ones) is something where I don't think we've got many reasonable schemes, even at the academic level. Though it's great to hear the Ethereum foundation is willing to drop some cash on that problem! I wish luck to anyone who takes them up on that, it's something I'd love to work on if I didn't have existing projects.


The Ethereum virtual machine isn't concurrent even though the network is. The model is a relatively simple serial sequence of operations, state machine style.


The Ethereum VM is only a small issue, the contracts running on it are the actual problem. DAO isn't falling to an ethereum bug.


With enough effort, you can prove that your code conforms to the specification, but how do you prove that the specification conforms to your expectations?


You struggle to even do that. You can normally prove that some code conforms to a version of the specification that is explicitly formalised, but in practice, a large number of bugs are specification bugs and that will only increase the more you are forced to formalise the specification.


> No, we can.

There's no evidence of that, and lots of evidence to the contrary.


Sure there's evidence of that. Maybe not in the move-fast break things social/mobile/local web world, but in the mission/safety/life-critical and real-time systems engineering world there is. Just takes a quick google search, for example:

http://electronicdesign.com/dev-tools/11-myths-about-ada

"As one example of Ada in an undergraduate setting, students at Vermont Technical College in the U.S. used the SPARK language (a formally analyzable subset of Ada) to develop the software for a CubeSat satellite that recently completed a successful two-year orbital mission. SPARK was chosen because of its reliability benefits. The students had no previous experience in Ada, SPARK, or formal methods, but were able to quickly come up to speed.

Of the twelve CubeSats from academic institutions that were included in the launch, the one from Vermont Tech was the only one that completed its mission. Many of the others met their doom because of software errors. The Vermont Tech group credits its success to the SPARK approach, which, for example, allowed them to formally demonstrate the absence of run-time errors."

I've read similar success stories for Lisp and Haskell. Rust will likely add more evidence as it becomes more widely used. Agda and Idris are also capable in this respect.

The problem is too many engineers are just day-jobbers, who want to crank out LOC and quickly add features that get them paid, regardless how sloppy their work or the tools they use may be, or how much work/cost it adds to the maintenance overhead down the road. That work can either be done up front writing bug-free code, or later during maintenance putting out fires, but it can't be avoided. Programmers who chose the former use the excuse "bug-free code is impossible so we don't have to try" to justify pushing the work off on the maintenance team later. But it's demonstrably false.


You can write a formally verified, simple Hello World program and prove that it adheres to both your design and implementation specifications. You can do this all the way down to how the specific processor will run the resulting machine code.

The catch is that this is difficult and the time and cost both scale non-linearly with the complexity of the software. But if you can do it for dead-simple programs running on hardware you understand very well, you can do it for complex software as well. Just be prepared to pay millions of dollars for it.


> But if you can do it for dead-simple programs running on hardware you understand very well, you can do it for complex software as well.

Not necessarily when you're bounded by reality and finite amounts of time and energy. Just because you can count to 2^8 doesn't mean you can count to 2^128.


> No-one can write bug-free code

Perhaps, but nobody can write a bug-free legal contract either, and no legal system is without bugs.

Sadly, for the legal system, many of the bugs are due to corruption, so they are actually more akin to systematic exploits being done again and again by malicious actors (who often happen to be wealthy or powerful).

Also, in terms of how drastic this bug is, suppose $5M gets stolen over a few days. If the community can strengthen itself and become resilient to a whole class of attacks, that is likely far superior to a meatspace improvement in contract law, which would likely take years to become law (and would be selectively enforced once it did).


> Perhaps, but nobody can write a bug-free legal contract either, and no legal system is without bugs.

The difference is that when there is an issue with a legal contract you can defer to an arbiter (a judge) and discuss whether that is a bug or a feature as soon as a divergence of interpretation is detected.

Hell, even just having a sentient empowered human in the loop is sufficient, with fully automated response systems we'd never have survived the cold war as a civilisation, the first false-positive detection (and there have been several) would have ended it.


You are describing human judgement or human discretion. It's probably a given that AI will surpass humans in judgement and discretion of many things in the coming years and would be at least as able to avoid reacting to a false-positive as any human.

The problem (and the thing you propose as a solution) is deferring to an arbiter. This is not human judgement as much as it is human authority. We conflate the two in meatspace because of the social rank conferred upon such positions (this is the same drive that makes humans bow before gods and dictators).

The very idea of decentralization is a different authority model than what is typically in human institutions. In theory, institutions managed in a decentralized and anonymous way have the potential to achieve a form of democratic governance that is far more resistant to corruption than any form previously invented.

In meatspace, a judge must be chosen, elected/appointed, confirmed, etc., and when that judge needs to be replaced we take an entirely different (largely unknown) judge and do a full-scale migration to that new judge's "firmware".

With smart contracts, we can divide the execution into many smaller smart-contracts, each with a specific domain of expertise. This makes versioning, incremental improvement, and extreme transparency possible.

If you listen to a US SCOTUS argument, particularly when a case involves discussion of the intent of specific words in a law, it becomes clear how utterly mutable all of the constructs are. While the SCOTUS is a world-class institution in terms of its overall quality, it is reinforced using a highly centralized model of human authority, with all its problems.


There's nothing preventing a contract from adding fallback modes that require interaction from human agents. Indeed, most of the more high-assurance contracts will probably require this.


I agree, for now. What I argue is that just like nobody can write bug free code, nobody can write bug free contracts as well. I think this might have a good use case down the road once all the bugs are worked out. That said, it's not ready for prime time yet.


Indeed, but you have bug-safety law around the world which incorporates something like:

"If there is a typo, error, fraud, crime etc. a contract is considered invalid or the part of the contract that is flawed"

With software bugs you have something similar:

> NO WARRANTY. THE SOFTWARE IS PROVIDED TO YOU “AS IS” AND “WITH ALL FAULTS.”


Who decides what a typo is?

"Oh, that contract for 1000 dollars is really 10 dollars because they 'missed' a decimal place. You still have to uphold your part though."

Corruption of judges can be a problem in that space and that is in part what this is attempting to solve. A lofty goal, maybe even impossible, but certainly worth the time to try.


I actually found a typo of a 100x magnitude in a Washington, D.C. law about ten years ago. Submitted it, and it was administratively adjusted. No need to even take it back for another vote. I believe it happens with much greater frequency than anyone outside the business of maintaining legal documents imagines.

[even had a typo in the first publish of this comment!]


Sounds like a story worth telling; details?


Just realized someone actually read my comment!

Situation was basically a table rendered in prose format. I can’t recall the precise verbiage, but it read something like: In 2015, the requirement shall be 0.05%. In 2016, the requirement shall be 0.7. In 2017, the requirement shall be 0.09%

Very subtle typo which, had it been treated as The Truth of The Text would have bankrupted anyone attempting to adhere to the regulation.


> administratively adjusted

That sounds like a terrible amount of power to give someone without a vote.


For obvious fixes, that’s not actual power: they could not do that if the correct answer weren’t obvious.

If I offered a new car for 10€ — obviously it should have been 10k€, so others cannot expect me to fulfil that (ask your local police).

If I had offered it for 8.5k€ and suddenly claim it should have been 10k€, it’s far from obvious that this was a mere error, so I’d likely have to stand for it.

If I offered a used car for 10€, the case becomes murky.


This is hacker news. If this was some code rather than in meatspace and you trusted a single client to modify a Turing complete config file for everyone else you'd call it a massive security vulnerability. I don't understand how having humans involved changes that. Yes, they probably have good intentions but has that assumption ever worked out in human history? If it's not used today for something nefarious, it will be used tomorrow.


> This is hacker news

Which is why people don't understand basic human institutions and are surprised when they run into issues trying to re-invent them from scratch.


Grace Hopper said it best 'The most dangerous phrase in the language is, "We've always done it this way."'


A legislative body is a conflict resolution mechanism, and one that is basically in the business of writing the code of law (literally). For something to be considered a typo, there must be negligible conflict over that interpretation. If not, the legislative body addresses it again or it’s handled by the judiciary. The legal registrar who maintains the official version of the text works at the behest of the legislative body. These things are not occurring without supervision.


I upvoted your comment.

Aside from everything. In writing a contract, it's very common to write the price with numbers and letters in brackets next to them. E.g. 1000$ (one thousand dollars), exactly because typos happen.

The decision on what a typo is is made by the parties, in case of dispute then by several courts (based on the evaluation of the contract). That's at least in the continental law system.

There's a way to specify a 3rd party court (a non-corrupted one, called arbitrage) which can solve disputes for that contract.

The corruption-of-judges problem is being fixed also in several ways. Usually decisions in high courts are decided by 3 judges (again continental law) and sometimes a jury (prevailing in the anglo-saxon law system). Also there is a way to appeal the decision of the court to a higher court(s).


It's impossible to corrupt a 3rd party judge (shouldn't all courts be third parties?), or 3 judges? I agree it's the best system we have today, but it won't be tomorrow.


There are relatively few cases where $1000 and $10 are both reasonable numbers. It should be pretty obvious to both parties from context which is the 'correct' interpretation.


To a rational person without ulterior motives yes, but remember in my country "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause" means "Go ahead and take papers (cash) from people's cars without warrants, and then the burden is on them to prove they obtained it legally"

I certainly distrust the American legal system enough to use something like this in the future.


I don't know why you're getting downvoted, seems like a very prudent and informed sentiment to me.


> How do _you_ know your contract is secure?

It most likely is not, looking at the recent post on contract security, most if not all examples ever posted as best practice are flawed and can be exploited:

https://blog.ethereum.org/2016/06/10/smart-contract-security... (currently down, cached version https://webcache.googleusercontent.com/search?q=cache:https:...)


That's the gist of the problem.

Turing machine, meet halting problem.


The halting problem is easy to solve for Ethereum programs by design. Programs are made of instructions, each instruction requires fuel to run, and fuel is limited, so every program must halt eventually.


I'm not familiar with Ethereum programs, but it seems to me that it's not possible to answer the practically-identical question, "How much gas does this program need to start with to guarantee it will either get into a loop or halt of its own accord before it runs out of gas?"

Or, to put it another way, it sounds like the language is Turing complete in roughly the same way C is Turing complete even though every C program ever instantiated is actually a linear bounded automaton because there's no such thing as an infinite tape.

Like, I can announce that my C-like language will always halt after a trillion-trillion operations and therefore the halting problem is "solved" for it, but for all other purposes it's almost exactly as difficult to reason about as a Turing machine.
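The gas-bounded halting discussed above, as an added Solidity example that is not from the thread or from any Ethereum project; the contract and function names and the gas reserve are assumptions. It shows what "halting by running out of gas" means for a contract in practice, and the batching pattern used to keep a function callable as its state grows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not code from the thread or any Ethereum project).
// The gas limit guarantees that every call stops, but a call that stops
// because gas ran out is reverted in full. A function whose work grows with
// contract state therefore eventually can never complete, which is the
// practical face of the halting argument above. settleAll shows the
// problem; settleBatch bounds the work per transaction and resumes later.
// Names and the 50_000 gas reserve are assumptions.
contract PayoutBook {
    address[] public members;
    mapping(address => uint256) public owed;
    uint256 public cursor;  // next index to process in the batched version

    function join() external {
        members.push(msg.sender);
    }

    // Anyone can credit a member by sending ether with the call.
    function credit(address who) external payable {
        owed[who] += msg.value;
    }

    // Unbounded: gas use grows with members.length. Past the block gas
    // limit no transaction can finish this loop, so every attempt reverts
    // and the function is permanently stuck.
    function settleAll() external {
        uint256 n = members.length;
        for (uint256 i = 0; i < n; i++) {
            _pay(members[i]);
        }
    }

    // Bounded: at most maxSteps members per call, stopping early if gas is
    // running low, and remembering where to resume next time.
    function settleBatch(uint256 maxSteps) external returns (uint256 processed) {
        uint256 n = members.length;
        while (processed < maxSteps && cursor < n && gasleft() > 50_000) {
            address m = members[cursor];
            cursor++;     // advance before the external call so a re-entering
            processed++;  // payee cannot make this member be handled twice
            _pay(m);
        }
        if (cursor >= n) cursor = 0;  // pass complete; next call starts over
    }

    // Zero the debt before the external call so a re-entering payee finds
    // nothing owed; if the transfer fails, restore it rather than revert the
    // whole batch (one bad recipient must not block everyone else).
    function _pay(address m) internal {
        uint256 amount = owed[m];
        if (amount == 0) return;
        owed[m] = 0;
        (bool ok, ) = m.call{value: amount}("");
        if (!ok) owed[m] = amount;
    }
}
```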


100% agreed and anyone who expects these types of smart contracts to replace typical contracts is overlooking this.

The real void smart contracts fill is the type of contracts that cannot be trusted to be enforced by the current court systems.

For example, consider prediction markets. Just about any economist or rational person will tell you these are a huge boon to the world, but the CFTC shut down InTrade just a few years ago. It makes a lot of sense for these types of contracts to move onto ETH or similar.


Why are prediction markets a huge boon for the world?

Isn't that just a fancy term for betting anyway?


The entire finance industry does a fancy form of betting. Risk and reward are packaged up and bought and sold by people according to their preferred allotment, and once the outcome is known the spoils (or losses) are correspondingly shared.

Prediction markets can also be called "information markets" because they expand the class of things we can understand the risk characteristics of beyond the traditional instruments.

Lloyds of London began by issuing insurance on shipping vessels so that ship owners shared the risk of a wreck across all their fleets, reducing the devastation of losing a ship for each individual owner. Prediction markets let us do this for a host of other outcomes.

A prediction market is nothing more than a betting market, the innovation (attributable to Robin Hanson, I believe) is the idea of the binary future, which makes the probabilistic outcome work nicely with a traditional futures contract structure, and allows for a lot of nice intuitions based on price movement.


They provide a far more accurate insight into the likelihood of events than any other alternative. You can think of it as betting if you like, but it's betting with lots of positive externalities.

Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events. Prediction markets would provide by far the most accurate insight.

It's wisdom of crowds + skin in the game.


>Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events. Prediction markets would provide by far the most accurate insight.

Surely such prediction markets are a guarantee of corruption?

That or I just don't understand - if a market exists that takes bets on human actions such as passing laws, how long someone will live etc, the bettors will have a very active interest in doing everything they can to make a large profit, of which corruption alone is the most obvious target.

I mean in a way you're right - it is wisdom of crowds, albeit crowds of people that "know" only because they've corrupted the final event.


They don't guarantee corruption, because if the corruption shows up on the prediction market it has occurred (or will occur) elsewhere already, and if large amounts of money are betting on a certain outcome, others will follow, and thus the payout won't be as large.


> Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events

Like the probability of a smart contract being exploited via a loophole? ;)


This is OT now, but in addition to the corruptive effects of traders influencing results they are betting on mentioned by mootothemax, another possible negative externality is the conservative effect the prediction market would have on the traders. Eg. if you got a whole population to bet on the market, suddenly it is in the interest of the majority to uphold past predictions, thus making society resistant to change.


EDIT: Moved to the correct location in the discussion tree.

It's very frustrating for me to see "probability of a law passing" and "severity of global warming" being thrown in the same basket.

While the first lends itself naturally to be framed as a binary prediction market (and there are good reasons to believe that the market will produce reliable forecasts), "severity" doesn't lend itself to be framed in this way (in Taleb terms, it is a non-linear payoff from a complex domain, "4th quadrant"). Ignoring that there is a lot of ideology involved in defining the exact terms, in my mind it is just unreasonable to expect prediction markets (or any mechanism for that matter) to deliver reliable results in this case.

Even when not accepting the Taleb argument regarding our ability to predict, at least it should be acknowledged that it is not straight-forward to generalize from binary outcomes to open-ended ones.


Presumably he meant a specific prediction like "Greenwich will be permanently flooded by 2025" ?


> Just about any economist or rational person will tell you these are a huge boon to the world

True, but I think said people still haven't taken the whole Taleb idea to heart. I'm pretty sure there are certain domains where the wisdom of the crowd is no wiser than a chimp throwing darts.

As an extreme example, assume you ran a prediction market that predicted the value of the s&p500 x days from now. Would you expect to make money based on these predictions?

This is not to say that they can't be useful in certain domains. It is well known that they do well for binary outcomes like sport events and elections.

They might also be valuable in situations where there are behavioural factors that prevent the spread of information (e.g. whether a project will finish on time). However, there might be simpler mechanisms (like whistle blowing) which could solve the problem or it might not be a problem at all (Bent Flyvbjerg's research on mega projects suggests reliable forecasts are simply undesirable and "true" forecasts are known sub rosa anyway)

A relaxation of the law or more exemptions a la IEM could be beneficial from a research perspective, but I wouldn't expect a "huge boon" just because. These are a lot of words to basically say, it's not a black and white issue.


> As an extreme example, assume you ran a prediction market that predicted the value of the s&p500 x days from now. Would you expect to make money based on these predictions?

The S&P already is a prediction market for the future value of the S&P. So no, there would be no additional information here.

I agree that wisdom of crowds does not always work, but remember that this is not just wisdom of crowds, it's wisdom of crowds PLUS skin-in-the-game.

All of the things in quadrant 4 are difficult to predict. I would trust the predictions of people who have put money where their mouth is far more than the predictions of those who haven't, and I think Taleb would too.


Prediction markets already widely exist and have been around for ages, just not in America. You can bet on all kinds of real world events, not just sports, in many countries.

Adding a prediction market to ethereum or some other crypto coin isn't going to revolutionise anything.


I am fascinated with prediction markets, is there an existing place to do this now with ethereum?


Augur and Hivemind are the two that get talked about the most. Neither are out.


I'm mostly an ethereum skeptic, but maybe this doesn't actually indicate that all smart contracts are doomed? Maybe all it means is that bespoke ethereum contracts are risky, and people will have to use boilerplate contracts that have proven robust in the past.

I sort of assumed this DAO thing was intended in this spirit, as an experimental stab on the path to robust contracts.


> I sort of assumed this DAO thing was intended in this spirit, as an experimental stab on the path to robust contracts.

With millions of dollars in prizes if you could exploit it?


My hope is that the people putting millions of dollars into it are well off people who are OK with putting their spare money into something obviously risky and experimental.

Edit: If this is not how it is, I'd be interested to know who is putting money into the DAO, sociologically speaking. I hope nobody's investing their life savings in it.


My impression is that the DAO people are early adopters mostly from the Ethereum Foundation itself, so the "150 million dollars" number that is bandied about would be mostly paper profits from a much smaller investment. It doesn't mean they ever had 150 million dollars in actual money between them, or any practical way to get it.


With millions of dollars in prizes if you could exploit it!


There are bugs in critical shared software infrastructure like Linux, libc, OpenSSL, and so on as well, and not just a few minor ones.

Why would it be any different for "bespoke ethereum contracts"?


If an ethereum contract was the size and complexity of any of those projects I would certainly expect it to contain many errors.


Another way to say the same: there is no slack. Errors can be sudden and complete.

Compare with "old fashioned" contract law or e.g. national currencies or gold. The errors there (theft, counterfeit and fraud) tend to impact only one or a few transactions. It's all more localized.

In case of broader failure of old fashioned money (e.g. national currencies being destroyed through inflation): at least this is a very slow process that is usually being telegraphed years in advance.


This hopefully provides further evidence that smart contracts currently are not and probably never will be a replacement for traditional contracts and court systems. Instead they are a low-cost alternative for specific off-the-shelf problems (like ownership) for which battle-tested implementations will eventually exist.

In that sense smart contracts are a tool for a specific purpose (and maybe a replacement for people who don't have the luxury of a working court system) as opposed to the end-all-be-all solution that some make it out to be.


Attempting to enforce the spirit of the law is a problem in its own right though. The flexibility of written law is repeatedly abused. Whether it's politicians taking land from their constituents, or drug laws being used to drive racism, we really shouldn't be looking at the flexibility of written law as a good thing. Or at the very least, we should be acknowledging that it's a double edged sword.

Ethereum's smart contract language is not one which makes it easy to write secure smart contracts. There are dragons everywhere, and the DAO is far and away not the only smart contract to incur their wrath.

In general I am in favor of moving to programmatic, unforgiving law. But we need to do so at a pace that matches our technological progress. Today, the technology is not there to make advanced contracts. Simple ideas like 'this coin is owned by this person until a signature from this key transfers ownership to someone else' are pretty easily enforceable. Bitcoin has a scripting system with a variety of safe scripts in widespread use.

But as soon as you start aiming at things like 'this investment fund is owned by this group of people and is able to make investments under conditions X, Y, Z, and can split... etc.', you've outpaced what we currently know how to do safely.


I don't know much about Ethereum, but why aren't the contracts declarative? Surely, it would be much easier to see the logic behind the contract and avoid the impossible task of a bug free turing complete language.


The Turing-completeness of the language is the whole point of Ethereum. That's what differentiates it from other (Bitcoin-like) crypto currencies. It allows anyone to build arbitrary business logic--an exchange, a venture capital firm, a game--that is run directly by the participants in the blockchain.


In retrospect, a declarative language might have been a better choice. There's a tendency in open-source projects to make things Turing-complete because it's too hard to agree on what the declarative primitives ought to be. (Hence JavaScript.) This is not what you want in contracts for substantial amounts of money. It's passing the buck to the users.


>This is what concerns me about contract programming. With human contract law, if there's a minor typo or loophole, participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent. But with software contracts, only the characters matter and there's no intent anywhere: either you get paid or you don't.

It's much worse than that!! What you've just said applies to building an airplane or getting to Mars, too. Mother nature won't care what you meant to do.

But this is worse: mother nature might give you turbulence, but She won't carefully cycle or time the turbulence in a code injection vulnerability to try to get your avionics to lock up at some particular moment. With these kinds of systems, you have humans actively doing everything in their power to break the system, even using the most subtle possible tricks. It's not just noise: it's a malicious attacker.

It's not enough to "get it right". You have to get it right against someone with lockpicking tools, budget, time, and no legal, social, or moral checks and balances. By that standard, every vehicle NASA has ever built is completely broken, and NASA has never built a single thing that works.

It's not just about code that's correct. It's about code held to literally supernatural standards of correctness.

It's a social problem.


I'm surprised no one has mentioned: Human contract law still applies in this case. DAO members can still go to the FBI and try to find the "attacker". They can still ask the courts to try to take their Ethers back.


> How do _you_ know your contract is secure?

Ideally, using formal methods [1], one can write a provably correct program. Just because software can have bugs does not mean it must have bugs. Human contract law has no analogue.

Personally I'd be wary of any electronic contract that wasn't formally verified. The DAO exploit is unsurprising.

1. https://en.wikipedia.org/wiki/Formal_methods


> participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent

Stuff like patent-trolling (and patents) suggest to me the law isn't so consistently trustworthy as you suggest.


I don't think that is the same - There is no claim that the rules of written law always give the most favourable outcome. But rather that the written law (or contract, in this case) allows for the reality of human error or omission by leaving space for human interpretation, enforcing the underlying intent, rather than strictly enforcing 'bugs' in the contract.

After all, there are almost always small mistakes in complex systems. The system of case law is, essentially, a structured way of turning differing interpretations into a stricter framework over time.


There are no bugs, there is just the contract, and the intent, and the difference between the two.

My point is, the institution of law needs to be trusted, yet patent-trolling exists because the institution has failed to apply fair judgment and common sense such that ridiculous legal structures have prevailed.


A bug is the difference between the intent and the produced document.


I disagree. While the use of the word 'bug' is often stretched (i.e. feature requests being made in the issue tracker), the contracts in this case are not purely the product of a writer - they are also a contract, as in a written, explicit agreement. Calling an unintended consequence a bug may be true from the perspective of the writer, but not necessarily from the perspective of the second party, who may have agreed to the written contract, but not the "intent". Hence a document with two parties does not have objective bugs in that sense, unless both parties agree, which is not the case in disputes requiring a judge.


I agree with your analysis there.

But my point was that patent trolling exists because the law is unfavourable. Not because there is a system of mediation in place. Whether the patent system should be abolished or not doesn't really relate to how inconsistencies in contracts are handled, as far as I can see?


My own skepticism isn't so much stemming from any belief that the current legal systems are particularly great as it is from the learned reflex to be wary of anyone rewriting a system from scratch.

The legal system is complex and messy sometimes because moneyed interests have been keeping a thumb on the scales and sometimes because the world is complex and millions of people have spent hundreds of years patching bugs and extending the code to handle all the weird corner cases.

Smart contracts are a neat idea, but it is also kind of like the guy who wants to rewrite the production system in a weekend.


Smart contracts are still a good idea, separate from implementation concerns.

I also consider the strictness, and lack of third-party mediation a "pro", not a "con".


Patent law is not contract law.


Are they not overseen by judges and lawyers also?


Formal proofs. These are reasonable to do with modern proving systems, and contracts with formal proofs would be a reasonable output for a specialist in this area, equivalent to a lawyer for regular contracts.


There is nothing stopping you from getting involved in a much more complex scheme of contracts. You could easily set up a system where a web-of-trust filtered, community funded "court" creates a wallet that is used for mitigating disputes. If a judgement (done by key-signing votes) goes against a user you decrement how much they are going to get after the period ends and you increment how much the claimant gets. If nobody gets into a conflict at the end of the period everybody votes to send back all the money to everyone's respective wallets.


Your word "easily" translates to "I haven't really thought hard about it and I am not an expert but it seems easy to me." That is a trap for beginners to cryptographic systems. Getting it right in all details is HARD, as has been proven time and again by failures. The theory is hard, the implementation is hard, and making it usable is hard.


If there are ever more compelling use cases for smart contracts this will create a market for smart contract validation or development.

Interactive theorem proving is already at the level that verifying something like the DAO (a few hundred lines of code!) isn't too complicated. By the time smart contracts become relevant we'll probably have all the tools in place to make this an industry instead of a research project.


Of course. But human contracts require human judgment and it is precisely the psychological fear/mistrust/puzzlement of proponents of machine contracts that leads to their political adoption of the idea. I don't think there's necessarily an objective risk/reward analysis behind preferring one over the other, just a matter of personal temperament.


>This is what concerns me about contract programming.

It is really the whole cryptographic ambition for trustless systems that is possibly problematic.

I'm trying to be open minded. I'll concede that maybe they will be proven right with time, but maybe not.


The problem is in a trustless system, there's still trust - trust in the code. And if there's one thing I have ZERO trust in, it's software.


Just remember, when the developers inevitably appear with suggestions about how to stop the hack, roll back the blockchain, or come up with other schemes to block the hackers, they are showing everyone that all the talk of blockchains being decentralised, or being beyond the control of governments or other powers... is a complete lie.

If this hack can be stopped, then it demonstrates that the currency can be manipulated, that the decentralised system is not so fault tolerant or uncensored after all, and that people out there know this.


Also remember that this isn't the first time this idea of 'let's roll back a blockchain due to a hack/attack' has been floated or even tried. The first major blockchain rollback almost completely destroyed the cryptocurrency [1]. Since then, some major hacks have happened and the community/developers rejected the idea of a rollback [2][3]. That was a hard lesson, and hopefully the current developers will learn from the short history.

Also to your point, yes, Ethereum is not as decentralized as some would like to claim, either from a stakeholder perspective, or from a mining perspective, or even from a 'who holds the power' perspective. I suspect that's what makes it so efficient though, in terms of changing protocol, or making decisions on behalf of stakeholders.

[1] http://247cryptonews.com/vericoin-lack-integrity-bailout-min...

[2] https://www.cryptocoinsnews.com/official-nxt-decision-blockc...

[3] http://www.newsbtc.com/2014/12/17/opal-recovers-1-7-million-...


One could argue that at this point in its history it stands to benefit more from that efficiency than it would from more robust decentralization.

When adoption is low it stands to reason centralization would be high, and so it enables them to move faster to increase adoption, and hence lower centralization as other players and stakeholders enter the game.

However it does also stand the risk of allowing the current influential parties (the developers or miners) to influence the system in their favor. So far though, I don't think this has been the case, but we'll see how this situation plays out.


There is no doubt that centralization is more efficient than decentralization. The problem comes when developers or other stakeholders don't understand or underplay this feature.

Also, centralization/decentralization is a scale, not discrete boolean values.

It will definitely be interesting to see how this plays out. Good luck to everyone involved.


If there is consensus that this is a problem and shouldn't be allowed, then there presumably is also consensus for even a hard fork if necessary. As an outside observer, I don't see why this is a demonstration that the decentralised system can be manipulated, is not fault tolerant, or censored.

Since if this is a problem and will be fixed, it will presumably be by consensus. We already know that with consensus the entire system can be changed (or forked, if you like). This is no secret and there was never any claim otherwise. This is exactly what they mean by decentralised.

What should worry you is if a change happens without consensus, but there is no such indication here.


slock.it are now implying that opponents of the proposed hardfork are probably the thief and asking people to contact them with information about the identity of anyone who organizes opposition to it: https://twitter.com/christopherhesh/status/74379447973649612... It's going to be a very interesting kind of "consensus", that's for sure.


Ah, vigilantism. How incredibly fitting into the whole cryptocurrency ghetto. So very unprofessional.


Let's call it self delusion. A "lie" needs the intention to deceive. I think most developers of these systems truly believe that they are building the First Distributed Republic or something like that.


Vitalik Buterin, the co-founder and Chief Scientist of Ethereum, just called for a DAO and ETH trading halt at all Ethereum exchanges: https://www.reddit.com/r/ethereum/comments/4oif2x/dao_attack...


Apparently all that talk of decentralisation goes out the window when you're losing money. Ha


Actually, I'd say the fact that he has to publicly ask for exchanges to stop the trades, and can't simply press a button or send out an order, shows the decentralization.

Decentralization doesn't prevent coordination.


I think you're missing the point. The fact that one man can bring the whole of Ethereum trading to a halt with an announcement really demonstrates just how much power he has. So it doesn't matter that he doesn't have a physical kill switch if the end result is the same.


He wouldn't have that power in just any old circumstance. He could have the power to launch nukes, but if that power would only work if all of the world agrees, I'd still not be afraid of him.


I mean, they don't have to honor the request to do so.


> I think you're missing the point. The fact that one man can bring the whole of Ethereum trading to a halt with an announcement really demonstrates just how much power he has.

The reason for this is that ethereum exchanges are not decentralized and the "program" that the owners of the exchanges execute on their brains partly allows "dynamic mental code update" by Vitalik Buterin.


The announcement didn't come out of the blue. Exchanges don't want stolen funds to go through them so it is also in their interest to halt trading.


...but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

Exchanges are in a difficult position once the 'head' of ethereum tells them to stop. It's a sign that the blockchain might be forked, so any further trades they make might be undone - they simply have little choice but to stop after being told to do so.


> but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

Not at all. This is a classic "coordination problem". It is advantageous for many participants in the overall system to take an action, but only if the other participants are ALSO taking the action. In such a case, a widely followed and popular leader is one possible coordinating mechanism. And it does not give that popular leader the ability to do ANYTHING, only things that actually ARE popular but require coordination.


a widely followed and popular leader is one possible coordinating mechanism.

That's the exact opposite of decentralized. Are we going to have to redefine the word?


I don't agree. Centralised control would mean one person can change anything. Decentralised doesn't mean that nobody can propose a solution - only that others have to agree on it before it goes live.

How do you imagine decentralised decisions happening otherwise? Everyone choosing their own solution without ever talking to each other and seeing what is most popular?


I'm not sure whether we are redefining it... I suppose it depends on what definition you were starting with!

My idea of "decentralized" includes things like "continues to function perfectly well if any one person or small group is removed from the process" and "continues to function perfectly well if any one person or small group becomes malicious".

In this case, if Vitalik Buterin were not around to announce the problem, someone else could announce it and that would provide a coordinating signal for all of the independent players to act on. If Vitalik Buterin were malicious and decided to announce a rollback of a big spend he had done, then the independent miners and mining pool operators would (I hope) choose to ignore the announcement and refuse to participate.

I guess to me, having a centralized group or individual make decisions seems to violate "decentralized", but having one of several possible groups or individuals make announcements which signal the population to take action does not.


Nobody has to follow the leader. Want to keep your exchange trading? Go ahead - nobody can stop you. It just so happens that everybody agrees this time.


> but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

I didn't stop eating excess salt until my doctor asked me to do so - and it was totally in my interest.


A surprising number of people seem to believe in the near-perfect efficiency of markets, that every participant is making optimal decisions based on their own goals.

This is, of course, absurdly optimistic.


Why, has anyone thought that decentralization means no one has a lot of power? I figured that people who prefer decentralization prefer feudal power over centralized power.


>and can't simply press a button or send out an order

And the governmental powers-that-be can press a button and prevent citizens from exchanging cash?


The US government freezes bank accounts all the time.


Bank accounts aren't cash. They're a ledger of your balance with the bank.


Yes, easily by devaluing the currency.


Governmental currency printing has zero effect on the negotiated transaction between two people, and it does precisely nothing on my ability to choose to continue using that currency. That's the underlying freedom; use dollars or blueberry scones if you want. You just need to find a willing counter-party.

The anti-fiat crowd should think for a minute on how money actually works in practice.


Huh? What does halting trading have to do with compromising decentralization? You do know what "decentralization" means, right?


They're now talking about essentially blacklisting the hacker's ETH address, how is that decentralised?

Halting trading is a show of force too, if they believed a single thing of what they preach they'd let the free market continue its course with the hacker walking away with the money.

Looking at your comment history it seems clear you have an agenda here, so I'll ignore the ad hominem.


Decentralization doesn't mean complete lack of central control, or anarchy, it means that balance of power is in the periphery with the broader organization largely controlled by protocol and policy. Issuing an edict in a crisis doesn't necessarily imply centralization if the member nodes can ignore the edict.

In the history of organization structures, for example, Peter Drucker in 1946 wrote the "Concept of the Corporation", a study on General Motors, which was arguably one of the early detailed studies of Decentralized governance in an organization.


The "free market"? I don't think that's what "free market" means.


how is that decentralised? [..] Halting trading is a show of force too

Decentralisation does not preclude "force". The one really has nothing to do with the other. Unless your idea of "decentralization" is actually the solipsist view that every person is an island, and social structures hold no benefit for survival.


If it takes a vast majority of participants to agree, then not really. It's decentralized, not 100% immutable. Will get harder as it gets larger but at this stage it is good to still have the ability.


Vast majority however means most mining pools. In practice that's not that many people making the decision.


At this stage yes. That's why I don't hold ether as being solid enough yet to be a store of value, aside from the fact that it's being inflated at ~25% pa. Needs to go through these teething problems now while that is still the case.


Why would that be different at later stages? Bitcoin grew more centralized with time, not decentralized: The miners with the most powerful equipment also have the most ability to become even more powerful.

Why is that different for Ethereum?


It's not that simple. In the end it's what users actually use that matters. Mining on a fork that sees no use would be suicidal. So miners need to follow users, or their investment is for nothing. And users tend to follow developers, at least until there is a contentious fork.

So while there is no clear single party that makes decisions, active developers have the most say.


It's not that it's centralised, it's that the cost of the precedent set by a fork and rollback doesn't mean it is seen as a terminal failure.


As 'fuel' for programming smart contracts it's still a valuable tool but it doesn't make writing those contracts easy.


And if it can't be stopped, the argument about decentralized apps being "unstoppable" won't be that appealing anymore after all :)

It's sad, being able to write blockchain apps like with ethereum and lisk is cool tech, but we'll have to deal with the idea that once it's out, it's out. Programming NASA style.


> If this hack can be stopped, then it demonstrates that the currency can be manipulated, that the decentralised system is not so fault tolerant or uncensored after all, and that people out there know this.

My thought exactly. And despite putting a little money into the DAO myself, this is the kind of risk I was willing to take. I should lose my money. Miners should vote strongly against this fork.

I know in the Bitcoin community this wouldn't be accepted, not so sure about Ethereum though where the developers have a lot more control (than they should IMO).


This is FUD, broadly speaking. The devs have put out a patch for miners which allows them to decide whether or not they wish to fork over these transactions. Centralization is not required for this decision, instead, distributed consensus.

The counterpoint to your statements is simply that consumers need safety with their money. It is no badge of honor to let unsophisticated technical people lose money for some extreme libertarian ideals.


> This is FUD, broadly speaking. The devs have put out a patch for miners which allows them to decide whether or not they wish to fork over these transactions. Centralization is not required for this decision, instead, distributed consensus.

With all respect Peter, this is not FUD and OP is raising a valid concern. Yes, the miners vote on the patch - but given the infant state of the ecosystem and the large loss incurred, even further controversy or delay in finding a resolution may cause them permanent economic harm; so it would appear that there is little leeway in the choice involved.

> The counterpoint to your statements is simply that consumers need safety with their money. It is no badge of honor to let unsophisticated technical people lose money for some extreme libertarian ideals.

Yes, that's certainly the argument, particularly that if there is majority agreement then the protocol change is justified. But this doesn't at all invalidate OP's concern that fundamentally algorithmic contracts aren't binding if such an alteration can be adopted. The case could be made that in a more mature ecosystem such case-specific alterations are more potentially damaging than useful and that this is a transitional phase, yet I think the burden of proof is on the one responding.


>so it would appear that there is little leeway in the choice involved.

I think we agree on this. The reality is that an active choice will still have to be made by a consensus group, though. It's not a matter of something being forced down the throats of a majority by an oligarchy, it's utilizing the existing consensus mechanism.

I think OP should be well warned here as to what is binding with smart contracts, for sure. This isn't any different than risk calculations in Bitcoin, though -- early days advice was to wait six blocks for transactions over $20, because the cost of subverting the network was very low. This is part of the give and take of mining and distributed consensus with current technologies.



I agree with your points. But the miners who actually have a say, if I am not mistaken, are the big ones and the pool owners. These are just a small fraction of all people running mining software.

A soft fork will undeniably require distributed consensus. It is the number of people with the actual right to vote that may be worrisome.

Perhaps the pool owners should extend their voting rights to their pool contributors, pooling votes as they pool mining shares.

(Disclaimer: I hold a small amount of ETH and participate in a mining pool.)


Or, pool owners could announce their position, and you could switch pools. This has happened in Bitcoin, albeit very occasionally.


It looks like the developers are proposing a soft fork to block certain transactions, followed by a hard fork to allow retrieval of funds.

[1] https://www.reddit.com/r/ethereum/comments/4oiqj7/critical_u...


The only way any of that can happen is if most of the community agrees to run the software implementing the change. If you know of a way to get more decentralized than that, I'd like to hear about it.


> all the talk of blockchains being decentralised

All the talk of /ethereum/ being decentralized.


True! It's definitely a situation where the 'market cap' of bitcoin gives it some extra stability. If the DAO contained bitcoins, it would be a far smaller % of the total and there would be fewer calls to roll back the logs.


If there is network consensus to do the rollback, then the blockchain stays decentralised.


What is 'network consensus'? It certainly isn't giving everyone a vote as to whether they think the rollback is a good idea or not. Instead, it's connected people wielding influence.


A majority of hashpower as "ratified" by a sufficient number of nodes and holders.


Connected people always have influence in any human system, because, you know, emotions.


So can random people who agree with each other completely control everything that happens with the currency? So if there is a company who they dislike can they just decide that they have no money?


Majority of ethereum holders would want to rollback. That is consensus. If they don't hard fork they can keep running an old node. What is the problem?


The incentive here isn't to pick the side of the fork you agree with; it's to pick the side of the fork you believe will win. So you can't really say that the rollback side winning means that most miners agreed with the rollback - rather it means that most miners thought the rollback side would win. There's a strong element of "self-fulfilling prophesy" here.


How do you know? Of course, it could be established using "safe" blockchain voting technology...


The longest fork wins.


Isn't that basically measuring which side has more hashing power? It's not obvious to me why that necessarily represents "the majority of ethereum holders". Or am I missing a mechanism?


The hashing power is the voting power. Since it is not obvious how one could even define what "the majority of ethereum holders" even means (and who says that every ethereum holder who is a physical person has to have the same voting power? If this were the case one would simply split your ethereum "account" into many which are held by stooges).


Majority is consensus?


It has been proven impossible to reach full consensus at scale in a fully decentralized, asynchronous system (the FLP theorem).

So, in computer science terms, consensus algorithms are about approximating distributed consensus in the face of benign and malicious threats or communication failures, which devolves to "quorum / majority" pretty quickly in a crisis.

After the crisis, some kind of compensation, reconciliation or excommunication has to happen with the portion that disagreed.


So that means if you are against majority thought you are shit out of luck. Just think of any time when majority consensus hasn't been the optimal solution.


If you believe that there is a better way to find a consensus in a distributed system than majority you are free to implement a system based on it. I consider it as quite plausible that such a system exists, but cannot even imagine what it might look like.


There is a better way but it unfortunately requires the system to have an understanding of what the decision is about - in other words, no longer decoupling the mechanics of the decision from the meaning of the decision.

A distributed system can easily make a majority decision that is unwise, like if the votes are based off of bad information. But if the different options of the decision could be formalized and checked/proven as part of the decision making process, based off of axioms and values that participants all agree on, then perhaps the most rational decision could be selected even if it's not what the majority was initially in favor of.



Also just remember, that Rome was not built in one day. Progressing mankind with a functioning DAO is most likely worth much more than even a $200M failure (worst case scenario) if you look at how it could increase world productivity/efficiency.


The developers appear to be treating this as a dev environment - "We were starting a new team (welcome @hiddentao, @evertonfraga and @luclu) and I was pushing for weekly releases, without proper testing. Meanwhile the DAO happened, and we wanted to make a release that had support for events subscription without realizing the performance impact it would have..."

https://github.com/ethereum/mist/releases/tag/0.7.5

I realize this is the wallet development but they are absolutely related and shows the culture of this software is not as professional or thought out as it should be.


But if the hack can't be stopped, then… it demonstrates that the currency can't be manipulated…? Wait a minute.


It's a size issue not a security issue or put another way the insecurity is the small size.

Once it gets bigger the security goes up as events like this affect the currency less and less.


Hopefully this will make the idiot "investors" realize what a piece of crap Ethereum (and anything related) is.


We already knew that blockchains are vulnerable to 51% attacks. There are real problems with points of centralization (including the developers), but events like this don't prove anything.

Edit: to be clear, the 51% attack I'm referring to is actually the defense of the network by developers/miners/users that the parent post is complaining about.


They do if the developers suddenly come up with schemes to block the attack or hack the DAO. vbuterin has posted on reddit a plea for any DAO holders who were about to 'split' their holdings to contact him - presumably he has a way to hack the DAO more effectively and so grab the money before the attackers grab it.

But when did he know how to do this? Was it a secret that he was sitting on, or has he only learnt about it from the existing attack?


If this is just a 51% attack then we didn't learn anything about Ethereum qua Ethereum or blockchains qua blockchains... but we'll learn something about the lower bound for being big enough that they're not a realistic possibility.


It's an interesting question - is the DAO 'too big to fail' ?

I wonder how different ether will turn out to be, will they bail it out by rolling back the blockchain?


Rolling back the blockchain would have some pretty serious ramifications, as the possibility of that becomes greater it makes sense to sell as quickly as possible into another chain to retain value.


The provided link is just a page showing a bunch of transactions. For someone like me, who is not so intimate with the Ethereum terminology in use (but who is still interested in the DAO, as an observer), could someone provide a layman's explanation of what's going on?

Somewhat more specifically, I'm wondering the following:

- At a high level, what does this attack actually consist of?

- How does ethereum "go missing" in a distributed blockchain, where you can see all the transaction endpoints?

- Who loses and who gains from an attack of this scale?

- How severe could this attack be - does it pose an existential threat to The DAO (or Ethereum, more broadly)?

- How is this attack being perpetrated? Has the attack vector been previously anticipated? Why is this unexpected?


- I don't think there's any definitive details yet, but it could be an instance of this attack [1].

The code behind the DAO is available here [2].

Apparently [3], there's a bug where one can recursively call `splitDAO` multiple times to extract ether from the contract if one has a split open.

- Ether can go missing when it is sent to a public address which has no known corresponding private key. It's a "we can't inverse a hash" type of problem.

- People lose if they're holding a long position on ETH, or have DAO which they can now no longer recoup to ETH. People gain if they're shorting ETH, or are the attacker themselves (it looks like the ETH from the dao is going to this address [4])

- Looks to be an existential threat to the DAO from where we're standing right now. I can't see any mitigations but an entire Ethereum blockchain split.

[1] https://blog.slock.it/no-dao-funds-at-risk-following-the-eth...

[2] https://github.com/slockit/DAO/blob/develop/DAO.sol

[3] http://pastebin.com/DykumjLs

[4] http://etherscan.io/address/0x304a554a310c7e546dfe434669c628...


Ah, I see: the money isn't missing, it's just gone to an unknown party (the hacker) - so we're practically watching a bank heist in progress, where the "good guys" are trying to slow down the robber's getaway vehicle (by flooding the transaction network).

I looked into this a bit more, and it seems very likely that the attackers are exploiting a recursive call - from https://live.ether.camp/account/304a554a310c7e546dfe434669c6..., I can see that most of the transactions are internal, with the API reporting monotonically increasing call-depth values. It seems like there are three recursive calls involved here: one call in the DAO, a second call to transfer money to the attacker, and a third "dummy" call which appears to transfer nothing (but presumably kicks off the next recursion into the DAO).

The scary thing, to me, is that someone else could figure out the bug right now and start exploiting it - presumably, all the relevant code is open source.
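As an added example, not code from the DAO, from slock.it, or from any commenter above, here is a small Python model of the recursive-call pattern the two comments above describe: a vault pays a withdrawal by calling the recipient before it zeroes the recipient's balance, so a malicious recipient can call straight back into the withdraw routine and be paid again, and the call depth climbs with each re-entry. The checks-effects-interactions ordering beside it closes the hole by zeroing the balance first. The Vault, Attacker and User classes, the 70/10 deposits and the depth cap are all constructed for the illustration; the real splitDAO logic is not reproduced, and a failed send is modelled as a caught exception rather than the EVM's false return value.

```python
"""Toy model of a recursive-call (reentrancy) withdrawal bug.

Constructed illustration, not the DAO's Solidity code. A Vault holds a
pool of ether and a per-address balance; sending ether hands control to
the recipient, who may call back into the Vault before it has updated
its own bookkeeping.
"""


class Vault:
    def __init__(self, deposits):
        self.balances = dict(deposits)        # who is owed what
        self.pool = sum(deposits.values())    # ether the contract holds

    def _send(self, recipient, amount):
        """Move ether out of the pool, then run the recipient's code."""
        if amount > self.pool:
            # The EVM would return false here; an exception is the toy stand-in.
            raise RuntimeError("insufficient contract balance")
        self.pool -= amount
        recipient.receive(self, amount)       # recipient code executes here

    def withdraw_vulnerable(self, caller):
        """Interaction before effect: the balance is zeroed only after the call."""
        amount = self.balances[caller.address]
        if amount == 0:
            return
        self._send(caller, amount)            # caller may re-enter here ...
        self.balances[caller.address] = 0     # ... and this runs too late

    def withdraw_fixed(self, caller):
        """Checks-effects-interactions: zero the balance, then send."""
        amount = self.balances[caller.address]
        if amount == 0:
            return
        self.balances[caller.address] = 0     # a re-entrant call now sees 0
        self._send(caller, amount)


class User:
    """Honest recipient: just keeps what it is sent."""

    def __init__(self, address):
        self.address = address
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """Malicious recipient: re-enters the withdraw routine from its callback."""

    address = "attacker"

    def __init__(self, withdraw, max_depth):
        self.withdraw = withdraw      # bound Vault method to call back into
        self.max_depth = max_depth    # stands in for the EVM call-depth limit
        self.depth = 0                # number of re-entries performed
        self.stolen = 0

    def receive(self, vault, amount):
        self.stolen += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                self.withdraw(self)   # balance not yet zeroed in the vulnerable path
            except RuntimeError:
                pass                  # pool ran dry; stop recursing


def run_attack(withdraw_name, max_depth=20):
    """Constructed scenario: alice deposits 70, the attacker 10.

    Returns (attacker_gain, alice_received, reentries) after the attacker
    withdraws via the named method and alice then tries to withdraw.
    """
    vault = Vault({"alice": 70, "attacker": 10})
    withdraw = getattr(vault, withdraw_name)
    attacker = Attacker(withdraw, max_depth)
    withdraw(attacker)

    alice = User("alice")
    try:
        withdraw(alice)
    except RuntimeError:
        pass                          # nothing left in the pool for alice
    return attacker.stolen, alice.received, attacker.depth


if __name__ == "__main__":
    print("vulnerable:", run_attack("withdraw_vulnerable"))  # (80, 0, 8)
    print("fixed:     ", run_attack("withdraw_fixed"))       # (10, 70, 1)
```

Each re-entry in the vulnerable path is one more nested call paying out the same still-unzeroed balance, which is the monotonically increasing call depth described above; the fix never needs a depth limit because the second call already observes a zero balance.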


I'm not sure someone else could start exploiting the bug - I suspect that they need to have DAO tokens and successfully vote to split their share off into a new sub-DAO they control first, and if I recall correctly there's a minimum voting period that has to elapse for that to happen.


This is astonishing. The company behind the DAO knew that the bug in question affected withdrawals from the DAO rewards balance and wrote a blog post saying this isn't an issue because it's empty, but either didn't bother checking whether withdrawals of people's original capital through the splitDAO mechanism (which is possible) had the same bug, or did and pretended it didn't exist and everyone's funds were fine.


> - At a high level, what does this attack actually consist of?

At a high level, The Dao is like Pokemon. Casual observation suggests that it may be a more or less consistent world internally and that a lot of people are very excited about it. A few of those people even claim to fully understand how it works. But there's a lot of fat guys with acne blindly spending on Pokemon cards thinking it's a wise investment.

Unfortunately, the fans are so excited that they jump up and down clapping all the time and forget to breathe while they're talking. This makes it very difficult to understand what they're trying to say. If you manage to understand, you will hear something like:

"Most Pokémon have only one type. However, EX Team Magma vs Team Aqua introduced Dual-type Pokémon, which have two different types. For a while, all existing dual-type cards had either Darkness or Metal as their secondary type, with the exception of certain Pokémon cards with the Dual Armor Poké-Body, such as Medicham from the EX Crystal Guardians expansion, which can have multiple types when certain energy are attached."

Now what possibly happened during the attack is that Pokemon cards are spontaneously catching fire! This is particularly troubling, because Pokemon just came out with a super-duper fire defence card and told everyone to buy it for lots and lots of money. And everybody did.

Now, while all of this is clearly very troubling for heavily invested Pokemon fans, in the grand scheme of things, well, a butterfly flapped its wings in China: there's a theoretical possibility that this affects anything, but in practice no one but fans cares.

> - How does ethereum "go missing" in a distributed blockchain, where you can see all the transaction endpoints?

1. keep the exp you earned 2. lose some money 3. wind back at the pokemon center at the pokemon league 4. have to start over on the e4

> Who loses and who gains from an attack of this scale?

Pokemon fans, obviously.

> How severe could this attack be - does it pose an existential threat to The DAO (or Ethereum, more broadly)?

Synchronoise when used by Pokémon like Umbreon. It deals damage to every Pokémon that shares the user's type, so in Umbreon's case it hits every Dark type Pokémon. Only it doesn't, because it's a Psychic move and always fails.


Funny, but to be fair this doesn't apply to Ethereum only, the vast majority of discussions here on HN would look like this to a person not interested in programming or tech.

And that's fine, nothing wrong with having a hobby and being passionate about it. Not everything needs to have an impact in the grand scheme of things.


Finally, an explanation of ethereum that makes sense!


Ah, thanks... I think I understand Pokemon now.


Presumably the attacker will stop short of doing anything that would completely destroy the currency, since they now own a lot of it


Or, they could just plow that currency into BTC at diminishing value as fast as possible. That's presumably what I would do if I discovered a bug like this and wanted to make bank.


I think they could also be shorting ETH, in dollars/euros/rubles/yuans, in which case destroying the currency would be excellent business for them, even if they can't extract what they stole.


Shorting small illiquid markets is very difficult and prone to blowing up in your face. The most recent famous example of this is Porsche/VW: http://www.economist.com/node/12523898


Any (presumably buoyant) entity actually offering that possibility?


Poloniex seems to be the exchange with the largest volume (I somehow doubt anyone is buying long-positions larger than that) - so it looks like they could at least cash out several thousand bitcoins - although it's been a while since I've been on their site and if they offer API access some of those positions might be automatically diverted as the price moves.

[0] http://coinmarketcap.com/currencies/ethereum/#markets

[1] https://poloniex.com/exchange#btc_eth


Poloniex has apparently stopped trading DAO tokens and ETH as well [1]

[1] https://www.reddit.com/r/ethereum/comments/4oiesu/polo_froze...


Can't they just take control of TheDAO, and then steal all its Ether?


And drop its value to nothing, why do that?


The purpose of a hack (or any crime) is not to extract the maximum possible value, but to extract the maximum value and get away with it. Cashing out quickly and disappearing is part of the escape strategy. They probably won't care if it destroys the currency.


TheDAO only owns 15% of Ether supply, so it would not destroy its value


It's a reentry bug - native ETH always calls the recipient contract's code on transfer, which can call back into the current function. If you manage native ETH and do your accounting in the wrong order, you can "withdraw" multiple times.

It doesn't "go missing", presumably the hacker will drain it into Bitcoin via any anonymous exchange accounts they have. Everyone loses big time (except the attacker if they manage to launder some of the coins). Watch for a wave of rebranding.

> How severe could this attack be - does it pose an existential threat to The DAO (or Ethereum, more broadly)?

We will see. The group behind TheDAO has a lot of pull - if Ethereum successfully rejects calls for a hard fork that will damage it severely in the public's eye, but will be the ultimate proof of concept.

> How is this attack being perpetrated? Has the attack vector been previously anticipated? Why is this unexpected?

Why, take a look: https://blog.slock.it/no-dao-funds-at-risk-following-the-eth...

Copied:

"""
No DAO funds at risk following the Ethereum smart contract ‘recursive call’ bug discovery

Our team is blessed to have Dr. Christian Reitwießner, Father of Solidity, as its Advisor. During the early development of the DAO Framework 1.1 and thanks to his guidance we were made aware of a generic vulnerability common to all Ethereum smart contracts. We promptly circumvented this so-called “recursive call vulnerability” or “race to empty” from the DAO Framework 1.1 as can be seen on line 580:

    // we are setting this here before the CALL() value transfer to
    // assure that in the case of a malicious recipient contract trying
    // to call executeProposal() recursively money can’t be transferred
    // multiple times out of the DAO
    p.proposalPassed = true;

Three days ago this design vulnerability potential was raised in a blog post which subsequently led to the discovery of such an issue in an unrelated project, MakerDAO. This was highlighted in a reddit post, with MakerDAO being able to drain their own funds safely before the vulnerability could be exploited.

Around 12 hours ago user Eththrowa on the DAOHub Forum spotted that while we had identified the vulnerability in one aspect of the DAO Framework, the existing (and deployed) DAO reward account mechanism was affected. His message and our prompt confirmation can be found here. We issued a fix immediately as part of the DAO Framework 1.1 milestone.

The important takeaway from this is: as there is no ether whatsoever in the DAO’s rewards account — this is NOT an issue that is putting any DAO funds at risk today.
"""


Slock.it are the cheerleaders of the DAO (and were the likely recipients of its funds had it not been hacked). They previously boasted about how their audit of the code found no issues other than a slight rounding error if the DAO became worth trillions of dollars. It's entirely in character for them to post further messages reporting how wonderful, secure and perfect their code is, in the face of terrible problems.


I find it truly amazing that a project with hundreds of millions of dollars at stake could have such a simple bug. After they discovered the first bug, it seems like they should have sat down to carefully audit all other places where that could happen - because it seems like the attackers certainly did!

From reading the article on Smart Contract security (https://blog.ethereum.org/2016/06/10/smart-contract-security...), I get the feeling that the programming model might be somewhat to blame. The "obvious" ways of implementing something are subtly broken, in ways that are very difficult to anticipate without a very deep understanding of the protocol. The programming model demands that the program be capable of calling functions that are not under the programmer's control, and which can do nearly anything. This is very, very difficult to get right, and very easy to screw up, as anyone who has tried to write a sandbox environment can attest to.


In my understanding the attack vector was anticipated for the executeProposal() function, but the attacker is using a recursive call of the splitDAO() function.

This blog post[1] from the Ethereum Team describes the possible attack.

[1]https://blog.ethereum.org/2016/06/10/smart-contract-security...


> if Ethereum successfully rejects calls for a hard fork that will damage it severely in the public's eye, but will be the ultimate proof of concept.

I guess if Ethereum makes a hard fork, that will damage it much more - basically, it makes the "smart" contracts unenforceable.


I'm surprised they don't have inbuilt support for some kind of async transfer primitive. So instead of doing:

address.call.value(amount) and the call being synchronous

you do:

address.call.queue_value(amount) and then at the end of your contract execution it runs the asynchronous calls that have been queued.

A lot of the DAO calls (all of them??) to external addresses don't need the result, so having an asynchronous transfer primitive would have just solved the problem.

These external callbacks are very dangerous. For example, you have function _entry_ call function _logic_ and everything is ok. Then someone decides to change function _logic_ to perform an external callback and this breaks the behaviour of function _entry_. When you have these non-local side effects from changes you will create security bugs very easily.
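The queued-transfer idea above, written out as a contract-level pattern in current Solidity. This is an added example, not code from the DAO, slock.it or the Ethereum project, and Solidity has no such primitive built in; the modifier emulates it. All names (DeferredTransfers, deferTransfers, _queueTransfer, SafePool, claimFailed) are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Deferred-transfer pattern (added example, not DAO or Ethereum code).
/// State-changing functions never call out directly: they queue
/// (recipient, amount) pairs, and the modifier pays the queue out only
/// after the function body has run, i.e. after every storage write.
/// A guard blocks re-entry while the queue drains, so recipient code
/// runs against final state and cannot get back into the pool.
abstract contract DeferredTransfers {
    struct Pending { address payable to; uint256 amount; }

    Pending[] private _queue;                      // assumed name
    bool private _draining;
    mapping(address => uint256) internal _failed;  // payouts that bounced

    modifier deferTransfers() {
        require(!_draining, "reentrant call");
        _;                                 // body first: all effects
        _draining = true;                  // then interactions, guarded
        uint256 n = _queue.length;
        for (uint256 i = 0; i < n; i++) {
            Pending memory p = _queue[i];
            // A failing recipient (out of gas, reverting, or trying to
            // re-enter) is recorded, not propagated, so one bad address
            // cannot block the whole batch.
            (bool ok, ) = p.to.call{value: p.amount}("");
            if (!ok) _failed[p.to] += p.amount;
        }
        delete _queue;
        _draining = false;
    }

    function _queueTransfer(address payable to, uint256 amount) internal {
        _queue.push(Pending(to, amount));
    }
}

/// Minimal pool using the pattern. withdraw() finishes its accounting and
/// returns; ether only moves after that, from the modifier.
contract SafePool is DeferredTransfers {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external deferTransfers {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;               // effect
        _queueTransfer(payable(msg.sender), amount);  // interaction, deferred
    }

    /// Pull-style recovery for a payout that failed during a flush.
    function claimFailed() external deferTransfers {
        uint256 owed = _failed[msg.sender];
        require(owed > 0, "nothing owed");
        _failed[msg.sender] = 0;
        _queueTransfer(payable(msg.sender), owed);
    }
}
```

A recipient whose fallback tries to call withdraw() during the flush hits the "reentrant call" guard, its own payout bounces into _failed, and it can only pull it later through claimFailed(), with the accounting already settled. The queue is only ever filled by the current call, so the flush loop is bounded by what that call queued; contracts that let one call queue many recipients should cap the count so the flush cannot run out of gas.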


We merged the earlier thread which linked to the transaction list (https://news.ycombinator.com/item?id=11921216) with this one, which has more context.


Here is a message from the attacker, I'm not sure if it was posted elsewhere http://blockchainforum.info/t/time-for-a-big-bank-roll-after...


I have a (maybe naive) question: why is the person draining ETH from DAO called "attacker"?

I seems to me that the idea behind smart contracts was to have unambiguous description of what are participants agreeing to. The "attacker" is doing precisely this - I had not heard of any bug in Ethereum implementation that is used, only "bug" in DAO's smart contract. So he is allowed to do this, by contract definition.

Isn't the whole idea of that kind of contracts worthless if people are still rolling back effects of it when "it does not what it was meant to do"?


Obviously you're right, that's tautological! The "attacker" didn't do more than what the system allowed her to do.

People have expectations about what the DAO is and isn't. I'd guess that very few people bothered to read the source code of the contract, let alone look for vulnerabilities. So you have a group of people who have agreed on an informal contract (we pool money, votes are weighted by the sum I've put…) but it turns out that the implementation is not correct w.r.t the informal specification. That's called a software bug and abusing a bug to your own profit makes you an attacker in my book, just as much that using a flash 0-day to drop a rootkit makes you an attacker.

People should have been more careful, but hey, I'm not sure I would have.


The 'Terms' section on DAO website states:

  The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.

Doesn't it state, by definition, that the DAO contract is bug-free, so it cannot be exploited? This is exactly what separates the DAO case from the flash-0-day-rootkit case.


> The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.

Nice. So if the community ultimately succeeds in preventing the "attacker" from withdrawing his funds, which he acquired in perfect accordance with the DAO code, which is the entirety of the agreement, could he publicly bring suit for violation of contract?


I think he could, but he would be bringing a lawsuit against a decentralized community with no leader. Also, the community still has to accept the fork, if no one does (or very few), he keeps the money. At least that's how it works from my understanding.


Well, apparently it isn't.


It's not a bug by definition of what contracts are. A contract can't have a bug because the implementation IS the specification. That is the whole point of the system. Even the DAO website says so itself. The code itself has the ultimate say:

> Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation.

Nobody should have entered this contract if they disagree with the above. Yet now, suddenly most people who are a part of it seem to disagree with it!


What you call an informal contract could also be seen as an incorrect interpretation of a contract.

If you're not willing to call that simply an incorrect interpretation, you end up with two systems - software and people that push the blockchain forward - that interpret contracts differently. You also give precedence to the latter, which will lose the ability to effectively enforce its interpretation the more distributed the system becomes.

Ultimately you have to choose between having one true interpretation of contracts defined by software or being unable to enforce contracts as interpreted by a non-deterministic system.

Choose the latter and not only is there no advantage over real world systems, it's worse at enforcement.


Totally agree. Which interpretation is correct is a decision for the Ethereum community to make (or whoever is in charge, I don't know much about the governance).

From the article:

> The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) […] preventing the ether from being withdrawn by the attacker […]. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

We'll see how the community reacts!


> I have a (maybe naive) question: why is the person draining ETH from DAO called "attacker"?

George Soros wasn't (afaik) breaking any law or contract when he drained a billion dollars from the Bank of England in 1992. I think most people in the UK would be OK with describing that as an attack.


I like this analogy, but no one tried to reengineer finance or the law to prevent Soros from spending his earnings.


A better analogy is probably Thaksin Shinawatra, where the rules are very much still up in the air, and where depending who has sway in Thailand, he can expect vastly different treatment.


They can call it whatever they like- he kept his money.


"George Soros wasn't (afaik) breaking any law or contract when he drained a billion dollars from the Bank of England in 1992."

I also like this analogy. I am also reminded of the Hunt Brothers and their (successful) attempt at cornering the silver market which was then thwarted by a rules change by COMEX[1]:

"But on January 7, 1980, in response to the Hunts' accumulation, the exchange rules regarding leverage were changed, when COMEX adopted "Silver Rule 7" placing heavy restrictions on the purchase of commodities on margin. The Hunt brothers had borrowed heavily to finance their purchases, and, as the price began to fall again, dropping over 50% in just four days, they were unable to meet their obligations, causing panic in the markets."

[1] https://en.wikipedia.org/wiki/Silver_Thursday


> I have a (maybe naive) question: why is the person draining ETH from DAO called "attacker"?

It's just a philosophical distinction. Suppose someone who had never built a software program in his life, successfully got a patent for "online marketplace for smartphone apps", and then went and successfully sued random weak-looking people for uploading their apps to the google play store.

Obviously he's abusing the system, and obviously he's a parasite preying on the weak with zero moral justification, in a way that threatens the very foundation of the tech industry... But what he's doing is not illegal; he's just exploiting a flaw.

Is he an attacker?

/shrug

Depends on how you define things, but the context makes the meaning clear in this case, I think.


Welcome to real life, where that's exactly how contracts, contract law and disputes over contracts work.


I understand what you're saying and don't necessarily disagree, particularly as I don't know enough about the subject to form a strong opinion. I would intuit that one might argue the contract was in error if there's a clear indication of intent.


This argument can be made for most/all software vulnerabilities.


Most software does not constitute a contract. If I run an internet connected computer I don't enter into an agreement with anyone on the internet to use my machine even if its OS has security holes enabling this. The DAO was supposed to be a contract specifying and enforcing in a formal and automatic way what the participants can do.


I am not sure. I believe that in many cases similar activity would be illegal or at least forbidden by Terms and Conditions.

In the DAO case I am not aware of any regulations or laws that the "attacker" has broken.


The DAO's 'terms and conditions' were the contract code itself. During the crowd sale, it was often said that 'investors' need to look at the code because that is the only binding agreement. I guess it turns out that's a lie too.


Could the attacker then attack DAO for breach of contract ? That would be the ultimate plot twist.


I expect the attacker either found a contract allowing them to short ether, or made some similar arrangement. Unless it's an attack on tech itself for personal reasons, someone's getting a lot of real money today...


> During the crowd sale, it was often said that 'investors' need to look at the code because that is the only binding agreement. I guess it turns out that's a lie too.

No, it turns out that that's completely true, and that's the problem.


And as such, the contract would include clauses to protect against that. If the contract did not, one of the parties likely can take advantage as they wish.

It is the same with Ethereum. If the DAO 'contract' does not include the terms, the 'lawyer' who wrote it just didn't do a very good job and it is open to taking advantage.


Well, that was kind of inevitable. Building a financial system out of pure code with no humans in the loop and no legal structure is building a self-distributing bug bounty piñata. It's decentralised, so there's nobody who can throw a breaker and shout "stop!"; cryptocurrency transactions are irreversible, so thefts are permanent; and it's somewhat anonymous, so thefts are hard to trace.

It also demonstrates that being first-to-market trumps security. If the DAO had waited until a full formal verification system exists and had been applied, they wouldn't have been able to pick up the $160m of overenthusiastic money keen to rush headlong into the hands of hackers.


I find it endlessly amusing that people are willing to bet their cold hard cash on "this code has no bugs".

When widespread old and tested code like OpenSSL has massive security bugs, what chance does something as new and in-development as Bitcoin/Ethereum have? And in the case of Ethereum, the contracts themselves?


> I find it endlessly amusing that people are willing to bet their cold hard cash on "this code has no bugs".

It's not "this code has no bugs" it's "this code has fewer visible bugs than the lower hanging fruit". If it's harder to find than any bug in any system with bitcoin (or other ethereum) in it, then people will find that stuff first. Bitcoin gave us out here in the IT world, for the first time in history, a realistic way to measure the large-scale security of various kinds of systems. Microsoft, for example, has not had the bitcoin from any of their wallets stolen. With every flaw that's found, we get the chance of learning how not to fail in the future.

Furthermore you have to invest in something. And it's remarkably hard to invest these days. Just try buying a house with ethereum, see how frustrating it is.


While I agree with your point, there is at least something to be said for blue sky codebases being able to use more secure languages/platforms and secure coding practices from the get-go, versus legacy codebases. Prevention of overflow and UAF vulns come to mind as an immediate win.


> a self-distributing bug bounty piñata

I think this is great actually. Maybe not for the people involved right now but there will be a very strong Natural Selection pressure on contracts.

It will be interesting to see what type of contract emerges and survives over time, the type of languages used to improve or prove robustness, etc.


Assuming that the "trust nobody" model survives these hard selection events. One more and the big money will dry up.


Exactly what I was thinking.

If they had some sort of fraud-related authorized structure, which was able to "reverse" the result of an obvious software bug, I would say that it would have been a much more stable financial system.


Except that would require human intervention. And the whole reason why people love cryptocurrencies is removing the "man in the loop", with administrative power to deny, reject, roll back, or deem illegal their transactions.

It's like these people have never seen War Games.

(It also attracts the kind of people who think that banks, financial institutions, VISA and Paypal are "very likely" to defraud them while something entirely new and unproven with no legal structure is somehow less likely to defraud them or lose their money. See also people who think that bitcoin might be more stable than the US dollar.)


They sorta do have that. If most of the community agrees to run a software update that rolls back the theft, then it'll happen.


Yes! Someone tried something new and difficult, and failed on their first try, therefore it must be impossible!


"They say 'there are no atheists in foxholes.' Perhaps, then, there are also no libertarians in crises." [1]

[1] https://www.hks.harvard.edu/fs/jfrankel/CatoRespCrisesJun07+...


(Not to take this post too serious, but I'll take the bait)

I'd argue that the solution proposed by Ethereum in this blog post is not antithetical to mainstream Libertarianism. It actually fits perfectly well into the role the majority of libertarians believe a state should take.

To begin with, from my understanding they merely proposed a solution which the community has to agree to implement. Just like modifying the bitcoin codebase.

It's still ultimately an additional layer of decentralization in between. Taken as a whole - even if Ethereum takes action against the attacker - what DAO represents would still be very very far from the representative democracy style system that libertarians take issue with.

Importantly, libertarians are not all anarchists (or 'crypto-anarchists' or 'anarcho-capitalists' to be more accurate) who believe in total decentralized control structures. Mainstream libertarians wish for a minimal state or "night-watchman" state, and not the total absence of a state.

This is the most prevalent myth about libertarianism and the faulty premise of most attacks against it.

Even many hardcore anarcho-capitalists are against the idea of decentralized judicial and law enforcement systems - as they see it as unworkable.

In the book "Anarchy, State, and Utopia" [1] popular libertarian thinker Robert Nozick argues that

    [..] only a minimal state "limited to the narrow functions of protection against force, theft, fraud, enforcement of contracts, and so on" could be justified without violating people's rights. 
Therefore supporting the solution Ethereum proposed does not make you less of a libertarian. But it does make you less of a crypto-anarchist.

[1] https://www.amazon.com/Anarchy-State-Utopia-Robert-Nozick/dp...


Doesn't necessarily make you less of an anarchist either. Anarchy isn't an absence of rules or decisions, it's having decision making mechanisms that are non-hierarchical (now, the preferred size of those decision making structures and how to keep them from becoming pseudo (or real) States in their own right is a whole different discussion). In this case, one could argue that miners are making a decision collectively through a very imperfect mechanism (subject to possible hijacking, attacks, and tyranny of the majority), but still a non-hierarchical one.


My knee-jerk reaction is to say the libertarians rarely have power during crises anyway, and democracy ensures that those who "do nothing" lose their power in the face of interventionist opponents come election time.

Not that they were libertarians, but the presidents during the 1920-21 Depression[1] acted slowly, and the economy bounced back incredibly quickly. From the article:

> However, by the time Harding had called his conference, the country's economy had already shown signs of rebound, and by 1922 was starting the economic boom of the 1920s[13] and merely allowed for President Harding to claim success.

[1] https://en.wikipedia.org/wiki/Depression_of_1920%E2%80%9321


developer asks token holders to spam the network to delay the attack o.O

griff [10:05 AM] @channel The DAO is being attacked. It has been going on for 3-4 hours, it is draining ETH at a rapid rate. This is not a drill. You can help: If anyone knows who has the split proposals Congo Split, Beer Split and FUN-SPLT-42, please DM me. We need their help! If you want to help, you can vote yes on those aforementioned split proposals, especially people whose tokens are blocked because they voted for Prop 43 (the music app one). We need to spam the Network so that we can mount a counter attack; all the brightest minds in the Ethereum world are in on this. Please use this:

    for (var i = 0; i < 100; i++) {
      eth.sendTransaction({
        from: eth.accounts[4],
        gas: 2300000,
        gasPrice: web3.toWei(20, 'shannon'),
        data: '0x5b620186a05a131560135760016020526000565b600080601f600039601f565b6000f3'
      })
    }

to spam the chain


This is wild. It sounds like the plot of a really bad 90's hacker movie.


THEY'RE GOING FOR THE GARBAGE FILE!!!


Hack the Planet! HACK THE PLANET!!!


Type 'cookie', you idiot!


This is the nuttiest thing I've ever seen.



Because it's malicious code to steal a bunch of funds from the users wallet? Or because many people are running it?


It's not malicious code. It's a correctly-executing smart contract. They have no basis to call this a theft or attack or anything.


I found the self-DOSing to slow down the attacker pretty nutty.


self-DOXing or self-DOSing?


Denial of service, corrected


I think that was a message from the rebel base?


"It's a trap"


Quick! Create a GUI interface using Visual Basic. See if I can track an IP address.


BRIGHTEST MINDS.


Congratulations! A month after the first real test of the "distributed", "safe" cryptocurrency featuring "enforceable" contracts, it turns out it's none of this.


I share your bitterness.

The meaning of the word "safe" seems to vary from person to person. The ETH and contract devs think safe means having a static PL to capture contracts.

But in reality it is safe as in, whoever exploited the vulnerability now has a "safe" source of income in a few weeks.

Perhaps it is a lesson better learnt now than later when the stakes are even higher.


> whoever exploited the vulnerability now has a "safe" source of income in a few weeks.

Well, that would be safe (in the sense that you got money according to the contracts in the ETH network), but the problem is that the developers are trying to take this money away from the exploiter! I.e. they're trying to undo whatever action was enforced by a crystallized contract everybody agreed upon!


Well, she doesn't, they will block the attacker outright by a centralized decree. What's the better proof that decentralized solutions work than blacklisting accounts and making ad-hoc forks for each attack.


The attack runs within the rules of the DAO and so does the counterattack. It's still distributed.


What if the attacker made their move before it could be blocked?


The DAO code that the stolen ETH is held in doesn't allow spending for 27 days, by which time the Ethereum developers hope to have 51% of node power on the fork that blocks transactions involving this address.


A system not vulnerable to such simple attacks?


Depends how you define attack, really.


I wrote this attack up last week -- a solidity dev initially noticed this bug, but seemed to think it wasn't a big deal. http://vessenes.com/more-ethereum-attacks-race-to-empty-is-t...

The comments here are generally spot on; it's a combination of problems -- upgradability is designed to be hard because other people's money shouldn't be easy to steal, programmers are not used to making whole programs reentrant, existing documentation underplays risks, or alternately just tells people to do the wrong thing.

A better language would help, better documentation would help, better standards about how to write the programs would also help.

And, of course, more eyes are helpful. I'm an outsider to Ethereum, and got a very polite response, overall the community has been great. That said, there just aren't enough people looking at these contracts right now.


> That said, there just aren't enough people looking at these contracts right now

I hope this doesn't kill the project. Having programs that give you money when you find bugs in them could be a very powerful incentive to develop new tools to write correct code.


I've been thinking the same thing!


Reading their blog about "smart contract security" [1] is just mind-blowing. Like, I thought that was the core of the product, but somehow they've designed a language which makes it extremely difficult to not get your smart contract hacked? And now the solution to this situation is going to be better documentation and IDEs? Oy.

[1] https://blog.ethereum.org/2016/06/10/smart-contract-security...


Me from a month ago: "... having had a quick scan over the language documentation, it looks to me like a bog-standard imperative mutable language. One that is very young, and with few if any features designed for being used in a high-security environment. It appears to be based on raw event-based programming, a style of programming very easy to mess up and hard to declare and preserve invariants in. It looks like a very dangerous programming language to be trying to write financial contracts in. At least it's not dynamically typed, does seem to avoid excessive coercion, and should be memory safe; it could certainly be worse. But it could be better, too." https://news.ycombinator.com/item?id=11726734

I don't know off the top of my head what I would design into my contract language, but Solidity has numerous things in it that I would not.

I guess in their further defense, the way I'd want to design the contract language is what is right now some really cutting edge programming language theory. I'd be looking very hard at the Total Functional Programming languages [1]. "Total" here is not just an enhancing adjective, it defines a specific characteristic of the languages with regard to how they terminate. But it still would have legitimately been research to figure out how to correctly convert from a programming language to its cost-to-execute correctly enough to be in a financial application. I believe TFP research right now is mostly focused on how to write TFP code that practically accomplishes things without having to write some pretty mathematically-complicated circumlocutions, not modeling costs.

I also would have looked at doing something with FRP, not because it's the hottest new thing necessarily, but because the ability to express every participant's obligation in a single block of code like a thread rather than an event-based setup would have made these contracts much easier to write and audit.

The combination of these two things is probably an entirely untouched domain, or at least effectively so.

Ethereum is a fascinating idea. It's not hard to imagine something architecturally like it being huge in 50 years. It's not hard to even imagine it as the basis of cstross' unspecified "Economy 2.0" in Accelerando. But it might just be 5 or 10 years too early to work now.

[1]: https://en.wikipedia.org/wiki/Total_functional_programming


My guess at how the attackers are doing it:

They are calling splitDAO:

https://github.com/slockit/DAO/blob/develop/DAO.sol#L618

splitDAO calls withdrawRewardFor which ends up calling back into the users contract.

https://github.com/slockit/DAO/blob/develop/DAO.sol#L686

        withdrawRewardFor(msg.sender); // be nice, and get his rewards
        totalSupply -= balances[msg.sender];
        balances[msg.sender] = 0;
        paidOut[msg.sender] = 0;
The state is modified after the callback, in particular the balances variable.

however, earlier in the function it moved funds to a new dao based on the balances variable.

        // Move ether and assign new Tokens
        uint fundsToBeMoved =
            (balances[msg.sender] * p.splitData[0].splitBalance) /
            p.splitData[0].totalSupply;
        if (p.splitData[0].newDAO.createTokenProxy.value(fundsToBeMoved)(msg.sender) == false)
So presumably an attacker can call splitDAO and then recursively call splitDAO, and the funds will be transferred twice. There are also some complications around rewardToken because this state is modified before the callback, but apparently it is all zero at the moment.

If this is the bug the attackers are exploiting, then maybe if they generated rewards it would stop the drain of funds.

However, the fact that the draining is still going on, and that the DAO people are likely to know how they are doing it and it hasn't been stopped, reduces my confidence that this is how the attackers are doing it.

EDIT: to add, I don't think you can cash out the new DAO for 28 days, so this is probably not how the attackers are doing it.

EDIT: update again.

https://blog.slock.it/dao-security-advisory-live-updates-2a0...

'It would appear the attacker has moved the stolen ether to a child DAO, which means that the funds be moved for at least 27 days.'

-> I'm now fairly confident this is how the attack worked :)


This makes sense to me, but where's the actual code that calls into the attacker's contract and lets the attacker call back into splitDAO?

And how on Earth is it a good idea to allow one contract to call another? There are any number of more sensible ways to communicate that don't have this problem: allow contracts to pass messages to other contracts, allow contracts to subscribe to each other's events, etc.


withdrawRewardFor ends up calling ManagedAccount#payOut which does _recipient.call.value(amount):

    function payOut(address _recipient, uint _amount) returns (bool) {
        if (msg.sender != owner || msg.value > 0 || (payOwnerOnly && _recipient != owner))
            throw;
        if (_recipient.call.value(_amount)()) {
            PayOut(_recipient, _amount);
            return true;
        } else {
            return false;
        }
    }
So the 'vulnerable' code is calling a function in another contract, and it is this function that is doing the external callback. This is why security is so hard. Every time you add an external callback you need to trace all of your callers to check that they are correctly re-entrant, or every time you use another function you need to trace forward to make sure it doesn't have any external callbacks.
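A plain-Python model of the two pieces quoted in this thread (the splitDAO ordering from the earlier comment, and the payOut external call here), added as an illustration and not code from DAO.sol or slock.it; the class and function names and the sample balances are constructed:

```python
"""Constructed model (not DAO.sol code) of the splitDAO ordering discussed above:
fundsToBeMoved is computed from balances[msg.sender], then withdrawRewardFor ->
payOut -> _recipient.call.value(_amount)() hands control to the recipient, and
only afterwards is balances[msg.sender] set to 0.  The fixed variant applies the
checks-effects-interactions ordering instead.  Names and numbers are invented."""

from dataclasses import dataclass


@dataclass
class Dao:
    balances: dict            # DAO tokens per account, like balances[] in DAO.sol
    total_supply: int         # current totalSupply
    ether: int                # ether held by the DAO contract
    split_balance: int        # p.splitData[0].splitBalance (snapshot at proposal time)
    split_supply: int         # p.splitData[0].totalSupply  (snapshot at proposal time)
    child_dao_ether: int = 0  # ether sent to the new DAO via createTokenProxy.value(...)

    def funds_to_be_moved(self, sender):
        # Same arithmetic as the quoted snippet; Solidity uint division truncates.
        return self.balances[sender] * self.split_balance // self.split_supply

    def create_token_proxy(self, funds):
        # Models createTokenProxy.value(fundsToBeMoved): a value transfer that
        # returns False (so the caller throws) if the DAO is out of ether.
        if funds > self.ether:
            return False
        self.ether -= funds
        self.child_dao_ether += funds
        return True


class SplitFailed(Exception):
    """Stands in for Solidity's `throw`; in this model it unwinds every level."""


def split_dao_vulnerable(dao, sender, recipient):
    """Ordering as in the quoted DAO.sol: external call before the state update."""
    if not dao.create_token_proxy(dao.funds_to_be_moved(sender)):
        raise SplitFailed
    # withdrawRewardFor(msg.sender): payOut issues _recipient.call.value(_amount)()
    # unconditionally, so the recipient's code runs even when the reward is zero.
    recipient.on_payout(dao, sender)
    dao.total_supply -= dao.balances[sender]
    dao.balances[sender] = 0          # effect recorded only after the interaction


def split_dao_fixed(dao, sender, recipient):
    """Checks-effects-interactions: zero the balance before any external call."""
    funds = dao.funds_to_be_moved(sender)
    dao.total_supply -= dao.balances[sender]
    dao.balances[sender] = 0          # a re-entrant call now computes funds == 0
    if not dao.create_token_proxy(funds):
        raise SplitFailed
    recipient.on_payout(dao, sender)


class ReenteringRecipient:
    """Audit test double: a recipient whose payout callback calls splitDAO again
    `depth` more times, the way a contract's fallback can re-enter its caller."""

    def __init__(self, split_fn, depth):
        self.split_fn = split_fn
        self.depth = depth
        self.calls = 0

    def on_payout(self, dao, sender):
        self.calls += 1
        if self.calls <= self.depth:
            self.split_fn(dao, sender, self)


def run_split(split_fn, depth=2):
    """Run one split against a re-entering recipient; return ether moved to the child DAO."""
    dao = Dao(balances={"member": 100, "others": 900}, total_supply=1000,
              ether=1000, split_balance=1000, split_supply=1000)
    split_fn(dao, "member", ReenteringRecipient(split_fn, depth))
    assert dao.balances["member"] == 0
    return dao.child_dao_ether


if __name__ == "__main__":
    # The member's share is 100 ether; two re-entries move it three times.
    print("vulnerable ordering moved:", run_split(split_dao_vulnerable))  # 300
    print("fixed ordering moved:     ", run_split(split_dao_fixed))       # 100
```

The same `ReenteringRecipient` harness is how an audit can check any other call site of payOut: run it against the function and assert that the amount moved does not grow with the re-entry depth.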


> (The soft fork) will later be followed up by a hard fork which will give token holders the ability to recover their ether.

Does this mean that transactions are going to be rolled back?

If so, are they planning to do this every time a vulnerability is exploited? Is The DAO too big to fail?


Remember that when they say it's a suggestion, it's truly a suggestion. If a majority of the miners refuse to accept the update, then what anyone at the Ethereum foundation wants them to do is irrelevant.

There is definitely a lot of social pressure to consider here, but there is still no central switch. I'm generally not a huge fan of cryptocurrency (as currencies that is, I love the tech), but I fail to understand why so many people oppose this move so rabidly. They're in the same situation with respect to forking that they were yesterday: whatever 51% of the community decides to do will happen.


Rubbish, this is as centralised as you can get. Of course it will go through, because the alternative will cause forks and chaos. Miners have little to no choice but accept this decision from on high.


By the same standard, any theoretically forkable open source project with an even slightly non-isotropic community surrounding it is "as centralized as you can get". What exactly is decentralized then?


A lot of social pressure is probably an understatement. slock.it are implying that people who oppose the hard fork are likely to be the attacker and asking people to contact them with information about the identity of anyone who organizes opposition to it: https://twitter.com/christopherhesh/status/74379447973649612...


Yeah, but that's slock.it (not the Ethereum foundation), who were the same ones who found a similar bug in their code elsewhere and just plastered over it while claiming that there was no risk. They have a history of being cocksure about their programming, and didn't even think to take a quick look at the rest of their code. It's unsurprising that they're being scuzzy about this too, and I think the Ethereum community is pretty fed up with them at this point :P


You're right, this can't happen every time.

If users truly want to embrace the decentralization then I see issues with the Ethereum maintainers doing very centralized and specific fixes to solve individual problems.

DAO != ETH, but I see how this is an act of self-preservation due to the amount of stakes the maintainers have themselves in ETH.


How easy is it to tell if you're getting tainted coins? Just the mention of this sort of hard fork means anyone who is exchanging coins for USD or BTC is at risk of being stuck with a hot potato, with impacts on convertibility and confidence in the whole system.


The stolen coins are unspendable for the time being due to the design of the contract.


because... ?

Sounds like someone already got stuck with the hot potato. Was it definitely the hacker? If so, how did the contract's design make the coins unspendable? Sounds like it would have been an odd contract to enter into.

Sounds like the powers that be have said, 'I have altered the deal. Pray I don't alter it any further.' If you're going to do this sort of thing, you need a transparent policy describing the circumstances under which you're going to do that and who will make that decision.

It's almost as if complex contracts need to come under a system of laws and an adjudication process. Otherwise might is right (in this case might being all profit to the superior hackers, or to the people who can make the decision to repudiate the letter of the contract)


There's a lot of people who disagree with the hard fork idea and instead only want miners and clients to soft fork boycott the stolen coins.

What will happen depends on the collective decision of the community which is still being actively hashed out.


If the DAO is "too big to fail", are Vitalik and the core dev team the equivalent of a "lender of last resort"[0]?

[0] https://en.wikipedia.org/wiki/Lender_of_last_resort


I don't think they're going to roll back transactions but rather build in the functionality to "give token holders the ability to recover their ether".


And how are they going to do that?


By changing the rules and bailing out a 'too big to fail' entity.

At least this way, with no full-scale rollback, other people's transactions won't be affected.


I'm no expert on Ethereum code (just started looking at it now), but it looks like the DAO didn't look for similar issues with the latest security fix.

https://github.com/slockit/DAO/commit/f01f3bd8df5e1e222dde62...

             reward = rewardAccount.balance < reward ? rewardAccount.balance : reward;
      
     +        paidOut[_account] += reward;
              if (!rewardAccount.payOut(_account, reward))
                  throw;
     -        paidOut[_account] += reward;
     +
              return true;
          }
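Review bot: Moving `paidOut[_account] += reward;` ahead of `rewardAccount.payOut(_account, reward)` is the right ordering for this function (the state change is recorded before control leaves the contract, and the `throw` on a failed payout reverts it anyway), but the fix is local to this call site: every other caller of payOut needs the same ordering check, and the empty `+` line left where the old statement was removed should be dropped.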
But if you grep payOut you see a similar broken pattern, where it modifies the state after the call instead of before it.

        if(_toMembers) {
            if (!DAOrewardAccount.payOut(dao.rewardAccount(), reward))
                throw;
        } else {
            if (!DAOrewardAccount.payOut(dao, reward))
                throw;
        }
        DAOpaidOut[msg.sender] += reward;
But apparently this is not how the DAO is being drained, because there are no rewards at the moment.

This is a good summary of the problem:

https://blog.ethereum.org/2016/06/10/smart-contract-security...

and it should scare you about the security of smart contracts based on Ethereum.

EDIT: mm.. maybe it is safe because the addresses dao/dao.rewardAccount() can't be controlled by attackers


There's a pretty significant lesson here, and it's not that the DAO authors were careless. They were, and so were all of the investors, but the core problem is not the DAO.

It's Solidity. It's the Ethereum virtual machine. Even today, security vulnerabilities are being found in code strategies that are generally considered 'best practice'.

Writing a safe smart contract on Ethereum is extremely difficult, and most people playing with Ethereum don't seem to realize this. There's a pretty well understood maxim, "don't roll your own crypto." Ethereum's smart contracts ARE cryptography, and their safety depends on implementation details that are completely hidden from users during tutorials, and that even the language designers are only still discovering.

This article does a good job of demonstrating that safety is really hard: https://blog.ethereum.org/2016/06/10/smart-contract-security...

And it's one of the major reasons that the Bitcoin devs have not been excited about Ethereum. It's a project whose ambitions have outpaced our ability to engineer safely.

One day we can have safe smart contracts. But the Ethereum of today is not well designed, and is not a good foundation for smart contracts. A simple hardfork to fix this DAO mess isn't going to be enough. The whole virtual machine needs to be redesigned.

And my money is quite seriously on Bitcoin figuring out the safe way to do smart contracts faster than anyone else. The vast majority of experienced experts in this space are still spending the majority of their time on Bitcoin. As popular as Ethereum has become, Bitcoin still owns the mindshare, and there are good reasons that Bitcoin has chosen not to pursue smart contracts at this time.


Nice summary!

I think Ethereum is finished now.

The trust in it will disappear, or the money invested in it will disappear. Either way, the value goes to zero.

I was just getting interested in it.

I'm feeling both sad and relieved. Sad that it didn't succeed, relieved that I didn't sink any time or money into it.


> Writing a safe smart contract on Ethereum is extremely difficult

Writing may be difficult. It's reading that should be easy. Unless you can read the contract, you can't put your money there, and an example of an Ethereum contract looks like this:

    ADD
    SWAP1
    RETURN
    JUMPDEST
    PUSH1 0x60
    SWAP4
    DUP5
    MSTORE
    PUSH1 0x80
    SWAP3
    DUP4
    MSTORE
    PUSH1 0xa0
    SWAP2
    SWAP1
    (750 lines omitted)


Some numbers to get a grasp of the scale:

> There is 2.436.828 Ethereum in the account of the attacker (see: https://etherchain.org/account/0x304a554a310c7e546dfe434669c...)

> That's about 3% of all Ethereum mined (source: http://coinmarketcap.com/currencies/ethereum/)

> The Ethereum in the account of the attacker has a value of $41 million

> The volume is about 30% of all Ethereum trade today



It's almost as if a cryptocurrency system used by the grey market and black market sections of the internet contained actual blackhats. What a surprise.

Much as I hate to link to reddit, for effective and biting criticism of cryptocurrencies: http://reddit.com/r/buttcoin


This might serve as a future warning to NOT write your own VM.

Sure, it's probably a contract issue, but we'd have some much better contract code if the VM didn't require you to code defensively all the time.


Do you mean there are some existing VM designs that could have been used instead of EVM?


What grey/black market sites accept ETH? Pretty sure most of them historically have been Bitcoin based.


eth is traded to and from bitcoin on various exchanges, so it's a parallel.


>eth is traded to and from bitcoin on various exchanges, so it's a parallel.

eth is also traded to and from USD on various exchanges, so that's a parallel, too?

Listen, I'm no ethereum fanboy here, but logic, let's use it.


So is the USD and a bunch of other currencies, what's your point? You can also trade ETH for USD on most big exchanges.


And USD are used for all kinds of illegal things; solutions include restricting paper transactions to $100 units of currency (so that large amounts of currency are bulky and heavy) and all kinds of restrictions on transactions over $10,000.


This wasn't the impression I got of Ethereum. Nor am I terribly shocked at their talk of a hard fork. They always seemed more "pragmatic" about these things than typical bitcoin fans, more of a "if a majority of the participants are OK with it, what's the problem?" attitude. Which is IMO more realistic.

The DAO, though, that always seemed slightly fishy to me. "A company for carrying out an undertaking of great advantage, but nobody to know what it is right now".

Buttcoin in my experience has been less about insightful criticism and more about ... well, the kind of criticism the name suggests.


Yeah, I mean, did anyone NOT see this coming? All these crypto currencies are a disaster already, then someone has the bright idea to have them execute code. Gee, what could go wrong.


Well, their language is disappointing. They allow programs to ignore function return values, a misfeature inherited from C which has no place in a contracts language.

Then there's the possibility of forcing early program termination via stack overflows.[1] Having to protect against that inside each program is just silly. The contract engine should have been designed so that if a contract program crashes, anything it did is rolled back.

[1] http://hackingdistributed.com/2016/06/16/scanning-live-ether...


I recall reading in the Bitcoin docs that the Forth-like scripting language was non-Turing complete. In addition, nothing particularly complex was using the scripting at the time.

I guess this sort of thing would be the reason. One thing is finding bugs in ordinary software, where the bugs are accidents. It's hard.

Another thing entirely is where you are looking for adversarial bugs. Just look at security articles that appear on HN now and again. They're incredibly complex, and it's not like you can turn off the firehose. When you fix one gap, someone will find another.

I haven't done a lot of reading on ETH, but I would imagine the smart thing to do would be to have some small number of contract types that a lot of people can stare at and try to break. The more attention is distributed among various bespoke contracts, the harder it gets to secure them.

It's like everyone building their own awesome cars, with special bells and whistles, and then asking these non-security engineers to design a lock. Everyone will end up re-learning some painful lessons.


They are debugging it right now. The ultimate bug bounty program.


I always thought that Ethereum had a huge attack surface. Each script has to be security audited, etc. That's the thing about Bitcoin. It's as simple as possible while still being secure and useful, and has been beat up and audited by the best security pros in the world. Distributed Systems are not easy. Secure distributed systems with Byzantine fault tolerance are even harder. Ethereum is just trying to do too much.


Doesn't this show an issue with the Distributed Systems on Ethereum, with every script that has to be audited individually, and not with the platform itself?

I'm with you on the fact that proper auditing is an absolute must, as this DAO fiasco shows, but I don't think this event exposes any flaws in the Ethereum platform itself.


I recently attended an Ethereum workshop that was scheduled for two hours. Three hours later and most of the audience were no wiser about Ethereum than when they first entered the room. It certainly didn't help that the workshop was led by a web developer (a passionate Ethereum supporter) who had no interest in the consensus algorithm or other dense technical issues, but what was quickly apparent to me was that Ethereum has a steep learning curve. With such technologies, it is important to take more time to understand the concepts and the details. Maybe in the rush for VC money, some developers have failed to grasp that.


The consensus algorithm is actually not that important for understanding day to day stuff. Some "private blockchains" actually just use round-robin.


Agreed - this is a problem with the DAO, not with the ethereum network itself.


It seems that we need formal verification for smart contracts and maybe a more restricted language that makes it easier to reason about correctness.

Obviously it's not enough to just say "some guys did a security audit and everything looks fine."


Yes! It's not like the technology isn't already there, well documented, and waiting for use.


I've held a similar opinion, but lately with the run up in the Ethereum price I was worried that I was missing something other people saw. Apparently this isn't a vulnerability in Ethereum itself, but it may still have serious consequences for the network.

There are plenty of proposals to add complexity to the Bitcoin system. I hope that people promoting those proposals pay attention to this example of the problems complexity will inevitably cause.


Most people really don't understand the difficulties involved. It's an incredibly hard thing to get right.


Turing machine, meet the halting problem

It's not just hard.


I started archiving the slock.it #general slack channel when this attack began. This is where most of the discussion has been taking place. Here's up until a few minutes ago:

http://pastebin.com/DykumjLs


@channel EMERGENCY ALERT! IF YOU HAVE A SPLIT OPEN PLEASE DM @griff ASAP!!!

azzo [2:22 PM] what's DM


This is comedy gold.


Not everyone uses (I'm assuming) Twitter


Yeah, should it be PM? They are on IRC, after all.


That's Slack, not IRC. Slack uses the term "Direct Messages" for private conversations.


azzo [2:23 PM] What DM !!!!!!!!!!!!!!!


Fantastic entertainment right there, thanks for creating this..

So much self importance mixed with faux understanding of technology and a dash of desperate desire to belong to a special group.

On a more positive note, my bitcoin wallet is rapidly approaching steak dinner territory as of last month. It's the little things in life!


Current favorite:

dan_tudor [3:49 PM] So who is buying Dao tokens right now?


Oh, nobody saw that coming. Completely unforeseeable.

What other mature, ready-for-primetime autonomous altcoin networks can I dump my savings into for no apparent reason?

Edit: "DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH."

No they shouldn't. They should run screaming for the exit doors. Less than two months after the launch of this mysterious "DAO" with an entirely bogus value proposition, 1/3 of the money put in, worth presently some $39 million USD in real money, has been confirmed stolen.


WTF. There is the equivalent of millions of dollars in this blockchain? How?! Who willingly puts real cash up front for this kind of thing? Just... what?!


Yeah, I know, right? I don't trust actual, qualified fund analysts to pick real investments for me, I stick largely to index funds. Yet a bunch of cryptoweenies have decided to pool their money in cryptoweenie form in some kind of insane, fragile investment club, so a bunch of cryptoweenies stupid enough to think this is a good idea can collectively vote on what to do with each other's money by simple majority vote, without restriction? No. Just no.

Right now the proponent of this fraudulent scheme, slock.it, is actually urging people to spam the blockchain to slow down the rate of theft. Yet the true believers are claiming this is a "learning experience" that will make it all better in the long run. It's beyond satire.


Public blockchains have been around since 2008 (Bitcoin). If you don't like it, I'm not going to try to change your mind. But this kind of shocked response from people who have seemingly been living under a rock is really almost a kind of spam in these threads.


Two words: Ignorance and greed.


Use this link because the ethereum blog is suffering.

http://pastebin.com/xW16N7Ye


Thanks!

I don't understand why the site should be suffering so much? All these sites seem to suffer when a link gets posted in a few places. Do they all have something in common?


excessively large userbase compared to the amount of people who vote/comment is what I figure

+ I'd imagine quite a lot of people were expecting this blogpost, probably anyone who put more than $50 towards the DAO, and is currently awake


Can someone eli5 what DAO and ethereum are?


Ethereum is a P2P accounting system, like Bitcoin, but allowing users to upload automatic contracts that decide autonomously what to do with the tokens they possess.

For example, you could upload a contract that lets some specific set of accounts withdraw money unless the balance goes under 500 ETH (which is the basic Ethereum currency).

"The DAO" is such a contract but with more complex logic that amounts to a kind of venture fund. If you send money into it, you get to vote in proportion on proposals for "The DAO" to fund projects.

That contract was hyped enormously as the future of financing etc and indeed received an enormous amount of ETH from people who hoped it would benefit the Ethereum ecosystem.

In the first weeks after its recent launch, the contract logic was shown to have economic flaws that would most likely lead to bad fund performance, and it seemed as if the incentives for voting on proposals didn't work: no proposal ever made it past the threshold.

And now it turns out that despite the assurance of security audits, the logic (written in Ethereum's contract language Solidity) had a serious bug that allowed an attacker to start draining all of the fund's assets.


Now there are a couple things I still do not understand.

1. How do I exchange this cryptocurrency for something that I can go and buy a sandwich with at the Deli?

2. Why is there a need for this instead of using traditional methods with contracts, banks, etc? Money as is, is a collective illusion we all subscribe to anyway, and these things aren't any more different from that. What is the purpose of this cryptocurrency?

3. Who on earth are putting all these millions of dollars into these systems and how?


1. You just make an agreement with someone who would like to buy your tokens for some national currency. If you ever played an MMORPG or Diablo 2 or something, you know that "imaginary" digital items can be traded for "real" money. There are many exchanges where you can do this conveniently.

2. For one example, consider how tedious it is to open a new bank account; with cryptocurrency, you just make a new keypair. Smart contracts improve on normal contracts in that they are executed automatically and cheaply. One of the first theoreticians of smart contracts wrote:

"A canonical real-life example, which we might consider to be the primitive ancestor of smart contracts, is the humble vending machine. Within a limited amount of potential loss (the amount in the till should be less than the cost of breaching the mechanism), the machine takes in coins, and via a simple mechanism, which makes a freshman computer science problem in design with finite automata, dispense change and product according to the displayed price. The vending machine is a contract with bearer: anybody with coins can participate in an exchange with the vendor. The lockbox and other security mechanisms protect the stored coins and contents from attackers, sufficiently to allow profitable deployment of vending machines in a wide variety of areas. Smart contracts go beyond the vending machine in proposing to embed contracts in all sorts of property that is valuable and controlled by digital means."

http://szabo.best.vwh.net/smart_contracts_idea.html

3. Lots of different people. Many of them probably purchased the tokens when the network was young and the exchange rates were much lower, or mined the tokens themselves. The sum of the market value of these networks starts at zero and gets bigger as the tokens become scarce and valuable.


>> consider how tedious it is to open a new bank account

You make it sound like a person needs to open a separate bank account for every transaction, which is clearly not how people manage their finances.

I'm in the same eli5 boat. I can't fathom why anybody would put real cash into such a system. It comes across as "because I'm rich as fuck and can gamble away my money on a stupid tech system that is not realistically viable". Just... why would anyone use this? It makes no sense, unless this just offers a way to attempt to hide one's identity while participating in illegal ventures.

I know a lot of tech nerds. Not one of them would ever join a system like this. I just don't get who is voluntarily subjecting themselves to this insanity. Can someone out there who has actually used Ethereum explain why they've done so? I would really appreciate some kind of insight into this whole concept, as I just don't understand.


No, I mean if you want a new bank account, for example because you started a new business, you need to put on pants, go to a bank office and fulfill whatever the bank demands.

The banking world is extremely interested in blockchain technology and smart contracts. Browse through financial news and you'll see the extent of it—it's huge.

Your conviction that blockchains are stupid insanity seems to me like it will be proven very wrong in the next five years.


> I can't fathom why anybody would put real cash into such a system.

They take the risk for hopes of future profit; it's an investment.

> Just... why would anyone use this?

Because they want to see the world change, it's a protest against the current financial system.


In the country of my current residence, there are government plans running that provide additional benefits beyond simple salaries. These are food-tickets, leisure and vacation credit that are allocated on plastic cards. I loathe these. They are a way of faking actual payment. These credits and tickets are not accepted everywhere, unlike the currency of the country is. They carry second-class monetary value, and the system is set up in a way so that these leisure credits time-out after 2 years of allocation. Imagine your dollars or euros disappearing due to expiration. Nonsense.

Beyond their inconvenient use, they are not valid outside of the country either. In essence, they have created a closed ecosystem, making sure that you can only spend this 'money' within their own system. You cannot transfer these funds outside of walled gardens, in this case the country's legislative borders. I see cryptocurrency the same way. If everyone starts using it, it will have universal value. However, to use it, everyone would need to have access to internet and mobile devices. I do not see that happening anytime soon. And please don't reference the number of mobile devices. Internet infrastructure is much more expensive to build than to supplement everyone with cheap phones. [1]

I cannot really relate to your vending machine example either. In case of a vending machine example you are quoting that 'anybody with coins can participate in an exchange with the vendor.' This only works if the universally agreed currency is the one expected by the vendor. Your vending machine would not accept my Eastern European Monopoly Money whereas the expected input is in Euro. Same for cryptos: where the expected input is that of a currency backed by financial institutions trading in the same currency, I will laugh at you when you attempt to pay in bitcoin, dogecoin, ether (literally the primordial Greek deity of pure air), whatever.

With point three you suggest that the real value of these systems is for people who got into the Pyramid Scheme early. Again, I think these institutions are frauds, and I would not be surprised if it surfaced that the creators of this blockchain system planned to pull off such a scam in the first place.

[1] http://paiwandgah.af/personal-data-leaked-from-smartphones-n...


National currencies must also be exchanged for other currency when you want to spend in some other currency regime. I can't spend my SEK elsewhere without exchanging, just like with BTC and ETH.

Even so, an asset can be valuable even if it's not used as daily currency. You can't buy a Coke with gold.


It allows a person to enter a contract without requiring her to trust the other party.


Correct me if I'm wrong, but the patch is not in the DAO contract. It's in the Ethereum platform. I don't know what the alternative would be to prevent the attacker from draining the DAO, but this patch seems incredibly hacky. Will this just be an ever-growing oopsie transaction blacklist in the code?


I don't know about ever-growing. The community is very actively discussing the implications of this bug, whether and how to mitigate it, etc. Probably the failure of "The DAO" will be an important event in the Ethereum history that people will refer to, for example to point out the importance of contract security diligence... But yeah, your concern is shared by many.


Cryptocurrencies are digital tokens. Ownership of these digital tokens are kept in a ledger called a blockchain. Every transaction or transfer of tokens is recorded in the blockchain. Everyone can also see the blockchain as it is a public ledger. Both Bitcoin and Ether are cryptocurrencies. Bitcoin was the first to demonstrate blockchain technology. In practice, these tokens function like programmable money. However the usefulness of Bitcoin is limited. Ethereum was developed to expand the original concept so more things could be done with these digital tokens. Ethereum made the programmable tokens more powerful with features like smart contracts. It is worth noting that each cryptocurrency has its own blockchain which can be confusing.

DAO is an autonomous corporation that runs on top of Ethereum. The digital token in the Ethereum ecosystem is called Ether. So the DAO raised somewhere around ~$150M USD in equivalent Ether funds during its IPO-like phase.


I am thinking the same, this is all hieroglyphs for me.


The DAO is basically an investment fund, i.e. people pool money to invest in companies and get shares.


The interesting question for now is: is what that unknown party does illegal? If The DAO code is the contract, then using the code in this way would be like using some fine print clauses in a contract.


I remember reading somewhere that the DAO was basically hastily coded under pressure, without any QA or security audit, so that explains things.


hell yes, let's all put $150 million in something with no QA or security audit, what can possibly go wrong? also, I need to buy a gallon of PCP.


Umm they (TheDAO) were very loud about the fact that they had a security audit from a famous firm.


It's not as bad as it seems. The hackers have their ETH locked in a Child DAO, so they will not be able to get the ETH out for a long time, by which a fix will be issued. The entire Ethereum Ecosystem is collaborating on a solution.

[0] https://www.reddit.com/r/ethereum/comments/4oiib4/dao_is_saf...


Does the child DAO inherit the parent's code? If so, the money could be drained right back.


I think you have to own at least a little bit of the child DAO to drain it, and presumably only the attacker owns any.


Interesting side point to this: some people wondered why DAO units immediately traded at a discount and many thought it presented an "arbitrage" opportunity, but this hack illustrates why it was always rational that the DAO should trade at less than the redemption value. The value of DAO units is capped on the upside, but not on the downside, and this hack is one way (of many) that downside risk could manifest itself.


Well, that wasn't long. And we might just have found out the single reason against Smart Contracts.


Why is there so much money in a crypto currency so young?

It's young software, of course it will fail around a little.

Is it because the beginning is where you make the bet to become really rich when the thing lifts off?


Response from the official Ethereum Foundation: https://blog.ethereum.org/2016/06/17/critical-update-re-dao-...


That yields, amusingly, a blank page for me right now.



Is this related to https://www.ethereum.org/ ?

"Ethereum is a decentralized platform for applications that run exactly as programmed without any chance of fraud, censorship or third-party interference."

Right ...


Oh, it is absolutely right (as far as we know). But "exactly as programmed" doesn't mean "exactly as intended" it means "exactly as programmed", with bugs and vulnerabilities and all.

“This is the land where dreams–dreams, do you understand–come to life, come real. Not daydreams: dreams.” There was about half a minute’s silence, and then with a great clatter of armor, the whole crew were tumbling down the main hatch as quick as they could and flinging themselves on the oars to row as they had never rowed before. . . . For it had taken everyone just that half-minute to remember certain dreams they had had–dreams that make you afraid of going to sleep again–and to realize what it would mean to land on a country where dreams come true. - C. S. Lewis’s Voyage of the Dawn Treader


The system's only as good as the code you write on it.


No, it isn't directly related to Ethereum (ETH). The DAO is a thing built on top of ETH that is supposed to operate like a decentralized corporation directly through direct democracy of its constituent investors. Its website is https://daohub.org/


Am I misreading this? The suggested solution is to hard-code an account hash into the source of Ethereum? If that's the case, how can that be taken seriously? It sounds like Ethereum should just start over entirely. The experiment part I failed.


Site doesn't load. Does anyone have a tl;dr for the not so informed? What's DAO? Does Ethereum have a weak spot?


This is how I understand the situation:

- 2,436,828 Ethereum has been routed to the address starting "0x304a554a310c7e546" [0]

- This is worth roughly $46,000,000.

- This has happened because there is some weakness in the Ethereum security.

- The conversion between Ethereum and USD is dropping significantly, now down to 16. [1]

Due to this security threat, the developer is telling people to try to effectively DDOS the service in order to stop all transactions. Also, people are being told to split, but I can't see why.

Copy of page at 9:45: http://puu.sh/pvOqy/929f40bddb.png

[0] https://etherchain.org/account/0x304a554a310c7e546dfe434669c...

[1] http://puu.sh/pvOVw/5443a70ced.png


Is this a weakness on Ethereum or the DAO?


The fact that many scripts written suffer similar vulnerabilities unless extensive (and, seemingly, failure-prone) mitigations are applied suggests that the root cause is a known design flaw in the Ethereum smart contract architecture.

Doubly so when the latest reviewers of this system and custodians of the DAO include the system's creators.

When building systems that provide irreversible transaction processing, safe only under perfect use is not sufficient.


Ethereum is a general purpose system: it has sharp edges. We can use the same reasoning to condemn C/C++'s pointers (people trip over themselves all the time, even serious audits occasionally miss big bugs), but we still survive with C code running much of our lives. If there are issues with implementing in Ethereum code directly, there are many ways of addressing it and only some of them view the issue here as a 'flaw' rather than a 'hard to use feature'.

Ethereum just has to work. It doesn't have to be pretty. It doesn't have to be easy. Being pretty will help it work, but there's enough money on the table, and TheDAO demonstrates this, that it will advance on alternative institutions if it works.

TheDAO may never be 'safe' or 'perfect'. It only has to be safe right now, from the threats that real, interested parties are capable of implementing. This list of threats is quite large at $250,000,000, and will be larger when/if TheDAO/its descendants hit $250,000,000,000+.


I can't read the page but I was under the impression that recently someone found a problem with the DAO and then they put all DAO activity on hold until they could fix it. Perhaps someone is exploiting that problem or another one they found.


TheDAO. It's a flaw in the way they wrote the contract.


0xbb9bc244d is the The DAO account.


Article content:

Posted by Vitalik Buterin on June 17th, 2016.

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c... even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community that will likely be forthcoming in the next week on mitigating such bugs, and (2) avoid creating contracts that contain more than ~$10m worth of value, with the exception of sub-token contracts and other systems whose value is itself defined by social consensus outside of the Ethereum platform, and which can be easily “hard forked” via community consensus if a bug emerges (eg. MKR), at least until the community gains more experience with bug mitigation and/or better tools are developed.

Developers, cryptographers and computer scientists should note that any high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum are prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous finance grants.


Hang on. So because this one contract is poorly specified, they've decided to change the universe to prevent its existence? Wow. That's some fiat power right there.


It's worse because everyone considers Vitalik as some god of decentralization


The miners will vote whether to perform the bailout or not.


Whilst it's bad that people's money is being stolen, this could end up being a good thing for cryptocurrencies. Investors burned by this will certainly be demanding more robust security around cryptocurrencies in the future.


This pretty directly contradicts a lot of the hype around Ethereum. Yes, bad contract code is bad, but a lot of money is about to evaporate. If it isn't easy to write secure contracts then there is a serious deployment problem.


This is what really annoys me about the Ethereum VM: there was no need for Turing completeness. Bitcoin has a perfectly good scripting system that they keep adding opcodes to, and it is not vulnerable to some of these kinds of attacks.


It's a giant pain in the ass to code Bitcoin. In a few years, all of these kinds of attacks will have been tried against various Ethereum contracts and it will be hardened and still easy. It will still be very cumbersome to code Bitcoin.


Could you point me to some resources showing recently added opcodes?

Last time I looked at the Bitcoin code they had actually disabled some of the original opcodes due to security concerns. I'd be interested to see that this trend had reversed.


Sorry, I should probably edit my comment to say "over the years" and not necessarily recently.

I think my point was more that the conservative approach Bitcoin takes works better on the long term, and there's still proposals that slowly get implemented.

I first got into Bitcoin in 2011, and since then there's been plenty of new opcodes, and as you say some original ones that got disabled as they presented risks.

Latest one I can think of that got implemented would be OP_CHECKLOCKTIMEVERIFY in 2014/15 (?), but I haven't really kept up with the BIPs that much with all the infighting.


No money is going to evaporate. First of all, the value just changes hands and second of all, there is no money involved, just toy bits.


well the market price of ETH went from $22 earlier today to as low as $15 in the last 30 minutes so I would say a lot of value has evaporated even if the eth itself hasn't.


I would not consider fraud schemes valuable.


Exactly, it's just toy bits. But we live in a reality so upside down that we value toy bits and numbers on paper more than the real things :)


What do you think money is?


Just an idea - why not contact the attacker (via a public message), and offer him or her a deal - they get to keep say 1% of the stolen amount, given that they upload a smart contract that guarantees the money is sent from the stolen account to a "trusted" address (from where it will go to DAO 2.0). That way everyone wins, hacker gets paid a fair amount for finding the security hole, no messy forks.


Give back tens of millions of dollars for what? Karma?


Because smart contracts are (often) contractual obligations on real world things, they only hold as much power as the apparatus of coercion (usually the State) will allow them to hold. That is, you must trust the political authority first and foremost before you trust the contract. This is very different to bitcoin, which operates purely in the digital realm, where you can trust the ownership of the btc without requiring trust of the political authority. So bitcoin solves a trust problem and this makes the less efficient distributed architecture worthwhile (it would be much cheaper and far faster to operate a digital currency in a centralized way). But if you have to trust the political authority for digital contracts on physical goods, what is the point of the extra cost? I'm dubious there is any real benefit.


As a non-bitcoin person, I'm sitting here thinking someone's Database Access Object has a vulnerability.



Can someone explain what is going on here?


I'd also appreciate an explanation for an audience who's never heard of DAO or Ethereum.


A Turing complete blockchain was used to create a crowd-funded venture fund [TheDAO].

There was a bug in TheDAO's code. It got exploited in order to siphon off cryptocurrency worth many millions in USD.


New blog post on dao hub. Seems pretty grim:

https://blog.daohub.org/the-dao-is-under-attack-8d18ca45011b...


At the risk of being heavily downvoted, I think it is discussable if the hackers deserve their money or not when all the security and ethics are based on code since hacking is a pure part of it. Note that I said "discussable" and not right or wrong.

A good thread is evolving about this here: https://www.reddit.com/r/btc/comments/4oibqw/ding_dong_the_d...


Real time chart for DAO/BTC (Down 41% currently): https://poloniex.com/exchange#btc_dao


And has now dropped to down 60% in the 20 minutes since you posted...


I do not understand Ethereum well, but it seems like bigger contracts (with $10 million worth of value) could be built on top of smaller ones which have been proven (with time) to be correct and not contain mistakes.

We all know that smaller pieces of code can be more easily reviewed and understood. I think that this applies to simpler contracts with smaller value. If a contract has been running for a while without being exploited, then it means that it is pretty solid, and others can build on top of that contract.

It is an interesting dynamic, because there is an incentive to exploit bad contracts, and the contracts that have run for a long time and that have not been exploited yet are thus trusted to be unexploitable (because no one exploited them).

If that is how it works, it means that Ethereum will eventually become a fail-proof system. However, one should not mistakenly create contracts from the ground up or using untrusted sub-contracts. The ones who do so will see their contract exploited and everyone will learn from that mistake.

Edit: Seems like Vitalik Buterin asking people to get that patch if they agree for the Ethereum ecosystem to move in that direction is just creating opportunity for fragmentation in the community. It would make more sense to let that "exploit" become a lesson instead of trying to work around this non-issue.


Slock.it will be so disappointed, they never managed to grab any of the cash from their creation...


Well, or they've managed to grab over 2m eth from their creation...


Yeah, the presale website was pretty cool though.


Still, maybe they can get a refund from the people that did the code audit?


This is massive. I observe with great interest how it will be handled - Ethereum is still young enough that doing a hard fork can be the sensible choice, and people can agree to do so (since such a large portion of ETH is now owned by baddies).

It has been said before, but there ain't no drama like Blockchain drama. No TV show, no book, nothing has me following its story like Bitcoin and the other blockchains that came after it. Greatest drama of the millennium, so far.


This is an example of why I created my mantra for high-assurance security: "tried and true beats novel and new." Another is to wait at least 10 years for specific tech and techniques to prove themselves out before betting lives or entire businesses on them (startups an exception).

The blockchain and DAO models are very new. They introduce new mathematical constructs, complex code, security issues we haven't thought about, coordination among many for such issues, and so on. Ethereum even includes an interpreter or something, which has its own set of risks. So, I refused to bet on such models given enormous risk means stuff is going to happen to them that isn't going to happen to regular financial processing. We also have mitigations for most of its risks.

Today is a good example. This is the kind of thing you're not going to see the Federal Reserve, VISA/Mastercard, most banks, or even large eCommerce sites announce. It probably won't be the last announcement of an unusual issue. So, anyone wanting stable currency + commerce should avoid stuff like Ethereum unless they're just investing small amounts to help them experiment & improve. Risk/reward doesn't make sense on such immature tech.


The DAO is written by consultants specializing in Ethereum contracts. They have core developers on their team. They are good, but one mistake is all it takes. (And their business idea to sell a "DAO framework" is probably going to be hard after this.)

The bug that was exploited here has been public for a week before someone decided to try it in practice. There was time to dispense back everyone's ether, had they taken it seriously. But taking security seriously requires an almost superhuman distance to your work.

The Ethereum developers are actively debating whether to put in logic to replay the blockchain in order to give back everyone's ether. While that's probably a good idea, it also means the company behind Ethereum can reverse any contract. That puts them in a difficult situation, as any smart contract platform will have dissatisfied parties at all times. (In comparison, none of the Bitcoin thefts have been reversed, and it's not clear they could have been as development is much less tightly knit.)

It's the most exciting thing since the fall of MtGox. The money at stake is comparable (the DAO is about a fourth of what MtGox was in perceived value).


And now for a critical update regarding the DAO vulnerability...

Error establishing a database connection


The ultimate answer to all attacks, pull the cord.


While it is easy to cherry pick past comments and pretend it was insight instead of luck, I have to say my intuition was pretty quickly validated that so much money in something so untested and complicated was excessively risky:

https://news.ycombinator.com/threads?id=CyberDildonics&next=...


I see a lot of confusion mixed with the good old HN hate for crypto which is justifiable but just to be clear, the breach was with a single piece of software written on the Ethereum network (the DAO). Not a vulnerability with Ethereum. The eth that is locked is the funds that were paid to that contract (TheDAO), not the network's funds.


The DAO lasted even less time than I thought.


It didn't even make it out of the nest! Poor fat tender little fledgling org devoured in a blink.

I was expecting it to at least bubble, before failing hard.


I was giving it until the splitting time was up. So much idealistic naivety. Would have been interesting to watch. I'm sure there'll be more attempts at DAOs yet. Lesson learnt at least.


ETH's creator just called on exchanges to halt all trading of ETH and DAO.

https://np.reddit.com/r/ethereum/comments/4oif2x/dao_attack_...


For me, the interesting part is that the creators of Ethereum have decided that the owners of the address in question have committed a "crime" and to change the way the blockchain works in order to punish them specifically. Sure, users can "vote" by choosing whether or not to accept the fork in the code that does this, but because of the way it's set up, the community isn't going to take it that way. I'm afraid that this sets a precedent that would discourage development (what if we changed the way the entire internet works every time someone hacked a website?) and also allow powerful entities within the system an unfair advantage (would we do this for everyone who used a contract of which they didn't understand the full implications? Or is this only in the case of the DAO because of its high profile?).


As far as attacks go, this seems to fall more within the "for the lolz" category than an actual attempt to draw money. If they had kept it reasonable, say a couple of hundred thousand worth, this would probably have gone unnoticed for a long time (maybe long enough for the 27 day payout window to expire).


Wow, theDAO has a shockingly cavalier attitude to security (https://github.com/slockit/DAO/wiki/The-DAO-v1.0-Code):

> At the time of deployment, it was discovered that the solidity compiler is not deterministic. AST nodes are identified by their raw pointers. So if we iterate over data structures, different raw pointers might result in a different iteration order.

> We originally wanted to let the community deploy The DAO and then just check the bytecode, but this was not possible at the moment of deployment. So instead a fixed transaction bytecode was provided for the community to deploy.

Shouldn't they have waited to deploy until they figured out how to make it verifiable?


"Move fast and break things."

In all seriousness though, when it comes to cryptography, cryptocurrency, and smart contracts, people are playing with fire, and they don't realize it. You can't fix a smart contract the same way you can fix a website. The fact that it functions is not good enough to push it out to the public.

Most software projects don't have that problem. Most software projects, it is okay to push buggy beta code out to the public. Because most software projects don't steward large amounts of money in an irreversible payment system.


I can't help but imagine the attacker party/their associates read reddit and online forums, and thus would be vocal in criticizing the soft/hard fork decision. The theft of $50m is being rendered useless in front of their eyes - a maddening situation I'm sure.


It looks to me like the "thief" has already won; it has turned into an ideological debate; I would be surprised if ~any proposal to fork reaches a majority.


Is this a weakness of Ethereum or the DAO? How much analog money was invested in total in the DAO?


Of both, I guess. Or of cryptocurrencies in general.


Oh, I didn't know that you could make recursive calls on the DAO! Gosh, to me plain for loops (what people call Turing complete) themselves looked a bit too much, from a scaling point of view. I wrote my thoughts on the same 23 days back, when there was an article on CoinBase praising Ethereum in comparison to Bitcoin[1].

I have no axe to grind against Eth vis-a-vis Bitcoin. In fact I support both. But I try to look skeptically at parts of the former which I think are oversold, without being looked at critically.

[1] https://news.ycombinator.com/item?id=11772397

edit: minor rephrase


Why does everyone mix up a decentralized system with a self-controlled system? Decentralization doesn't mean there is no power to regulate or no coordination between users/agents; it is just a model of architecture for a system where power belongs to local entities. That absolutely doesn't mean that there aren't rules and bodies to defend them [1].

[1] https://www.intgovforum.org/cms/wks2015/uploads/proposal_bac...


I currently don't own any Ethereum. I'd like to point out that those who are saying that this means there's a "too big to fail" concept within Ethereum are missing the key point that when the US (and other places) did too big to fail bailouts it was a concerted effort between unelected central bankers and government officials who are perceived to not necessarily have the best interests of the people in mind. At least if Ethereum makes a decision that the DAO is too big to fail, it will have done so via consensus, and parties that don't like it can take their assets and leave.


Many people here are stating that its purpose is tainted if they can just undo what the attacker did. After all, why not just have a centralized authority after all?

I haven't researched this deeply, admittedly, but I think the idea is that they're using consensus from the community in order to undo what the attacker did. In other words, if the community didn't support it, it wouldn't be possible to do at all. Contrast this with a centralized authority that didn't need community involvement at all.


This works for the obvious thefts and high profile contracts, but what about smaller contracts and more gray areas? Will the miners know about or care enough to actually efficiently resolve disputes fairly? Will there be a fork for the person who lost $500 because of a bug in his contract? I’m worried that miners policing everything won’t be sustainable and in the end code will be the final arbiter on Ethereum, and as we all know writing code without bugs is an unrealistic expectation to place on people.



What concerns me is that they want to do a soft-fork to handle just this case. One shouldn't fiddle with the protocol every time something like this happens.


Update, the coins stolen can't be spent for 27 days and Vitalik (one of the creators of ethereum) is proposing a fork to refund the ether. https://steemit.com/ethereum/@vladislav/critical-update-re-d...


I don't really understand smart contracts yet, but wouldn't it have been possible to implement the DAO in a way such that forks/cancellations could be "voted" on by the network somehow, versus requiring whatever this is going to require? Code fork? At least the fork would have been "decentralized" then... this does not bode well at all.


Not loading for me, see https://archive.is/YkANN


Market is reacting to it: https://www.coingecko.com/en/price_charts/ethereum/usd Ethereum down from $21 to $15 in minutes.


The price of ETH just went from $20.45 to $14.01 in the last 24 hours... I just got out in time and am gonna wait this out a little bit :)

https://www.gdax.com/trade/ETH-USD


It seems to me that the DAO is a large enough player in the Ethereum community that this plan is likely to succeed. If it does, it will be the first example I know of where a 51% attack was successfully executed against a popular blockchain.

Whether or not this is a desirable thing depends on your goals. From the perspective of the Ethereum community, which is heavily invested in the DAO, it makes a lot of sense. Even if this vulnerability causes you to write off the DAO as a failed experiment, it makes sense to recover some of your lost value before you exit.

However, for my goals, this causes me to write off Ethereum as a cryptocurrency I will never, ever use. It's breaking the fundamental benefits of the cryptocurrency to fix the problems of one group. And further, if this is possible for Ethereum, it makes me think that a 51% attack is more plausible for other cryptocurrencies. This worries me. I'd like to see more research put into defending against 51% attacks.


> On August 15 2010, it was discovered that block 74638 contained a transaction that created over 184 billion bitcoins for two different addresses. This was possible because the code used for checking transactions before including them in a block didn't account for the case of outputs so large that they overflowed when summed. A new version was published within a few hours of the discovery. The block chain had to be forked. Although many unpatched nodes continued to build on the "bad" block chain, the "good" block chain overtook it at a block height of 74691. The bad transaction no longer exists for people using the longest chain.

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu...


While this does demonstrate a 51% attack, I think there's a key difference here. With the 2010 Bitcoin fork, the problem was a bug in the core infrastructure which was broken. The 51% attack broke the core infrastructure, but that core infrastructure was already broken. In that case it was a matter of choosing which way the core infrastructure breaks.

In the current Ethereum situation, the core Ethereum infrastructure isn't broken. The problem is with the contracts in the DAO. So creating an intentional fork is breaking the core infrastructure--which isn't broken--to fix the problem of a single majority stakeholder.

I don't mean to indicate the Bitcoin fork wasn't a problem--the fact that bugs can break core infrastructure also concerns me. But it's a very different problem from the one the DAO is creating here.


Article about The DAO since parent link is flaky: http://www.coindesk.com/the-dao-just-raised-50-million-but-w...


As an outsider, this is stunning to me: why isn't there a contract revocation mechanism? Considering these things are programmable, it could be something as simple as a killswitch hash sitting in a lawyer's safe somewhere, right?


The whole point of the exercise is to not have it under human control.


It seems that's a very expensive exercise with very predictable results. And "human control" is a very malleable concept, too. Obviously, there are humans in control of Ethereum somewhere, and obviously the DAO was set up by humans, too. For a decentralized commercial entity to have a lawyer on retainer doesn't seem like an inappropriate betrayal of principles to me, but of course the DAO people see it differently.


Ethereum's byline is: Build unstoppable applications.


For context 2 Million ETH is in the 30-40 million USD range at recent market prices.


I always thought nobody had any actual plans as to how the DAO could do anything useful.

Now I guess we know it won't. Either "hackers" will bankrupt it, or all the decentralization zealots will back out (and bankrupt it).


Since when are programming languages considered safe from logic flaws?


The price of DAO has tanked: https://cryptowat.ch/kraken/daobtc/1h


I mostly invested only in bitcoin. I knew already that they will win in the end anyway. I think I invested around 10% in dao / ether. More for fun than anything else.

Seems like I was right.


It looks like it stopped at 6am US Central. Maybe someone ran it as a scheduled job thinking they could be sneaky about it before becoming inattentive?


Serious questions: Is this a crime? Should it be?


An official statement was issued by Ethereum: https://blog.ethereum.org/2016/06/17/critical-update-re-dao-...

Since it is under load, here is a copy:

An attack has been found and exploited in the DAO, and the attacker is currently in the process of draining the ether contained in the DAO into a child DAO. The attack is a recursive calling vulnerability, where an attacker called the “split” function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.

The leaked ether is in a child DAO at https://etherchain.org/account/0x304a554a310c7e546dfe434669c... even if no action is taken, the attacker will not be able to withdraw any ether at least for another ~27 days (the creation window for the child DAO). This is an issue that affects the DAO specifically; Ethereum itself is perfectly safe.

The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.

Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH.

Contract authors should take care to (1) be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community that will likely be forthcoming in the next week on mitigating such bugs, and (2) avoid creating contracts that contain more than ~$10m worth of value, with the exception of sub-token contracts and other systems whose value is itself defined by social consensus outside of the Ethereum platform, and which can be easily “hard forked” via community consensus if a bug emerges (eg. MKR), at least until the community gains more experience with bug mitigation and/or better tools are developed.

Developers, cryptographers and computer scientists should note that any high-level tools (including IDEs, formal verification, debuggers, symbolic execution) that make it easy to write safe smart contracts on Ethereum are prime candidates for DevGrants, Blockchain Labs grants and String’s autonomous finance grants.

— Vitalik Buterin
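Added example (not code from the page, the DAO, or the Ethereum project): a small Python model of the recursive-call bug the statement above describes. A contract pays out via an external call before zeroing the caller's balance, and the payee's payment callback calls split again; the hardened version applies the checks-effects-interactions order so the re-entrant call finds nothing owed. The class and method names, the depth counter standing in for the gas limit, and the amounts are all constructed for the model.

```python
class VulnerableDAO:
    """Pays out via an external call BEFORE zeroing the balance (the bug)."""
    def __init__(self, total_ether):
        self.ether = total_ether       # ether actually held by the contract
        self.balances = {}             # token-holder accounts (constructed)

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def split(self, who):
        owed = self.balances.get(who, 0)
        if owed == 0 or self.ether < owed:
            return
        self.ether -= owed
        who.receive(self, owed)        # external call: payee's code runs here
        self.balances[who] = 0         # state update happens too late


class SafeDAO(VulnerableDAO):
    """Checks-effects-interactions: update state before the external call."""
    def split(self, who):
        owed = self.balances.get(who, 0)
        if owed == 0 or self.ether < owed:
            return
        self.balances[who] = 0         # effect first
        self.ether -= owed
        who.receive(self, owed)        # interaction last; re-entry sees 0 owed


class ReentrantHolder:
    """Token holder whose payment callback calls split() again."""
    def __init__(self, max_depth):
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth     # stands in for the gas limit

    def receive(self, dao, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            dao.split(self)            # re-enter while the balance is stale
            self.depth -= 1


def run_split(dao_cls, pool=100, stake=10, depth=5):
    """Deposit `stake` into a pool of `pool` ether, then call split once.
    Returns (ether the holder received, ether left in the contract)."""
    dao = dao_cls(pool)
    holder = ReentrantHolder(depth)
    dao.deposit(holder, stake)
    dao.split(holder)
    return holder.received, dao.ether
```

With the vulnerable ordering a single call to split pays the holder's 10 ether six times (once per nesting level, until the depth limit stops the recursion), while the safe ordering pays it exactly once.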


If the attacker is just moving funds into a child DAO, could someone else attack the attacker? A digital Robin Hood?


One thing I'll say for Ethereal - the problems they have read like the flavor text from a Vernor Vinge novel.


Time to reread "Mirrorshades".

The street finds its own uses for everything.



This is what happens when you are the first cryptocurrency with a Turing complete scripting language.



I suggest putting money into the stock market instead. It's much more consistent, e.g. http://finance.yahoo.com/echarts?s=%5EGSPC+Interactive#symbo...


Anyone know how to short ETH?


BTC-e and Poloniex offer margin trading including short selling.


Poor Ethereum now gets the bad press for TheDAO's hasty mistakes.


Ethereum just had its busiest day of trading ever and is down 25%.


EtherScan is a Block Explorer and Analytics Platform for Ethereum, which is a decentralized platform that runs smart contracts.

What is this platform??? What is "DAO"??? What are "Uncles"??? What is "Ethereum"???


With all due respect, this wasn't very constructive. HN is full of new and strange acronyms. Most of us either skip the article about it if we're not interested or simply google the term.

Ethereum is a blockchain based cryptocurrency that also lets you submit programs to the blockchain that nodes around the world run in exchange for a small fee.

I don't know what Uncles are, other than the brother of your father.

The DAO is a smart contract, basically a program, that runs on the Ethereum network. It's a bit of a venture capital fund that was open for 30 days to new investors. People submit investment proposals to TheDAO, and the investors decide if the investment proposal should receive funding. If it does, profits are sent back to TheDAO and distributed to the investors.

EtherScan is a block explorer for Ethereum.


Well I mean the topic just assumes one knows everything there is to know about the subject, and to me, that's just wrong. I had no idea what any of that stuff meant, so I went to research it, and came back even more confused than I was when I started.

Nevertheless, I thank you kindly for taking the time to explain.


Context-free headlines are a pattern on HN, and apparently are acceptable. Examples include this submission and things like "Buffer layoffs" which was not about staggering layoffs, but about a company named Buffer. Who knew?


So the attacker can buy very cheap eth/dao right now, then somehow stop/reverse the attack/send money back/claim it was white hacking and effectively launder all the money he gained legitimately.


This can't be good for the price of ETH.


Please forgive my ignorance here, but what _is_ "The DAO"? The link to Ethereum doesn't help much. What is a "smart contract"?


That was a legitimate question. Why the downvote?


Isn't it a race condition?


"Put a fork in it"


What else did people expect would happen if you give them an arsenal of loaded foot guns?


Still an outstandingly exciting adventure!


Site doesn't open.


I'm curious how much of Hacker News' kiss of death is trying to access the page in the browser, and how much is following that up when it doesn't immediately work with pinging, "curl -I -v", etc.


I'm assuming it's being hugged to death by hacker news.

If you wait long enough it loads for me.


If you wait long enough, CF will serve a cached version to you.


That sounds pretty bad


"The "hacker" simply used the DAO as it was meant to be used ... and deserves the funds."

Exactly. DAO is CoreWar meets Nomic.

https://en.wikipedia.org/wiki/Core_War

https://en.wikipedia.org/wiki/Nomic

Designers of rulesets (laws, board games, markets, control systems) ignoring Gödel's incompleteness theorems should themselves be ignored. Just like we ignore inventors of perpetual motion machines who ignore the laws of thermodynamics.

https://en.wikipedia.org/wiki/Gödel%27s_incompleteness_theor...


We detached this subthread from https://news.ycombinator.com/item?id=11923240 and marked it off-topic.


Not sure where you're saying Gödel's incompleteness theorems come in, but I agree that DAO is a game of Nomic.

Now... the ability to hard-fork is kind of in the rules as well. So it's a Nomic with a complicated endgame. Some guy just won the Nomic, but now he's finding that not only do you want to win, you want to win subtly, or else a majority can vote to undo your win.

But anyone who still thinks DAO is an investment vehicle is missing the fact that it's a high-stakes game, and cleverer people than them are going to win it.


"Not sure where you're saying Gödel's incompleteness theorems come in, but I agree that DAO is a game of Nomic."

I know what he means - he's suggesting that you can't ever get a bulletproof or watertight set of rules or guidelines for a system because ... blah blah ... Gödel's incompleteness theorem.

This is a very tempting idea and I myself have given it a lot of thought over the years.

The problem is, Gödel's incompleteness theorem applies to a system that contains the complexity of the set of all real numbers. But there are plenty of systems that do not have that much complexity and there are plenty of rulesets we could create and implement that would also not have anywhere near that amount of complexity.

So the analogy sort of falls apart there. It's still worth thinking about, though - the more complex your system of rules/laws/regulations/etc. becomes, the closer you are to a system that is mathematically guaranteed not to be airtight.

Good luck explaining that to lawmakers.

EDIT: YES, CORRECT, SORRY - I did mean to say the set of natural numbers, not the set of real numbers. Mea culpa.


Godel's theorem applies to systems that model the natural numbers (specifically, Robinson arithmetic), not real numbers. The first-order theory of the real numbers is decidable. (The second-order theory is not, since you can define the natural numbers in that, and then Godel's theorem applies.)

Your general point, of course, that Godel's theorem means a specific thing, and people should stop abusing it as if it means "everything has loopholes!", remains correct.


> The problem is, Gödel's incompleteness theorem applies to a system that contains the complexity of the set of all real numbers

As others have corrected that this should be naturals, I'll just also note that you can derive incompleteness just from addition and multiplication over naturals. So while you're correct that plenty of systems don't need full multiplication, you run into limitations quickly. Then you need proper theorem proving to recover the missing verification power.


The law isn't a formal system so I'm pretty sure incompleteness doesn't apply in a straightforward way.


The set of all real numbers is unconstructable. Gödel's proof requires only a finite amount of natural numbers.


Uh, I'm at least 70% confident that Gödel's incompleteness theorem applies to sufficiently strong systems of integer arithmetic, and extensions to those, and doesn't need real numbers.

That being said, saying it can't be bulletproof or watertight is too vague.

There is both a first and a second Gödel's incompleteness theorem.

The first shows that a system T which can do arithmetic has some statements that it can express, and which are 'true', but which cannot be proven to be true by T.

The second shows that a system T which can do arithmetic cannot show that it is self consistent, unless it is not self consistent.

Neither of these seem to be a problem for smart contracts.

It is possible for a system to be self consistent. The smart contract or the system that the smart contract uses does not need to prove itself to be self consistent, so the second theorem is not a problem.

If there is some mathematical statement that can be expressed by the system that the smart contracts use, which the system cannot prove whether it is true or false, this is also not a problem. Which, Ethereum doesn't even have a proof checking thing built into it yet, so I don't see how this would be applicable.

I think that you are probably over-applying Gödel's incompleteness theorems.

Also, I don't think it's so much complexity in the "wow these laws are complicated" sense, so much as "strength" in the "how many things can be talked about / shown to be true" sense.

You /might/ be able to do some weird program/proof analogy there, but I really don't think that applying it to law (by a law/program analogy) would really show all that much.

I would think that the law can be understood as being sort of like a function (these inputs result in these outputs), and a function can be both be complicated and total. The law doesn't really do much with formal proofs, as it is now anyway.

Keep in mind that there is also a Gödel's COMPLETENESS theorem.


How is the incompleteness theorem relevant?


Anyway, Ethereum feels like a cult. There's something weirdly disturbing for me about the ethos of blockchain technology, and how it jars with "The DAO" (note the capitalised definite article. There Is Only One. Hardly distributed or democratic). Also look at how a bunch of ethereum shills pack its "Curator", for which, by the way, The DAO is "incredibly privileged"[1]. What? Your own organization is incredibly privileged that you appointed yourself to it?

Even the name "ethereum" is pretentious and showy, again anti-distributed ethos.

I don't get a strong comfort level that this organization is any better than the current central banks.

[1] https://daohub.org/curator.html


It's arguable whether Ethereum is a cult. The DAO is definitely a cult, with a cult leader.



Screw that, I'm putting all my money into giant round stones with holes in the centre.

https://en.wikipedia.org/wiki/Rai_stones


They are proposing a soft fork for one specific case and one specific hash. It's a house of cards.


The hacker should sue them for violating the contract by trying to fork and block him!


They are returned to the wallet they were sent from. It would then be up to the exchange to manually refund the ETH.


Will Bitcoin/Litecoin/*.?coin ever meet the same problem?


Looks like security agencies are placing extra guards at important national security sites like the statue of liberty, NSA, and Best Buy: http://i.imgur.com/5c9H6DO.gif


Please don't. We detached this comment from https://news.ycombinator.com/item?id=11922131 and marked it off-topic.


Hahaha! Let me go refill my popcorn!


In case anybody is wondering how this happened, it looks like the attack is exploiting the "recursive call via default function" vulnerability [1].

[1]: http://vessenes.com/more-ethereum-attacks-race-to-empty-is-t...


Hm, I wonder why people are panicking over virtual money and acting like they've lost something tangible. It's like crying over Monopoly dollars. :)


It does not matter if the money is virtual or not. It matters whether it is regarded as valuable. If a large group of people trust a certain currency to hold a certain value it becomes relevant to those people. They might invest other forms of money or energy into that currency. If something happens with that money or currency people do panic, because something they have invested in is under attack.

And even with Monopoly, during that game the virtual monopoly dollars hold value. Just during the timespan of the game. They give you certain privileges during that game.


When you pay rent with virtual money suddenly it starts getting more serious.


All money is virtual.



