Hacker News new | past | comments | ask | show | jobs | submit login
Critical Update on DAO Vulnerability (ethereum.org)
550 points by tasti on June 17, 2016 | hide | past | favorite | 601 comments

This is what concerns me about contract programming. With human contract law, if there's a minor typo or loophole, participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent. But with software contracts, only the characters matter and there's no intent anywhere: either you get paid or you don't.

ETH is advising, "Contract authors should ... be very careful about recursive call bugs, and listen to advice from the Ethereum contract programming community," which indicates there's some subtle behaviors to be aware of and secure contracts are apparently not easy to write.

Lest you think, "we'll just be careful, review and QA it", consider the bug[1] in the "Programming Pearls" binary search. Bentley was clearly an expert who had proven the algorithm correct and the algorithm had 20 years of careful study by thousands of professionals. Yet it had a simple overflow.

How do _you_ know your contract is secure?

1. https://research.googleblog.com/2006/06/extra-extra-read-all...

Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code.

But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

So what now are the benefits of Ethereum smart contracts over the traditional legal system?

The way I see it, at least with traditional contracts you have the benefit of a trained and experienced judge making the call in case of a serious problem.

Agreed. If this soft and hard fork idea really goes through, it seems that now you are in fact getting the worst of both worlds: For your contract, you have to write code that apparently is very hard to get right and bug-free[1], while at the same time you are at the whim of a "community" -- whose decisions (sorry, "suggestions") can apparently be announced by one guy in a blog post -- not to deem what you are doing an "attack".

PS: Also a second thought: Given that the "attacker" used apparently existing functionality of the DAO and that the DAO site clearly states "[n]othing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code", I am wondering: If this (as measured by the DAO code: rightfully obtained) ether is now taken from him/her, might this not be an opportunity to sue the developers implementing this fork in a real-world court?

[1]: http://hackingdistributed.com/2016/06/16/scanning-live-ether...

I think this comment on the original blog post says it very well:

"To be clear, if this happened due to an exploit in the software, then I can accept a hard fork fixing the issue. However, if the DAO team made a mistake in the way they designed their smart contract, as an issue of principle, they should not be "bailed out" by the Ethereum team because they are "to big to fail." Hard lessons like these teach the cryptocurrency community at large to do their homework and to be excessively (and obsessively) diligent with their security."

I agree with this.

Do you own ethereum that will undoubtedly fall in value if the attacker is allowed to start dumping their earnings? It's within the network at larges interest to fork, so that is what will happen.

"Do you own ethereum that will undoubtedly fall in value if the attacker is allowed to start dumping their earnings?"

No, I do not own any ethereum and have had only a casual interest in the entire project. My own investments have been in "Oh By Codes"[1] most recently :)

[1] https://0x.co

> Agreed. If this soft and hard fork idea really goes through, it seems that now you are in fact getting the worst of both worlds: For your contract, you have to write code that apparently is very hard to get right and bug-free[1], while at the same time you are at the whim of a "community" -- whose decisions (sorry, "suggestions") can apparently be announced by one guy in a blog post -- not to deem what you are doing an "attack".

That's not really fair. His decree does not make it so. It still must be accepted by a majority of the miners, and this is and always has been a known property of the system. The collective will of the miners ultimately trumps the contract system. However, consensus there is purposely extremely difficult to achieve, and likely only possible in extreme cases like this.

Since this was a known property of the system, and since the agreement is inherently democratic, I don't see how this is a problem. Hard forks are simply another behavior of the network. Nothing more, nothing less.

The troubling issue with the system that this highlights is that a majority of users can agree to implement a fork which invalidates an existing contract.

As you say, that's a known property of the system. And it might be one of those things that's only viable in practice when the network is young. But can a CFO be considered to have satisfied their fiduciary duty if they write a contract which can be subverted in this way?

Ya, it's a tricky issue to be sure. But the miners are strongly incentivized to act in a way that minimizes harm to the currency itself. If they start accepting hard forks left and right then ether will lose all its value extremely rapidly. So i'm not really sure the slippery slope argument applies here.

I think this really can be considered a 'one time thing'. It isn't like miners can be pressured by a government to halt contracts for terrorists or other things. They have to be convinced and agree with the argument being made. There isn't a sole individual to whom pressure can be applied here. Granted, Vitalik may wield some influence, but if he started advocating things that were clearly not in the best interest of Ethereum, people simply wouldn't take on his suggested upgrades.

EDIT: I'd also add that for the record, as a DAO token holder, my personal opinion on what should be done is this: A soft fork to prevent ether from moving out of the child DAO, and then nothing. Just burn that ether forever. This avoids the moral hazard problem while minimizing harm to the overall ecosystem. People like me who made the mistake of investing still feel the pain, but Ethereum itself moves forward.

I respect that position, the moral hazard question is quite significant, particularly this early in the lifecycle of this network.

This basically sounds like, should we bail out Greece?

Commenting on your second thought: I hoped that people behind DAO (and Ethereum?) will stick to the terms they themselves proposed but it seems they will push hard for forking the chain (see: Ethereum blog).

The DAO was officially introduced by slock.it with "the code of the contract is the absolute truth, any other description is just a guideline", which was hailed as a new miracle by the investors, but now that it doesn't mean mountains of gold the founding principles are suddenly not important anymore, it seems.

The "hacker" simply used the DAO as it was meant to be used (i.e. according to the smart contract code), and deserves the funds. If there is a hard fork, I hope he sues slock.it for controlling the DAO, and for stealing the funds he is owed according to their own terms ("The contract is king").

Whenever they're about to lose, those with the power to do so usually change the rules to ensure they win. Cryptocurrency developers are rarely an exception to that.

Actually, the Bitcoin devs deserve a huge amount of credit for not attempting to "improve" the block reward or total supply during their multi-year bleed down from $1200->$200.

Maybe someone can write an insurance contract that future DAO authors can hire, as an alternative to interventions. It would have to be bug free.

Step 1: Write an insurance contract against the malicious use of Ethereum

Step 2: Find someone foolish enough to accept the other side of the insurance contract, in a world where "insurance fraud" is no excuse

Step 3: Use Ethereum maliciously, stealing your own Ether under another identity

Step 4: Collect insurance

Step 5: Profit (in Ether)

Step 6: Good luck turning your Ether into actual money when people figure out how broken everything about it is

This is a smart response. The insurance company could also review the contract code in order to provide cover -- this would give investors extra confidence.

Suppose that I want to make a medical device, and I want to get liability insurance for when a bug in its code administers a lethal dose of radiation to a patient.

Is there any extant insurance company that would want to review my code in exchange for a lower premium?

If not, why would one be willing to do this for a flash-in-the-pan cryptocurrency, but not a useful, real-world device?

For an insurance policy like that, they wouldn't offer any policy without auditing the device, including the code.

Sounds like kernel space code.

It might also be a question of survival. If $36 million+ is drained from the DAO itself unintentionally at such an early stage, can they continue, and how confident can anyone be that their implementation will be successful if the reference implementation itself is not?

If the DAO is not ready for survival now, then no amount of protecting it will make it ready for survival. What will make the DAO survive is code that only contains bugs that are too difficult to find relative to the value of finding them.

> might this not be an opportunity to sue the developers implementing this fork in a real-world court?

That would make for a very interesting trial, where a very rigid ideology would be put to the test.

> the project leadership will intervene

The project leadership can only propose change. Change requires "ratification" by a majority of miners as well as the support of node operators and holders.

> So what now are the benefits of Ethereum smart contracts over the traditional legal system?

The contract can only be invalidated by a significant majority / supermajority of the community through the consensus process. Therefore this is unlikely to happen often if ever, and if so, only in very extreme, clear circumstances in which the entire community is in jeopardy. [0]

[0] Theoretically.

Not a single TheDAO proposal has even been close to reaching a quorum [0] to pass a vote. How is this ratification supposed to happen?

[0] https://dao.report/?sort=popular&keywords&status%5B0%5D=1&st...

So far there hasn't been a single serious proposal, so naturally nobody is voting.

That's not true.

Proposal #5 "Moratorium on proposals" only reached 8.86% of 20% quorum before voting ended.

Yet the moratorium is already in effect... as you can see there aren't any other real proposals out. Everyone is waiting to sort out these huge bugs in the framework.


I'm a Dao member (or at least I was this morning..!) and didn't vote on that one -- I didn't see the point in voting on proposals that are polls as opposed to votes on moving money to a specific address. There are forums to discuss general strategy, doesn't need to be a poll.

>But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

It is the beginning of a precedent but precedent is fairly weak because Ethereum in its early stages and very experimental (many hard forks are in Ethereum future). Bitcoin rolled back the blockchain at one point as well but it wouldn't happen today.

>So what now are the benefits of Ethereum smart contracts over the traditional legal system?

My view is that smart contracts can most useful for low value contracts that you would never want to take to court. No judge wants to listen to two people arguing over 18 dollars.

Even if we agree that Ethereum is still in its early stages we have to ask whether this response is setting a good or bad precedent going forward.

Will the project leadership offer a soft- and/or hard-fork every time a poorly-implemented smart contract is exploited in a manner that is not intended by the contract creators?

If every smart contract is going to be "guaranteed" in this way, then this introduces significant overheads for the project and can also create moral hazard.

Alternatively, if only some contracts are "guaranteed" but not others, this can introduce opportunities for favouritism or discrimination...

Are cases only considered when they affect the ether price or where there is personal involvement with the contract? Is that fair?

Interventions and their resolution can also quickly get politicized just like the bank bailouts from the financial crisis.

It is not clear this is setting a good precedent.

Edit: reworded for clarity

Not to mention: you can use the mere claim of yourself knowing a bug in a smart contract to force the other side to do as you say. If it's sufficiently hard to check for bugs, the other party might accept the cost of doing as you say as cheaper than the cost of checking for bugs again.

This was a plot mechanism in some SciFi story I read a few years back. Edit: one of the in-universe early Revelation Space books.

In this particular case the contract holds 15% of all ether.

The fork won't be enacted unless a majority of the community agrees to run its code. That's not likely to happen except in extreme cases, like this one.

I don't think such a scenario is entirely neutral.

Because it implies that some contracts will have a greater probability of being "bailed out" if they are backed by more ether.

It may turn out to be a bad thing because it will establish the idea that not all Ethereum contracts are created equal.

And this can lead the system to be more centralized.

Is 15% really that extreme? This is a game; nothing of real value in the world is being created or destroyed (that wasn't already during mining). I personally hope the ethereum community decides to play this game out and not bail out the DAO. It's way too early in the social experiment to change the rules.

Lots of people have traded serious amounts of real money for those game tokens.

I agree that 15% may not be that extreme, but 15% is not all that's at stake. 100% of all ether existing has so far lost 20% of its value (relative to other currencies at the time of the article's writing). I wouldn't be surprised if it continued to drop further. This may cause enough panic among miners to actually get a majority to agree to a hard fork.

Edit: for the record, I don't own use Ethereum or own any ether, so I would also hope that a hard fork doesn't happen to bail out a single contract, but I have no financial incentive on the line.

In other words, this contract is too big to fail?

Perhaps, but:

a) It is being bailed out by referendum, not mandate. Everyone gets a vote, if you don't want to install the patch, don't do it.

b) The funds to bail it out are those stolen by the attacker. Nobody is asking people without DAO tokens to suddenly contribute their ether to restoring the DAO or take debt.

Is there really an attacker and stolen funds though?

I mean, the contract executed exactly as specified.

If the system was well designed, there would be no way to undo the results. Such a system may never exist, but the fact that ethereum can sometimes change contract results means it isn't living up to its ideals.

I disagree in part with (b). A hard fork could split the community and cause the price of ether to crash further. While miners who fork may not actually lose ether in the process, they may actively cause it to lose whatever value it has left.

Of course, miners not associated with the DAO would never normally consider risking such a thing, but the rapidly falling price of their ether may convince them that it's the safest move.

1) TARP arguably had a referendum immediately afterward in the form of the election.

2) The American people were paid back.

Exactly. This is being pitched as a negative, when really, consensus-based changes are probably always for the best.

Precisely, because this company is at the root of Ethereum. They can do these kinds of tomfoolery, and anyone who uses and trusts Ethereum is to blame for not doing their homework.

> But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.

This is really too bad. The best outcome would be for the community to learn from this and build tools and practices that make new contracts significantly more reliable.

Smart contract design practices will have to undergo the same kind of gradual hardening that web servers have over the past 20 years. Let's hope it happens a bit quicker.

Disagree. Over time, there will be less and less human intervention and people will be able to rely on a system of contracts assembled from tested and trusted components. And avoid expensive litigation fees.

Look, self-driving cars required humans to take over and require updates to deal with new challenges -- until they don't, or very rarely do.

In the place of litigation fees you pay software development fees. Not that I am really against it as a developer.

Smart contracts are different from self-driving cars in that the former have competing intents within while the latter have a common goal of "not hitting anything".

If anyone can intervene, intervention will happen, even if it takes a new law to make it so.

The only way to eliminate the human interpretation factor is to eliminate the possibility for human interpretation. This is effectively impossible in a pre-singularity world, so there can be no such thing as a contract enshrined in code which is binding.

Interesting from a practical perspective; I hope that ideologically we exercise enough restraint to prevent this historic circumstance.

Perhaps that is only a reasonable hope for values under $50-100M USD.

> the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution

Well that's the fantasy of the century. Has no one learned this lesson with Bitcoin? An electronic currency doesn't magically wave away the fact it's being built and used by humans.

IMO smart contracts are more about decentralized "serverless" services than they are about law contracts.

Personally I hate the term "smart contracts" because of the confusion they create on what they actually are.

I prefer robo contracts. Implies cheap and no humans (with pros and cons of all robo services). Code is only as smart as the humans who program it.

Yep. Ethereum just rendered themselves pointless.

This real highlights the genius of Satoshi imo. If she had not disappeared she would have surely become a benevolent dictator for life and thus a single point of failure. By being anonymous and going silent, that outcome was prevented.

The miners have always been the arbiters. That's implicit in verifying transactions via their consensus.

Keep in mind Ethereum is less than a year old, the DAO is even younger. It's still new, risky, and fraught with problems that need to be solved.

If you're not familiar with anarcho-capitalist theory, there's a concept called a DRO -- dispute resolution organization [1] -- that can perform arbitration functions in a decentralized manner, i.e. without a monopoly on judicial services like the state.

In the future, as the infrastructure matures, I'd be willing to bet DROs will arise to handle these types of disputes. Forthcoming DAOs can be more competitive by integrating dispute resolution clauses into their contracts.

For example, maybe there's a flag that must pass before any transaction takes place, and can fail if X% of DAO stakeholders vote to halt transactions and defer to a DRO for arbitration.

Hard to say exactly how things will evolve, but what's great about Ethereum is that contract law has the potential to evolve at a much quicker, cost effective pace than does the monopolistic, bureaucratic justice system we have in place today.

[1] https://en.wikipedia.org/wiki/Dispute_resolution_organizatio...

What's crazy to me about the whole thing isn't the bug in the DAO nor the fact that it's being taken advantage of. As you say, it's all very early stuff, and there's no surprise that it hasn't been fully worked out yet.

What does surprise me is that people poured the equivalent of tens of millions of dollars into this new, unproven thing. To me, this says that while Ethereum itself may be technologically fine, the community is completely bonkers.

There is a lot of speculative fervor going on. It's like any fad, except you can count the "value" generated by the waves of PR.

The underlying tech is clever though; the speculation is just a side-effect of cryptocurrency systems that they attract a lot of people who attempt to make a quick buck from during the rapid growth phase.

As others have pointed out, this is not a bad thing b/c speculation is one legitimate way that cryptocurrencies can bootstrap themselves, even if (over time) their strengths are not likely to result in more speculative behavior than is found in other established currencies.

Isn't pouring millions of dollars into new, unproven things the entire premise of venture capitalism? Great risk for great reward.

The outrageous investment in Ethereum/DAO does seem to highlight a desire for governance models outside of the corporatist status quo we live under today, though. Personally, I don't think it's bonkers to yearn for something better. But it's a hope that needs to be tempered with vigilance if people are going to avoid being duped.

Usually the millions of dollars comes after there's some sort of promise shown. This is basically the equivalent of doing an IPO with nothing but a nice-sounding business plan, and having people shower you with money only to discover that, oops, your real business plan is to take the money and flee to the Cayman Islands with it.

To be fair, people poured millions of dollars into a drunken pirate investment company (pirateat40). "I'm going to take your money and drink it away, har har" was somehow better than the alternatives, which often involve basically-impossible-to-circumvent paperwork requirements(buying stock without a phone/mailing address, say), obtrusive spy-on-your-customer policies, risk of having your wealth appropriated by governments like the government of Venezuela and so on.

Consider the fact that many who bought ETH did so with BTC, and that these BTC might have been acquired for a lot less than what the equivalent ETH are now worth.


Or their other options are ripe for disruption

This is fascinating. How do ancaps propose that DRO's will enforce their judgments? With violence? What's to stop the losing party from just gathering a bigger militia and shooting back to prevent collection?

The most effective way is likely ostracism, or some other penalty based on reputation. If someone doesn't pay their debts, people just stop trading with them. I'd posit that most people are interested in restitution, rather than punitive measures, which would be the primary goal of a DRO -- making the victim whole again. This is why DROs would likely function similar to an insurance agency.

The non-aggression principle is a central tenet in ancap philosophy which would preclude violence in most cases, however, it is permitted in self defense of ones person or property. Still, most people who subscribe for a DRO probably aren't going to want to pay the high costs for a standing militia. Would you voluntarily pay taxes for the War on Terror, or the numerous other military boondoggles across the globe, if you had a choice and knew the actual costs?

This ventures into the territory of private defense agencies, which decentralize security services, and is a deeper subject. If you want to dive in, I'd suggest Michael Huemer's book "The Problem of Political Authority: An Examination of the Right to Coerce and the Duty to Obey" in which he debunks the Hobbesian war of all against all scenario. "Practical Anarchy" by Stefan Molyneaux is also a decent (and free to read) overview of how ancap voluntarism could work, but Huemer's arguments are more comprehensive.

"If someone doesn't pay their debts, people just stop trading with them."

... Unless that impacts their bottom line. In reality, this is unsolvable - if it were, boycotts, divestments, and employer blacklists would be far more effective. You can always find scabs that will compromise on principle in order to put food on their table.

> The non-aggression principle is a central tenet in ancap philosophy which would preclude violence in most cases, however, it is permitted in self defense of ones person or property.

What if someone disagrees with the non-agression principle or uses a very liberal definition of "self defense"? If I'm the only one who is permitted to use violence to defend myself, does this mean I have to carry a weapon with me at all times (and hope the other one doesn't have a bigger gun/has hired the more expensive security force)?

The collection could be written as part of the smart contract that wants to use the service of the DRO (of course that part would have be be bug-free…).

Generally, I think ancaps would argue that violence wouldn't occur because it is too costly (as they do in the context of private defence agencies [1]).

Anyway, I believe this argument is flawed, in the sense that people have resorted to violence, despite the fact that it was nonsensical in economic terms (I'm looking for the quote of some prominent intellectual who argued around ~1914 that no big war could ever happen again, because it would be devastating in economic terms. He was proven both wrong and right in the sense that it indeed was devastating for the economy and that it occurred anyway as we know. If somebody knows the name of this gentleman please let me know).

[1]: https://en.wikipedia.org/wiki/Private_defense_agency

A counter-argument is that most of the American population did not want to enter either of the world wars, but were dragged into it by state and corporate interests who, unlike the general population, did stand to profit enormously from the war. PDAs would not have the authority to do this.

As far as I understood it though, ancap wouldn't forbid any of the corporations that did profit from the war. (Or, in fact couldn't forbid it as this is the whole point). So what would prevent those corporations from engaging in the same war propaganda that the states did?

One solution would be for (some) individual contracts to be programmed to have "curators" with an expanded role. These curators would have dictatorial powers (via a supermajority vote of the curators) to nullify and replace the entire contract. However, they would promise to do this only in case of a genuine software bug, or if ordered to do so by a court with jurisdiction over them, not for any other reason. There would be many curators. Many of them would be professional curators, similar to professional accountants or trust executors, who work for huge firms which, like Big Four accounting firms, have a lot to lose if any of their members are caught misusing their power.

I see a different problem here: Ethereum and the DAO were not in a mature state to handle this amount of money. For example, there is a limited support for upgrading contracts in Ethereum and the DAO was not reviewed enough to handle hundreds of million dollars.

Also, there are methods to make the software ultra secure using formal models.

I always wondered why there was such a rush to launch the DAO. As opposed to what Ethereum itself did: develop a proof of concept for over a year, then release a beta version and provide bounties for security bugs, all the while collaborating with testers and security researchers to stress the software.

>I always wondered why there was such a rush to launch the DAO.

So Slock.it could raise money, obviously. A common complaint right around when Slock.it launched the DAO was that Slock.it planned to offer the first funding proposal on it but only provided a brief 2-week period for review and debate before the voting started. It had the appearance of an attempt at railroading the crowdfunding process for a quick payoff.

Fortunately cooler heads uncovered the problems and spoke out, putting the brakes on. Now it's a big learning experience for the ~23,000 people who blindly jumped on the hypetrain and put money into a flawed investment vehicle. You'd think the first 7 years of Bitcoin would have taught people a lesson that this technology is risky, but dollar signs in the eyes tend to obscure hindsight I guess.

> ~23,000 people who blindly jumped on the hypetrain

I haven't touched ETH or the DAO personally, but it is unfair to label every investment in them irrational. Over the past 5 years cryptocurrencies have provided multiple opportunities to convert, say, $10k into $100k or even $1M within a year or two; once your networth exceeds a certain amount, risking 1-2% of it on an opportunity like that is arguably wise - i.e. would be worth repeating - even if it does fail spectacularly.

It is certainly true that as long as that reasoning delivers 10-100x+ returns to some of the people some of the time, a giant fount of speculative money will continue to moisten a lot of scammers, con artists, and insufficiently-careful SW developers though.

TheDAO effectively turned into a massive bug bounty, a pot up for grabs.

Indeed an important question that will be decided soon is whether the "hacker" will get to keep the reward pot, or whether the rules of the game will change to deny it.

I am curious if a huge DAO-like organization could avoid being a target solely by keeping very of its wealth liquid at any moment... i.e. what would have happened if 99.99% of the DAO's eth were loaned out... would the hacker have bothered? (assuming it wasn't an inside job)

It's pretty obvious and simple. Because they want to run away with your money NOW. Ethereum had money already so they could survive while waiting to scam you even more.

Core problem: If contracts can be upgraded while in use, everything reduces to a game of Nomic.

That depends on whether you think of a contract as an interface or as an implementation.

A contract should present an interface that includes a declaration of its behavior. The declared behavior should be well defined, and if a bug in the implementation is discovered, the contract should be updatable to fix the bug. There could even be futures expressing the probability that a contract will be found to have a bug.

The willingness of participants to use a contract would depend on the chances that something about the interface is bug-prone, untested, etc.

As long as bugs do not result in reversal of money flow, the incentives seem to align properly toward a well-defined approach for declarative contracts.

What you're trying to solve is something very similar to the recursive self improvement problem that MIRI[1] and friends are trying to solve in the sphere of "friendly" artificial intelligence. If something rewrites its own source code, how can you assert invariants that can be relied upon? So going and looking over there at what they've come up with may be fruitful.

[1] https://intelligence.org/

Very interesting! Looking at the papers and going to read them. Any specific papers you'd recommend?

"Tiling agents" would be the most arguably relevant. Provably correct agents that approve the construction of other probably correct agents obeying similar invariants.

Is "probably" there meant to be "provably"? I assume so, but I'm not sure.


Thanks! Looks very interesting!

Sorry, not qualified to have an opinion. Opening this question to the floor?

Note that this probably means that designing contracts of this sort of "friendly AI complete" in some sense, and therefore not a good thing to be betting on in the short term.

> A contract should present an interface that includes a declaration of its behavior. The declared behavior should be well defined, and if a bug in the implementation is discovered, the contract should be updatable to fix the bug.

The first part, a "declaration of...[future] behaviour," is basically a normal contract.

Indeed. However in a normal contract, the implementation is specified fairly loosely the laws (and enforcement mechanisms) can change drastically over the life of the contract.

There ought to be a way to have highly vetted primitives. In meatspace legalese, boilerplate words and phrases are the closest we get to this... once a contract (or open source license, etc.) has been through litigation, its vulnerabilities become better known.

If a dispute gets decided the "wrong" way because a few clarifying words were absent, the contract is modified and future deals use the new contract.

Why is that a problem?

Contracts can be upgraded if they're designed that way. You can have a wrapper contract that just calls out to other contracts, where the addresses of the other contracts are updateable. You can even make the callee run in the context of the caller, so all the data is held at the caller, which calls an external function that manipulates it.

Doing this is a tradeoff. On the one hand it lets you fix bugs and vulnerabilities, on the other your users have to trust you not to abuse your power.

It completely obviates the point, because a contract no longer means what it says, it means what Bob says. So just wire your money to Bob, it's simpler.

While I prefer non-upgradable contracts for the same reason, there are mechanisms to reach some middle ground, like:

1) a significant delay between the announcement of an upgrade and the actual upgrade (enforced by the blockchain)

2) a mechanism to opt-out or cash out before the upgrade happens

Are you referring to this kind of upgrades https://gist.github.com/Arachnid/4ca9da48d51e23e5cfe0f0e14dd... ? Because you have an important limitation if you use that approach.

Until such time as a College of Hortators gets invented and people start including standard provisions to defer some decisions to them. Yay, the courts have been reintroduced.

Formal verification is the right approach. Do you know of any specifics for this goal that exist for ETH now?

Vlad Zamfir, Greg Meredith, and Emin Gun Sirer are working on this for Ethereum's next consensus algo, Casper. Not aware that they've published anything on it yet though.

I agree completely. 'Smart' contracts are terribly flawed in this regard. Operating outside of contract law is a weakness, not a strength.

No-one can write bug-free code, so why are these people building a huge, expensive system that relies on no bugs being found?

No-one can write bug-free code

No, we can. We just don't, because it's very expensive, and we lack proper tooling to make it cheaper and/or faster. The flaw as I see it is that ETH jumped the gun, and tried to move to software law enforcement without investing the right amount of time/money in the code.

Worthwhile goal (though the desirability and practicality remains debatable), bad execution.

> No, we can. We just don't, because it's very expensive, and we lack proper tooling to make it cheaper and/or faster.

Eh, it depends on how amenable your standards for correctness are to formalization. Also when it comes to security, where clearly bugs tend to hurt a lot more, we're almost always at the mercy of "unproven" (in the formal sense) algorithms. Don't get me started on quantum computing's effects.

Reasoning about concurrent programs (let alone distributed ones) is something where I don't think we've got many reasonable schemes, even at the academic level. Though it's great to hear the Ethereum foundation is willing to drop some cash on that problem! I wish luck to anyone who takes them up on that, it's something I'd love to work on if I didn't have existing projects.

The Ethereum virtual machine isn't concurrent even though the network is. The model is a relatively simple serial sequence of operations, state machine style.

The Ethereum VM is only a small issue, the contracts running on it are the actual problem. DAO isn't falling to an ethereum bug.

With enough effort, you can prove that your code conforms to the specification, but how do you prove that the specification conforms to your expectations?

You struggle to even do that. You can normally prove that some code conforms to a version of the specification that is explicitly formalised, but in practice, a large number of bugs are specification bugs and that will only increase the more you are forced to formalise the specification.

> No, we can.

There's no evidence of that, and lots of evidence to the contrary.

Sure there's evidence of that. Maybe not in the move-fast break things social/mobile/local web world, but in the mission/safety/life-critical and real-time systems engineering world there is. Just takes a quick google search, for example:


"As one example of Ada in an undergraduate setting, students at Vermont Technical College in the U.S. used the SPARK language (a formally analyzable subset of Ada) to develop the software for a CubeSat satellite that recently completed a successful two-year orbital mission. SPARK was chosen because of its reliability benefits. The students had no previous experience in Ada, SPARK, or formal methods, but were able to quickly come up to speed.

Of the twelve CubeSats from academic institutions that were included in the launch, the one from Vermont Tech was the only one that completed its mission. Many of the others met their doom because of software errors. The Vermont Tech group credits its success to the SPARK approach, which, for example, allowed them to formally demonstrate the absence of run-time errors."

I've read similar success stories for Lisp and Haskell. Rust will likely add more evidence as it becomes more widely used. Agda and Idris are also capable in this respect.

The problem is too many engineers are just day-jobbers, who want to crank out LOC and quickly add features that get them paid, regardless how sloppy their work or the tools they use may be, or how much work/cost it adds to the maintenance overhead down the road. That work can either be done up front writing bug-free code, or later during maintenance putting out fires, but it can't be avoided. Programmers who chose the former use the excuse "bug-free code is impossible so we don't have to try" to justify pushing the work off on the maintenance team later. But it's demonstrably false.

You can write a formally verified, simple Hello World program and prove that it adheres to both your design and implementation specifications. You can this all the way down to how the specific processor will run the resulting machine code.

The catch is that this is difficult and the time and cost both scale non-linearly with the complexity of the software. But if you can do it for dead-simple programs running on hardware you understand very well, you can do it for complex software as well. Just be prepared to pay millions of dollars for it.

> But if you can do it for dead-simple programs running on hardware you understand very well, you can do it for complex software as well.

Not necessarily when you're bounded by reality and finite amounts of time and energy. Just because you can count to 2^8 doesn't mean you can count to 2^128.

> No-one can write bug-free code

Perhaps, but nobody can write a bug-free legal contract either, and no legal system is without bugs.

Sadly, for the legal system, many of the bugs are due to corruption, so they are actually more akin to systematic exploits being done again and again by malicious actors (who often happen to be wealthy or powerful).

Also, in terms of how drastic this bug is, suppose $5M gets stolen over a few days. If the community can strengthen itself and become resilient to a whole class of attacks, that is likely far superior to a meatspace improvement in contract law, which would likely take years to become law (and would be selectively enforced once it did).

> Perhaps, but nobody can write a bug-free legal contract either, and no legal system is without bugs.

The difference is that when there is an issue with a legal contract you can defer to an arbiter (a judge) and discuss whether that is a bug or a feature as soon as a divergence of interpretation is detected.

Hell, even just having a sentient empowered human in the loop is sufficient, with fully automated response systems we'd never have survived the cold war as a civilisation, the first false-positive detection (and there have been several) would have ended it.

You are describing human judgement or human discretion. It's probably a given that AI will surpass humans in judgement and discretion of many things in the coming years and would be at least as able to avoid reacting to a false-positive as any human.

The problem (and the thing you propose as a solution) is deferring to an arbiter. This is not human judgement as much as it is human authority. We conflate the two in meatspace because of the social rank conferred upon such positions (this is the same drive that makes humans bow before gods and dictators)

The very idea of decentralization is a different authority model than what is typically in human institutions. In theory, institutions managed in a decentralized and anonymous way have the potential to achieve a form of democratic governance that is far more resistant to corruption than any form previously invented.

In meatspace, a judge must be chosen, elected/appointed, confirmed, etc., and when that judge needs to be replaced we take an entirely different (largely unknown) judge and do a full-scale migration to that new judge's "firmware".

With smart contracts, we can divide the execution into many smaller smart-contracts, each with a specific domain of expertise. This makes versioning, incremental improvement, and extreme transparency possible.

If you listen to us SCOTUS argument, particularly when a case involves discussion of the intent of specific words in a law, it becomes clear how utterly mutable all of the constructs are. While the SCOTUS is a world-class institution in terms of its overall quality, it is reinforced using a highly centralized model of human authority, with all its problems.

There's nothing preventing a contract from adding fallback modes that require interaction from human agents. Indeed, most of the more high-assurance contracts will probably require this.

I agree, for now. What I argue is that just like nobody can write bug free code, nobody can write bug free contracts as well. I think this might have a good use case down the road once all the bugs are worked out. That said, it's not ready for prime time yet.

Indeed, but you have bug-safety law around the world which incorporates something like :

"If there is a typo, error, fraud, crime etc. a contract is considered invalid or the part of the contract that is flawed"

With software bugs you have something similar :


Who decides what a typo is?

"Oh, that contact for 1000 dollars is really 10 dollars because they 'missed' a decimal place. You still have to uphold your part though."

Corruption of judges can be a problem in that space and that is in part what this is attempting to solve. A lofty goal, maybe even impossible, but certainly worth the time to try.

I actually found a typo of a 100x magnitude in a Washington, D.C. law about ten years ago. Submitted it, and it was administratively adjusted. No need to even take it back for another vote. I believe is happens with much greater frequency than anyone outside the business of maintaining legal documents imagines.

[even had a typo in the first publish of this comment!]

Sounds like a story worth telling; details?

Just realized someone actually read my comment!

Situation was basically a table rendered in prose format. I can’t recall the precise verbiage, but it read something like: In 2015, the requirement shall be 0.05%. In 2016, the requirement shall be 0.7. In 2017, the requirement shall be 0.09%

Very subtle typo which, had it been treated as The Truth of The Text would have bankrupted anyone attempting to adhere to the regulation.

> administratively adjusted

That sounds like a terrible amount of power to give someone without a vote.

for obvious fixes, that’s not actual power: They could not do that if the correct answer weren’t obvious.

If I offered a new car for 10€ — obviously it should have been 10k€, so others cannot expect me to fulfil that (ask your local police).

If I had offered it for 8.5k€ and suddenly claim it should have been 10k€, it’s far from obvious that this was a mere error, so I’d likely have to stand for it.

If I offered a used car for 10€, the case becomes murky.

This is hacker news. If this was some code rather than in meatspace and you trusted a single client to modify a turning complete config file for everyone else you'd call it a massive security vulnerability. I don't understand how having humans involved changes that. Yes, they probably have good intentions but has that assumption ever worked out in human history? If it's not used today for something nefarious, it will be used tomorrow.

> This is hacker news

Which is why people don't understand basic human institutions and are surprised when they run into issues trying to re-invent from scratch

Grace Hopper said it best 'The most dangerous phrase in the language is, "We've always done it this way."'

A legislative body is a conflict resolution mechanism, and one that is basically in the business of writing the code of law (literally). For something to be considered a typo, there must be negligible conflict over that interpretation. If not, the legislative body addresses it again or it’s handled by the judiciary. The legal register who maintains the official version of the text works at the behest of the legislative body. These things are not occurring without supervision.

I UPvoted your comment.

Aside from everything. In writing a contract, it's very common to write price with numbers and letters in brackets next to them. E.g. 1000$ ( one thousand dollars ), exactly because typos happen.

The decision what a typo is is made by the parties, in case of dispute then by several courts ( based on the evaluation of the contract ). That's at least in continental law system.

There's a way to specify a 3rd party court ( non-corrupted one, called arbitrage ) which can solve disputes for that contract.

Corruption of judges problem is being fixed also in several ways. Usually decisions in high courts are decided by 3 judges ( again continental law ) and sometimes a jury ( prevailing in anglo-saxon law system ). Also there is a way to appeal the decision of the court to a higher court(s).

It's impossible to corrupt a 3rd party judge (shouldn't all courts be third parties?), or 3 judges? I agree it's the best system we have today, but it won't be tomorrow.

There are relatively few cases where $1000 and $10 are both reasonable numbers. It should be pretty obvious to both parties from context which is the 'correct' interpretation.

To a rational person without ulterior motives yes, but remember in my country "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause" means "Go ahead and take papers (cash) from peoples cars without warrants, and then the burden is on them to prove they obtained it legally"

I certainly distrust the American legal system enough to use something like this in the future.

I don't know why you're getting downvoted, seems like a very prudent and informed sentiment to me.

> How do _you_ know your contract is secure?

It most likely is not, looking at the recent post on contract security, most if not all examples ever posted as best practice are flawed and can be exploited:

https://blog.ethereum.org/2016/06/10/smart-contract-security... (currently down, cached version https://webcache.googleusercontent.com/search?q=cache:https:...)

that's the gist of the problem

Turing machine, meet halting problem.

The halting problem is easy to solve for Ethereum programs by design. Programs are made of instructions, each instruction requires fuel to run, and fuel is limited, so every program must halt eventually.

I'm not familiar with Ethereum programs, but it seems to me that it's not possible to answer the practically-identical question, "How much gas does this program need to start with to guarantee it will either get into a loop or halt of its own accord before it runs out of gas?"

Or, to put it another way, it sounds like the language is Turing complete in roughly the same way C is Turing complete even though every C program ever instantiated is actually a linear bounded automaton because there's no such thing as an infinite tape.

Like, I can announce that my C-like language will always halt after a trillion-trillion operations and therefore the halting problem is "solved" for it, but for all other purposes it's almost exactly as difficult to reason about as a Turing machine.

100% agreed and anyone who expects these types of smart contracts to replace typical contracts is overlooking this.

The real void smart contracts fill is the type of contracts that cannot be trusted to be enforced by the current court systems.

For example, consider prediction markets. Just about any economist or rational person will tell you these are a huge boon to the world, but the CFTC shut down InTrade just a few years ago. It makes a lot of sense for these types of contracts to move onto ETH or similar.

Why are prediction markets a huge boon for the world?

Isn't that just a fancy term for betting anyway?

The entire finance industry does a fancy form of betting. Risk and reward are packaged up and bought and sold by people according to their preferred allotment, and once the outcome is known the spoils (or losses) are correspondingly shared.

Prediction markets can also be called "information markets" because they expand the class of things we can understand the risk characteristics of beyond the traditional instruments.

Lloyds of London began by issuing insurance on shipping vessels so that ship owners shared the risk of a wreck across all their fleets, reducing the devastation of losing a ship for each individual owner. Prediction markets let us do this for a host of other outcomes.

A prediction market is nothing more than a betting market, the innovation (attributable to Robin Hanson, I believe) is the idea of the binary future, which makes the probabilistic outcome work nicely with a traditional futures contract structure, and allows for a lot of nice intuitions based on price movement.

They provide a far more accurate insight into the likelihood of events than any other alternative. You can think of it as betting if you like, but it's betting with lots of positive externalities.

Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events. Prediction markets would provide by far the most accurate insight.

It's wisdom of crowds + skin in the game.

>Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events. Prediction markets would provide by far the most accurate insight.

Surely such prediction markets are a guarantee of corruption?

That or I just don't understand - if a market exists that takes bets on human actions such as passing laws, how long someone will live etc, the betters will have a very active interest in doing everything they can to make a large profit, of which corruption alone is the most obvious target.

I mean in a way you're right - it is wisdom of crowds, albeit crowds of people that "know" only because they're corrupted the final event.

They don't guarantee corruption, because if the corruption shows up on the prediction market it has occurred (or will occur) elsewhere already, and if large amounts of money are betting on a certain outcome, others will follow, and thus the payout won't be as large.

> Consider a business that needs to reason about the probability of a law passing, severity of global warming, or any number of other difficult to predict events

Like the probability of a smart contract being exploited via a loophole? ;)

This is OT now, but in addition to the corruptive effects of traders influencing results they are betting on mentioned by mootothemax, another possible negative externality is the conservative effect the prediction market would have on the traders. Eg. if you got a whole population to bet on the market, suddenly it is in the interest of the majority to uphold past predictions, thus making society resistant to change.

EDIT: Moved to the correct location in the discussion tree.

It's very frustrating for me to see "probability of a law passing" and "severity of global warming" being thrown in the same basket.

While the first lends itself naturally to be framed as a binary prediction market (and there are good reasons to believe that the market will produce reliable forecasts), "severity" doesn't lend itself to be framed in this way (in Taleb terms, it is a non-linear payoff from a complex domain, "4th quadrant"). Ignoring that there is a lot of ideology involved in defining the exact terms, in my mind it is just unreasonable to expect prediction markets (or any mechanism for that matter) to deliver reliable results in this case.

Even when not accepting the Taleb argument regarding our ability to predict, at least it should be acknowledged that it is not straight-forward to generalize from binary outcomes to open-ended ones.

Presumably he meant a specific prediction like "Greenwich will be permanently flooded by 2025" ?

> Just about any economist or rational person will tell you these are a huge boon to the world

True, but I think said people still haven't taken the whole Taleb idea to heart. I'm pretty sure there are certain domains where the wisdom of the crowd is no wiser then a chimp throwing darts.

As an extreme example, assume you ran a prediction market that predicted the value of the s&p500 x days from now. Would you expect to make money based on these predictions?

This is not to say that they can't be useful in certain domains. It is well known that they do well for binary outcomes like sport events and elections.

They might also be valuable in situations where there are behavioural factors that prevent the spread of information (e.g. whether a project will finish on time). However, there might be simpler mechanisms (like whistle blowing) which could solve the problem or it might not be a problem at all (Bent Flyvbjerg's research on mega projects suggests reliable forecasts are simply undesirable and "true" forecasts are known sub rosa anyway)

A relaxation of the law or more exemptions a la IEM could be beneficial from a research perspective, but I wouldn't expect a "huge boon" just because. These are a lot of words to basically say, it's not a black and white issue.

> As an extreme example, assume you ran a prediction market that predicted the value of the s&p500 x days from now. Would you expect to make money based on these predictions?

The S&P already is a prediction market for the future value of the S&P. So no, there would be no additional information here.

I agree that wisdom of crowds does not always work, but remember that this is not just wisdom of crowds, it's wisdom of crowds PLUS skin-in-the-game.

All of the things in quadrant 4 are difficult to predict. I would trust the predictions of people who have put money where there mouth is far more than the predictions of those who haven't, and I think Taleb would too.

Prediction markets already widely exist and have been around for ages, just not in America. You can bet on all kinds of real world events, not just sports, in many countries.

Adding a prediction market to ethereum or some other crypto coin isn't going to revolutionise anything.

I am fascinated with prediction markets, is there an existing place to do this now with ethereum?

Augur and Hivemind are the two that get talked about the most. Neither are out.

I'm mostly an ethereum skeptic, but maybe this doesn't actually indicate that all smart contracts are doomed? Maybe all it means is that bespoke ethereum contracts are risky, and people will have to use boilerplate contracts that have proven robust in the past.

I sort of assumed this DAO thing was intended in this spirit, as an experimental stab on the path to robust contracts.

> I sort of assumed this DAO thing was intended in this spirit, as an experimental stab on the path to robust contracts.

With millions of dollars in prizes if you could exploit it?

My hope is that the people putting millions of dollars into it are well off people who are OK with putting their spare money into something obviously risky and experimental.

Edit: If this is not how it is, I'd be interested to know who is putting money into the DAO, sociologically speaking. I hope nobody's investing their life savings in it.

My impression is that the DAO people are early adopters mostly from the Ethereum Foundation itself, so the "150 million dollars" number that is bandied about would be mostly paper profits from a much smaller investment. It doesn't mean they ever had 150 million dollars in actual money between them, or any practical way to get it.

With millions of dollars in prizes if you could exploit it!

There are bugs in critical shared software infrastructure like Linux, libc, OpenSSL, and so on as well and not just a few minors ones.

Why would it be any different for "bespoke ethereum contracts"?

If an ethereum contract was the size and complexity of any of those projects I would certainly expect it to contain many errors.

Another way to say the same: there is no slack. Errors can be sudden and complete.

Compare with "old fashioned" contract law or e.g. national currencies or gold. The errors there (theft, counterfeit and fraud) tend to impact only one or a few transactions. It's all more localized/

In case of broader failure of old fashioned money (e.g. national currencies being destroyed through inflation): at least this is a very slow process that is usually being telegraphed years in advance.

This hopefully provides further evidence that smart contracts currently are not and probably never will be a replacement for traditional contracts and court systems. Instead they are a low-cost alternative for specific off-the-shelf problems (like ownership) for which battle-tested implementations will eventually exist.

In that sense smart contracts are a tool for a specific purpose (and maybe a replacement for people who don't have the luxury of a working court system) as opposed to the end-all-be-all solution that some make it out to be.

Attempting to enforce the spirit of the law is a problem in its own right though. The flexibility of written law is repeatedly abused. Whether it's politicians taking land from their constituents, or drug laws being used to drive racism, we really shouldn't be looking at the flexibility of written law as a good thing. Or at the very least, we should be acknowledging that it's a double edged sword.

Ethereum's smart contract language is not one which makes it easy to write secure smart contracts. There are dragons everywhere, and the DAO is far and away not the only smart contract to incur their wrath.

In general I am in favor of moving to programatic, unforgiving law. But we need to do so at a pace that matches our technological progress. Today, the technology is not there to make advanced contracts. Simple ideas like 'this coin is owned by this person until a signature from this key transfers ownership to someone else' are pretty easily enforceable. Bitcoin has a scripting system with a variety of safe scripts in widespread use.

But as soon as you start aiming at things like 'this investment fund is owned by this group of people and is able to make investments under conditions X, Y, Z, and can split... etc.', you've outpaced what we currently know how to do safely.

I don't know much about Ethereum, but why aren't the contracts declarative? Surely, it would be much easier to see the logic behind the contract and avoid the impossible task of a bug free turing complete language.

The Turing-completeness of the language is the whole point of Ethereum. That's what differentiates it from other (Bitcoin-like) crypto currencies. It allows anyone to build arbitrary business logic--an exchange, a venture capital firm, a game--that is run directly by the participants in the blockchain.

In retrospect, a declarative language might have been a better choice. There's a tendency in open-source projects to make things Turing-complete because it's too hard to agree on what the declarative primitives ought to be. (Hence JavaScript.) This is not what you want in contracts for substantial amounts of money. It's passing the buck to the users.

>This is what concerns me about contract programming. With human contract law, if there's a minor typo or loophole, participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent. But with software contracts, only the characters matter and there's no intent anywhere: either you get paid or you don't.

It's much worse than that!! What you've just said applies to building an airplane or getting to Mars, too. Mother nature won't care what you meant to do.

But this is worse: mother nature might give you turbulence, but She won't carefully cycle or time the turbulence in a code injection vulnerability to try to get your avionics to lock up at some particular moment. With these kinds of systems, you have humans actively doing everything in their power to break the system, even using the most subtle possible tricks. It's not just noise: it's a malicious attacker.

It's not enough to "get it right". You have to get it right against someone with lockpicking tools, budget, time, and no legal, social, or moral checks and balances. By that standard, every vehicle NASA has ever built is completely broken, and NASA has never built a single thing that works.

It's not just about code that's correct. It's about code to held to literally supernatural standards of correctness.

It's a social problem.

I'm surprised no one has mentioned: Human contract law still applies in this case. DAO members can still go to the FBI and try to find the "attacker". They can still ask the courts to try to take their Ethers back.

> How do _you_ know your contract is secure?

Ideally, using formal methods [1], one can write a provably correct program. Just because software can have bugs does not mean it must have bugs. Human contract law has no analogue.

Personally I'd be wary of any electronic contract that wasn't formally verified. The DAO exploit is unsurprising.

1. https://en.wikipedia.org/wiki/Formal_methods

> participants can generally see the spirit and intent, and at worst go to a judge who will usually enforce the intent

Stuff like patent-trolling (and patents) suggest to me the law isn't so consistently trustworthy as you suggest.

I don't think that is the same - There is no claim that rules of written law always gives the most favourable outcome. But rather that the written law (or contract, in this case) allows for the reality of human error or omission by leaving space for human interpretation, enforcing the underlying intent, rather than strictly enforcing 'bugs' in the contract.

After all, there are almost always small mistakes in complex systems. The system of case law is, essentially, a structured way of turning differing interpretations into a stricter framework over time.

There are no bugs, there is just the contract, and the intent, and the difference between the two.

My point is, the institution of law needs to be trusted, yet patent-trolling exists because the institution has failed to apply fair judgment and common sense such that ridiculous legal structures have prevailed.

A bug is the difference between the intent and the produced document.

I disagree. While the use of the word 'bug' is often stretched (i.e. feature requests being made in the issue tracker), the contracts in this case are not purely the product of a writer - they are also a contract, as in a written, explicit agreement. Calling an unintended consequence a bug may be true from the perceptive of the writer, but not necessarily from the perspective of the second-party, who may have agreed to the written contract, but not the "intent". Hence a document with two parties does not have objective bugs in that sense, unless both parties agree, which is not the case in disputes requiring a judge.

I agree with your analysis there.

But my point was the patent trolling exists because the law is unfavourable. Not because there is a system of mediation in place. If the patent system should be abolished or not doesn't really relate to how inconsistencies in contracts are handled, as far as I can see?

My own skepticism isn't so much stemming from any belief that the current legal systems are particularly great as it is from the learned reflex to be wary of anyone rewriting a system from scratch.

The legal system is complex and messy sometimes because moneyed interests have been keeping a thumb on the scales and sometimes because the world is complex and millions of people have spent hundreds of years patching bugs and extending the code to handle all the weird corner cases.

Smart contracts are a neat idea, but it is also kind of like the guy who wants to rewrite the production system in a weekend.

smart contracts are still a good idea, separate from implementation concerns.

I also consider the strictness, and lack of third-party mediation a "pro", not a "con".

Patent law is not contract law.

Are they not overseen by judges and lawyers also?

Formal proofs. These are reasonable to do with modern proving systems, and contracts with formal proofs would be a reasonable output for a specialist in this area, equivalent to a lawyer for regular contracts.

There is nothing stoping you from getting involved in a much more complex scheme of contracts. You could easily set up a system where a web of trust filtered, community funded "court" creates a wallet that is used for mitigating disputes. If a judgement (done by key signing votes) goes against a user you decrement how much they are going to get after the period ends and you increment how much the claimant gets. If nobody gets into a conflict at the end of the period everybody votes to send back all the money to everyone's respective wallets.

Your word "easily" translates to "I haven't really thought hard about it and I am not an expert but it seems easy to me." That is a trap for beginners to cryptographic systems. Getting it right in all details is HARD, as has been proven time and again by failures. The theory is hard, the implementation is hard, and making it usable is hard.

If there are ever more compelling use cases for smart contracts this will create a market for smart contract validation or development.

Interactive theorem proving is already at the level that verifying something like the DAO (a few hundred lines of code!) isn't too complicated. By the time smart contracts become relevant we'll probably have all the tools in place to make this an industry instead of a research project.

Of course. But human contracts require human judgment and it is precisely the psychological fear/mistrust/puzzlement of proponents of machine contracts that leads to their political adoption of the idea. I don't think there's necessarily an objective risk/reward analysis behind preferring one over the other, just a matter of personal temperament.

>This is what concerns me about contract programming.

It is really the whole cryptographic ambition for trust less systems that is possibly problematic.

I'm trying to be open minded. I'll concede that maybe they are will be proven right with time, but maybe not.

The problem is in a trustless system, there's still trust - trust in the code. And if there's one thing I have ZERO trust in, it's software.

Just remember, when the developers inevitably appear with suggestions about how to stop the hack, roll back the blockchain, or come up with other schemes to block the hackers, they are showing everyone that all the talk of blockchains being decentralised, or being beyond the control of governments or other powers... is a complete lie.

If this hack can be stopped, then it demonstrates that the currency can be manipulated, that the decentralised system is not so fault tolerant or uncensored after all, and that people out there know this.

Also remember that this isn't the first time this idea of 'lets rollback a blockchain due to a hack/attack' has been floated or even tried. The first major blockchain rollback almost completely destroyed the cryptocurrency [1]. Since then, some major hacks have happened and the community/developers rejected the idea of a rollback [2][3]. That was a hard lesson, and hopefully the current developers will learn from the short history.

Also to your point, yes, Ethereum is not as decentralized as some would like to claim, either from a stakeholder perspective, or from a mining perspective, or even from a 'who holds the power' perspective. I suspect that's what makes it so efficient though, in terms of changing protocol, or making decisions on behalf of stakeholders.

[1] http://247cryptonews.com/vericoin-lack-integrity-bailout-min...

[2] https://www.cryptocoinsnews.com/official-nxt-decision-blockc...

[3] http://www.newsbtc.com/2014/12/17/opal-recovers-1-7-million-...

One could argue that at this point in its history it stands to benefit more from that efficiency than it would from more robust decentralization.

When adoption is low it stands to reason centralization would be high, and so it enables them to move faster to increase adoption, and hence lower centralization as other players and stakeholders enter the game.

However it does also stand the risk of allowing the current influential parties (the developers or miners) to influence the system in their favor. So far though, I don't think this has been the case, but we'll see how this situation plays out.

There is no doubt that centralization is more efficient than decentralization. The problem comes when developers or other stakeholders don't understand or underplay this feature.

Also, centralization/decentralization is a a scale, not discrete boolean values.

It will definitely be interesting to see how this plays out. Good luck to everyone involved.

If there is consensus that this is a problem and shouldn't be allowed, then there presumably is also consensus for even a hard fork if necessary. As an outside observer, I don't see why this is a demonstration that the decentralised system can be manipulated, is not fault tolerant, or censored.

Since if this is a problem and will be fixed, it will presumably be by consensus. We already know that with consensus the entire system can be changed (or forked, if you like). This is no secret and there was never any claim otherwise. This is exactly what they mean by decentralised.

What should worry you is if a change happens without consensus, but there is no such indication here.

slock.it are now implying that opponents of the proposed hardfork are probably the thief and asking people to contact them with information about the identity of anyone who organizes opposition to it: https://twitter.com/christopherhesh/status/74379447973649612... It's going to be a very interesting kind of "consensus", that's for sure.

Ah, vigilantism. How incredibly fitting into the whole cryptocurrency ghetto. So very unprofessional.

Let's call it self delusion. A "lie" needs the intention to deceive. I think most developers of these systems truly believe that they are building the First Distributed Republic or something like that.

Vitalik Buterin, the co-founder and Chief Scientist of Ethereum, just called for a DAO and ETH trading halt at all Ethereum exchanges: https://www.reddit.com/r/ethereum/comments/4oif2x/dao_attack...

Apparently all that talk of decentralisation goes out the window when you're losing money. Ha

Actually, I'd say the fact that he has to publicly ask for exchanges to stop the trades, and can't simply press a button or send out an order, shows the decentralization.

Decentralization doesn't prevent coordination.

I think you're missing the point. The fact that one man can bring the whole of Ethereum trading to a halt with an announcement really demonstrates just how much power he has. So it doesn't matter that he doesn't have a physical kill switch if the end result is the same.

He wouldn't have that power in just any old circumstance. He could have the power to launch nukes, but if that power would only work if all of the world agrees, I'd still not be afraid of him.

I mean, they don't have to honor the request to do so.

> I think you're missing the point. The fact that one man can bring the whole of Ethereum trading to a halt with an announcement really demonstrates just how much power he has.

The reason for this is that ethereum exchanges are not decentralized and the "program" that the owners of the exchanges execute on their brains partly allows "dynamic mental code update" by Vitalik Buterin.

The announcement didn't come out of the blue. Exchanges don't want stolen funds to go through them so it is also in their interest to halt trading.

...but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

Exchanges are in a difficult position once the 'head' of ethereum tells them to stop. It's a sign that the blockchain might be forked, so any further trades they make might be undone - they simply have little choice but to stop after being told to do so.

> but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

Not at all. This is a classic "coordination problem". It is advantageous for many participants in the overall system to take an action, but only if the other participants are ALSO taking the action. In such a case, a widely followed and popular leader is one possible coordinating mechanism. And it does not give that popular leader the ability to do ANYTHING, only things that actually ARE popular but require coordination.

a widely followed and popular leader is one possible coordinating mechanism.

That's the exact opposite of decentralized. Are we going to have to redefine the word?

I don't agree. Centralised control would mean one person can change anything. Decentralised doesn't mean that nobody can propose a solution - only that others have to agree on it before it goes live.

How do you imagine decentralised decisions happening otherwise? Everyone choosing their own solution without ever talking to each other and seeing what is most popular?

I'm not sure whether we are redefining it... I suppose it depends on what definition you were starting with!

My idea of "decentralized" includes things like "continues to function perfectly well if any one person or small group is removed from the process" and "continues to function perfectly well if any one person or small group becomes malicious".

In this case, if Vitalik Buterin were not around to announce the problem, someone else could announce it and that would provide a coordinating signal for all of the independent players to act on. If Vitalik Buterin were malicious and decided to announce a rollback of a big spend he had done, then the independent miners and mining pool operators would (I hope) choose to ignore the announcement and refuse to participate.

I guess to me, having a centralized group or individual make decisions seems to violate "decentralized", but having one of several possible groups or individuals make announcements which signal the population to take action does not.

Nobody has to follow the leader. Want to keep your exchange trading? Go ahead - nobody can stop you. It just so happens that everybody agrees this time.

> but they didn't halt trading until they were asked to, so clearly it wasn't totally in their interests?

I didn't stop eating excess salt until my doctor asked me to do so - and it was totally in my interest.

A surprising number of people seem to believe in the near-perfect efficiency of markets, that every participant is making optimal decisions based on their own goals.

This is, of course, absurdly optimistic.

Why, has anyone thought that decentralization means no one has a lot of power? I figured that people who prefer decentralizations prefer feudal power over centralized power.

>and can't simply press a button or send out an order

And the governmental powers-that-be can press a button and prevent citizens from exchanging cash?

The US government freezes bank accounts all the time.

Bank accounts aren't cash. They're a ledger of your balance with the bank.

Yes, easily by devaluing the currency.

Governmental currency printing has zero effect on the negotiated transaction between two people, and it does precisely nothing on my ability to choose to continue using that currency. That's the underlying freedom; use dollars or blueberry scones if you want. You just need to find a willing counter-party.

The anti-fiat crowd should think for a minute on how money actually works in practice.

Huh? What does halting trading has to do with compromising decentralization? You do know what "decentralization" mean right?

They're now talking about essentially blacklisting the hacker's ETH address, how is that decentralised?

Halting trading is a show of force too, if they believed a single thing of what they preach they'd let the free market continue its course with the hacker walking away with the money.

Looking at your comment history it seems clear you have an agenda here, so I'll ignore the ad hominem.

Decentralization doesn't mean complete lack of central control, or anarchy, it means that balance of power is in the periphery with the broader organization largely controlled by protocol and policy. Issuing an edict in a crisis doesn't necessarily imply centralization if the member nodes can ignore the edict.

In the history of organization structures, for example, Peter Drucker in 1946 wrote the "Concept of the Corporation", a study on General Motors, which was arguably one of the early detailed studies of Decentralized governance in an organization.

The "free market"? I don't think that's what "free market" means.

how is that decentralised? [..] Halting trading is a show of force too

Decentralisation does not preclude "force". The one really has nothing to do with the other. Unless your idea of "decentralization" is actually the solipsist view that every person is an island, and social structures hold no benefit for survival.

If it takes a vast majority of participants to agree, then not really. It's decentralized, not 100% immutable. Will get harder as it gets larger but at this stage it is good to still have the ability.

Vast majority however means most mining pools. In practice that's not that many people making the decision.

At this stage yes. That's why I don't hold ether as being solid enough yet to be a store of value, aside from the fact that it's being inflated at ~25% pa. Needs to go through these teething problems now while that is still the case.

Why would that be different at later stages? Bitcoin grew more centralized with time, not decentralized: The miners with the most powerful equipment also have the most ability to become even more powerful.

Why is that different for Ethereum?

It's not that simple. In the end it's what users actually use that matters. Mining on a fork that sees no use would be suicidal. So miners need to follow users, or their investment is for nothing. And users tend to follow developers, at least until there is a contentious fork.

So while there is no clear single party that makes decisions, active developers have the most say.

It's not that it's centralised, it's that the cost of the precedent set by a fork and rollback doesn't mean it is seen as a terminal failure.

As 'fuel' for programming smart contracts it's still a valuable tool but it doesn't make writing those contracts easy.

And if it can't be stopped, the argument about decentralized apps being "unstoppable" won't be that appealing anymore after all :)

It's sad, being able to write blockchain apps like with ethereum and lisk is cool tech, but we'll have to deal with the idea that once is out, it's out. Programming NASA style.

> If this hack can be stopped, then it demonstrates that the currency can be manipulated, that the decentralised system is not so fault tolerant or uncensored after all, and that people out there know this.

My thought exactly. And despite putting a little money into the DAO myself, this is the kind of risk I was willing to take. I should lose my money. Miners should vote strongly against this fork.

I know in the Bitcoin community this wouldn't be accepted, not so sure about Ethereum though where the developers have a lot more control (than they should IMO).

This is FUD, broadly speaking. The devs have put out a patch for miners which allows them to decide whether or not they wish to fork over these transactions. Centralization is not required for this decision, instead, distributed consensus.

The counterpoint to your statements is simply that consumers need safety with their money. It is no badge of honor to let unsophisticated technical people lose money for some extreme libertarian ideals.

> This is FUD, broadly speaking. The devs have put out a patch for miners which allows them to decide whether or not they wish to fork over these transactions. Centralization is not required for this decision, instead, distributed consensus.

With all respect Peter, this is not FUD and OP is raising a valid concern. Yes, the miners vote on the patch - but given the infant state of the ecosystem and the large loss incurred, even further controversy or delay in finding a resolution may cause them permanent economic harm; so it would appear that there is little leeway in the choice involved.

> The counterpoint to your statements is simply that consumers need safety with their money. It is no badge of honor to let unsophisticated technical people lose money for some extreme libertarian ideals.

Yes, that's certainly the argument, particularly that if there is majority agreement than the protocol change is justified. But this doesn't at all invalidate OP's concern that fundamentally algorithmic contract's aren't binding if such an alteration can be adopted. The case could be made that in a more mature ecosystem such case specific alterations are more potentially damaging than useful and that this is a transitional phase, yet I think the burden of proof is on the one responding.

>so it would appear that there is little leeway in the choice involved.

I think we agree on this. The reality is that an active choice will still have to be made by a consensus group, though. It's not a matter of something being forced down the throats of a majority by an oligarchy, it's utilizing the existing consensus mechanism.

I think OP should be well warned here as to what is binding with smart contracts, for sure. This isn't any different than risk calculations in Bitcoin, though -- early days advice was to wait six blocks for transactions over $20, because the cost of subverting the network was very low. This is part of the give and take of mining and distributed consensus with current technologies.

I agree with your points. But the miners who actually have a say, if I am not mistaken, are the big ones and the pool owners. These are just a small fraction of all people running mining software.

A soft fork will undeniably require distributed consensus. It is the number of people with the actual right to vote that may be worrisome.

Perhaps the pool owners should extend their voting rights to their pool contributors, pooling votes as they pool mining shares.

(Disclaimer: I hold a small amount of ETH and participate in a mining pool.)

Or, pool owners could announce their position, and you could switch pools. This has happened in Bitcoin, albeit very occasionally.

It looks like the developers are proposing a soft fork to block certain transactions, followed by a hard fork to allow retrieval of funds.

[1] https://www.reddit.com/r/ethereum/comments/4oiqj7/critical_u...

The only way any of that can happen is if most of the community agrees to run the software implementing the change. If you know of a way to get more decentralized than that, I'd like to hear about it.

> all the talk of blockchains being decentralised

All the talk of /ethereum/ being decentralized.

True! It's definitely a situation where the 'market cap' of bitcoin gives it some extra stability. If the DAO contained bitcoins, it would be a far smaller % of the total and there would be fewer calls to roll back the logs.

If there is network consensus to do the rollback, then the blockchain stays decentralised.

What is 'network consensus'? It certainly isn't giving everyone a vote as to whether they think the rollback is a good idea or not. Instead, it's connected people wielding influence.

A majority of hashpower as "ratified" by a sufficient number of nodes and holders.

Connected people always have influence in any human system, because, you know, emotions.

So can random people who agree with each other completely control everything that happens with the currency? So if there is a company who they dislike can they just decide that they have no money?

Majority of ethereum holders would want to rollback. That is consensus. If they don't hard fork they can keep running an old node. What is the problem?

The incentive here isn't to pick the side of the fork you agree with; it's to pick the side of the fork you believe will win. So you can't really say that the rollback side winning means that most miners agreed with the rollback - rather it means that most miners thought the rollback side would win. There's a strong element of "self-fulfilling prophesy" here.

How do you know? Of course, it could be established using "safe" blockchain voting technology...

The longest fork wins.

Isn't that basically measuring which side has more hashing power? It's not obvious to me why that necessarily represents "the majority of ethereum holders". Or am I missing a mechanism?

The hashing power is the voting power. Since it is not obvious how one could even define what "the majority of ethereum holders" even means (and who says that every ethereum holder who is a physical person has to have the same voting power? If this were the case one would simply split your ethereum "account" into many who are hold by stooges).

Majority is consensus?

It has been proven impossible to reach full consensus at scale in a fully decentralized, asynchronous system (the FLP theorem).

So, in computer science terms, consensus algorithms are about approximating distributed consensus in the face of benign and malicious threats or communication failures, which devolves to "quorum / majority" pretty quickly in a crisis.

After the crisis, some kind of compensation, reconciliation or excommunication has to happen with the portion that disagreed.

So that means if you are against majority thought you are shit out of luck. Just think of any time when majority consensus hasn't been the optimal solution.

If you believe that there is a better way to find a consensus in a distributed system than majority you are free to implement a system based on it. I consider it as quite plausible that such a system exists, but cannot even imagine how it might look like.

There is a better way but it unfortunately requires the system to have an understanding of what the decision is about - in other words, no longer decoupling the mechanics of the decision from the meaning of the decision.

A distributed system can easily make a majority decision that is unwise, like if the votes are based off of bad information. But if the different options of the decision could be formalized and checked/proven as part of the decision making process, based off of axioms and values that participants all agree on, then perhaps the most rational decision could be selected even if it's not what the majority was initially in favor of.

Also just remember, that Rome was not built in one day. Progressing mankind with a functioning DAO is most likely worth much more than even a $200M failure (worst case scenario) if you look at how it could increase world productivity/efficiency.

The developers appear to be treating this as a dev environment - "We were starting a new team (welcome @hiddentao, @evertonfraga and @luclu) and I was pushing for weekly releases, without proper testing. Meanwhile the DAO happened, and we wanted to make a release that had support for events subscription without realizing the performance impact it would have..."


I realize this is the wallet development but they are absolutely related and shows the culture of this software is not as professional or thought out as it should be.

But if the hack can't be stopped, then… it demonstrates that the currency can't be manipulated…? Wait a minute.

It's a size issue not a security issue or put another way the insecurity is the small size.

Once it gets bigger the security goes up as events like this affect the currency less and less.

Hopefully this will make the idiot "investors" realize what a piece of crap Ethereum (and anything related) is.

We already knew that blockchains are vulnerable to 51% attacks. There are real problems with points of centralization (including the developers), but events like this don't prove anything.

Edit: to be clear, the 51% attack I'm referring to is actually the defense of the network by developers/miners/users that the parent post is complaining about.

They do if the developers suddenly come up with schemes to block the attack or hack the DAO. vbuterin has posted on reddit a plea for any DAO holders who were about to 'split' their holdings to contact him - presumably he has a way to hack the DAO more effectively and so grab the money before the attackers grab it.

But when did he know how to do this? Was it a secret that he was sitting on, or has he only learnt about it from the existing attack?

If this is just a 51% attack then we didn't learn anything about etherium qua etherium or blockchains qua blockchains... but we'll learn something about the lower bound for being big enough that they're not a realistic possibility.

It's an interesting question - is the DAO 'too big to fail' ?

I wonder how different ether will turn out to be, will they bail it out by rolling back the blockchain?

Rolling back the blockchain would have some pretty serious ramifications, as the possibility of that becomes greater it makes sense to sell as quickly as possible into another chain to retain value.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact