Hacker News
Thinking About Smart Contract Security (ethereum.org)
134 points by ikeboy on June 18, 2016 | 80 comments

> The reason for this fundamental conclusion is as follows. All instances of smart contract theft or loss – in fact, the very definition of smart contract theft or loss, is fundamentally about differences between implementation and intent.

This is, I think, to its core the fundamental problem with any kind of rigid language in contracts. It's nice to see an acknowledgement of its existence, but disappointing to see no acknowledgement of its severity. We see this all the time, not just in code, but in law and policy as well: an overly-prescriptive law can be just as problematic as an overly-vague one. And imperatively written smart contracts are about as prescriptive as you can get.

This is of course in addition to another critical shortcoming for smart contracts: they are capable only of interacting with informational assets (of which "money" is a subset). You can't possibly create a smart contract to purchase a house, because at the end of the day the person that physically occupies the house is in the position of power. Any smart contract enforcement mechanism would necessarily rely upon some outside system, which defeats the whole purpose of the thing in the first place.

I have high hopes for cryptocurrencies, in no small part because they inherently deal with only information (again, money is a subset thereof). But I'll be honest: I remain extremely skeptical that smart contracts as we currently understand them will ever see general adoption. It strikes me as an emotionally understandable, but rationally ill-advised, radical departure from hundreds of years of political philosophy and sociology... not in a way that inspires the term "disruption", but rather in a way that evokes "out of the frying pan, and into a boiling pot of lava". I'm all for "a better contracts system", but given that a contract (even one with a non-human entity) is by its very definition a social instrument, I just fail to see a reasonable way forward for what is essentially contractual bytecode.

As I explained in another thread [0], there is a reasonable argument that so-called "smart contracts" are not legally contracts at all, because they are not intended to give the parties recourse to legal enforcement of their terms. (This is the basic raison d'être of smart contracts—enforcement de machina rather than de jure.)

If a judge accepts that argument, then contract law would not apply to smart contracts, and the usual considerations of intent in contract law would not be relevant. Of course the intent underlying the code that implements the smart contract would remain relevant, but unless the "contracting" parties agreed on meta-provisions for arbitrating disagreements about the intent of the code (legal or otherwise), it seems reasonable to accept the default interpretation supported by many members of Ethereum's community: what the code says goes.

In short, legal arguments may not be dispositive, because smart contracts may not be legal contracts. In that case, determining the intent behind the code may be a morass best avoided as many assumed it would be, by ignoring it and letting the code decide.

(Of course, the ideal form of arbitrating meta-provision is code compiled against a spec enforced by a tool-chain that includes formal verification—both because it is self-enforcing and because it bridges the gap between intent and what the code actually does. But that seems a long way off.)

0. https://news.ycombinator.com/item?id=11932003

I agree broadly - and the current DAO was a terrible idea on many fronts, but I'll discuss one quibble in case it starts a broader discussion.

> You can't possibly create a smart contract to purchase a house, because at the end of the day the person that physically occupies the house is in the position of power.

It's likely that if something like this ever succeeded, there'd be many parties that would provide bridges between real world assets (dollars, a house, entry to an electronic lock) + real world contracts that might bridge to crypto contracts (so a trustee may hold a house under US law for a crypto title owned by others - similar to how a custodial bank holds financial assets on your behalf). You're right that the enforcement mechanism might be decoupled, but that doesn't make it worthless, as the trustee could still use the enforcement mechanism on the real world side. On the cryptocontract side, parts could be enforced like payments.

So why might crypto contracts be interesting in this case:

- There are too many parties involved and coordination costs are high (crypto contracts that millions of people collectively negotiate together)

- The adherents are international, and may prefer a standardized form of law accessible cheaply and easily to all

There are clearly an infinite number of risks - but this is just an example of how it might still be beneficial.

One other point. Everyone in this recent DAO hack discusses cryptocontracts as set in stone - and the be all, end all once published. Still, you could always inject in a party that adjudicates, but only in extreme scenarios (technically, they might have root access when a few parties with conflicting incentives agreed).

You might ask, doesn't this defeat the whole purpose of crypto contracts if third parties are involved - but there still may be value if the third party role is substantially diminished, or if previous forms of negotiation that never happened due to coordination cost now occur.

(the canonical Bitcoin example is escrow, where the two parties can verifiably escrow money which in the real world always required a third party actively involved, and a third party in the cryptocurrency world steps in only if there are issues that the two parties can't resolve and cannot take the money itself - 2 of 3 multisig).

> The adherents are international, and may prefer a standardized form of law accessible cheaply and easily to all

I think this is undervalued, and probably going to become even more important in the future. Largely because it's something that the current legal framework simply doesn't provide.

We have tenuous legal agreements between nation-states (largely of the "we choose to obey now because it's in our best interest" variety). And we have legal systems that apply in a single country. But we really don't have an ironclad anything in the ether (ha!) between those.

More than you think. One of the selling points for why some organizations, especially financial or legal, advertise they are in specific countries is a strong, consistent enforcement of specific things like banking integrity, contract law, I.P. law, whatever. It's important enough to the business sector that it's on the international ratings for what countries are best to do business in. Also, Switzerland makes a killing in the financial sector using this approach.

So, picking the best jurisdiction for something like this plus getting all parties to agree to settle disputes according to its laws would be a positive step for such organizations. Knocks out a whole category of risk. These decentralized schemes often pretend they won't need lawyers but they exist in real world for good reasons. Best to know what they can or can't do in at least all the common, criminal situations.

> Any smart contract enforcement mechanism would necessarily rely upon some outside system

Absolutely. This drastically limits the scope of smart contracts. You can do all kinds of interesting stuff with the contracts and digital money, like ponzi schemes, simple gambling games, and so on, but you can't link them with the real world without relying on some third party trust. And once you require trust, then you might as well implement the whole thing in the real world.

Incidentally, this is also the killer problem with Slock.it's (the DAO creators) other project, their 'digital locks', physical padlocks that would open or close based upon smart contracts. They were fundamentally flawed because it's impossible to prove that a physical lock is tied to the blockchain. There's no proof that it will honour a smart contract, so the whole system again relies on third party trust.

I don't see why this is a fundamental problem. At worst, a simple legal shim of the "third party law firm legally bound to do X if smart contract dictates so" would bridge pretty effectively.

Smart hardware locks sounds interesting. I'll have to read up on what they tried -- it sounds like a technically interesting problem.

It's a pretty fundamental problem for a "trustless", "decentralised" system to require either a significant amount of trust, a third party to fix things or both in most conceivable practical use cases.

If you're requiring a third party law firm to ensure offline parts of a smart contract are enforced and mediate disputes, you might as well write the contract in something the law firm actually recognises as a contract.

See my other comment, there are gradients of trust not simply trusted or trustless.

A simple example why is that 10 MM parties across the world want to coordinate together for a custom contract - this might be challenging depending solely on the current system (coordination cost, different jurisdictions), but there may be benefits to having elements of both systems involved.

Again, this is all speculation - and only time will tell, but I also think it's a debate to be had, rather than suggesting that such a system is worthless if it depends on any real world legal forms.

> You can't possibly create a smart contract to purchase a house, because at the end of the day the person that physically occupies the house is in the position of power

I can imagine a future where blockchain-based logic is used to drive robots, bridging the gap with the real world. To me, blockchains seem like a proto-DNA set to evolve as a base for AI; perhaps we are at ground zero for the primordial soup of future digital lifeforms.

I don't think anything can evolve in a space that wastes that much energy with proof-of-work.

Your DNA doesn't change very much throughout the course of your life. Once a program is on a blockchain, much less energy is expended to maintain it compared with the POW used to create the block.

But the definition of evolution is many many changes.

You should look up the definition of evolution.

"Evolution is change in the heritable traits of biological populations over successive generations."

I claimed that there are many generations needed for programs to evolve, which POW limits because the generation of new contracts is not cheap.

>There will be further bugs, and we will learn further lessons; there will not be a single magic technology that solves everything.

Interesting change of attitude! I was just watching a talk[1] from a couple of years ago where Vitalik says "there are a substantial number of applications where you can actually say yes 'I am 99.9 percent certain this is bug free'". Amazing how much a few years of industry practice can humble a young software engineer.

[1]: https://youtu.be/cahj4WJtp20?t=43m45s

True at NASA and in many other places that spend 100x as much per line of code, albeit it's more like 95% surety.

They also spend a lot of time building robust systems that can recover from errors (e.g. the famous story about the guidance computer on the Apollo 11 recovering from cycle stealing and overflows).

100 != 99.9

Do you think you can get to 100% certainty in anything, let alone software?

Ethereum/DAO would be much less of a tire fire embarrassment if the management had taken some time to learn anything about the basics of contracts and law, instead of making it up as they go and assuming the entirety of centuries of civilization has no clue what they were doing.

    assuming the entirety of centuries of civilization has no
    clue what they were doing
This is a common assumption in these circles, unfortunately.

I think that there is an interesting outlook here. It seems to me that some people are under the impression that the world is essentially simple, and it is stupid people and institutions that complicate it. If we apply careful mathematical reasoning, we could find better solutions to anything.

The interesting thing is that about 100 years ago some mathematicians believed something similar about math itself. They believed that since we have formal procedures to reason about math, eventually we'd be able to understand (i.e. prove) everything we want to know. That hope was finally crushed by the discovery of simple, finite, small mathematical objects, that while subject to mathematical reasoning, are able to forever elude complete understanding and proof. Those objects inhabit a very large, unbridgeable gap between our ability to reason and our ability to fully understand (and prove). Those objects, of course, are what today we call computer programs.

If there's anything that proves beyond any doubt that even systems that operate according to a small set of rules, and subject to mathematical reasoning and manipulation, are still able to defy complete understanding -- even in theory, let alone in practice -- it is computer science.

Yet, even though computer science is the very discipline that proved that complexity that can arise even in the smallest of systems is essential and cannot ever be tamed, it is computer scientists and software developers who often attempt to challenge the very foundation of their own discipline.

Yes! I read a great comment here (I forgot by whom) that said something like

    It's hard enough to prove that a computer program will
    actually *do* something, forget about proving what the
    program *will not* do.
He was arguing against the idea that Turing complete languages should be used in smart contracts. The person mentioned that it's not trivial to even assign a complexity category to the question asked, let alone getting an answer (if you can).

Right, although "Turing complete" is a red herring here, as we can't generally verify the behaviors of programs written in most non-Turing complete languages either. I wrote in another comment that if we place computational power on a scale and put Turing completeness at 10 and FSM at 1 (0 being no computation at all, i.e., return the input), then the computational power that we can always generally verify would lie somewhere between 0 and 1. Even FSMs are PSPACE-complete to verify, meaning we can only generally verify small ones (which is why software verification isn't about finding a language in which all programs are tractably verifiable -- as it is unlikely that such a language would be very useful -- but rather to try and verify specific programs that form a small subset of all possible programs, regardless of the computational model of the language they're written in).

So the general intractability of computation is essential and far from limited to Turing completeness. If you find this subject interesting, I'll be giving a talk about it next month[1] (it will be recorded).

[1]: http://curry-on.org/2016/sessions/why-writing-correct-softwa...

Cool, I am indeed interested. I read Aaronson's "Quantum Computing Since Democritus" and enjoyed it, but that's the only source I read concerning computational complexity.

They were indeed very naive. In the history of law, there has always been a divide between those who believe that the letter of law should be applied no matter what, and those who believe that social justice should be ensured. Whatever the terms of theDAO, there WILL be judges to find that what just happened to it is theft. That is why instead of damaging trust in Ether by forking it, the ethereum/DAO management should turn to the law to get its money back.

Smart contracts are a very good thing, but they won't become perfectly safe any time soon (if ever), so the community should recognize that civil and criminal law are a safety net, likely to help smart contracts get wider use, because they create increased trust.

> Whatever the terms of theDAO, there WILL be judges to find that what just happened to it is theft.

I am not completely sure if it went to court and it was litigated fully it would be found that the theDAO smart contracts that were buggy could be rolled back to what was "intended", as there was language that specifically denied that form of reasoning. theDAO clearly fucked up but that doesn't invalidate a contract. The intent in the contract was actually clearly declared; the smart contract was binding in its form. The smart contract's intent was its code. Its code was buggy. Thus one will have to litigate in court whether intent can be inferred from buggy code and whether a software bug can be ruled as outside of intent. Rolling back transactions like that is really exceptional.

I think it is quite interesting. A lot of people in the stock market have lost money because of software bugs, although everyone didn't agree beforehand that that software was the intent. I think it could go either way with theDAO's software contract if it was litigated.

That said, you could possibly sue the implementers of the smart contract for negligence to try to recover the loss, or those that advertised theDAO as a viable investment vehicle for false advertising or misleading one about safety; both of those are much more straightforward legal avenues.

It's not that civilization has no clue what they are doing. It just hasn't integrated technological advances fully.

The recent problems were very technical and specific as well as being solvable from a number of approaches.


I have no idea WTF is going on here. I've tried to search around for a clue but the more I read the more confusing it gets.

At first it seemed that Ethereum was a kind of cryptocurrency like bitcoin (something that people could "mine" and exchange), then something about "contracts" that don't require trust, then something about it being effectively "a computer" that never stops, an investment system investing in something no one ever actually names, some story about a hack that drains ether out of the system.

And now this story which has words like... "Governmental", "Rock-paper-scissors", "Casino", fees "stolen" because of constructor bug, "ponzi".

Even forgetting all the confusing jargon, I can't come up with a mental model that makes any sense at all. Is this just an elaborate puzzle game for geniuses? Or are people making and losing real money with this? By "money" I mean something that can be converted into actual US dollars right now and stored in a bank.

A few quick answers:

- Ethereum is a contracting language combined with a cryptocurrency; to run the contracting language requires miners to not only determine the solution to a puzzle (as in Bitcoin), but also to run code written by contract writers in a virtual machine[1]; the blockchain stores the results of these computations

There's a lot written on the DAO (just search HN), but a quick summary:

- A DAO is an autonomous organization that is self governing, with its bylaws written into code - and often the potential to fork off if you disagreed with the majority decisions

- "The DAO" which caused the recent blow up was the first public iteration of this and was an investment fund meant to encourage apps on the blockchain, by letting others fund it and then vote on proposals to receive money

- "The DAO" had substantial flaws in how it was written, tested, and released

- This was very successful by funding metrics, but that is based on a highly speculative currency that had appreciated 30-40X in a few months (otherwise, it might have just been a few million dollar experiment)

- The flaws were pretty egregious (e.g., naming two functions essentially the same - and calling the wrong one, not putting in place proper mutexes) - and many on HN who worked on any mission critical code (e.g., finance, embedded systems) would be surprised at how quickly it was released without testing, community discussion, or a thoughtful rollout plan

- Yes, people are losing money in two ways 1) in "The DAO" itself, if the funds can't be recovered fully, 2) due to the price of Ethereum to Dollars/Euros which people own and trade (which has fallen 50% since "The DAO" issues, but that is still 10-15X up since late last year)

[1] Technically, Bitcoin miners also interpret contract code, but the language is more complex and limited - with the most popular Bitcoin contract to simply lock and unlock bitcoins

DAO also has connotations in software architecture which makes this more confusing. What does DAO stand for in this context?

Who is the author of the DAO contract?

Slock.it, a startup interested in IOT and cryptocurrencies, authored the contract. See the git blame of the main code here: https://github.com/slockit/DAO/blame/develop/DAO.sol (there are a few other libraries in the repo that have issues as well)

The second link is the most clear resource I've seen thus far. Thanks!

IMO you understand perfectly.

It's a complete aberration that the Ethereum Foundation is even considering pushing a fork (hard or soft). There will be a fork, that is people leaving "Ethereum" for its new shiny successor.

If you want the protection of a big brother, why not invest in the regular stock market? Lots of neophytes trying to get rich quick are now crying for help after realizing they made a mistake. It's really touching.

Any time there is a bug in a smart contract, do we get roll back in Ethereum? There will be more smart contract bugs or operations against intent. I think this is going to become a joke.

Ethereum is not trustable if there is rollback when a contract didn't operate as intended. Can you imagine the stock market operating this way?

BTW has bitcoin ever had a rollback in its existence?

Well if there is a bug in the Ethereum software itself, it would be different. In the sense that miners could decide which branch they want. To be honest they could do this with the current proposed forks as well.

The huuuge problem I see here is that it is the Ethereum Foundation, and Vitalik Buterin himself, who are proposing the fork as a remedy. They should simply say "well duh, fire burns."

No, Bitcoin never had a rollback. Bitcoin was forked before to fix bugs, but no state was ever reversed and no prior protocol rules were ever violated.

IRL, contract law and courts take precedence over schemes like Ethereum and the DAO, just like arrest warrants do, money laundering regs, etc. Whether this is good or bad, it just is.

In real contract law, there are three elements of a contract.

1. a meeting of the minds: the parties must agree on what is being exchanged

2. an actual exchange, in both directions, it's called "consideration"

3. at least one of the parties must behave as if they are relying on the contract, a party must "make a move" and begin to deliver on the contract.

There may be all sorts of guarantees written into contracts to enhance the security of either of the two sides. So, these mathematical smart contracts are completely OK under contract law; however, the smart contracts and the surrounding activity must still meet the requirements of a contract.

It is not "a meeting of the minds" for one side to drain the other side of their total balances, and it violates "consideration" as well since nothing is being exchanged for the extra money. So there is ample reason to claim that these were not valid contracts and should be rolled back.

Cuz that's how contracts work, it's the only way they work.

> It is not "a meeting of the minds" for one side to drain the other side of their total balances, and it violates "consideration" as well since nothing is being exchanged for the extra money. So there is ample reason to claim that these were not valid contracts and should be rolled back.

I disagree. From the Explanation of Terms and Disclaimer[1] on the DAOhub site:

"The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation."

The Code is Law. All parties knew, and accepted this before 'investing'. The contract performed exactly as designed.

[1] https://daohub.org/explainer.html

> I disagree.

Excellent! and I disagree with you, so we disagree. Where does that leave us? Simply as two proponents of free speech... unless... unless we have a smart contract between us, one under which you just drained my Ethereum account of ether. Beyond being a proponent of free speech, that gives me "standing" to become a "litigant", a "plaintiff" against you as "defendant". You would get to tell your side to the judge, just like me.

Here are some exaggerated hypothetical examples where you will agree with me; then hopefully you can see how a judge would look at the present situation with the DAO:

If, buried in TheCodeThatIsLaw that AllPartiesKnewAndAccepted, there is encoded an agreement to deliver narcotics to children, or sell children into slavery, or to provide funding to a terror training cell for children, then it wouldn't matter what TheCodeThatIsLaw says, a court would declare it invalid, NotAContract, NotBinding. Even if we encoded it in language that says "this is the funding part, being non-specific about the activities". That's simply how it works. Period. And you can't write a binding contract to give money away, there's no consideration.

TheCodeThatPurportsToBeLaw must meet standards of its own in order to provide additional binding law, the standards I outlined above, a meeting of the minds, consideration, and reliance. So when it comes to challenging the results of TheCodeThatPurportsToBeLaw, courts will look inside, and they will look for AMeetingOfTheMinds, and they will look at what actually happened, how people behaved, and the court will decide if TheCodeThatPurportsToBeLaw fulfills the requirements that all contracts must fulfill in order to be binding.

My point is not that these contracts are invalid; my point is that these contracts are not free from interpretation by courts, and they are not free from meeting the standards of contracts as seen and interpreted by the courts, and not as seen by one party to the agreement who got what they wanted.

And, by the way, contracts can't contain ponzis. No matter how many signatures, lawyers, notaries, and PhDs in economics are involved in forging the agreement, TheCodeThatIsLaw is not the law if the code contains a ponzi. That's how the law works. I'm talking about US law (we are talking .com here) but other countries of laws use similar methods of determination.

IANAL, but I think what might turn out most problematic for TheDAO in the end is not the soft fork/hard fork proposal or even the loss of trust, but their - often quoted - own terms of service[1]:

> The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.

That document is the single link that connects the Ethereum toy world with the world of real, legally enforceable contracts. If any court actually takes that clause seriously and treats the DAO code as legally binding terms of service, I think that could have two consequences:

1) Intent: The terms written on the website don't say anything about crowdfunding, voting processes or the supposed purpose of the DAO. They do however say very clearly "the code is the law" and even point out that this will cause risks for the investors, should the code contain bugs.

That writing IMO makes the current argument that the attacker violated the "intent" of the contract very hard to argue.

2) Contract amendments: As far as I know (as a layman), legal contracts may only be changed if all affected parties agree to the change. Therefore, if the DAO code should be treated as a legal contract, you could interpret the soft fork as an amendment - even though not all of the DAO token holders were asked for agreement. In the most extreme case, the attacker could sue and demand that his "theft" is cashed out, even if the soft/hard fork proposal is accepted.

[1] https://daohub.org/explainer.html

> ..you could interpret the soft fork as an amendment - even though not all of the DAO token holders were asked for agreement.

DAO token holders can express their agreement or disagreement by choosing which fork they want to attach to.

If the intent of the DAO was to create a decentralized system that people could buy into so that they can vote/participate in investment opportunities presented by other members, then the big question I have is why was the system implemented in such a way as to hold all investment funds up front?

Wouldn't a more secure implementation have allowed members to buy in for a nominal fee and keep their investment funds outside of the DAO until they voted/participated in a specific contract/investment opportunity?

It's a bit of a chicken and egg, where you don't know how much to request from the DAO, if it isn't funded. It's hard to have people softly commit (unless it is a guaranteed commitment), as they could always renege on their promise when it came time to provide money. Also, the vision seemed to be to create many VC funds to consider projects, which required an aggregation of capital.

An alternate way is having each investment opportunity publicize it, but that is a marketing challenge for each project, and may not raise the requisite amount (there may also be greater legal risks to soliciting capital from retail investors directly).

There are a lot of issues with the DAO (long before the hack), so I don't mean that as a justification for launching the current DAO, but rather a potential reasoning for that one aspect. (the bigger question is why didn't they do many proof of concepts + then restrict the amount of money collected with the first production version).


Think about how everybody felt taking part in "the biggest crowdfund ever". Think how the VCs felt, investing in the future.

Now think how the VCs feel when some peers maybe take a swipe at them: "so you invested in that DAO thing?". This (and money at stake) will create powerful forces towards a resolution. This can already be seen in the smart PR campaign to rollback the hack by forking.

The next generation of geniuses is growing up understanding why Friendly AI is hard. That's actually pretty damned encouraging.

Formal verification can be layered on top. One simple use case is as a way of proving termination, greatly mitigating gas-related issues. Another use case is proving specific properties – for example, “if all participants collude, they can get their money out in all cases”, or “if you send your tokens A to this contract, you are guaranteed to either get the amount of token B that you want or be able to fully refund yourself”. Or “this contract fits into a restricted subset of Solidity that makes re-entrancy, gas issues and call stack issues impossible”.

Why not restrict the entire language instead of trying to verify that a program fits into a safe subset? What practical uses are there for general recursion and unbounded gas usage in the context of smart contracts (not to mention multiple inheritance, inline bytecode assembly, and the many other complex features of Solidity)?


1. It's very hard to create a language that is both restrictive yet useful enough, without it being just as hard to verify (e.g. total-functional languages are not nearly restrictive enough to make some global properties easily provable; the only languages that make this somewhat feasible are finite state machines, and their expressiveness is questionable).

2. Even if that were somehow possible, it wouldn't solve the real problem, which is defining the right safety properties. However you verify safety, the hard problem remains what safety means.

1. Starting from a declarative language (think XML), you might not be as expressive, but you would still have a lot of value and mitigate a lot of the potential problems.

2. Safety properties that fall back on current law could be added in case of dispute.

This scenario would still have great value as a smart contract.

1. XML is just a notation, and being declarative is not in itself a guarantee of easy verification: Prolog is declarative and yet Turing complete (though it's important to note that you don't need to be Turing complete to be hard to verify!). So while declarative is an excellent idea, it doesn't help with the problem of deciding what exactly the language can do to be both useful and relatively easily verifiable.

2. Absolutely, but I think the whole motivation behind projects like Ethereum is to replace the law with algorithms. I think that any computer scientist with a basic understanding of complexity would see why this is impossible, but the idea persists. Eventually, someone who's less ideologically pure would find a way to reconcile the utility of cryptocurrencies with the necessity for human law.

The fact that people are making Ponzi schemes and calling them Ponzi schemes tells you everything you need to know about the gullibility of the cryptocurrency community.

This is just a form of gambling. Post-modern Ponzi schemes are gambling games that some people enjoy. The people who play them aren't necessarily stupid; they value the entertainment more than the expected reward.

If you know you're giving money to a Ponzi scheme and see all the rules of it, is it really a Ponzi scheme/gullibility? It sounds just as interesting as betting on sports / the stock market / ...

People still play roulette or blackjack, even though they know they're guaranteed to lose in the long run / on average.

A Ponzi scheme that calls itself a Ponzi scheme is still illegal.

In which jurisdiction?

I think it shows a pretty relaxed attitude. Programming an autonomous ponzi scheme seems like a fun hack to write.

The problem of codifying reality with words and rules is an old one, as old as the law, and no one has come up with a good solution yet. The edge cases seem to be infinite.

Ethereum already seems to be kind of a complex system and all the suggestions in the article sound awfully like trying to put a few layers of patches over the known weak spots. Especially attempts to prove properties of contracts will likely soon make contact with Rice's theorem [1] or require giving up a lot of the expressibility of the used language. The article also points out that there are unsolved hard problems at the very foundation of smart contracts but then kind of ignores that. To me it seems that what is really needed is thinking again about the core ideas, not patching some code issues.

[1] https://en.wikipedia.org/wiki/Rice%27s_theorem

I can't help but think about the way that Nick Bostrom outlines the AI control problem when I read "differences between implementation and intent." Maybe smart contracts (and automated mediation) are a good place to start cutting our teeth on how to specify machine motivation.

He's still calling the DAO risk "theoretical" after all that's happened? A situation that rarely if ever happens to the legal instruments and methods Ethereum intends to replace. One that has them considering forks. One that has investors wondering if they'll lose it all. That... "theoretical"... risk.

Specific vulnerabilities aside, I think any reader should stop trusting the judgment or effectiveness of Ethereum-backed projects at this point. Probably better doing the DAO as a well-managed, centralized non-profit to test a crowd-funding scheme while Ethereum continues baby steps toward a distributed scheme that works.

Quite the clown act, innit?

I'm rigorously trying to assess whether my complete inability to find any there there in blockchain-based applications (Bitcoin, Smart Contracts) is a bug on my part or a feature.

I'm leaning strongly to feature.

The fundamental problem is that Vitalik (and the rest of the eth devs) knows the answer, but can't face it. If a tx gets revoked, ethereum turns into nothing more than a private-chain/bank-chain. What about the crypto-law, state revolution everyone in that crew has promised the users :(

What I think might be useful is something like the Rust borrow checker but it would be a currency ownership checker which would check for currency ownership at compile time.

That doesn't really apply here. The code and runtime are correct as in: no coins were generated or disappeared, nobody directly reassigned coins, etc. This was simply a logic error - the code followed the legal/known path all the time. Rust can be great for many things, but it can't tell you "this code does not do what you think you wanted".
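The comment above says the runtime moved coins correctly while the contract's logic was wrong, and the article passage quoted earlier names re-entrancy as one of the things a restricted Solidity subset should rule out. The following added Python model (constructed here; not code from the article, the DAO, or any commenter) makes both points checkable: `transfer` conserves the total no matter what, while `Vault` zeroes the caller's credit before or after paying out depending on the hypothetical `safe` flag.

```python
# Constructed toy model, not Ethereum, Solidity or DAO code.
def transfer(balances, src, dst, amount):
    """The 'runtime': value only moves, it is never created or destroyed."""
    if balances[src] < amount:
        raise ValueError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount


class Vault:
    """Deposit/withdraw contract; safe=True follows checks-effects-interactions."""
    def __init__(self, balances, safe):
        self.balances, self.safe = balances, safe
        self.credit = {}        # the contract's own bookkeeping
        self.on_receive = {}    # code a receiver runs when paid (its fallback)

    def deposit(self, who, amount):
        transfer(self.balances, who, "vault", amount)
        self.credit[who] = self.credit.get(who, 0) + amount

    def withdraw(self, who):
        amount = self.credit.get(who, 0)
        if amount == 0:
            return
        if self.safe:
            self.credit[who] = 0                       # effect before interaction
        transfer(self.balances, "vault", who, amount)  # interaction
        self.on_receive.get(who, lambda: None)()       # receiver may re-enter
        if not self.safe:
            self.credit[who] = 0                       # too late: credit was reused


def run(safe, rounds=3):
    """Return (total before, total after, vault balance, attacker balance)."""
    balances = {"vault": 0, "honest": 10, "attacker": 1}
    vault = Vault(balances, safe)
    vault.deposit("honest", 10)
    vault.deposit("attacker", 1)
    calls = [0]
    def reenter():                  # constructed receiver that calls back in
        if calls[0] < rounds and balances["vault"] >= 1:
            calls[0] += 1
            vault.withdraw("attacker")
    vault.on_receive["attacker"] = reenter
    before = sum(balances.values())
    vault.withdraw("attacker")
    return before, sum(balances.values()), balances["vault"], balances["attacker"]
```

In both modes the total stays at 11, which is all a conservation check (or an ownership-style type check) can see; only the unsafe ordering lets a single credit of 1 be paid out repeatedly.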

> If, in a given case, implementation and intent are the same thing, then any instance of “theft” is in fact a donation, and any instance of “loss” is voluntary money-burning, economically equivalent to a proportional donation to the ETH token holder community by means of deflation.

Don't forget about contributions to the aesthetic as well. Some of the things that are occurring with these technologies will be literally mind blowing.

Is there one solid, as in time-tested, example of a smart contract working? Sorry in advance for my total naivete.

Any spend to a Bitcoin address. It's a small program that other computers can execute and validate the results of.

I don't think they have existed for longer than what your threshold would be.

There are lots of Ethereum contracts that have been working and that they can be pretty certain don't have issues. He goes into details of some types that are generally like that.

multi-signature wallets

> There have been many solutions proposed to smart contract safety, ranging from better development environments to better programming languages to formal verification and symbolic execution . . .

Why is 'human arbitration as a last resort' not on this list?

I thought one of the goals was for the currency to be outside the influence of humans. Unless this arbitration is somehow built into the network and depends on the majority. Which still isn't a great solution.

A lot of projects have ambitions that they can't accomplish on day 1. It would be a safety net. If everything goes right, then it won't get used.

One funny comment about the subject: https://twitter.com/thegrugq/status/744421708371623937

1/2 OT: How do you pronounce DAO? As a word like Dao or as an abbreviation like D A O?
