Will The $50m Heist Of The DAO Take Down Bitcoin’s Rival Blockchain?
Just a few short days ago I mentioned the arrival of The DAO, a company without any employees, management or leadership that lives entirely upon a public blockchain, at the end of my article on What Venture Capitalists look for in a Blockchain Startup, stating that “They expected to raise about $5m and their growing pains are the sort of thing Pamir would note as signs they’ve arrived too soon.”
That lack of maturity turned the celebrated financial innovation of May into a blazing wreck last week, as a feature of Solidity, the smart contract programming language of the Ethereum blockchain, permitted an unknown individual to drain a third of the $150 million The DAO had raised.
The Solidity smart contract programing language is Turing Complete, or full featured, and one of those features is known as recursion. A function in a program can call a copy of itself, and that copy can in turn call another copy of itself, with the process continuing until it reaches some sort of limit. This recursion was combined with a feature of The DAO that was suppose to solve the issue of a single investor or group of investors having too much control of The DAO. The DAO is essentially a decentralized venture capital firm, where the investors in The DAO directly vote on which projects to invest in. If you do not like how investors are spending the money, you could split your funds into another DAO to preserve your funds. It turns out, when this splitting function is combined with the recursive feature of Solidity, ether can be sent to the new DAO before The DAO registers a deduction from your balance. In other words, you could drain the funds until every ether had vanished.
In this instance, the attacker used recursion to take control of 3.6 million ether, valued at $50m at the time, out of the total of 8 million raised. Ether is the cryptocurrency of the Ethereum blockchain, and that 3.6 million represents almost 5% of the entire Ether supply today. So why not steal the remaining 8 million ether? A conversation with the alleged hacker reveals that he or she did not believe that there was enough liquidity in the ethereum markets to liquidate $150 million of ether and that there would be more drastic measures taken by the Ethereum technical community if all the ether were drained.
Note the words I chose. Many consider this a suspicious transaction, not a theft. The alleged hacker behind this has made a very interesting public statement and this paragraph in particular matter. (Note that the alleged hacker has yet to provide cryptographic evidence that he is indeed the hacker).
I am disappointed by those who are characterizing the use of this intentional feature as “theft”. I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO.
Many of those who invested in The DAO prescribe to the idea that “The Code Is The Law”. For, you see, in the event that something like this occurs, a flaw in logic that enables someone to abuse the system and cheat investors, there is no one to sue at The DAO. The only judgement on whether or not the release of funds is legitimate is built directly within the code of a smart contract. There are a lot of interesting implications to this. Does this mean that every smart contract should be audited by a legal professional with a technical background? Maybe this will create an entirely new field of law. Or perhaps this is the fatal flaw of smart contracts.
The final results for this entire series of events is simply beyond prediction at this point. The DAO seems likely to survive, albeit with a haircut due to a lack of due diligence in the smart contract. The DAO Attacker may escape with a portion of the proceeds, but despite the brave talk of lawyers and lawsuits, Title 18 Section 1030 of the Computer Fraud & Abuse Act could be the tool the DOJ would bring to bear if the Attacker can be identified.
What financial regulation authorities like the Securities Exchange Commission will do is purely a guess at this point, but the “unregistered securities” phrase has been heard from people not given to idle chatter. This article on American Banker is a good example of the legal discussions happening regarding The DAO.
While these are the typical ways that we have enforced consumer protections in the past, blockchains are able to enforce their own form of consumer protection through consensus. With 5% of ether at stake, and what looks to be the failure of a product which held almost 15% of all Ether, Ethereum founder Vitalik Buterin has outlined solutions involving a “soft fork”. A soft fork would involve something like all Ethereum miners updating their software so that the account involved in the suspicious transaction is unable to do anything. A miner is essentially a person or organization that verifies blockchain transactions in exchange for transaction fees and the opportunity to create new ether.
Others have suggested a hard fork, which would involve picking a checkpoint in the blockchain prior to the suspicious transaction beginning and discarding everything that came after that. There was some hope that the mandarins among The DAO membership could figure out a counterattack to return the funds, but this seems to be fading. There are a series of options participants in The DAO could do to counter the attack, but they are complex, in methods, in numbers of people involved, and timing.
But why do these decisions matter between a hard fork and a soft fork? Because the decisions may put into question the immutability of Ethereum’s blockchain. The security of a blockchain with a Proof Of Work consensus mechanism is governed by it’s hashing power. The fact that a hard fork, which rolls back all transactions back in time, effectively erasing recent past transactions, is possible presents major doubts to the immutability of the Ethereum blockchain.
Because of ethereum’s relative immaturity, it is secured by only about 3.9 TH/s, compared to Bitcoin’s 1,700,000 TH/s. This makes Ethereum far more susceptible to centralization risks, such as Vitalik Buterin working together with a small number of miners to make the choice of whether to roll back transactions, create a new software that effectively makes certain types of past, present or future transactions invalid in a biased manner, or doing nothing at all. Suddenly trust is brought back into an equation that has been promoted as trustless.
This is similar in some ways to the hack of Mt. Gox in the Bitcoin ecosystem. In February of 2014, the largest bitcoin exchange, Mt. Gox, lost 650,000 BTC , which was worth over $400m USD at the time. This loss represented 5% of Bitcoin’s entire supply at the time, contributing to the continued decline of Bitcoin’s price from $800 in the beginning of the year to $300 at the end. Interestingly, many had called this moment the end of Bitcoin. Yet here we are today, with an unbelievable rebound of Bitcoin price to nearly what it was then. So is this the end of Ethereum and Decentralized Autonomous Organizations? I think not. But is the technology quite ready for live commercial applications with $150m on the line? I know one hacker that says yes.
by 