Lessons From The Downfall Of A $150M Crowdfunded Experiment In Decentralized Governance
from the in-the-ether dept
Hype around blockchain has risen to an all-time high. A technology once perceived to be the realm of crypto-anarchists and drug dealers has gained increasing popular recognition for its revolutionary potential, drawing billions in venture-capital investment by the world's leading financial institutions and technology companies.
Regulators, rather than treating blockchain platforms (such as Bitcoin or Ethereum) and other "distributed ledgers" merely as tools of illicit dark markets, are beginning to look at frameworks to regulate and incorporate this important technology into traditional commerce.
That progress was challenged recently, when more than $54 million was stolen from The DAO (short for "decentralized autonomous organization") — an experimental and unregulated investment fund built on the blockchain platform Ethereum. As people realized The DAO was being drained, the ensuing panic also crashed the price of Ether (or ETH), Ethereum's cryptocurrency.
Beyond potentially making a lot of people poorer – who probably should have known better than to invest in an experimental "robotic corporation" — the theft has created a massive political rift within the blockchain community, and threatens to undermine trust in a technology described as the "trust machine". In addition, this event raises serious questions about the cybersecurity risks of distributed applications, the (lack of) enforcement of existing securities laws and the potential for increased scrutiny by regulators looking to protect unwary investors.
Prior to last week, The DAO was widely considered a phenomenal success. It enjoyed the largest crowdfunding in history, raising the equivalent of more than $150 million, or about a tenth of the value of the Ethereum blockchain platform on which it was built. While you could conceivably build a DAO for anything, since it was a piece of software, The DAO was created for the purpose of developing the Ethereum platform and other decentralized software projects. According to its "manifesto" on daohub.org:
The goal of The DAO is to diligently use the ETH it controls to support projects that will:
• Provide a return on investment or benefit to the DAO and its members.
• Benefit the decentralized ecosystem as a whole.
In short, it was developed as a venture-capital fund and, importantly, its investors expected returns.
@steve_somers Personally I think it will be spent more smartly than if it was just as pure ETH. Now falls under governance of the many.
— Stephan Tual (@stephantual) May 14, 2016
What is a DAO, anyway? And how does it work? Christoph Jentzsch — founder of the German company Slock.it, which helped create The DAO — explained the concept in his white paper as "organizations in which (1) participants maintain direct real-time control of contributed funds and (2) governance rules are formalized, automated and enforced using software."
As American Banker's Tanaya Macheel writes, DAOs and the smart contracts on which they are built could have a lot to offer traditional financial institutions:
In theory, distributed autonomous organizations (of which the DAO is one of the first examples) are a hardcoded solution to the age-old principal-agent problem. Simply put, backers shouldn't have to worry about a third party mismanaging their funds when that third party is a computer program that no one party controls.
At a time when the financial services industry is trying to automate old processes to cut costs, errors and friction, DAOs represent perhaps the most extreme attempt to take people out of the picture.
DAOs can be deployed on the distributed global computer of the Ethereum platform or other suitable blockchains, including private ones. One mechanism to fund them is through a "crowdsale" of DAO tokens that act like shares of stock, which is what The DAO did. Token-holders can vote on new proposals (weighted by the number of tokens a user controls) to change the structure of the DAO and alter its code. Tokens also can be traded and have an exchange-value. As The DAO's "official website" daohub.org describes it:
The DAO is borne from immutable, unstoppable, and irrefutable computer code, operated entirely by its members.How exactly does an immutable decentralized computer get "hacked"? According to DAO developer Felix Albert, it wasn't. Unlike the failed bitcoin exchange Mt. Gox — where nearly $500 million of bitcoins were lost due to a combination of breach and fraud — the theft exploited a bug that previously had been undiscovered (or more accurately, hadn't been fixed) in its code.
A quirk of robotic corporations is that they take their bylaws literally. Like Asimov's robots, DAOs are built with rules to govern their behavior that cannot easily be revised or overwritten once they are set in motion. Inevitably, these sometimes conflict with our preconceived ideas of how they ought to operate.
Technical analysis of the DAO theft revealed the attacker exploited a function originally designed to protect users:
The attack [on The DAO] is a recursive calling vulnerability, where an attacker called the "split" function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction.
It wasn't really a hack at all. It was human error. Making matters worse, The DAO's promoters (in this case, Slock.it Chief Operating Officer Stephan Tual) had said this kind of bug wouldn't be an issue just a few days before the theft (whoops).
“No DAO funds at risk following the Ethereum smart contract ‘recursive call’ bug discovery” @stephantual https://t.co/7EtlWZ8m6m
— DAOhub (@DAOhubORG) June 12, 2016
Lots of potential vulnerabilities for The DAO had been discussed and it was even suggested to place a moratorium on proposals. Meanwhile, its promoters confidently asserted everything was fine:
We are assuming that the base contract is secure. This assumption is justified due to the community verification and a private security audit.
Additionally, Slock.it's blog claimed that the generic DAO framework code had been audited by a leading security firm:
We're pleased to announce that one of the world's leading security audit companies, Deja Vu Security, has performed a security review of the generic DAO framework smart contracts.
On close inspection, the only report they linked in their blog was three pages long. It's unclear whether a rigorous formal audit had ever been conducted. After the attack, people started asking for the audit report and wondering why Slock.it hadn't shared it. The security firm, Deja Vu, even responded on Reddit.
Hi Everyone, Adam Cecchetti CEO of Deja vu Security here. For legal and professional reasons Deja vu Security does not discuss details of any customer interaction, engagement, or audit without written consent from said customer. Please contact representatives from Slock.it for additional details.
Whoever was in charge of auditing the code screwed up big-time. As former Ethereum release coordinator Vinay Gupta explained on YouTube, The DAO was an experiment that was never built to handle this much risk:
We all knew as we watched this happening that this was an emperor's clothes scenario ... there was no way that that smart contract had undergone an appropriate amount of scrutiny for something that was a container for $160 million.
Sure, everyone involved should have stopped it from getting carried away. But what are the actual consequences when a decentralized extralegal robot corporation doesn't do what it's expected to? Is anyone really "in charge" of making sure it works? Is anyone on the hook if the whole thing goes down the tubes because of its creators' (or proposal authors') lack of due diligence?
For one thing, as Coin Center's Peter Van Valkenburgh explains, DAOs are likely to run afoul of existing securities law – potentially implicating their developers, promoters and investors:
The Securities Act intentionally defines "promoter" broadly: "any person that, alone or together with others, directly or indirectly, takes initiative in founding the business or enterprise of the issuer." Given the breadth of this language, developers should carefully weigh the risks of being visibly associated with the release and sale of [DAO] tokens.
Individuals deemed to be promoters of a [DAO] may be found to be in violation of Section 5(a) and 5(c) of the Securities Act. Under these sections it is unlawful to directly or indirectly offer to sell or buy unregistered securities, or to "carry" for sale or delivery after the sale an unregistered security or a prospectus detailing that security. Even if a [DAO] is deemed to be an unregistered security, it remains very unclear how promoting that [DAO] would or would not equate to these unlawful activities, and who—if anyone—would be found to have violated the law. Nonetheless, broad interpretation of these laws may potentially implicate any participant or visibly affiliated developer or advocate.
So DAO evangelists could soon be in hot water, regardless of any disclaimers they put up.
— Stephan Tual (@stephantual) May 19, 2016
To the Securities and Exchange Commission's credit, they have thus far been relatively open to innovations like crowdfunding, as well as the potential for blockchain technology. As SEC Chairwoman Mary Jo White recently said in an address at Stanford University:
Blockchain technology has the potential to modernize, simplify, or even potentially replace, current trading and clearing and settlement operations ... We are closely monitoring the proliferation of this technology and already addressing it in certain contexts ... One key regulatory issue is whether blockchain applications require registration under existing Commission regulatory regimes, such as those for transfer agents or clearing agencies. We are actively exploring these issues and their implications.
Beyond financial regulation, the broader legal treatment of DAOs is a murky subject. With applications running on Ethereum, it's not always clear what the point of enforcement is. You can't exactly sue a DAO in court and then seize its assets. And, while The DAO's creators were in the public eye, that doesn't necessarily have to be the case; it could be deployed anonymously.
Maybe the next DAOs should be anonymous. Avoids the blame game and force us to use tools to build trust despite not trusting the creators.
— alex van de sande (@avsa) June 21, 2016
Even if DAOs are created without a formal legal status, governments may impose legal status on them. As business lawyer Stephen Palley writes at CoinDesk:
If you don't formalize a legal structure for a human-created entity, courts will impose one for you. As most lawyers will tell you: a general partnership, unless properly formalized or a deliberately created structure, is a Very Bad Thing ... [T]he members of a general partnership can end up jointly and severally liable on a personal basis for partnership obligations.
For instance, I don't think this is how the law works:
@SamirPatelLaw @vidal007 @slockitproject Customer protection on blockchain is insured via smart contracts, not legal systems. Code is law.
— Stephan Tual (@stephantual) March 21, 2016
Even if the SEC or other government entity decides to crack down on DAOs, it might be easier said than done. Because they operate on pseudonymous distributed computers, those parties may not be easy to track down (notably, we still don't know who Satoshi Nakamoto is). Even if you did, they might not have any control over it or know what it was doing. Its code also may have been radically altered from its original programming/intent.
But as far as The DAO is concerned, are we in for a slew of lawsuits or calls for SEC action by disgruntled investors? Not so fast. Investors in The DAO may yet be able to recover their losses.
Various prominent stakeholders in the Ethereum community, from Ethereum inventor Vitalik Buterin to Slock.it's Christopher Jentzsch, have suggested that the only sensible solution is to create a "fork" of the Ethereum network that could freeze the attacker's stolen funds and shut down The DAO, with the option to create a “hard fork” to fully reverse the theft and return investors' funds. Some have criticized this approach as a “bailout” or “asserting centralized control.” But it's worth noting that it would require a plurality of miners to adopt it voluntarily; whether they will remains to be seen.
Either way, Ethereum's credibility may be adversely affected. On the one hand, people need to trust that smart-contracts do what they are supposed to — particularly where millions of dollars are on the line. On the other hand, the credibility of the platform is also tied to its immutability. If developers and miners collude to reverse transactions they don't like, that sets a bad precedent.
Additionally, if the community decides The DAO's investors need to take a haircut, it could open up a Pandora's box of legal troubles for its developers and promoters (and maybe even miners and investors), potentially stifling advancement of this important technology.
But wait a minute. Why didn't the attacker see the this coming? Surely if he was sufficiently sophisticated to find a "recursive call" bug, he would have known that split funds would be locked away for 27 days — giving the community time to get wise to his activities and find a solution like the fork.
As previously mentioned, The DAO theft also crashed ETH prices. Savvy readers will note that a DAO vulnerability doesn't mean the Ethereum platform itself was compromised (any more than a nasty bug in Photoshop means that everyone with Windows 10 is at risk).
Was it possible this whole event was a ruse to pull off a "big short", as one user suggests on Reddit? As of now, there's no proof of that, but it's an interesting theory.
But was this even a theft at all? As Slock.it's representative said, "code is law!" If the code doesn't do what you think it does — that's your fault. At least, that's the theory behind an anonymous letter uploaded to Pastebin and purportedly authored by The DAO's attacker:
I have carefully examined the code of The DAO and decided to participate after finding the feature where splitting is rewarded with additional ether. I have made use of this feature and have rightfully claimed 3,641,694 ether, and would like to thank the DAO for this reward. It is my understanding that the DAO code contains this feature to promote decentralization and encourage the creation of "child DAOs".
I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law.
Adding that:
I reserve all rights to take any and all legal action against any accomplices of illegitimate theft, freezing, or seizure of my legitimate ether, and am actively working with my law firm. Those accomplices will be receiving Cease and Desist notices in the mail shortly.
If the fork moves forward to freeze or seize the attacker's digital assets, could that open up the broader Ethereum community and its miners to legal liability? We'll have to wait and see what happens.
Regardless how The DAO "theft" is resolved, regulators shouldn't be in a rush to impose stricter regulations on Ethereum, which is just a platform, or DAOs in general or even The DAO specifically, should it be reincarnated with better security practices.
While The DAO attack raises serious questions about the viability of creating this "DAO 2.0", that doesn't mean we should stop it from happening. Whether or not you believe all the hype about Ethereum being as important as the invention of the internet, it's an exciting technology that's worth giving the opportunity to grow.
Unlike Bitcoin, which has been around for eight years, Ethereum is only a year old. It officially launched in July 2015, but is already the second-largest cryptocurrency by market capitalization. It's vastly more complex than Bitcoin and still in its infancy; it will have inevitable growing pains on the way to maturity.
Just as the internet wasn't built in a day, neither will smart-contract technology come to fruition without a permissive regulatory environment to grow, much like the Clinton administration's Framework for Global Electronic Commerce did for the internet.
Certainly, vetting DAO code (particularly new proposals) is a big problem. More fundamentally, smart-contract security is an emerging area where people are rightly starting to pivot, following the lessons of The DAO attack. As Ethereum developer Peter Borah writes:
In his response to the bug, Slock's COO expressed shock, referring to it as "unthinkable", and pointing to the "thousands of pairs of eyes" that somehow missed this. It's certainly hard to blame anyone for being shaken by the sudden disappearance of tens of millions of dollars. However, this natural reaction hides the simple truth that anyone who has dabbled in programming knows: bugs in programs are far from unthinkable — they are inevitable.
Making code open-source is not enough. We need mechanisms to create smarter (i.e., fault-tolerant) smart contracts. This could mean more rigorous independent testing, strategies to implement better development practices or, at least, more time to develop through trial-and-error in a lower-risk context. Stakeholder interests also must be aligned to make sure appropriate vetting happens, particularly where voting on code alterations is involved and particularly if we want to develop more complex autonomous programs.
The DAO is an instance of people getting carried away with an exciting new technology, while not effectively managing the new cybersecurity risks that come with it. But just because a group of people screwed up The DAO, it doesn't mean all DAOs are DOA.
While there's an overabundance of utopian thinking in this space, blockchain-based experiments in decentralized governance and peer-to-peer commerce could have immense benefits that offer truly revolutionary potential. Regulators should continue to take a wait-and-see approach and not use this as an invitation to try to shut them down or impose harsh new regulations.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bitcoin, blockchain, contracts, dao, distributed organizations, errors, ethereum, smart contracts, the dao, thedao
Companies: ethereum, the dao
Reader Comments
Subscribe: RSS
View by: Time | Thread
That's why contracts aren't written in code
It is hard to write code that defines behavior A and only allows A. Well, it's easy, but A is typically very trivial, and ensuring the only A part requires a lot of code as well.
You're better off writing it in natural or legalese and enforcing it as a legal contract, where things like what both parties understood the agreement to mean become important and not what one party later to leverage the literal words on paper to mean.
Essentially, a smart contract needs to be both code + unit tests + regression tests + acceptance tests. And it needs to have a non-code meta layer that essentially says, if it does something other than what we've agreed because the code is flawed, that action is outside the contract.
It appears right now it's just the code portion. Unit tests let you know that your building blocks do what you want and only that one thing (mostly). Regression tests let you know that if you make a slight change somewhere, everything still works *like you already validated even if it doesn't seem like the change you made should affect anything else*. Acceptance tests essentially are the "everyone understands that X means ..." part of the contract. All of these "tests" are code BTW.
Then when a contract violates this, you can easily point to the behavior that's outside the acceptance test, and thus in violation of the "contract" even though the current smart contract as written would let it happen.
What's hilarious is that there's a whole "programming by contract" field which seems to have been ignored here.
[ link to this | view in thread ]
Re: That's why contracts aren't written in code
[ link to this | view in thread ]
Re: That's why contracts aren't written in code
The problem with a non-code meta layer is exactly the problem that they are trying to solve with the DAO. Human language is imprecise. There can be a vast difference between one person's interpretation of a statement and the intention of the writer of that same statement. The whole point is that code is completely unambiguous. It may be a little difficult to see what it will do and what it means, but there is an unambiguously correct way to interpret it. It seems like a much more simple task to ensure the correctness of any piece of computer code than to ensure unambiguousness of any natural language that's meant to mean the same thing.
[ link to this | view in thread ]
"neither will smart-contract technology come to fruition without a permissive regulatory environment to grow"
Well that certainly is one way to twist leaving the door unlocked into good thing. Maybe if these things stopped having more "growing pains" than benefits, there'd be a point in forgetting why fiat currency is so popular.
[ link to this | view in thread ]
Re: Re: That's why contracts aren't written in code
Contracts now are written in a language whose goal is to eliminate the ambiguities introduced by natural language. Where someone attempts to exploit ambiguity discovered after the contract has gone into effect, it's usually resolved by having to go back and determine what both parties understood the contract to mean at the time they signed it.
What these smart contracts are trying to solve are:
1. Using a language that a computer can evaluate and so you don't need a judge or arbitration or lawyers to determine whether one party is in breach.
2. Not allowing for new behavior which while technically allowed under the language of the contract when signed materially differs from what both parties agreed to.
3. Having to completely enumerate everything individually allowed (or disallowed).
They failure is with #2 and #3. The meta-code idea is a first pass at addressing #2 at the expense of throwing #3 in the trash.
[ link to this | view in thread ]
It seems like the bigger problem with "contracts of code"
Laws can be amended. Wasn't the DAO's problem was that it essentially couldn't be amended?
[ link to this | view in thread ]
Great Article!
Savvy readers will note that a DAO vulnerability doesn't mean the Ethereum platform itself was compromised (any more than a nasty bug in Photoshop means that everyone with Windows 10 is at risk).
In cryptocurrencyland, any shakeup tends to dramatically affect the markets -- like the the investors are unsophisticated traders or something. It's helpful if you pay attention. I bought more Ether when the price crashed, then it recovered rather rapidly (but is down some now again).
Plus, it's hilarious to buy something that by its name implies it doesn't really exist.
This DAO debacle is a good thing, as far as the next big DAO is concerned anyway.
[ link to this | view in thread ]
Welcome to the wonderful world of recursive function theory!
Heck, we can't even prove that the discrete log function is hard to compute or that AES encryption is hard to break.
But I have it on good authority (my Congress person) that Congress can write perfect laws the first time out, and these laws can trivially tell the difference between terrorists and non-terrorists.
[ link to this | view in thread ]
Bet one block chain to your ...
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Good article
Moreover, from the springboard of this article, I've been quite absorbed in reading some of the many other articles out there, including a code analysis to the point where I understand what happened at the call-stack level.
As bad as it might seem, these are growing pains. This is exiting technology in many ways, not the least of which is the human psychology involved in creating and maintaining trust. As others have pointed out, you need to trust that the system (The DAO or others) will do what it says, or rather, what its code says.
The so-called "attacker" studied the contract (the code) and used it as it was created to be used. Not as the devs wanted it to be used, but as it was created nonetheless. He/she exploited a loophole, and while it is a shame in some ways, it ought to serve as a reminder / wake-up-call to the community going forward.
[ link to this | view in thread ]
Re: Good article
[ link to this | view in thread ]
How Is Blockchain Transforming Future Landscape of Cyber Security
[ link to this | view in thread ]