Confidence in the Blockchain and the future of cryptocurrencies have taken a significant hit since the weekend’s attack on the decentralized experiment of the $150m DAO. The DAO was subject to an “attack”, where the attacker was able to drain, but not retain (yet), around $42m USD value of the Ethereum cryptocurrency, Ether. This attack was based on a tiny bug in the “smart contract” underpinning “the DAO” itself. This attack has placed the whole cryptocurrency space in general, and the Blockchain space in particular, under far greater scrutiny. Critical eyes are watching. The regulators are watching and the class action lawyers are watching their pinstripes get freshly pressed with their Hollywood painted smiles and the vulturistic glee associated with the smell of cryptoblood. So what actually happened? Let’s examine the weekend’s activities in terms laypeople can understand. It’s a story reminiscent of Alfred Hitchcock at his twisted best.
At the end of May 2016 “the DAO” became the world’s largest crowdfunding success story to date, raising over $150 million. The crowd sale of the DAO token was to fund what was being touted as a significant decentralized landmark within the new cryptographic paradigm, all based around smart contracts and the Blockchain. It was to mark the inception of a new direction in corporate governance; to mark the move away from the traditional top-down approach of EXCO’s in global corporates, to one where computer code runs corporate governance; computer code based around the wisdom of the crowd to determine how an organization could and should be run.
In this case, “the DAO” was essentially a venture fund. It was designed to finance new Decentralized Autonomous Organization proposals, with funds allocated automatically by the computer code of a smart contract. Funds would be allocated to proposals that received the most votes, duly weighted according to the volume of “DAO” tokens held by the voter – in other words, the size of someone’s vote would be determined by the size of their holding of DAO tokens. This process was to be driven by a smart contract that would automatically disperse funds. It was built on top of the Ethereum platform that specializes in smart contracts and has already established partnerships with significant IT players such as Microsoft. The DAO smart contract turned out not to be that smart.
The attack was not a “hack” in the true hyperbolic “media” sense of the word. It was not some faceless post pubescent hacker stealing funds that were housed within the DAO and then running off to some sun-soaked safe-haven to spend them. It was instead an exploitative, opportunistic attack that centred around a small bug in the smart contract code linking into one of the core features of the funding of the DAO itself.
The original funding of the DAO itself was through individuals paying with Ether, the Ethereum cryptocurrency, in exchange for “DAO” cryptographic tokens. These tokens could be (and still can be) traded on open Cryptocurrency exchanges once the “Initial Coin Offering” was complete. But as part of the process of funding the DAO itself there was an option built into the code that enabled those that had bought DAO tokens to withdraw their original Ethereum “contribution”, after a period of 27 days. This process is known as splitting.
In simple terms, as part of this splitting process the “attacker” noted a very small bug in the underlying smart contract code that meant the Ether cryptocurrency (valued at c $12 each) could be transferred internally through a repeating loop into what is known as a “Child DAO” in preparation for splitting, i.e. exiting from the DAO.
Because of the decentralized nature of the DAO itself, the smart contract code of the DAO itself could not be altered. There is some irony in the fact that one of the Blockchain’s greatest strength has also turned out to be, in this case at least, its greatest weakness. This smart contract bug meant that the attacker could siphon funds to the “Child DAO” in line with the terms of the smart contract built into the DAO itself. With all this being said, there has been a saving grace for this difficult situation, which has also turned into ticking time bomb.
Because there is a 27 day lead time before splitting can occur, the attacker cannot withdraw their funds in their “Child DAO” until the lag period has expired – i.e. in 27 days. So, unlike a traditional “hack” when funds are used straight away, the attacker has to wait 27 days to access their funds. For those in the community involved in putting together the DAO this buys time to find a solution… of sorts.
Over the past few days there has frenetic activity in the cryptographic community to try to resolve this problem; after all there is a lot at stake. Besides the $42m USD that is temporarily locked, there is reputational risk all round; not just for the DAO, but for the individual heavyweights from the cryptographic community involved in putting the DAO together. Equally, the reputation of the nascent concept of smart contracts as a whole is at stake, which represents some of the core, significant power and intelligence of the Blockchain itself. Whilst the Ethereum platform itself was not affected, the attack ultimately has the potential to tarnish the Ethereum platform , whose primary sales mantra has been based around the concept of smart contracts. These reputational challenges have been reflected by the dramatic price drops in the prices of the DAO and Ethereum tokens available on the public cryptographic exchanges since the attack.
So, 27 days to solve the problem… What could be easier – just stop the funds in the child DAO being drawn after 27 days and the attacker gets nothing.
At first sight, this appears to be the right, and simplest solution. Without seeking to get too deeply into the technical aspects of the proposed solutions, called forks, the drivers behind the solution are to get agreement from within the Ethereum mining community (for more on how Blockchain mining works check out our introductory videos on the Blockchain) not to process the “Child DAO” Ethereum when the deadline for withdrawal expires. The funds in the “Child DAO” would have uniquely identifiable addresses, which can be pinpointed, located and, in theory at least, not processed by the mining community that drives the Ethereum Platform. On the face of it, it seems logical and ethical if the funds could be considered as stolen …but the story takes on an interesting twist…
Over the weekend following the suggested fork solutions, the “alleged” attacker disclosed themselves. They sent a formal legally worded message addressed to the “DAO and the Ethereum community”. In it, they suggested that they have legitimately acquired the tokens in their “Child DAO”. Indeed the attacker goes on to say that they
“…would like to thank the DAO for this reward“.
They go on to say that they are disappointed at the use of the word “theft”, with the attacker broadly suggesting that they legitimately obtained the funds and that any attempt to block their withdrawal of the funds would amount to
“seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract.”
They go on to imply they will take legal action against all those accomplices that seek to seize the attacker’s “legitimate ether”. Indeed, they follow this up with the threat that
“Those accomplices will be receiving Cease and Desist notices in the mail shortly.”
The idea of the attacker appearing in court dressed in their Sunday-best regalia to justify their legal rights to the funds obtained will undoubtedly bring about a few wry smiles all round, but the story then takes on a further and even more bizarre, twist…
Someone alleging themselves to be an “intermediary” of the “attacker” responded to a general call-out request for interview and further information and was interviewed by Cryptocoins news. Throughout the interview, the intermediary was very guarded with their words, but suggested that in order to stop the planned fork from taking place, “the team” would make available 1m of the 3.5m Ethereum in the child DAO to the Ethereum miners – valued around $12m USD – with these funds, of course, ironically dispensed automatically by smart contract. This would, in theory at least, give the miners a financial incentive not to process the fork that would stop the funds being released – with the alleged Intermediary’s implication being that everyone has their price.
The stakes were now raised, with all these together presenting deep challenges to the cryptographic community; challenges that go far wider and far deeper…
In theory, the attacker’s team is claiming their legal right to the Ethereum in the “child DAO” under the terms of the smart contract – code that because of its open source nature was reviewed by the crowd and by a whole raft of the world’s best cryptographic experts. So by forking and thereby removing their access to the funds, it implies that a Decentralized Organization (i.e. with no central governing body), actually has centralization, i.e. control. It would also show a it ISpossible to change the immutable results from the Blockchain if there was a desire or a need to do so. This has serious implications for the future and credibility of the Blockchain itself .
Whilst there are precedents of Bitcoin historically forking in 2010 to resolve an overflow incident that resulted in 184bn bitcoins being inadvertently created (which the developers resolved in 5 hours), this is the first time since the Blockchain has been in the mainstream consciousness that such a serious issue of confidence has been faced, which has implications.
First, this sets a precedent. What happens if rather than it being the $150m DAO, it was a smaller future DAO, say $100,000 in value. Would the community get involved in a similar proposed way of forking to overturn allegations of similar inappropriate activity?
Second, this could have wider implications for regulators. Could regulators force future decentralized organizations to change their results – to roll back the information, data, even payments – try refusing a government body that has a whiff of terrorism involved – who would want to be the one undertaking reviews of the latest and greatest penitentiaries’ latest cuisine ?
Third, who would make those decisions, and against what value systems…?
Whilst these are deeper philosophical challenges to the cryptographic world, the alternative of doing nothing has deep implications in the financial world…
If the $42m of Ethereum tokens were to be released in 27 days time, this means the attacker has got away with Ethereum tokens belonging to many of those that supported the original DAO proposition. Those token holders will lose money as it is their tokens that have been transferred to the “Child DAO”.
Whilst it could be argued that it was just “caveat emptor” in terms of making the decision to provide unregulated financial support for the DAO by buying the DAO tokens in the first place, if substantial money has been lost by powerful people with deep pockets, they won’t just sit around saying how great it was to be part of a great new experiment; they will pursue financial retribution. The question is who do they sue?
- The DAO – a Decentralized Autonomous Organization with no formal board of directors…
- The developers of the code?
- The promoters?
- The authors of the original whitepaper?
- The individual token holders? As an anecdote, at a recent networking event a lawyer contact of mine suggested there could be an argument in the absence of any formal board of directors that the individual token holders could be jointly and severally liable for any financial losses… a frightening thought
And then there is the question of jurisdiction. Where do you sue? Where a token holder resides? Where the coders reside? The DAO has a decentralized structure, with no formalised legal entity.
Whilst there are potentially serious legal and implications if monies are lost where does this leave the individuals behind the project?
It is very noteworthy that many in the cryptographic community are beginning to overtly distance themselves from the DAO and indeed Ethereum itself. At the Dutch Blockchain conference only this week, Gavin Wood, the inventor of the Solidity contract language, a core construct of the Ethereum platform and an original curator to the DAO placed the following slide up in one of his presentations:
Image from Youtube video – Dutch Blockchain Conference
It is understandable that those involved in the DAO historically will be under incredible scrutiny, and will want to protect their own interests, reputational and potentially financial. It is no surprise that faced with the undoubted fallout that will follow from the DAO’s potential implosion, the survival instinct will kick in and the community will almost “fades into the ether” of self-interest. I suspect we will see more of these positioning statements over the coming days and weeks.
It could ultimately become a game of crypto-musical chairs; but who will be left holding responsibility for the DAO when the music stops and the class action lawsuits come flooding in, a fact that is surely cannot be lost on the attacker, themselves.
Whilst the alleged attacker is arguing their legal case for their right to retain the monies obtained, it does beggar the question of the attacker’s own ethics if the alleged intermediary is talking about bribing the Ethereum miners, who are ultimately in control of the fork that would stop the attacker receiving their funds. Is it a coincidence that there were multiple financial shorts of the DAO and Ether cryptocurrency tokens on the crytocurrency trading exchanges only moments before the attack was announced?
Image : Tradeblock – data from Poloniex Crytpocurrency Exchange
In their interview, the “attacker intermediary” failed to answer this question of shorting the cryptocurrencies, presumably for fear of incriminating themselves, but for any reasonable person one conclusion could reasonably be drawn. It is almost reminiscent of the 9/11 attacks when airline stocks were shorted just prior to the attack – inside information can generate financial benefit.
The DAO attack is a very complex situation, which is full of intrigue, greed and legal precedent. Only time and the courts will tell if there is any legal justification to the attacker’s alleged ownership of the attacked DAO funds, but undoubtedly the law schools have their curriculum mapped out for the next few years. Global lawyers too are having more caffe-latte, game-changing legal debate than they have probably had in the past twenty years. Notwithstanding it is a very serious issue that requires resolution.
In my view the community has to take a stand and absolutely focus on stopping the funds going to the attacker to ensure that no-one loses their original capital from the DAO. Yes, there will be philosophical questions asked about such action, and yes, it will upset the purists. But if the Blockchain and smart contracts as the great new disruptive technologies that they are, are to get the serious traction they deserve and indeed need, to continue to evolve. They need buy-in from the bigger spenders – the Corporates; but Corporates will never adopt technologies that can be beholden to those that might appear to “game the system” and causes powerful people to lose money.
With around 90% of the Blockchain’s activity currently focused on the most risk averse corporate sector around – financial services – this is made even worse. Financial loss has been removed from the banking dictionary and genetically removed from the banking DNA. The technology that was designed to remove trust is in danger of having its own trust undermined. Yes, it will have a reputational effect within the whole cryptocurrency space and yes, it will change the dynamics of smart contracts in the future and yes, it will probably change the regulatory environment but, with a fork, at least it will survive. The legal and regulatory fallout and the increased associated technological risks associated from significant financial losses associated with a nascent technology such as the DAO and its underlying cryptocurrency association do not bear thinking about.
Close the DAO in a controlled way, ensure no financial losses are seen and move on. Consider it the “fail fast” technical strategy strongly favoured in Silicon Valley, take it on the chin and take on board Frederick Nietzche’s pearls of wisdom;
“What Doesn’t Kill You Makes You Stronger”
Disclaimer: the author holds DAO Tokens and Ether
© Tim Lea, CEO Veredictum.io 22nd June 2016
If you are interested in understanding more about the Blockchain, its power and its challenges, why not check out my new book Down The Rabbit Hole, a book for business & non-technical people, like you, to truly understand the Blockchain & to capitalize on its power. Its available on :