Slashdot Mirror


Ethereum Debate Marred By Second Digital Currency Heist (dailydot.com)

Thursday's news of a $50 million heist of digital currency at Ethereum was followed today by reports of a second heist from the DAO, according to the Bitcoin News Service -- this one for just 22 Ether. "It appears this is just someone who wanted to test the exploit and see if they could use it to their advantage..." Slashdot reader Patrick O'Neill writes: "The currency's community is currently debating a course forward for a currency that is built on the idea that it is governed by software and not human beings. One option is to fork the code, another is to do absolutely nothing at all."
Vitalik Buterin, the co-founder of Ethereum, posted Sunday that "Over the last day with the community's help we have crowdsourced a list of all of the major bugs with smart contracts on Ethereum so far, including both the DAO as well as various smaller 100-10000 ETH thefts and losses in games and token contracts." The list begins by including "The DAO (obviously)," but is followed by a warning that "progress in smart contract safety is necessarily going to be layered, incremental, and necessarily dependent on defense-in-depth. There will be further bugs, and we will learn further lessons; there will not be a single magic technology that solves everything."

The Daily Dot wrote Friday that "Because of the way the code in question is written, Ethereum's developers and community have 27 days to decide what to do before the hackers are able to move the money and cash out... What's happening now amounts to a political campaign. But the debate is far from over. The clock is ticking now, the world is watching, and the next step of the cryptocurrency experiment is unfolding under a spotlight burning hotter every day."

44 comments

  1. Not the Ethers! by Anonymous Coward · · Score: 0

    Oh well, I still have plenty of Potions, Softs, and Phoenix Downs.

  2. Sue obviously by 0dugo0 · · Score: 2

    Why is this called a heist? Do we also call it a heist if a patent lawyer walks away with a pile of millions? Maybe it is just a bunch of Ether Trolls that will sue the developers into oblivion for breach of contract if they try forking the code.

    1. Re:Sue obviously by jbssm · · Score: 4, Insightful

      Why would they sue? The DAO wording very clearly states that for all possible purposes including legal ones the code is the contract. Whoever did this, did exactly what the contract stated.

      Besides, why would people want a smart contract based blockchain currency if the contracts wouldn't be solved by those smart contracts but by a traditional court? Doesn't that defeat the whole purpose of the currency? I bet these people are not feeling so "libertarian" right now.

    2. Re:Sue obviously by ADRA · · Score: 2

      Like all great libertarian losers, blame someone else (And make sure history doesn't recall that they were Libertarian to begin with).

      --
      Bye!
    3. Re:Sue obviously by im_thatoneguy · · Score: 1

      Except that even in law there is often a good bit of leeway assigned to intent when interpreting law. And since a code fork *can* reverse a contract, clearly "The Code" can be manipulated both for and against unintended outcomes.

      It's hypocritical to say that the code acted as intended, and then also criticize changing the code as unethical. The fork also worked as intended.

    4. Re:Sue obviously by 0dugo0 · · Score: 1

      Whoever did this being the one filing suit in case the code gets forked. Read!

    5. Re:Sue obviously by r0kk3rz · · Score: 1

      Besides, why would people want a smart contract based blockchain currency if the contracts wouldn't be solved by those smart contracts but by a traditional court? Doesn't that defeat the whole purpose of the currency? I bet these people are not feeling so "libertarian" right now.

      The point is that you no longer require a human 'trusted executor' of a contract, you can use the network for that. This means you don't have to worry about potentially having to sue the executor when they steal your money, because the executor is a computer and is literally bound by the code it runs.

      There is nothing that Ethereum and Smart Contracts do that you cannot accomplish with a human bound by a legal contract, but you can do it on a much greater scale.

      Personally I think some kind of court system or arbitration is going to be required, just because you write something in a contract doesn't make it legal. Just because a contract will be executed perfectly doesn't make it fair.

  3. Software by Anonymous Coward · · Score: 0, Funny

    The career path of losers. Nothing useful ever needed software. Even this comment is useless because of it.
    Digital still sucks, the future is analog.

    1. Re: Software by Anonymous Coward · · Score: 0

      I, for one, welcome our new analog overlords.

  4. "Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 5, Insightful

    "Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."

    This is the very first sentence on the ethereum.org homepage. Doing anything to try to reverse these "heists" is basically these people deciding that they didn't like the contract they wrote (because it didn't benefit them as much as they thought it would) and want to invalidate it. It totally goes against all the principles they claim to stand for, but I suppose that's nothing new.

    1. Re:"Fixing" the problem undermines the entire idea by _Sharp'r_ · · Score: 2

      The problem is that in their hubris, they forgot to allow for coding errors in "exactly as programmed". So yeah, it's working exactly as programmed, just not as intended by the programmer. :)

      Also, this isn't a heist, because nothing was stolen. It's more of a counterfeiting operation, if I understand the commentary correctly. Someone took advantage of a recursive bug and an anti-pattern of calling recursive code before updating values and essentially created 33% more Ether than previously existed out of thin air. Or at least will, as it actually won't complete for almost another month (so they got at least some time limits right to prevent exposure).

      It's obviously not what was intended by the programmers, so there is an argument for "fixing" the code bug before the defect can be actually taken advantage of, but I can see the argument for letting it stand as a cost to the people who bet on their coding ability as a natural consequence for being wrong.

      Without a fix for at least the going forward code (the issue still exists until voted to be changed), it's hard to see how the system will be viable for actual use anymore, so I suspect the miners will decide to run a fixed version of the code.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:"Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 2, Insightful

      The problem is that in their hubris

      And that the people who "lost" the most are those that are at the core of the project. They do not want to lose their money, and want the project to bail them out. It was as if the 1% wanted a bailout all over again (just a different 1% this time).

      If the bailout does happen, this risks the entire project. If the bailout does not happen, this risks the entire project. Heads you lose, tails you lose.

    3. Re:"Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 0

      Doing anything to try to reverse these "heists" is basically these people deciding that they didn't like the contract they wrote (because it didn't benefit them as much as they thought it would) and want to invalidate it

      Not really. Code can include the possibility to change itself. Seems like this is the case.

    4. Re:"Fixing" the problem undermines the entire idea by astrodoom · · Score: 1

      "Also, this isn't a heist, because nothing was stolen. It's more of a counterfeiting operation, if I understand the commentary correctly. Someone took advantage of a recursive bug and an anti-pattern of calling recursive code before updating values and essentially created 33% more Ether than previously existed out of thin air."

      It was a heist. Ether didn't get created, it just got moved. The child DAO tokens could theoretically have been "created" out of thin air if you drained the DAO past 0 recursively, then the balances were updated on all those recursive calls (after the sending of the tokens). That didn't happen though, he was just able to stack a bunch of withdraw operations up recursively, and the withdraws executed before the balance was checked (for each method call). Even if the past zero drain had been attempted, the Ethereum network would have errored out when the contract tried to send more funds than it had, so you couldn't generate Ether out of the ether (teehee).

      Here's a great write-up: http://hackingdistributed.com/...
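
Added example (not part of the original comment thread, and not the DAO's Solidity code): a toy Python model of the ordering the comments above describe, with the balance update placed after versus before the external send. The class and function names and the 90/10 balances are assumptions made up for the illustration.

```python
# Added illustration: toy Python model of the withdraw ordering discussed in the
# comments above. All names are hypothetical; this is not the DAO's Solidity
# code, and transaction rollback is not modelled.

class InsufficientFunds(Exception):
    """Raised when a send would exceed what the vault really holds."""


class Vault:
    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.credit = {}   # what the vault believes it owes each account
        self.funds = 0     # what the vault actually holds

    def deposit(self, account, amount):
        self.credit[account] = self.credit.get(account, 0) + amount
        self.funds += amount

    def _send(self, account, amount):
        # Value can only be moved, never created: overdrawing is refused.
        if amount > self.funds:
            raise InsufficientFunds(amount)
        self.funds -= amount
        account.receive(self, amount)    # external call: recipient code runs here

    def withdraw(self, account):
        amount = self.credit.get(account, 0)
        if amount == 0:
            return
        if self.update_before_send:
            self.credit[account] = 0     # effect first ...
            self._send(account, amount)  # ... external call last
        else:
            self._send(account, amount)  # external call first (the anti-pattern)
            self.credit[account] = 0     # balance cleared only after it returns


class Recipient:
    """Account whose receive hook may call back into withdraw()."""
    def __init__(self, reentries=0):
        self.wallet = 0
        self.reentries_left = reentries

    def receive(self, vault, amount):
        self.wallet += amount
        if self.reentries_left > 0:
            self.reentries_left -= 1
            vault.withdraw(self)         # re-enter before the first call finished


def simulate(update_before_send, reentries):
    """Return (re-entering wallet, vault funds, honest account's recorded credit)."""
    vault = Vault(update_before_send)
    honest, reentrant = Recipient(), Recipient(reentries)
    vault.deposit(honest, 90)            # constructed sample balances
    vault.deposit(reentrant, 10)
    vault.withdraw(reentrant)
    return reentrant.wallet, vault.funds, vault.credit[honest]


if __name__ == "__main__":
    print("send before update:", simulate(False, 4))
    print("update before send:", simulate(True, 4))
```

With four re-entries the send-first ordering pays out 50 against a credit of 10, while the update-first ordering pays out 10; in both runs the wallet plus the vault's funds still total 100, which matches the point that value was moved rather than created.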

  5. Quit posting about these guys by inode_buddha · · Score: 1

    Quit posting about these guys, please! I keep mis-reading the name as "eurethrum"

    --
    C|N>K
    1. Re:Quit posting about these guys by Anonymous Coward · · Score: 0

      The government is about to tear down Urethra Franklin's childhood home, this is the real story!

  6. Cliff hanger summary! by fustakrakich · · Score: 1

    Be sure to tune in next week, when Doris gets her oats...

    --
    “He’s not deformed, he’s just drunk!”
  7. It turns out... by beelsebob · · Score: 1, Troll

    It turns out that if you build a system deliberately with exactly no regulation, hoping that it'll all magically work based off the magical hand of the market, that everything goes tits up.

    Who'dathunkit?

    1. Re:It turns out... by thegarbz · · Score: 3, Informative

      Tits-up IS the magic hand of the market. This is the work of self-regulation in progress. Companies which offer insecure solutions in an entirely unregulated market magically cease to exist because of their stupidity due to ... ahem ... "market forces".

    2. Re:It turns out... by Anonymous Coward · · Score: 0

      Does that make the hard fork a subversion of market forces -- a computational bailout?

  8. Re:Hey Editor David - You Ain't No Editor by Anonymous Coward · · Score: 0

    The most disturbing mistake is calling Ethereum a currency.

  9. "Thursday's new of a" - American idiots. by Anonymous Coward · · Score: 0

    Try reading what you wrote before posting.

  10. Uh, wait: 10000 is "smaller"? by XXongo · · Score: 1

    From the summary: "...as well as various smaller 100-10000 ETH thefts and losses in games and token contracts."

    This isn't a 22 ETH second Ethereum theft: this is just one more in a long ongoing series of thefts -- and not a particularly large one.

  11. Cryptocurrency mentality. by jbssm · · Score: 3, Insightful

    I'm a totally libertarian guy... until they mess with my money, because then I cry for the intervention of the state and the real courts of law.

    1. Re:Cryptocurrency mentality. by Anonymous Coward · · Score: 0

      There are plenty of people that claim to be "libertarian" but then go crying to the state when things don't go their way. This isn't cryptocurrency mentality, it's simply hypocrisy.

      It was made perfectly clear that the code is the contract. The tokens rightfully belong to the hacker and to prevent this with an Ethereum fork is fraud.

    2. Re:Cryptocurrency mentality. by mmortal03 · · Score: 1

      There are many libertarians who believe in a minimal state and real courts of law, but, yeah, if there are individuals in the cryptocurrency space crying for government intervention at the level of the protocol, then they're missing the point. You don't have to be a libertarian to see the usefulness of Bitcoin, though.

  12. Re:Hey Editor David - You Ain't No Editor by dougTheRug · · Score: 1

    and what is the DAO?

  13. Object-Capability Security would have helped by MostAwesomeDude · · Score: 2

    Y'know, Ethereum's VM and their contract language, Solidity, are not especially great for this kind of verified contract work. It would have been great to see lessons learned from the E programming language and the object-capability security model in this whole misadventure. But no, they just took "smart contracts" and tried to interpret that in isolation without any of the literature that comes with it. Disappointing.

    --
    ~ C.
  14. Bitcoin is alternate enough by bobbutts · · Score: 0

    If you think BTC isn't dangerous and manipulated enough you may enjoy "altcoins" like Ethereum.

  15. This issue preventable with formal verification by weevlos · · Score: 0

    There's an entire branch of formal language theory and information security dedicated towards making grammar explicit and unexploitable by reentrance issues like these. It's called language-theoretic security, or langsec for short.

    http://langsec.org/

    This is actually a solved problem and Ethereum, if it was made by smart people, could have structured its contracts in a manner that was subject to formal verification. It was not made by smart people, and formal verification is impossible. They did not consult with langsec experts or read any of the relevant papers to prevent parse tree differential attacks before wrapping hundreds of millions of dollars of deposits in this thing. What they have done is a level of negligence that should be criminal.

    The effective market value of all of Ethereum is $0 when people understand this. It cannot be secured as it was written by the developers. Smart contracts are an interesting idea and could happen in the future -- but not without roots of formal verification. This is a fraud as big as Theranos at this point.

  16. Re: Libertarian losers by Anonymous Coward · · Score: 0

    Thank the Creator of the Universe that we have an Authoritarian Winner such as yourself to set things straight.

  17. A government is NOT magical by Anonymous Coward · · Score: 1

    Either you can defend some phenomenon as your "property", or you cannot; justification is your ability to convince others to condone (if not aid) your defense.

    Under libertarianism, The Law is the collection of all voluntary contracts; you operate outside The Law at your own peril.

    There is nothing magical about the security industry ("police"), the contract-enforcement industry ("police"), or the justification industry ("courts"); it is not necessarily the case that a violently imposed monopoly is the optimal form for these industries (after all, there is no World Government).

    As with any other industry (or, indeed, complex system), the forms of these industries are best found through the process of evolution by variation and selection, the most profitable implementation of which is a market of voluntary trade. Competition manifests variation, and consumer choice manifests selective forces; in this way, society as a whole engages in the cooperative process of finding the best solutions (without even requiring participants to be aware that they are doing so), and without imposing any particular idea.

    This is important because involuntary interaction induces festering indignation.

    To place involuntary interaction at the foundation of your society is to place festering indignation at the foundation of your society; festering indignation leads to more involuntary interaction, which leads to more festering indignation, until there could well be a devastating explosion of violent upheaval.

    Behold the world and its history.

    A government is just another organization in the market; it is an organization that allocates resources through involuntary trade. In any particular domain of interaction (that is, in any particular jurisdiction), the most powerful such organization is often simply named "Government".

    Libertarianism is a rejection of involuntary interaction; libertarianism is a rejection of governments. In a libertarian culture, people would be sensitized to involuntary interaction, quickly identify it, and seek ways to replace it with societal structures that do not involve involuntary interaction.

    Unfortunately, libertarian culture is young and weak.

    In the same way that many communities around the world struggle to implement representative democracy due to their lack of the 1000 years of cultural development that "The West" experienced in this regard, so too is it the case that even the most "modern" and "civilized" communities of the world struggle to comprehend and implement libertarianism due to their lack of cultural development in this regard. As libertarian structures begin to emerge, it will become possible to start jettisoning the ancient ideas of authoritarianism, and then the ability of governments to pool and allocate (including protect) resources won't seem so magical anymore; governments will be viewed as more examples of those strange, unfortunate choices made by past generations who, in the aggregate, just didn't know any better.

    1. Re:A government is NOT magical by Anonymous Coward · · Score: 0

      You cannot refute a stinging indictment, exactly one sentence long, with a multiparagraph, meandering, philosophical defense that bores the shot out of people. I mean, I saw all those words and just jumped to the reply button. AUN'T NOBODY GOT TIME FEDAT.

    2. Re:A government is NOT magical by XXongo · · Score: 1

      In my experience, if you have two libertarians in a room and start asking them detailed questions, they have at least three contradictory opinions about what libertarianism is and how it operates.

    3. Re:A government is NOT magical by Anonymous Coward · · Score: 0

      There is nothing magical about the security industry ("police"), the contract-enforcement industry ("police"), or the justification industry ("courts"); it is not necessarily the case that a violently imposed monopoly is the optimal form for these industries (after all, there is no World Government).

      The United Nations and International Criminal Court would beg to differ, and it actually destroys your own argument, because the reason you don't consider those "real" governments is because you recognize they have no military power. Governments are defined as monopolies on the use of force, a definition which you implicitly recognize but which cannot be reconciled with a purely cooperative system. Libertarians are confused anarchists.

      And incidentally, the reason the UN isn't a "real" government is because it has no border to defend.

    4. Re:A government is NOT magical by Anonymous Coward · · Score: 0

      Authoritarians, on the other hand, are very consistent in their philosophy: DO WHAT I SAY.

    5. Re:A government is NOT magical by Anonymous Coward · · Score: 0

      Libertarianism is a mental condition affecting frustrated and disaffected men of moderate intelligence, who have rationalized a dislike of being told what to do into a parody of a political philosophy. Non-coercive government is an oxymoron: government is defined as a monopoly on violence.

  18. This is not a problem with Ethereum by Anonymous Coward · · Score: 0

    it's a problem and difficulty with smart contracts in general, and the thefts you have seen are not because of bugs in Ethereum. Simple analogy: when a business loses dollars because they neglected something in the contract, then it's not a problem with the dollars or a problem with commerce, but a problem with the specific contract and the principles and protocols used to write that contract.

  19. 27 days by manu0601 · · Score: 1

    Why is there a 27 days limit?

  20. PLEASE SAVE US SPIES by Anonymous Coward · · Score: 0

    This is a dupe isn't it?

  21. Re:Hey Editor David - You Ain't No Editor by Anonymous Coward · · Score: 0

    I have no idea, because (in common with all other coverage) I don't know what Ethereum is, don't know what the DAO is, and every description I've seen is full of technical jargon that seems actively hostile to trying to learn anything about it.

    I know when Thursday was, and I know a little bit about Bitcoin, but didn't know it was a news service now.

  22. free market by ressolute · · Score: 1

    Don't worry, guys. The free market will sort it out.