Slashdot Mirror


Ethereum Debate Marred By Second Digital Currency Heist (dailydot.com)

Thursday's news of a $50 million heist of digital currency at Ethereum was followed today by reports of a second heist from the DAO, according to the Bitcoin News Service -- this one for just 22 Ether. "It appears this is just someone who wanted to test the exploit and see if they could use it to their advantage..." Slashdot reader Patrick O'Neill writes: "The currency's community is currently debating a course forward for a currency that is built on the idea that it is governed by software and not human beings. One option is to fork the code, another is to do absolutely nothing at all."
Vitalik Buterin, the co-founder of Ethereum, posted Sunday that "Over the last day with the community's help we have crowdsourced a list of all of the major bugs with smart contracts on Ethereum so far, including both the DAO as well as various smaller 100-10000 ETH thefts and losses in games and token contracts." The list begins by including "The DAO (obviously)," but is followed by a warning that "progress in smart contract safety is necessarily going to be layered, incremental, and necessarily dependent on defense-in-depth. There will be further bugs, and we will learn further lessons; there will not be a single magic technology that solves everything."

The Daily Dot wrote Friday that "Because of the way the code in question is written, Ethereum's developers and community have 27 days to decide what to do before the hackers are able to move the money and cash out... What's happening now amounts to a political campaign. But the debate is far from over. The clock is ticking now, the world is watching, and the next step of the cryptocurrency experiment is unfolding under a spotlight burning hotter every day."

23 of 44 comments

  1. Sue obviously by 0dugo0 · · Score: 2

    Why is this called a heist? Do we also call it a heist if a patent lawyer walks away with a pile of millions? Maybe it is just a bunch of Ether Trolls that will sue the developers into oblivion for breach of contract if they try forking the code.

    1. Re:Sue obviously by jbssm · · Score: 4, Insightful

      Why would they sue? The DAO wording very clearly states that for all possible purposes including legal ones the code is the contract. Whoever did this, did exactly what the contract stated.

      Besides, why would people want a smart contract based blockchain currency if the contracts wouldn't be solved by those smart contracts but by a traditional court? Doesn't that defeat the whole purpose of the currency? I bet these people are not feeling so "libertarian" right now.

    2. Re:Sue obviously by ADRA · · Score: 2

      Like all great libertarian losers, blame someone else (And make sure history doesn't recall that they were Libertarian to begin with).

      --
      Bye!
    3. Re:Sue obviously by im_thatoneguy · · Score: 1

      Except that even in law there is often a good bit of leeway assigned to intent when interpreting law. And since a code fork *can* reverse a contract, clearly "The Code" can be manipulated both for and against unintended outcomes.

      It's hypocritical to say that the code acted as intended, and then also criticize changing the code as unethical. The fork also worked as intended.

    4. Re:Sue obviously by 0dugo0 · · Score: 1

      Whoever did this being the one filing suit in case the code gets forked. Read!

    5. Re:Sue obviously by r0kk3rz · · Score: 1

      Besides, why would people want a smart contract based blockchain currency if the contracts wouldn't be solved by those smart contracts but by a traditional court? Doesn't that defeat the whole purpose of the currency? I bet these people are not feeling so "libertarian" right now.

      The point is that you no longer require a human 'trusted executor' of a contract, you can use the network for that. This means you don't have to worry about potentially having to sue the executor when they steal your money, because the executor is a computer and is literally bound by the code it runs.

      There is nothing that Ethereum and Smart Contracts do that you cannot accomplish with a human bound by a legal contract, but you can do it on a much greater scale.

      Personally I think some kind of court system or arbitration is going to be required, just because you write something in a contract doesn't make it legal. Just because a contract will be executed perfectly doesn't make it fair.

  2. "Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 5, Insightful

    "Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."

    This is the very first sentence on the ethereum.org homepage. Doing anything to try to reverse these "heists" is basically these people deciding that they didn't like the contract they wrote (because it didn't benefit them as much as they thought it would) and want to invalidate it. It totally goes against all the principles they claim to stand for, but I suppose that's nothing new.

    1. Re:"Fixing" the problem undermines the entire idea by _Sharp'r_ · · Score: 2

      The problem is that in their hubris, they forgot to allow for coding errors in "exactly as programmed". So yeah, it's working exactly as programmed, just not as intended by the programmer. :)

      Also, this isn't a heist, because nothing was stolen. It's more of a counterfeiting operation, if I understand the commentary correctly. Someone took advantage of a recursive bug and an anti-pattern of calling recursive code before updating values and essentially created 33% more Ether than previously existed out of thin air. Or at least will, as it actually won't complete for almost another month (so they got at least some time limits right to prevent exposure).

      It's obviously not what was intended by the programmers, so there is an argument for "fixing" the code bug before the defect can be actually taken advantage of, but I can see the argument for letting it stand as a cost to the people who bet on their coding ability as a natural consequence for being wrong.

      Without a fix for at least the going forward code (the issue still exists until voted to be changed), it's hard to see how the system will be viable for actual use anymore, so I suspect the miners will decide to run a fixed version of the code.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:"Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 2, Insightful

      The problem is that in their hubris

      And that the people who "lost" the most are those that are at the core of the project. They do not want to lose their money, and want the project to bail them out. It was as if the 1% wanted a bailout all over again (just a different 1% this time).

      If the bailout does happen, this risks the entire project. If the bailout does not happen, this risks the entire project. Heads you lose, tails you lose.

    3. Re:"Fixing" the problem undermines the entire idea by astrodoom · · Score: 1

      "Also, this isn't a heist, because nothing was stolen. It's more of a counterfeiting operation, if I understand the commentary correctly. Someone took advantage of a recursive bug and an anti-pattern of calling recursive code before updating values and essentially created more 33% more Ether than previously existed out of thin air."

      It was a heist. Ether didn't get created, it just got moved. The child DAO tokens could theoretically have been "created" out of thin air if you drained the DAO past 0 recursively, then the balances were updated on all those recursive calls (after the sending of the tokens). That didn't happen though, he was just able to stack a bunch of withdraw operations up recursively, and the withdraws executed before the balance was checked (for each method call). Even if the past zero drain had been attempted, the Ethereum network would have errored out when the contract tried to send more funds than it had, so you couldn't generate Ether out of the ether (teehee).

      Here's a great write-up: http://hackingdistributed.com/...
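
A minimal Python model of the call ordering discussed in the comment above, added here as an illustration (it is not code from the DAO, Ethereum, or any commenter). The `Ledger`, `Fund` and `simulate` names, the balances, and the choice to model a failed send as rolling back the whole outer call are assumptions made for the example.

```python
class InsufficientFunds(Exception):
    """The ledger refuses to send more than the sender actually holds."""

class Ledger:
    """Constructed stand-in for native balances: value is only ever moved."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount, on_receive=None):
        if self.balances[src] < amount:
            raise InsufficientFunds(src)
        self.balances[src] -= amount
        self.balances[dst] += amount
        if on_receive:
            on_receive()  # the recipient's code runs in the middle of the send

class Fund:
    """Pays each holder their credited amount once (hypothetical contract)."""
    def __init__(self, ledger, credits, effects_first):
        self.ledger, self.credits = ledger, dict(credits)
        self.effects_first = effects_first

    def withdraw(self, who, on_receive=None):
        amount = self.credits[who]          # check
        if amount == 0:
            return
        if self.effects_first:
            self.credits[who] = 0           # hardened: record the payout first
        self.ledger.transfer("fund", who, amount, on_receive)  # external call
        self.credits[who] = 0               # vulnerable order: recorded too late

def simulate(effects_first, reentries):
    """Return (caller balance, total supply, rolled_back) after one withdrawal."""
    ledger = Ledger({"fund": 100, "caller": 0})
    fund = Fund(ledger, {"caller": 10}, effects_first)
    snapshot, left = dict(ledger.balances), [reentries]

    def reenter():                          # recipient calls back into withdraw
        if left[0] > 0:
            left[0] -= 1
            fund.withdraw("caller", reenter)

    try:
        fund.withdraw("caller", reenter)
        rolled_back = False
    except InsufficientFunds:               # assumption: a failed send aborts
        ledger.balances = snapshot          # and undoes the whole outer call
        rolled_back = True
    return ledger.balances["caller"], sum(ledger.balances.values()), rolled_back

if __name__ == "__main__":
    for args in [(False, 3), (True, 3), (False, 20)]:
        print(args, simulate(*args))
```

In every run the total supply stays at 100: the late bookkeeping lets value be moved several times, never created, and updating the credit before the external call limits the payout to the credited 10.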

  3. Quit posting about these guys by inode_buddha · · Score: 1

    Quit posting about these guys, please! I keep mis-reading the name as "eurethrum"

    --
    C|N>K
  4. Cliff hanger summary! by fustakrakich · · Score: 1

    Be sure to tune in next week, when Doris gets her oats...

    --
    “He’s not deformed, he’s just drunk!”
  5. It turns out... by beelsebob · · Score: 1, Troll

    It turns out that if you build a system deliberately with exactly no regulation, hoping that it'll all magically work based off the magical hand of the market, that everything goes tits up.

    Who'dathunkit?

    1. Re:It turns out... by thegarbz · · Score: 3, Informative

      Tits-up IS the magic hand of the market. This is the work of self-regulation in progress. Companies which offer insecure solutions in an entirely unregulated market magically cease to exist because of their stupidity due to ... ahem ... "market forces".

  6. Uh, wait: 10000 is "smaller"? by XXongo · · Score: 1

    from the summary: "...as well as various smaller 100-10000 ETH thefts and losses in games and token contracts."

    This isn't a 22 ETH second Ethereum theft: this is just one more in a long ongoing series of thefts -- and not a particularly large one.

  7. Cryptocurrency mentality. by jbssm · · Score: 3, Insightful

    I'm a totally libertarian guy... until they mess with my money, because then I cry for the intervention of the state and the real courts of law.

    1. Re:Cryptocurrency mentality. by mmortal03 · · Score: 1

      There are many libertarians who believe in a minimal state and real courts of law, but, yeah, if there are individuals in the cryptocurrency space crying for government intervention at the level of the protocol, then they're missing the point. You don't have to be a libertarian to see the usefulness of Bitcoin, though.

  8. Re:Hey Editor David - You Ain't No Editor by dougTheRug · · Score: 1

    and what is the DAO?

  9. Object-Capability Security would have helped by MostAwesomeDude · · Score: 2

    Y'know, Ethereum's VM and their contract language, Solidity, are not especially great for this kind of verified contract work. It would have been great to see lessons learned from the E programming language and the object-capability security model in this whole misadventure. But no, they just took "smart contracts" and tried to interpret that in isolation without any of the literature that comes with it. Disappointing.

    --
    ~ C.
  10. A government is NOT magical by Anonymous Coward · · Score: 1

    Either you can defend some phenomenon as your "property", or you cannot; justification is your ability to convince others to condone (if not aid) your defense.

    Under libertarianism, The Law is the collection of all voluntary contracts; you operate outside The Law at your own peril.

    There is nothing magical about the security industry ("police"), the contract-enforcement industry ("police"), or the justification industry ("courts"); it is not necessarily the case that a violently imposed monopoly is the optimal form for these industries (after all, there is no World Government).

    As with any other industry (or, indeed, complex system), the forms of these industries are best found through the process of evolution by variation and selection, the most profitable implementation of which is a market of voluntary trade. Competition manifests variation, and consumer choice manifests selective forces; in this way, society as a whole engages in the cooperative process of finding the best solutions (without even requiring participants to be aware that they are doing so), and without imposing any particular idea.

    This is important because involuntary interaction induces festering indignation.

    To place involuntary interaction at the foundation of your society is to place festering indignation at the foundation of your society; festering indignation leads to more involuntary interaction, which leads to more festering indignation, until there could well be a devastating explosion of violent upheaval.

    Behold the world and its history.

    A government is just another organization in the market; it is an organization that allocates resources through involuntary trade. In any particular domain of interaction (that is, in any particular jurisdiction), the most powerful such organization is often simply named "Government".

    Libertarianism is a rejection of involuntary interaction; libertarianism is a rejection of governments. In a libertarian culture, people would be sensitized to involuntary interaction, quickly identify it, and seek ways to replace it with societal structures that do not involve involuntary interaction.

    Unfortunately, libertarian culture is young and weak.

    In the same way that many communities around the world struggle to implement representative democracy due to their lack of the 1000 years of cultural development that "The West" experienced in this regard, so too is it the case that even the most "modern" and "civilized" communities of the world struggle to comprehend and implement libertarianism due to their lack of cultural development in this regard. As libertarian structures begin to emerge, it will become possible to start jettisoning the ancient ideas of authoritarianism, and then the ability of governments to pool and allocate (including protect) resources won't seem so magical anymore; governments will be viewed as more examples of those strange, unfortunate choices made by past generations who, in the aggregate, just didn't know any better.

    1. Re:A government is NOT magical by XXongo · · Score: 1

      In my experience, if you have two libertarians in a room and start asking them detailed questions, they have at least three contradictory opinions about what libertarianism is and how it operates.

  11. 27 days by manu0601 · · Score: 1

    Why is there a 27 days limit?

  12. free market by ressolute · · Score: 1

    Don't worry, guys. The free market will sort it out.