Slashdot Mirror


Ethereum Debate Marred By Second Digital Currency Heist (dailydot.com)

Thursday's news of a $50 million heist of digital currency at Ethereum was followed today by reports of a second heist from the DAO, according to the Bitcoin News Service -- this one for just 22 Ether. "It appears this is just someone who wanted to test the exploit and see if they could use it to their advantage... " Slashdot reader Patrick O'Neill writes: "The currency's community is currently debating a course forward for a currency that is built on the idea that it is governed by software and not human beings. One option is to fork the code, another is to do absolutely nothing at all."
Vitalik Buterin, the co-founder of Ethereum, posted Sunday that "Over the last day with the community's help we have crowdsourced a list of all of the major bugs with smart contracts on Ethereum so far, including both the DAO as well as various smaller 100-10000 ETH thefts and losses in games and token contracts." The list begins by including "The DAO (obviously)," but is followed by a warning that "progress in smart contract safety is necessarily going to be layered, incremental, and necessarily dependent on defense-in-depth. There will be further bugs, and we will learn further lessons; there will not be a single magic technology that solves everything."

The Daily Dot wrote Friday that "Because of the way the code in question is written, Ethereum's developers and community have 27 days to decide what to do before the hackers are able to move the money and cash out... What's happening now amounts to a political campaign. But the debate is far from over. The clock is ticking now, the world is watching, and the next step of the cryptocurrency experiment is unfolding under a spotlight burning hotter every day."

9 of 44 comments

  1. Sue obviously by 0dugo0 · · Score: 2

    Why is this called a heist? Do we also call it a heist if a patent lawyer walks away with a pile of millions? Maybe it is just a bunch of Ether Trolls that will sue the developers into oblivion for breach of contract if they try forking the code.

    1. Re:Sue obviously by jbssm · · Score: 4, Insightful

      Why would they sue? The DAO wording very clearly states that for all possible purposes including legal ones the code is the contract. Whoever did this, did exactly what the contract stated.

      Besides, why would people want a smart contract based blockchain currency if the contracts wouldn't be solved by those smart contracts but by a traditional court? Doesn't that defeat the whole purpose of the currency? I bet these people are not feeling so "libertarian" right now.

    2. Re:Sue obviously by ADRA · · Score: 2

      Like all great libertarian losers, blame someone else (And make sure history doesn't recall that they were Libertarian to begin with).

      --
      Bye!
  2. "Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 5, Insightful

    "Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."

    This is the very first sentence on the ethereum.org homepage. Doing anything to try to reverse these "heists" is basically these people deciding that they didn't like the contract they wrote (because it didn't benefit them as much as they thought it would) and want to invalidate it. It totally goes against all the principles they claim to stand for, but I suppose that's nothing new.

    1. Re:"Fixing" the problem undermines the entire idea by _Sharp'r_ · · Score: 2

      The problem is that in their hubris, they forgot to allow for coding errors in "exactly as programmed". So yeah, it's working exactly as programmed, just not as intended by the programmer. :)

      Also, this isn't a heist, because nothing was stolen. It's more of a counterfeiting operation, if I understand the commentary correctly. Someone took advantage of a recursive bug and an anti-pattern of calling recursive code before updating values and essentially created 33% more Ether than previously existed out of thin air. Or at least will, as it actually won't complete for almost another month (so they got at least some time limits right to prevent exposure).

      It's obviously not what was intended by the programmers, so there is an argument for "fixing" the code bug before the defect can be actually taken advantage of, but I can see the argument for letting it stand as a cost to the people who bet on their coding ability as a natural consequence for being wrong.

      Without a fix for at least the going forward code (the issue still exists until voted to be changed), it's hard to see how the system will be viable for actual use anymore, so I suspect the miners will decide to run a fixed version of the code.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
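
Added example, not part of the thread and not the DAO's code: a simplified Python model of the anti-pattern described in the comment above, where the payout calls into the recipient before the balance is cleared, next to the same withdraw with the update done first. The Vault and ReentrantRecipient classes, the amounts and the depth limit are constructed for illustration.

```python
# Simplified model (constructed for illustration, not the DAO's code): a vault
# that pays out by calling into the recipient, as a contract-to-contract send does.
class Vault:
    def __init__(self, safe):
        self.safe = safe       # True = update state before the external call
        self.balances = {}     # what the ledger says each depositor is owed
        self.pool = 0          # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.safe:
            self.balances[who] = 0     # effect first
            self._send(who, amount)    # interaction last
        else:
            self._send(who, amount)    # interaction first: recipient code runs
            self.balances[who] = 0     # ...before the balance is cleared

    def _send(self, who, amount):
        self.pool -= amount
        who.receive(self, amount)      # hands control to the recipient

class ReentrantRecipient:
    """Constructed test recipient whose receive hook calls withdraw again."""
    def __init__(self, max_depth=3):
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            vault.withdraw(self)       # re-enters while withdraw is mid-flight

def run(safe):
    vault = Vault(safe)
    caller = ReentrantRecipient()
    vault.deposit("other depositor", 90)   # constructed amounts
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool     # (paid to caller, left in vault)
```

With the update after the call, the recipient that deposited 10 is paid 40 and the vault is left holding 60 against 90 still owed; with the update first, the nested call sees a zero balance and the payout stays at 10.
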
    2. Re:"Fixing" the problem undermines the entire idea by Anonymous Coward · · Score: 2, Insightful

      The problem is that in their hubris

      And that the people who "lost" the most are those that are at the core of the project. They do not want to lose their money, and want the project to bail them out. It was as if the 1% wanted a bailout all over again (just a different 1% this time).

      If the bailout does happen, this risks the entire project. If the bailout does not happen, this risks the entire project. Heads you lose, tails you lose.

  3. Cryptocurrency mentality. by jbssm · · Score: 3, Insightful

    I'm a totally libertarian guy... until they mess with my money, because then I cry for the intervention of the state and the real courts of law.

  4. Re:It turns out... by thegarbz · · Score: 3, Informative

    Tits-up IS the magic hand of the market. This is the work of self-regulation in progress. Companies which offer insecure solutions in an entirely unregulated market magically cease to exist because of their stupidity due to ... ahem ... "market forces".

  5. Object-Capability Security would have helped by MostAwesomeDude · · Score: 2

    Y'know, Ethereum's VM and their contract language, Solidity, are not especially great for this kind of verified contract work. It would have been great to see lessons learned from the E programming language and the object-capability security model in this whole misadventure. But no, they just took "smart contracts" and tried to interpret that in isolation without any of the literature that comes with it. Disappointing.

    --
    ~ C.