Decentralized autonomous organizations (DAO) are one of the main innovations made possible by the Ethereum blockchain, which allows so-called "contracts" to be stored. Each contract has its own address (similar to the address of a Bitcoin wallet) and is in fact a program with a set of rules that is executed whenever a transaction is sent to it. The main feature of a DAO as an organization is the absence of human intermediaries: the rules of decision making, and accordingly the disposal of the organization's funds, are carried out by executing the code used to create the contract. This is exactly what played the key role in the attack on the largest decentralized organization, "The DAO", on June 17, 2016 (for more about the organization, see the recent article on Geektimes).
The attacker exploited a recursive call vulnerability, warnings about which had appeared at least since June 12, but The DAO's co-founder Stephan Tual claimed in his blog that the presence of this bug would not affect the organization's funds (11.08 million ETH in total, or about 13.64% of the total market volume) and that all necessary precautions had been taken. That did not stop the attacker from successfully moving more than 32% of the organization's funds to his wallet five days later. The technical details of the attack can be found here; in short, the vulnerability was made possible by a confluence of several factors and problems in the development of the contract.
The attack was followed by a reaction from Ethereum founder Vitalik Buterin, who asked the exchanges to suspend withdrawals from ETH into bitcoins and dollars until the reasons for the outflow of funds were determined. Curiously, the proposed suspension concerned all transactions, even though the error was present in only one, if far from the smallest, contract on the network. This behavior by the blockchain's main developers sharply split opinion in the Ethereum community on Reddit.com into two diametrically opposed camps: some users were pleased with the quick reaction to the problem, while others pointed to the preferential treatment of large account (contract) holders over ordinary users, since with trading suspended all users would lose the ability to record transactions, regardless of whether they had anything to do with the organization that was attacked.
Further developments are possible in three directions:
- Soft-fork: restrict transactions from the attacker's wallet, but do not return the money to The DAO
- Hard-fork: cancel the transfer of funds to the attacker's accounts and return the money to the owners of The DAO tokens
- Inaction: leave all the funds in the attacker's account and let him dispose of them as he pleases
The moral dilemma is that the very fact that the funds were transferred to the fraudster within the framework of The DAO's programmed contract legitimizes them, according to the rules of that same organization:
The terms of The DAO Creation are set forth in the smart contract code on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms, or in any other document or communication, may modify or add any obligations or guarantees beyond those set forth in The DAO's code. Any explanatory terms or descriptions are offered merely for educational purposes and do not supersede or modify the terms set forth in The DAO's code on the blockchain. In the event of any conflict or discrepancy between the descriptions offered on this page and The DAO's code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, the code controls and sets forth all terms of The DAO Creation.
Thus, under a loose reading of the rules that the system's creators proclaimed for themselves, any operation permitted by the program code itself should be recognized as legitimate (traditional lawyers may disagree, but that is a separate conversation). An attempt to restrict access to the funds obtained, by way of the soft- and hard-forks proposed by the organization, directly contradicts the ideology of organizations governed exclusively by machine code.
Curiously, the main page of the Ethereum project lists the main properties of applications built on this blockchain:
Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed, without downtime, censorship, fraud or third-party interference.
The blockchain's creators likewise appeal to strict adherence to the code's instructions and to non-interference by third parties in its operation; the proposed changes, however, suggest the opposite, and if they are accepted the impartiality of the system is called into question. Opponents of reversing the operations also point out that, despite vulnerabilities in many earlier contracts, operations were never cancelled before, and that the blockchain's management is for the first time fixing a problem at the level of an individual contract rather than of the blockchain as a whole, which acted strictly according to its instructions and rules. The impartiality of the system's creators is further questioned because, although miners do have a choice of whether to follow the proposed soft-fork, the platform update that ships the change enables it by default, while rejecting it requires the additional flag --no-dao-soft-fork.
Naturally, inaction by the blockchain's core developers could also provoke a negative market reaction, since investors may fear the loss of so much money (at the time of the attack the attacker's account held ether worth $50 million) by more than 18 thousand "contributors", which could cause interest in the currency as a whole to fall.
Thus any scenario can lead to negative consequences: rolling back operations and restricting the movement of funds contradicts the very concept of decentralized systems and DAOs, while inaction can damage Ethereum's image in the eyes of the world's financiers. In any case, the decision on the fate of the stolen funds will be made by the community, because at least 51% of all miners must install the change for it to take effect in the blockchain, and the question of the platform's future remains open.
Bonus: an unconfirmed letter from the attacker, demanding that his funds be left alone.