Daily Bulletin

The Conversation

  • Written by Benjamin Dean, Fellow for Cyber-security and Internet Governance, School of International and Public Affairs, Columbia University

Companies around the world are exploring blockchain, the technology underpinning digital currency bitcoin. In this Blockchain unleashed series, we investigate the many possible use cases for the blockchain, from the novel to the transformative.

Ethereum, a network designed to extend blockchain technology to uses beyond crypto-currencies, has been gaining traction around the world.

Billed as “a decentralized platform that runs smart contracts…without any possibility of downtime, censorship, fraud or third party interference,” Ethereum has been enthusiastically embraced by organisations like Microsoft, IBM and Azure.

How then does the equivalent of tens of millions of dollars get stolen in one day, from an individual account?

This is the situation that those affiliated with The DAO (Decentralized Autonomous Organization) awoke to on June 17 as transactions were made from their Ethereum account to an account whose owner is unknown.

It was a timely reminder that sometimes “smart” technology acts stupidly. Bitcoin suffered a near-death experience in 2014 when the equivalent of US$450 million in bitcoins went missing after Mt. Gox declared bankruptcy. Ethereum now faces a similar moment.

Important lessons about the risks, true capabilities and need for better governance of blockchain networks unfortunately have to be learned once again.

How Ethereum and The DAO work

Started in 2014 by teenage programming prodigy Vitalik Buterin, the Ethereum network is unique for its pioneering use of “smart contracts”. Just like regular contracts, terms and conditions are developed and agreed upon by consenting parties. What makes them supposedly “smart” is that, when the conditions of the contract are met, the contracts execute automatically.

The DAO is an online, investor-directed venture capital fund built on the Ethereum blockchain network. The DAO’s goal is to collectively channel investment into new projects, similar to the way that crowdfunding works, but using Ether, the crypto-currency that underpins Ethereum. It uses specialised code (based on Ethereum’s Solidity language) to allow its members to execute automated investment decisions.

The DAO has no single leader, though there is a group of overseers who are elected by holders of special DAO tokens (which people purchase with ether). Voting rights are determined by one’s DAO token holdings.

After raising 10.7 million ether (the equivalent of US$120 million in May 2016) in an initial crowdfunding effort, one of the biggest in history, hopes were high for The DAO.

Then, on June 17, crisis struck. An unknown person or group of people funnelled out about one-third of The DAO’s ether holdings the equivalent of between US$45 million and $77 million (the value depends on whether one uses the pre- or post-incident ether market price).

Within days, the market price of ether crashed around 50%. A good deal of soul searching for both projects has been underway ever since.

Smart thieves or dumb programming?

In the fallout of the incident, much was made about how The DAO was “hacked”. Upon closer examination though, The DAO was not hacked at all. The attacker(s) used two features of The DAO’s specialised code to siphon out ether in amounts small enough to not result in the destruction of their DAO tokens.

Moreover, The DAO’s terms and conditions do not permit theft or fraud. In short, it is perfectly legitimate to do whatever a smart contract’s code permits, even if this is beyond the original intention of those who wrote the code.

Like all technologies, “smart contracts” are dual use and might be used in ways that their creators did not intend. The complexity of the technology only compounds this issue.

When considered in this context, not only is what occurred above board (though not in the spirit of The DAO), funnelling money out of The DAO’s account ironically turns out to be a feature, not a bug.

Important decisions now face the Ethereum community. The fate of the network and the equivalent of hundreds of millions of dollars hang in the balance.

Sensibly, a backstop mechanism was built into the Ethereum network for incidents such as this one. The account holding the (mis)appropriated funds (a so-called Child DAO) has been frozen for 27 days and soon the Ethereum community will hold a referendum of sorts, “voting” on what course of action to pursue. This will determine whether holders of DAO tokens will be able to recoup their lost ether, or see it remained locked in limbo forever.

Lessons for blockchain enthusiasts

This episode introduces nuance to Ethereum’s pitch on enabling applications to run “without any possibility of downtime, censorship, fraud or third party interference”. Similar claims are made by the promoters of crypto-currencies and blockchains more generally.

Smart contracts may run exactly as programmed but this does not mean that they will run as the creators intended. The DAO incident demonstrates how the complexity of these contracts is outstripping the comprehension of the people who wish to write them. This in turn introduces bugs and vulnerabilities, some of which are known, but others will only become known when something goes wrong.

While the Ethereum network’s users might be decentralised, certain features of the network are not. For instance, the decision as to what changes will be made to the code as a part of the upcoming referendum is determined by a small group of Ethereum developers. The check on this concentration of control is that 51% of nodes in the network must agree to the changes.

However, a 51% threshold is not ideal given the network’s tendencies towards centralisation. The difference between the Ethereum blockchain network vs a referendum is that the former is not “one person, one vote” it is “one node, one vote”.

For Ethereum, there is no telling how many people control how many nodes. This is because the account holders are pseudonymous. What is known is that the distribution of ether holdings is heavily skewed across accounts. At present, of a total of 440,741 accounts, the top five Ethereum accounts alone possess 25% of the total outstanding ether. Moreover, the distribution of mining is also not uniform. Three mining pools currently occupy more than 50% of Ethereum’s mining capacity. Amassing 51% of the required resources for control becomes relatively easier under such a configuration. For Bitcoin, where votes are determined by the distribution of mining, and mining is similarly distributed, the ability to game the network is even greater.

Smart contracts require smarter governance

If blockchains are to be sustainable in the long run, serious consideration of appropriate governance mechanisms is needed.

A skewed distribution of mining power and crypto-currency holdings is combined with pseudonymity of account holders and a strong incentive to game the system. This has all the makings for deceptive, unaccountable, fraudulent, and self interested decision making.

Until hard questions around governance of blockchains are asked, and solutions implemented, we should brace ourselves for more incidents like that which has befallen The DAO. At stake is not just the fate of projects like Ethereum but the future potential of blockchain technology more generally.

Authors: Benjamin Dean, Fellow for Cyber-security and Internet Governance, School of International and Public Affairs, Columbia University

Read more http://theconversation.com/without-smarter-governance-blockchains-will-fall-victim-to-more-attacks-61353

Writers Wanted

Review: Robert Dessaix on growing older well — a genial journey through a rich inner world


Why the 2000 Sydney Paralympics were such a success — and forever changed the games


The Conversation


Prime Minister Interview with Kieran Gilbert, Sky News

KIERAN GILBERT: Kieran Gilbert here with you and the Prime Minister joins me. Prime Minister, thanks so much for your time.  PRIME MINISTER: G'day Kieran.  GILBERT: An assumption a vaccine is ...

Daily Bulletin - avatar Daily Bulletin

Did BLM Really Change the US Police Work?

The Black Lives Matter (BLM) movement has proven that the power of the state rests in the hands of the people it governs. Following the death of 46-year-old black American George Floyd in a case of ...

a Guest Writer - avatar a Guest Writer

Scott Morrison: the right man at the right time

Australia is not at war with another nation or ideology in August 2020 but the nation is in conflict. There are serious threats from China and there are many challenges flowing from the pandemic tha...

Greg Rogers - avatar Greg Rogers

Business News

Top 3 Accident Law Firms of Riverside County, CA

Do you live in Riverside County and faced an accident and now looking for a trusted Law firm to present your case? If yes, then you have come to the right place. The purpose of the article is to...

News Co - avatar News Co

3 Ways to Keep Your Business Safe with Roller Shutters

If you operate your business in a neighbourhood or city that is not known for being a safe environment, it is not surprising if you often worry about the safety of your business establishments o...

News Co - avatar News Co

Expert Tips on How to Create a Digital Product to Sell on Your Blog

As the managing director of a growing talent agency, I use the company blog to not only promote my business but as a way to establish ourselves as an authority in our industry. You see, blogs a...

Adam Jacobs - avatar Adam Jacobs

News Co Media Group

Content & Technology Connecting Global Audiences

More Information - Less Opinion