Investors in a “smart contract” built on the Ethereum blockchain platform may have lost cryptocurrency worth millions of dollars because they missed a loophole in the contract’s fine print.
The contract was written in Ethereum’s Solidity programming language, and the fine print was the code that set out the rules for investing in, operating, and withdrawing from a crowd-sourced venture capital fund called The DAO (The Distributed Autonomous Organization.) .
Ethereum, like other blockchains, is a distributed public ledger, or record of transactions. Where the bitcoin ledger records bitcoin transactions, the Ethereum blockchain records transfers of a cryptocurrency called Ether. But there’s more: Ethereum is also a platform for running smart contracts. Its creator, the Ethereum Foundation, describes smart contracts as “applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.”
In some respects, that’s turning out to be true: The contract for The DAO did run exactly as programmed — although not, perhaps, exactly as intended.
One canny investor appears to have spotted that the contract did not always run exactly as other investors expected. On Friday, that investor used a loophole to divert The DAO’s store of Ether to another account, a “child” of The DAO. Under the terms of the contract, it can’t be withdrawn from the child account until after a waiting period of 27 days. But after that, in theory, there is no stopping it: On Ethereum, code is law.
The loophole, known as the “recursive call vulnerability” or the “race to empty,” had been spotted in a number of Ethereum smart contracts and publicized more than a week earlier. Slock.it, the developer of the framework used to build The DAO, said on June 12 it had patched its code and urged The DAO to adopt the new version — but also said that other factors prevented the loophole from being exploited in The DAO.
“This is not an issue that is putting any DAO funds at risk today,” Slock.it founder Stephen Tual wrote on the company blog.
As it turned out, those other factors did not protect The DAO.
Exploiting the loophole involved recursively calling the code that allows an investor to cash out of the contract. The code would first make the payout but would debit it from the investor’s available funds in a later operation. So if the code were called again before the debit operation took place, the same sum could be paid out over and over. It’s a bit like asking a bank teller for all the money in an account, taking the cash — and then asking again for all the money in the account, before the teller gets a chance to update the balance.
Whether that counts as fraud depends on whether, as an investor, you expected your investment to be handled in the spirit of some kind of social contract or according to the letter of the smart contract.
If not fraud, then how about a hack, as some have called it?
“I’m not even sure that this qualifies as a hack,” Cornell University Associate Professor Emin Gün Sirer wrote in a blog post analyzing The DAO’s troubles. “To label something as a hack or a bug or unwanted behavior, we need to have a specification of the wanted behavior. We had no such specification for The DAO. There is no independent specification for what The DAO is supposed to implement.”
All that is bad enough for The DAO’s investors, whose funds are on the way out the door, but it presents an existential problem for Ethereum.
More than one-tenth of all the 81.2 million Ether in existence was invested in that one fund. The resulting crisis in confidence has caused the value of Ether as a whole to collapse, from $20.51 per Ether on Thursday to $11.81 Monday, wiping $700 million off the book value of the Ethereum economy.
To restore confidence and provide an opportunity for The DAO investors to recover their money, the Ethereum Foundation has proposed changing the underlying rules, introducing the equivalent of a constitutional amendment to freeze the account to which The DAO’s funds were diverted.
“This will provide plenty of time for discussion of potential further steps, including to give token holders the ability to recover their ether,” Ethereum co-founder Vitalik Buterin wrote on the foundation’s blog.
The foundation can’t impose its solution: It requires those operating the computers that run the distributed system — the equivalent of bitcoin’s miners — to decide whether to adopt the changed code: If a majority of them do, then the proposal will take effect.
In one sense, Ethereum’s founders are damned if they do, and damned if they don’t. They can pander to The DAO’s investors’ interests, interfering in the contract and thus undermining Ethereum’s bedrock principle that smart contracts will run exactly as programmed, without third-party interference. Or they can do nothing, standing and watching as The DAO’s collapse brings confidence in the rest of the platform crashing down around it.
For The DAO investors in particular, it’s the ultimate test of whether they truly want to be part of a decentralized economy, with no central authority to judge and to impose redress.