Daily BulletinDaily Bulletin

The Conversation

  • Written by Benjamin Dean, Fellow for Cyber-security and Internet Governance, School of International and Public Affairs, Columbia University
image

Companies around the world are exploring blockchain, the technology underpinning digital currency bitcoin. In this Blockchain unleashed series, we investigate the many possible use cases for the blockchain, from the novel to the transformative.

Ethereum, a network designed to extend blockchain technology to uses beyond crypto-currencies, has been gaining traction around the world.

Billed as “a decentralized platform that runs smart contracts…without any possibility of downtime, censorship, fraud or third party interference,” Ethereum has been enthusiastically embraced by organisations like Microsoft, IBM and Azure.

How then does the equivalent of tens of millions of dollars get stolen in one day, from an individual account?

This is the situation that those affiliated with The DAO (Decentralized Autonomous Organization) awoke to on June 17 as transactions were made from their Ethereum account to an account whose owner is unknown.

It was a timely reminder that sometimes “smart” technology acts stupidly. Bitcoin suffered a near-death experience in 2014 when the equivalent of US$450 million in bitcoins went missing after Mt. Gox declared bankruptcy. Ethereum now faces a similar moment.

Important lessons about the risks, true capabilities and need for better governance of blockchain networks unfortunately have to be learned once again.

How Ethereum and The DAO work

Started in 2014 by teenage programming prodigy Vitalik Buterin, the Ethereum network is unique for its pioneering use of “smart contracts”. Just like regular contracts, terms and conditions are developed and agreed upon by consenting parties. What makes them supposedly “smart” is that, when the conditions of the contract are met, the contracts execute automatically.

The DAO is an online, investor-directed venture capital fund built on the Ethereum blockchain network. The DAO’s goal is to collectively channel investment into new projects, similar to the way that crowdfunding works, but using Ether, the crypto-currency that underpins Ethereum. It uses specialised code (based on Ethereum’s Solidity language) to allow its members to execute automated investment decisions.

The DAO has no single leader, though there is a group of overseers who are elected by holders of special DAO tokens (which people purchase with ether). Voting rights are determined by one’s DAO token holdings.

After raising 10.7 million ether (the equivalent of US$120 million in May 2016) in an initial crowdfunding effort, one of the biggest in history, hopes were high for The DAO.

Then, on June 17, crisis struck. An unknown person or group of people funnelled out about one-third of The DAO’s ether holdings the equivalent of between US$45 million and $77 million (the value depends on whether one uses the pre- or post-incident ether market price).

Within days, the market price of ether crashed around 50%. A good deal of soul searching for both projects has been underway ever since.

Smart thieves or dumb programming?

In the fallout of the incident, much was made about how The DAO was “hacked”. Upon closer examination though, The DAO was not hacked at all. The attacker(s) used two features of The DAO’s specialised code to siphon out ether in amounts small enough to not result in the destruction of their DAO tokens.

Moreover, The DAO’s terms and conditions do not permit theft or fraud. In short, it is perfectly legitimate to do whatever a smart contract’s code permits, even if this is beyond the original intention of those who wrote the code.

Like all technologies, “smart contracts” are dual use and might be used in ways that their creators did not intend. The complexity of the technology only compounds this issue.

When considered in this context, not only is what occurred above board (though not in the spirit of The DAO), funnelling money out of The DAO’s account ironically turns out to be a feature, not a bug.

Important decisions now face the Ethereum community. The fate of the network and the equivalent of hundreds of millions of dollars hang in the balance.

Sensibly, a backstop mechanism was built into the Ethereum network for incidents such as this one. The account holding the (mis)appropriated funds (a so-called Child DAO) has been frozen for 27 days and soon the Ethereum community will hold a referendum of sorts, “voting” on what course of action to pursue. This will determine whether holders of DAO tokens will be able to recoup their lost ether, or see it remained locked in limbo forever.

Lessons for blockchain enthusiasts

This episode introduces nuance to Ethereum’s pitch on enabling applications to run “without any possibility of downtime, censorship, fraud or third party interference”. Similar claims are made by the promoters of crypto-currencies and blockchains more generally.

Smart contracts may run exactly as programmed but this does not mean that they will run as the creators intended. The DAO incident demonstrates how the complexity of these contracts is outstripping the comprehension of the people who wish to write them. This in turn introduces bugs and vulnerabilities, some of which are known, but others will only become known when something goes wrong.

While the Ethereum network’s users might be decentralised, certain features of the network are not. For instance, the decision as to what changes will be made to the code as a part of the upcoming referendum is determined by a small group of Ethereum developers. The check on this concentration of control is that 51% of nodes in the network must agree to the changes.

However, a 51% threshold is not ideal given the network’s tendencies towards centralisation. The difference between the Ethereum blockchain network vs a referendum is that the former is not “one person, one vote” it is “one node, one vote”.

For Ethereum, there is no telling how many people control how many nodes. This is because the account holders are pseudonymous. What is known is that the distribution of ether holdings is heavily skewed across accounts. At present, of a total of 440,741 accounts, the top five Ethereum accounts alone possess 25% of the total outstanding ether. Moreover, the distribution of mining is also not uniform. Three mining pools currently occupy more than 50% of Ethereum’s mining capacity. Amassing 51% of the required resources for control becomes relatively easier under such a configuration. For Bitcoin, where votes are determined by the distribution of mining, and mining is similarly distributed, the ability to game the network is even greater.

Smart contracts require smarter governance

If blockchains are to be sustainable in the long run, serious consideration of appropriate governance mechanisms is needed.

A skewed distribution of mining power and crypto-currency holdings is combined with pseudonymity of account holders and a strong incentive to game the system. This has all the makings for deceptive, unaccountable, fraudulent, and self interested decision making.

Until hard questions around governance of blockchains are asked, and solutions implemented, we should brace ourselves for more incidents like that which has befallen The DAO. At stake is not just the fate of projects like Ethereum but the future potential of blockchain technology more generally.

Authors: Benjamin Dean, Fellow for Cyber-security and Internet Governance, School of International and Public Affairs, Columbia University

Read more http://theconversation.com/without-smarter-governance-blockchains-will-fall-victim-to-more-attacks-61353

My Fair Lady: Greatest Musical of the 20th Century

arrow_forward

How to Turn 1Z0-931 Exam Preparation into Successful Career

arrow_forward

The Ultimate Guide for Tarps

arrow_forward

The Conversation
INTERWEBS DIGITAL AGENCY

Politics

Prime Minister Interview with Ben Fordham, 2GB

FORDHAM: Thank you very much for talking to us. I know it's a difficult day for all of those Qantas workers. Look, they want to know in the short term, are you going to extend JobKeeper?   PRI...

Scott Morrison - avatar Scott Morrison

Prime Minister Scott Morrison interview with Neil Mitchell

NEIL MITCHELL: Prime minister, good morning.    PRIME MINISTER: Good morning, how are you?   MICHELL: I’m okay, a bit to get to I apologise, we haven't spoken for a while and I want to get t...

Scott Morrison - avatar Scott Morrison

Prime Minister Interview with Ben Fordham

PRIME MINISTER: I've always found that this issue on funerals has been the hardest decision that was taken and the most heartbreaking and of all the letters and, you know, there's been over 100...

Scott Morrison - avatar Scott Morrison

Business News

SEO In A Time of COVID-19: A Life-Saver

The coronavirus pandemic has brought about a lot of uncertainty for everyone across the world. It has had one of the most devastating impacts on the day-to-day lives of many including business o...

a Guest Writer - avatar a Guest Writer

5 Ways Risk Management Software Can Help Your Business

No business is averse to risks. Nobody can predict the future or even plan what direction a business is going to take with 100% accuracy. For this reason, to avoid issues or minimise risks, some for...

News Company - avatar News Company

5 Ways To Deal With Unemployment and Get Back Into the Workforce

Being unemployed has a number of challenges and they’re not all financial. It can affect you psychologically and sometimes it can be difficult to dig your way out of a rut when you don’t have a job ...

News Company - avatar News Company



News Company Media Core

Content & Technology Connecting Global Audiences

More Information - Less Opinion