A blockchain 'smart contract' could cost investors millions

By not studying the code implementing a smart contract, investors have exposed themselves to a multimillion-dollar loss

Investors in a "smart contract" built on the Ethereum blockchain platform may have lost cryptocurrency worth millions of dollars because they missed a loophole in the contract's fine print.

The contract was written in Ethereum's Solidity programming language, and the fine print was the code that set out the rules for investing in, operating, and withdrawing from a crowd-sourced venture capital fund called The DAO (The Distributed Autonomous Organization).

Ethereum, like other blockchains, is a distributed public ledger, or record of transactions. Where the bitcoin ledger records bitcoin transactions, the Ethereum blockchain records transfers of a cryptocurrency called Ether. But there's more: Ethereum is also a platform for running smart contracts. Its creator, the Ethereum Foundation, describes smart contracts as "applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."

In some respects, that's turning out to be true: The contract for The DAO did run exactly as programmed -- although not, perhaps, exactly as intended.

One canny investor appears to have spotted that the contract did not always run exactly as other investors expected. On Friday, that investor used a loophole to divert The DAO's store of Ether to another account, a "child" of The DAO. Under the terms of the contract, it can't be withdrawn from the child account until after a waiting period of 27 days. But after that, in theory, there is no stopping it: On Ethereum, code is law.

The loophole, known as the "recursive call vulnerability" or the "race to empty," had been spotted in a number of Ethereum smart contracts and publicized more than a week earlier. Slock.it, the developer of the framework used to build The DAO, said on June 12 it had patched its code and urged The DAO to adopt the new version -- but also said that other factors prevented the loophole from being exploited in The DAO.

"This is not an issue that is putting any DAO funds at risk today," Slock.it founder Stephen Tual wrote on the company blog.

As it turned out, those other factors did not protect The DAO.

Exploiting the loophole involved recursively calling the code that allows an investor to cash out of the contract. The code would first make the payout but would debit it from the investor's available funds in a later operation. So if the code were called again before the debit operation took place, the same sum could be paid out over and over. It's a bit like asking a bank teller for all the money in an account, taking the cash -- and then asking again for all the money in the account, before the teller gets a chance to update the balance.
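
The ordering problem described above, modeled as a small Python simulation (an added example, not The DAO's Solidity code; the `Fund` class, investor names and amounts are constructed for illustration). It runs the same re-entering recipient against a pay-then-debit withdrawal and against a debit-then-pay withdrawal, and checks whether the pool still matches the recorded balances afterwards.

```python
class Fund:
    """Toy model of a pooled fund: per-investor balances plus one shared pool."""

    def __init__(self, deposits, debit_first):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())
        self.debit_first = debit_first  # True = hardened ordering

    def withdraw(self, investor, receive):
        amount = self.balances.get(investor, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.debit_first:
            # Hardened: record the debit before control leaves this function.
            self.balances[investor] = 0
            self.pool -= amount
            receive(amount)
        else:
            # Ordering described in the article: pay out first...
            self.pool -= amount
            receive(amount)  # recipient code runs here and may call back in
            # ...and debit the investor only in a later operation.
            self.balances[investor] = 0

    def consistent(self):
        """Invariant: the pool must equal the sum of recorded balances."""
        return self.pool == sum(self.balances.values())


def run(debit_first, reentries=3):
    # Constructed sample data: four investors with 10 units each.
    fund = Fund({"alice": 10, "bob": 10, "carol": 10, "dave": 10}, debit_first)
    received = []

    def receive(amount):
        # Recipient logic that asks for its balance again before returning.
        received.append(amount)
        if len(received) <= reentries:
            fund.withdraw("alice", receive)

    fund.withdraw("alice", receive)
    return sum(received), fund.pool, fund.consistent()


if __name__ == "__main__":
    print("pay then debit:", run(debit_first=False))
    print("debit then pay:", run(debit_first=True))
```

With the debit recorded first, the nested call sees a zero balance and returns immediately, so the invariant holds no matter what the recipient does during the payout.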

Whether that counts as fraud depends on whether, as an investor, you expected your investment to be handled in the spirit of some kind of social contract or according to the letter of the smart contract.

If not fraud, then how about a hack, as some have called it?

"I'm not even sure that this qualifies as a hack," Cornell University Associate Professor Emin Gün Sirer wrote in a blog post analyzing The DAO's troubles. "To label something as a hack or a bug or unwanted behavior, we need to have a specification of the wanted behavior. We had no such specification for The DAO. There is no independent specification for what The DAO is supposed to implement."

All that is bad enough for The DAO's investors, whose funds are on the way out the door, but it presents an existential problem for Ethereum.

More than one-tenth of all the 81.2 million Ether in existence was invested in that one fund. The resulting crisis in confidence has caused the value of Ether as a whole to collapse, from $20.51 per Ether on Thursday to $11.81 Monday, wiping $700 million off the book value of the Ethereum economy.

To restore confidence and provide an opportunity for The DAO investors to recover their money, the Ethereum Foundation has proposed changing the underlying rules, introducing the equivalent of a constitutional amendment to freeze the account to which The DAO's funds were diverted.

"This will provide plenty of time for discussion of potential further steps, including to give token holders the ability to recover their ether," Ethereum co-founder Vitalik Buterin wrote on the foundation's blog.

The foundation can't impose its solution: It requires those operating the computers that run the distributed system -- the equivalent of bitcoin's miners -- to decide whether to adopt the changed code. If a majority of them do, then the proposal will take effect.

In one sense, Ethereum's founders are damned if they do, and damned if they don't. They can pander to The DAO's investors' interests, interfering in the contract and thus undermining Ethereum's bedrock principle that smart contracts will run exactly as programmed, without third-party interference. Or they can do nothing, standing and watching as The DAO's collapse brings confidence in the rest of the platform crashing down around it.

For The DAO investors in particular, it's the ultimate test of whether they truly want to be part of a decentralized economy, with no central authority to judge and to impose redress.
