The DAO, a distributed autonomous organization that raised over $150 million in ether, was hacked yesterday, and hackers began draining funds. The attack exploited a bug that allowed them to embed withdraw orders within withdraw orders. In total, they have drained close to 3.6 million ether (close to ⅓ of all ether controlled by The DAO and almost 5% of all ether available).
The ether went into this account, where it sits now. Due to how The DAO works, the funds in this new account can’t be used for 28 days, but at time of writing, it isn’t clear that the attack has actually stopped.
People started noticing this around 7am GMT, and the slock.it team responded. They sent an alert to their slack channel, which made its way through reddit and twitter, and proposed several strategies to delay or counter-attack the hacker. One was to spam the network to slow down transactions and buy developers time for another solution. Another was to explore means of splitting The DAO with existing split proposals. They are also advising current token holders to split from The DAO to protect their funds or, if funds are already locked in another proposal, to vote yes for split proposals. Read more about how The DAO works here.
The vulnerability had been identified earlier this week by someone outside the core Ethereum development community, and DAO users verified that The DAO was vulnerable. The bug lies not in Ethereum itself but in how developers are using Solidity, Ethereum's smart-contract programming language, to write contracts. The interested reader can find the original explanation of the bug here.
A hard fork is being proposed. In a hard fork, the Ethereum network is essentially split into two competing blockchains, and participants (miners, nodes, wallets, etc.) choose which to support. The version that gets the most support 'wins' and becomes the accepted version of history. This fork would freeze the stolen ether and prevent more ether from being drained.
Unsurprisingly, this has kicked off a furious debate about the governance of Ethereum.
One user points out that this is essentially a ‘bail out’ of The DAO in response to a theft and is an exercise of monetary policy that many didn’t think had a place in a decentralized cryptocurrency. He writes, “And this line of logic leads to federal banking systems and fractional reserves…Myself, and many others, consider intrinsic worth of cryptocurrency that the rules-of-play are baked into the logic of the software. If someone gets hurt because they didn’t use it properly, then that’s tough luck.”
“Myself, and many others, consider intrinsic worth of cryptocurrency that the rules-of-play are baked into the logic of the software.” – R Hartness
He continues that this isn’t a bug in the codebase itself but in how people were implementing it. Metaphorically, it isn’t that dollars were spontaneously dissolving but that a bank left its vault open and people still put their money in it.
Others point out that the core development team can't impose a hard fork: "Vitalik is not chairman of the Fed. AFAIK, he has no intrinsic power to enforce a fork or rollback." Ultimately, the network will fork only if enough people decide to, not because the dev team decrees it. They also point out that a theft of this magnitude would deal a huge blow to the cryptocurrency community and Ethereum itself.
“Vitalik is not chairman of the Fed. AFAIK, he has no intrinsic power to enforce a fork or rollback.” – brbsix
Nonetheless, core developers occupy a strange position in cryptocurrencies. They aren’t elected and can’t impose changes, but their opinion carries immense weight. Some people think the core development team should stay out of it and not endorse any particular proposal.
Bitcoin has gone through versions of this before, though forks that would recover stolen money are unprecedented. As we've written before, governance in cryptocurrencies is very messy. However, the broader philosophical issue hearkens back to the block-size debate, which involved different visions of what cryptocurrency should be. If it should be a payment network that is cheaper and more reliable than Paypal, then a hard-fork 'bail-out' has plenty of precedent among mainstream payment providers; a guarantee of funds is a basic tenet of modern banking. But if cryptocurrency should be a decentralized money system that isn't centrally controlled, the case for hard-fork bail-outs to protect people against theft is much less clear.
Regardless, this will impact cryptocurrency markets. Many currencies are currently taking a dive, including both Ethereum and Bitcoin. The recent flood of money into cryptocurrency markets may have involved 'lay' investors who don't fully understand how The DAO works or how codebases are governed. It is unclear whether a hard fork will inspire confidence in cryptocurrency security or raise more doubt about how cryptocurrencies respond to the unexpected.