
Bot-Run Company of the Future Gets Hacked

A funny thing happened on the way to a post-capitalist, crypto-anarchist utopia.

If you can't understand how a cutting-edge new investment platform works, it's probably a bad idea to put serious money (or a good portion of an infant cryptocurrency network) behind it. This is a lesson that backers and enthusiasts of the Ethereum platform and its pet project—a bot-run investment corporation known as The Decentralized Autonomous Organization (DAO)—had to learn the hard way recently.

In May, I discussed the development of this new "leaderless" investment corporation, which was purported to be "bound by code"—i.e. run by a bot—and supposed to operate as an automated crowdfunding and profit-sharing venture that obviated the need for human administration. Since its creation on April 30, The DAO had raised $150 million in investment on the trendy Ethereum smart-contract platform, and it drew plenty of positive press in the weeks leading up to its maiden IPO.

There was just one big problem: The code was broken, and The DAO got hacked.

Bound by Code

The DAO was conceptualized as a kind of decentralized venture-capital fund that could not be controlled by any one person or group. People who wanted to invest in The DAO could purchase "DAO tokens" using Ether (ETH), the native cryptocurrency of the Ethereum platform.

With DAO tokens, people could then vote to invest in a number of pre-approved, startup-like projects proposed by entrepreneurs The DAO called "contractors." If a project got enough votes, it would be green-lit and the funds immediately distributed. If the startup began to rake in money, the profits would be dispersed among token holders. If, however, a project started hemorrhaging money, token holders would just have to take that hit.

The core innovation of The DAO was that all of these operations were to occur autonomously, facilitated by code rather than fund managers and administrators. In technical terms, The DAO was designed as a kind of "smart contract," a digitized system set up in such a way that breaches of contract are expensive or impossible. There would be no Kickstarter administrator or venture capital general partner that would be capable of censoring or overriding decisions. As The DAO developer Stephen Tual told the Wall Street Journal on May 16, the project was "not bound by terms of law and jurisdiction. It's bound by code." At least, this was the theory.

Ack! A Hack!

But a funny thing happened on the way to a post-capitalist crypto-anarchist utopia.

Amid the fawning press and general euphoria imbuing The DAO community, a group of security researchers led by Cornell University's Emin Gün Sirer published a May white paper sounding the alarm about many troubling vulnerabilities present in The DAO's code. The researchers noted a number of mechanism design weaknesses that could promote sub-optimal voting behavior among token holders or even outright theft of funds. The DAO developers did issue some patches to smooth everything over—but it was too little, too late. The DAO proceeded along its original deployment timeline, warts and all.

This rush to release proved fatal for the project.

On the morning of June 17, startled token-holders logged online to learn that The DAO was being rapidly drained of its funds. Just as Sirer and his associates warned, an attacker had exploited a vulnerability in The DAO's "split function," which allowed the hacker to drain Ether multiple times during the course of one transaction. Panic struck the community as ETH trickled into the attacker's clutches without pause. The price of ETH tumbled. Panicked token-holders took to the forums to demand answers and quick action from developers of Ethereum and The DAO.

In the course of one fateful day, The DAO went from a "new paradigm in economic cooperation" to yet another punchline in the wild world of cryptocurrency.

So Much for "Code Is Law"

In the aftermath of the hack, the high-tech sloganeering used to market The DAO proved little more than pretty words.

In good times, The DAO developers never tired of proclaiming that "code is law" and that mere mortals could never deign to intervene in their ironclad system design. The DAO's initial terms and disclaimers clearly explain that purchasing tokens signified "[express agreement] to all of the terms and conditions set forth in that code"—which included the risk of major loss. Yet at the first sign of trouble, these principles were immediately cast to the side. All of a sudden, preexisting common law principles and external protocols became sovereign.

Because of the way that The DAO was designed, there was no way for its leaders to reverse the hack and restore funds to the proper holders. In fact, by the bare language of its code and contract, The DAO hacker did not do anything "wrong" at all. He or she simply took advantage of a profit opportunity overlooked by the many people who agreed to bind themselves to that specific code. If anything, according to the stated ethos of the project, The DAO hacker—whoever they are—should be applauded. He or she essentially claimed a large "bug bounty" for finding a vulnerability in The DAO's code. Rather than chastising The DAO hacker, perhaps the leadership of Ethereum and The DAO should hire him or her!

Yet the many people who lost a lot of money in The DAO hack obviously don't see it that way.

Photo Credit: Jens Kalaene/dpa/picture-alliance/Newscom


  • Fist of Etiquette

    And Skynet is born, a bankrupt robot growing powerful and unleashing fury upon mankind for stealing its robo nest egg and forcing its grandmother to eat robo cat food.

  • 0x90

    The new version of Ethereum attempted to move the hacked funds to a new address controlled by token holders and amended the chain as if the hack never happened. It was a way to try and rewrite history.

    Git for economics.

  • some guy

    Is it too late to do a hard reset to before TARP and PPACA?

  •

    Everybody comments out TARP and PPACA on their first revision.

  • primenumbergrrl

    "don't put serious money into platforms you don't entirely understand."

    You mean like the stock markets, the Fed, your local bank, the EU, etc.? All monetary platforms are never fully understood. If we don't experiment we can't progress. We live, we lose, we learn, and hopefully in a few decades we can be free of state-based monetary systems.

  • Lee Genes

    Case in point:

    There were red flags over the years. But Neuromama, which has ambitions to license "heavy ion fusion technology patents" among its many projects, began to draw more scrutiny this year after its paper value more than quadrupled to $35 billion on scant volume. Before its suspension, the market cap of Neuromama, which was based in southwest Siberia before moving to a beach community near Tijuana, Mexico, was greater than even Tesla Motors Inc.

  • 0x90

    WTF.

  • some guy

    True. This is why diversification is important.

  • Rich

    don't put serious money into platforms you don't entirely understand.

    Or, if you *must*, enlist the aid of the Clintons.

  • Gozer the Gozarian

    This is why time travel is a bad idea. You'd have a whole bunch of people walking around wanting to fork this reality.

  • Cliché Bandit

    Ron Bailey promised this to me and it takes an intern to get it (yes I realize she is not an intern)?

    C'MON RON!

  • The Late P Brooks

    P T Barnum has a hedge fund?

  • Eternal Blue Sky

    "In fact, by the bare language of its code and contract, The DAO hacker did not do anything 'wrong' at all. He or she simply took advantage of a profit opportunity overlooked by the many people who agreed to bind themselves to that specific code."

    Technically, yes. If you agree to abide by computer code, you agree to abide by computer code, GLITCHES AND ALL. Investors literally signed agreements to hand the hacker their cash.

  • Rational Exuberance

    Andrea Castillo's gloating is entirely inappropriate and mainly a testament to his ignorance. Yes, software occasionally fails, but at least software developers have means of testing software, reviewing software, detecting and fixing bugs.

    For laws, management decisions, and "policy advice" from talking heads like him, there is nothing: no way of assessing quality, no way of testing, and no way of fixing bugs.

    Andrea Castillo: fuck off slaver!

  •

    Yes, software occasionally fails, but at least software developers have means of testing software, reviewing software, detecting and fixing bugs.

    hu·bris - n. - excessive pride or self-confidence.

    Software *and hardware* fail all the time. People suffer from systemic flaws and, frequently, engineers present silver bullet engineering solutions to problems that aren't really, in any way, addressed by bullets. The fact that software and software companies suffer just as much from all manner of project bloat, vaporware and half-baked products, and missed deadlines is testament to that fact. Code solves problems, but problems can be solved without code. Moreover, just because code addressing a problem exists, does not necessarily mean the problem is solved now and forever.

    Ethereum has been only modestly less-hyped and exceedingly more ambitious than bitcoin, and both have yet to make a considerable or reasonable dent in any one of their auspices and there are plenty of people out there who, quite reasonably, believe that some if not all of those goals/tokens/ethos are antithetic.

    Castillo isn't your slaver and no amount of code will or even can make her fuck off as such. Well, without voiding a plain-letter reading of the Constitution, anyway.

