Humans are the biggest problem with this $150 million virtual-company experiment

By Ian Karr for QZ.com

Of course, the biggest problem behind a revolutionary new investment fund dictated by computer code could well be human nature.

According to a research report from cryptocurrency entrepreneur Dino Mark, ethereum researcher Vlad Zamfir, and Cornell University professor Emin Gün Sirer published May 27, the Distributed Autonomous Organization (DAO), a new crowdfunding project that’s raised more than $150 million, may create loopholes for scammers that could lead to major security concerns down the road.

The DAO is a computer program built by Simon and Christoph Jentzsch that doubles as an investment fund. It lets users invest their money into the investment vehicle, which will pick companies to invest in by gathering votes from investors who hold DAO tokens. Built on the ethereum blockchain—a platform for secure transactions—it has quickly become the biggest crowdfunding project in history and led to a short price surge for ethereum’s virtual currency, ether. As Quartz’s Joon Ian Wong wrote: “think of it as venture-capital firm Andreessen Horowitz, but with Marc Andreessen and Ben Horowitz replaced by the wisdom of the crowd.”

The idea behind the DAO, in part, is to limit the amount of human intervention in the investment process using smart contracts, computer code that execute agreements automatically and which is built into ethereum. But, as the report notes, humans are still integral to the DAO. Investors need to vote “yes” or “no” for projects up for funding, their votes weighted by how much they’ve invested in the DAO. If a majority of votes are “yes,” then the project will get funding from the DAO. If a project fails to collect “yes” votes representing a majority, the project isn’t funded and tokens are returned.

But, the way the program is designed now essentially deters individuals from voting against a proposal.
Here’s why: after someone votes for a proposal, the DAO doesn’t allow them to leave the DAO or sell their tokens until after the vote is finished, according to the paper. For “yes” votes, this isn’t a big deal—they’ve already committed to risking their DAO tokens, and they just get them back if the project isn’t funded.

But if you don’t think a proposal is worthwhile, you have a tough problem: do you vote “no” and risk the project passing and your having to fund it as a member of the DAO? Or do you abstain from voting and cash out your tokens rather than fund a project you don’t agree with? The researchers suggest that investors might only vote “no” at the point when it’s clear that the project won’t get funded.

This structural bias against “no” votes also increases the risk that a scammer hijacks a vote. The researchers explain a possible scenario where some DAO holders mobilize to exploit others via a proposal to pay themselves from DAO funds:

A sufficiently large voting bloc can take advantage of this reticence by voting “yes” at the last possible moment to fund the proposal. Such attacks are very difficult to detect and defend against because they leave little to no time for the DAO token holders to withdraw their funds. Among the current DAO investors, there is already a whale who invested 888,888 ether. This investor currently commands 7.7% of all outstanding votes in the DAO. For a proposal that requires only a 20% quorum, this investor already has 77% of the required “yes” votes to pass the proposal, and just needs to conspire with 2.3% of the token holders, in return for paying the conspirators out from the stolen funds.

The paper outlines other ways that DAO investors could be vulnerable to security attacks and ransomware. The researchers suggest a moratorium on launching the DAO until these holes are patched up, but it’s unclear whether that will happen.