Ethereum Might Betray the Blockchain to Recover From a $56M Hack
By Motherboard
Bitcoin rival Ethereum, which has been called the ‘World Computer’ because of its dual function as a currency and a coding platform, is thought by many to be the next evolution in digital financial systems. The system has grown quickly, and gained millions of dollars in support from its users. But on Friday, the system faced its first major challenge in the form of an attack that siphoned away more than $56 million USD of users’ money (as of this writing) from one of its biggest projects to date, after hackers managed to exploit a loophole in its code.
The value of the Ethereum currency, called ether (ETH), has since fallen about 25 per cent.
Now, Ethereum is at a crossroads, since the only way to return the funds might be to violate the core principles of not just Ethereum, but all blockchains.
On Friday at 03:34:48 UTC, a user (or multiple users) began exploiting a broken function in the Democratic Autonomous Organization (or DAO)’s withdrawal code. A DAO is a bit like a crowdsourced investment fund that is governed by code. Users can invest money into the fund, which is then tracked by the internal ledger, the Ethereum blockchain. In return, investors in the DAO get tokens that give them voting rights on what the organization does with its money. When investments turn a profit, users can decide on whether to distribute the money as a reward in the form of ether, or put the money back into the central fund.
The user leveraged a bug that allows them to withdraw multiple instances of ether from a single amount of DAO token—a bug which was said to be fixed on Monday.
You have to give credit to the transparency of the blockchain network. Other users participating in the DAO noticed the withdrawals early into the attack, but they had no way to stop it. Ether was withdrawn in 258 ETH chunks and eventually totalled 3,641,694 ETH, currently worth $56 million, before there were measures put in place to halt the thief.
Trading is now closed at the major ether exchanges, and due to the mechanics of the DAO, stolen funds are trapped in another, smaller DAO controlled by the attacker (what’s known as a ‘child DAO’) for 27 days. Now, the community and creators have some time to catch their breaths, and determine the reaction of the entire Ethereum system.
These events have put the fundamental promises of the blockchain system into question. The thief would be stopped by what is known as a “soft fork”, a software patch that would block the withdrawal of the funds from the child DAO. Vitalik Buterin, Ethereum’s creator—who’s also sometimes the focus of a cult of personality—had to step in and design the change.
What are the next steps?
There are mounting calls for a “hard fork” in the Ethereum code, especially from the creators of this DAO, Slock.it. This fork would roll back changes to the ledger and return the money from the thief. Other solutions would have them keep the money.
Stephan Tual, Founder and COO of Slock.it, went to Twitter to make the case for the rewind of the system to restore the money.
1/3 TL;DR #theDAO attack: a hardfork will retrieve all stolen funds from the attacker.
— Stephan Tual (@stephantual) June 17, 2016
But that goes against the principle of immutability, one of the features and benefits of the blockchain system. Proponents of the blockchain’s use in the form of smart contracts point to the fact that you can’t change a contract after it’s been decided upon by the network—this is what gives the blockchain the radical transparency that’s lauded by advocates.
Once something happens, it’s on record forever.
https://twitter.com/Couchmaster3000/status/743814687293333504?ref_src=twsrc%5Etfw
It’s worth noting that some critics have already come out as saying that the entiresmart contract system—the code that governs the DAO—was foolish and doomed to fail. Dogecoin creator Jackson Palmer noted on Twitter that the DAO’s collapse was “inevitable,” and linked to an article on social sharing site Steemit that described smart contracts as “incredibly dumb.”
“Unlike normal contracts which can be interpreted by smart people,” the post states, “smart contracts are interpreted by computers. Computers are dumb. They can only do what they are told.”
The design of the DAO uses a quorum voting structure where 20 percent of stakeholders need to agree on any decisions that change the network. If the ledger can be modified in this circumstance, what’s stopping future decisions from being recalled?
And so the debate begins.
First appeared at Motherboard Vice