A blockchain 'smart contract' could cost investors millions

By not studying the code implementing a smart contract, investors have exposed themselves to a multimillion-dollar loss

Investors in a "smart contract" built on the Ethereum blockchain platform may have lost cryptocurrency worth millions of dollars because they missed a loophole in the contract's fine print.

The contract was written in Ethereum's Solidity programming language, and the fine print was the code that set out the rules for investing in, operating, and withdrawing from a crowd-sourced venture capital fund called The DAO (The Distributed Autonomous Organization).

Ethereum, like other blockchains, is a distributed public ledger, or record of transactions. Where the bitcoin ledger records bitcoin transactions, the Ethereum blockchain records transfers of a cryptocurrency called Ether. But there's more: Ethereum is also a platform for running smart contracts. Its creator, the Ethereum Foundation, describes smart contracts as "applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference."

In some respects, that's turning out to be true: The contract for The DAO did run exactly as programmed -- although not, perhaps, exactly as intended.

One canny investor appears to have spotted that the contract did not always run exactly as other investors expected. On Friday, that investor used a loophole to divert The DAO's store of Ether to another account, a "child" of The DAO. Under the terms of the contract, it can't be withdrawn from the child account until after a waiting period of 27 days. But after that, in theory, there is no stopping it: On Ethereum, code is law.

The loophole, known as the "recursive call vulnerability" or the "race to empty," had been spotted in a number of Ethereum smart contracts and publicized more than a week earlier. Slock.it, the developer of the framework used to build The DAO, said on June 12 it had patched its code and urged The DAO to adopt the new version -- but also said that other factors prevented the loophole from being exploited in The DAO.

"This is not an issue that is putting any DAO funds at risk today," Slock.it founder Stephen Tual wrote on the company blog.

As it turned out, those other factors did not protect The DAO.

Exploiting the loophole involved recursively calling the code that allows an investor to cash out of the contract. The code would first make the payout but would debit it from the investor's available funds in a later operation. So if the code were called again before the debit operation took place, the same sum could be paid out over and over. It's a bit like asking a bank teller for all the money in an account, taking the cash -- and then asking again for all the money in the account, before the teller gets a chance to update the balance.

Whether that counts as fraud depends on whether, as an investor, you expected your investment to be handled in the spirit of some kind of social contract or according to the letter of the smart contract.

If not fraud, then how about a hack, as some have called it?

"I'm not even sure that this qualifies as a hack," Cornell University Associate Professor Emin Gün Sirer wrote in a blog post analyzing The DAO's troubles. "To label something as a hack or a bug or unwanted behavior, we need to have a specification of the wanted behavior. We had no such specification for The DAO. There is no independent specification for what The DAO is supposed to implement."

All that is bad enough for The DAO's investors, whose funds are on the way out the door, but it presents an existential problem for Ethereum.

More than one-tenth of all the 81.2 million Ether in existence was invested in that one fund. The resulting crisis in confidence has caused the value of Ether as a whole to collapse, from $20.51 per Ether on Thursday to $11.81 Monday, wiping $700 million off the book value of the Ethereum economy.

To restore confidence and provide an opportunity for The DAO investors to recover their money, the Ethereum Foundation has proposed changing the underlying rules, introducing the equivalent of a constitutional amendment to freeze the account to which The DAO's funds were diverted.

"This will provide plenty of time for discussion of potential further steps, including to give token holders the ability to recover their ether," Ethereum co-founder Vitalik Buterin wrote on the foundation's blog.

The foundation can't impose its solution: It requires those operating the computers that run the distributed system -- the equivalent of bitcoin's miners -- to decide whether to adopt the changed code: If a majority of them do, then the proposal will take effect.

In one sense, Ethereum's founders are damned if they do, and damned if they don't. They can pander to The DAO's investors' interests, interfering in the contract and thus undermining Ethereum's bedrock principle that smart contracts will run exactly as programmed, without third-party interference. Or they can do nothing, standing and watching as The DAO's collapse brings confidence in the rest of the platform crashing down around it.

For The DAO investors in particular, it's the ultimate test of whether they truly want to be part of a decentralized economy, with no central authority to judge and to impose redress.

Peter Sayer

IDG News Service