Everyone’s imagination was grabbed by Slocks, the Universal Sharing Network, the Ethereum computer. A new decentralized and autonomous future was promised with smart contracts, DAOs and a sharing economy. People flocked in tens of thousands, raising more than $250 million at its peak to only see it crash and burn.
“There are so many attack vectors some of them cancel each other out” said Emin Gün Sirer weeks prior to the spectacular theft of more than $50 million with the rest up for grabs. In contrast, Stephen Tual, one of the founders of the DAO, stated just days before the hack that the recursive bug “is NOT an issue that is putting any DAO funds at risk.” Praising the team as “blessed” with the “Father of Solidity” acting as an advisor, Tual stated in a post titled “No DAO funds at risk”:
“We promptly circumvented this so-called “recursive call vulnerability” or “race to empty”.”
One month prior to the crowd sale, Tual posted the results of a DAO audit by “Deja Vu Security” which he praised by stating that “to say the quality of their work is top notch is an understatement.” He concluded:
Join CCN for $9.99 per month and get an ad-free version of CCN including discounts for future events and services. Support our journalists today. Click here to sign up.
“[N]o stone was left unturned during those five whole days of security analysis.”
We now know that many bugs were hiding under many unturned stones. There were warning signs which, with the benefit of hindsight, should have been highlighted more strongly. Particularly the Slock.it proposal, which had as good as no content, with the text presented in a large font size and lacking any numbers.
Their painting of Zamfir or Sirer as out to get the DAO, or Tual’s and his team’s dismissal of their warning as “a curator going around saying the DAO is broken,” instead of seeking their counsel and taking urgent measures under their direction and in collaboration, should have sent alarm bells.
They fully dismissed the concerns, responding to our question of what was going on with a meme which read “curators” while ignoring further questions:
That said, the curators are not without blame. Gavin Wood, resigning as a curator on May the 13th, half-way through the crowdsale with tens of millions raised, stated that “[t]he “curators” are not founders and being a “curator” should not be taken as an endorsement of the DAO.”
Suggesting that at least some may have seen the stellar line up as a comforting sight and may have assumed that the curators had carried out full analysis. Wood admits as much, stating that “the use of the term “curator” is rather misleading” after arguing that his understanding of the role of the curator was limited to only “identity verification primarily because it is autonomous: it needs nothing more!”
We now know that it needed a lot more and that at least one of the curator had probably not even looked at the code. Responding to Tual criticizing his call for a moratorium, Vlad Zamfir stated:
“After the DAO’s crowd funding event became unexpectedly large and I could no longer ignore it, I started doing due diligence.”
Undoubtedly such due diligence would have assisted prior to the crowdsale, instead of being published a day before it ended. The same, however, can be said of the 20k users who entrusted more than 12 million Ether to a brand new and highly experimental concept in a 30 days frenzy without carrying due diligence. The same can be said of all Ethereans and the wider digital currency ecosystem who said nothing until the sale was over.
In a way, this was a collective failure and we are all to blame. Some more than others, but, with hindsight, few escape the pointed finger. Although some will accuse the slock.it team of undue motives, it may well be the case that a dream got out of hand and everyone was caught off-guard like a rabbit in the headlights with their primary mistake being a failure to put a cap which turned the project from a slockit DAO to a conceptually completely new and previously unanalyzed semi-decentralized venture capital fund with a bug bounty in the hundreds of millions waiting to be claimed by anyone in the entire world.
That everyone wanted a part of slockit or the ethereum computer is hardly a mortal sin. That everyone was busy with other projects instead of carrying out audits of the DAO is hardly blameworthy.
But it is a wake-up call and perhaps it is time that we in the entire digital currency community finally learn the lesson and say: Never Again. That we will not tolerate amateurism with our money. That we expect the highest scrutiny with security audits from acknowledged experts in the digital currency field. That we expect professionalism at all levels, including accountability to the media instead of ignoring tough questions.
We should take time to reflect on the hard learned lessons and channel any anger that there may be towards building structures for a better future where such things can be avoided by rewarding a professional approach while strongly criticizing any sign of amateurism with our hard earned money.
The usual way that is done is by the digital currency industry forming a self-regulating body, thus avoiding primary regulations from legislators which, depending on how the situation will be resolved, may now be looking to see whether they should intervene. Such a body would only be advisory, laying down guidelines and scrutinizing projects that request its endorsement, setting audit and disclosure standards. As it would be voluntary, there aren’t many downsides and although it certainly won’t prevent all failures, it may prevent at least some or the more spectacular crash and burns.
This isn’t 2010 or 2013 anymore. We are on the world stage now with billions on the line. It is time for the entire system to grow up and mature from its toddler years and turn this potential tragedy into an opportunity to build a much stronger ecosystem.
A few M per year for basic research on blockchains seems like a small price now, doesn't it?
— Emin Gün Sirer (@el33th4xor) June 17, 2016
Images from Shutterstock and DAO.