Ethereum’s fork in the road

Tom Teman
6 min read · Jun 18, 2016


You heard of bitcoin, right? I’m gonna assume you did, and that you are familiar with the concept of the ‘blockchain’. Basically, it’s a single global ledger maintained by “miners” and populated with all bitcoin transactions.

Besides being able to move money from place to place, bitcoin gave rise to a plethora of ideas of how to utilize the blockchain to store additional metadata. One such concept was colored coins, “The Open Source Protocol for Creating Digital Assets On The Bitcoin Blockchain”. It allows people to transfer ownership over assets using the blockchain (you own coin X? That means you own property X).

Lots of other such blockchain-utilizing projects came to life, but they all felt lacking, mainly since the blockchain wasn’t designed for such use and there were performance issues.

Smart Contracts

The potential of the blockchain was gaining more and more traction, and at some point the Ethereum project was born.

Instead of a global ledger, we are now looking at a global singleton. It runs on its own blockchain, since the bitcoin blockchain isn’t suited for the functionality we need when talking about smart contracts.

Ethereum runs code in a decentralized manner.

The coin used by the Ethereum network is called Ether (ETH for short), and you can think of ETH as the “gas” which fuels the network. Miners, which actually run the global singleton instance (just like BTC miners that verify transactions), are paid in ETH from the contracts uploaded to the Ethereum network.

Anyone can create a contract and upload it to the Ethereum network; they just need to make sure it has ETH flowing into it somehow (either pre-uploaded, or by expecting those who use the contract to supply it), otherwise the miners won’t keep computing it.

TheDAO

One of the first major decentralized applications (Dapps) to use the Ethereum network was Augur. It presents itself as a prediction tool, but in reality it’s a gambling app which allows anyone to set up a gamble (e.g: “Will Hillary Clinton win the nomination?” “Will it rain on November 3rd, 2016 in Madrid?” “Will aliens contact us by the end of 2020?”), and other people to take part in the action. It does have that cool wisdom of the crowd thing going for it, but let’s face it — at the end of the day it’s a gambling app.

Augur was working great and everyone was having a blast. A few other interesting Dapps came to light, and then TheDAO was born. It had a very ambitious goal — create a decentralized hedge fund.

Everyone invests by buying DAO tokens using their ETH, the DAO smart contract is uploaded to the Ethereum network (just like any other Ethereum contract), and from that moment on, anyone can vote on where the DAO hedge fund will invest its money, where the number of DAO tokens that you possess translate to your relative voting power. Everything still runs using ETH for gas.

It was the largest crowdfunded project in history. $150 million USD worth of ETH was invested by people around the world.

Be careful what you wish for

And then, on June 17th, 2016, “tragedy” struck.

A hacker found a vulnerability in TheDAO contract, and was able to siphon approx $40 million USD worth of ETH before the company behind TheDAO pretty much pulled the plug on it (they asked people to DDoS the system while they scrambled to find a solution).

Thanks to the protections built into TheDAO, those funds must sit in a wallet for 27 days before the hacker can take them out.

Keep in mind there wasn’t a bug in the Ethereum protocol. Ethereum worked as designed. The bug was in TheDAO smart contract. It was simply not airtight enough.

And now the Ethereum community is having lively debates — should they try to fork in some manner and make sure the money never reaches the thief? Or should they let it play out as it did, and consider it a learning experience?

People are using phrases like “intent of the law”, etc., but even TheDAO terms and conditions state:

The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.

After all, if someone “steps in”, using phrases like “too big to fail”, well, that sounds too familiar to the financial system we already have in place today, so what’s the point?

Stepping in means that a fork (a change of the Ethereum code) will be “suggested” to all ETH miners out there, and if at least 51% of them accept it, then it will take place. Theoretically, anyone can suggest such a fork, but when it comes from the Ethereum Foundation itself, it tends to have much more sway. Not to mention that it is safe to assume most miners are invested in TheDAO themselves, so rejecting the fork will mean their ideological beliefs are so strong that they are willing to lose money over it. Fat chance in my opinion.

In any case, ETH obviously took a huge hit to its value, and dropped from an all-time high of $21 USD to about $10 USD (at the time of this post).

So what happens next?

In my opinion, this whole thing was inevitable.

It’s a shame that it happened on the largest Dapp out there, meaning that the thief will have such a large amount of ETH in his possession if “we let it slide”, which is bad for the ETH ecosystem. Also, due to the project’s size, the media attention is pretty big. On the other hand, it was probably also inevitable to happen on the biggest Dapp, since the large sums involved provide the biggest motivation.

I want to be mad at the hacker, but I can’t. I believe that in the bottom line, what he did is better for Ethereum. I said it was inevitable, but that is only true if Ethereum got big enough, so it’ll actually be valuable enough to hack. The fact that it happened means that Ethereum did pass that point, which is kind of a silver lining.

Did we really expect no one to ever write a contract with vulnerabilities in it? Ever?

In addition, the hacker didn’t do anything wrong. The code of TheDAO contract allowed his actions, making them “legal” by definition. To quote Futurama:

And isn’t that what smart contracts and decentralized apps are all about?

Shouldn’t code be king?

I’m not sure if the Ethereum community will fork or not. Perhaps even a hard fork is in order, making the Ethereum protocol more rigid, to prevent such recursive method calling vulnerabilities in the future. But I think that down the line, Ethereum will come out stronger. I mean, even Bitcoin had its “growing pains”:

On 6 August 2010, a major vulnerability in the bitcoin protocol was spotted. Transactions weren’t properly verified before they were included in the transaction log or “block chain”, which let users bypass bitcoin’s economic restrictions and create an indefinite number of bitcoins.[16][17] On 15 August, the vulnerability was exploited; over 184 billion bitcoins were generated in a transaction, and sent to two addresses on the network. Within hours, the transaction was spotted and erased from the transaction log after the bug was fixed and the network forked to an updated version of the bitcoin protocol.

Job description: financial security hacker

Assuming Ethereum will stick around, we will see FinTech security grow. Today’s hackers can make money using their skills, but usually it is in a roundabout way:

  1. Find 0-day exploit
  2. Sell to highest bidder, or use vulnerability to get money, but it takes a couple of additional steps
  3. Profit!

When you hack a smart contract, the money is simply there.

I estimate that in the future financial institutes will employ security experts to review smart contracts — both those they create and the ones they enter into.

In the meantime, if you sign an Ethereum contract (like TheDAO), I suggest you pay close attention to the code.

It’s the “fine print” of the 21st century.

Written by Tom Teman

#BUIDLing @ Ethereum Foundation, Account Abstraction (ERC 4337). Previously CEO and founder of Portis (acquired by ShapeShift)