Saturday, June 18, 2016

Ethereum/TheDAO hack simplified

The news in the Bitcoin world is the Ethereum/DAO hack. I thought I'd write up a simplified explanation.

What is Bitcoin?

I'm sure you know, or have an idea what Bitcoin is, but I'll explain it again in terms that are important here.

Bitcoin is just a public ledger (the "blockchain") of every transaction there ever was. This ledger is huge (80 gigabytes) and growing, but Moore's Law says computers grow even faster, so that shouldn't be a problem.

Each entry in the ledger says to move the coins received in these previous entries, and give them to this recipient. In other words:
move these coins I received there, to this guy here
In the future when that guy spends the coin in a new transaction, he'll refer back to this transaction here. That's why it's called a "chain" -- every transaction refers to a previous one, back to the original creation of the coins.

Actually, these transactions aren't fixed as simply moving money around. Instead, each output carries a small script, written in a Bitcoin-specific stack language that can do things like add and compare numbers (the multiplication and division opcodes were disabled early on), and whoever later spends that output has to supply the input that makes the script succeed. However, it's not a full programming language. It can't call functions or execute loops, so a script always finishes in a bounded number of steps. It's complex enough to allow some creativity, such as requiring several signatures so that a transaction can be escrowed by a third party, but it can't do much more than that.
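To make the chain-of-references and the script idea concrete, here is an added example (my own, not code from the original post or from Bitcoin itself): a toy ledger of unspent outputs with a cut-down stack interpreter. The opcode names are Bitcoin's, but hashing and signature checks are omitted, so the locking scripts are arithmetic puzzles rather than real ownership checks, and the transaction ids and amounts are constructed sample data.

```python
# Added example, not from the original post: a toy UTXO ledger with a
# Bitcoin-style stack script, showing how each transaction points back at an
# earlier output and how that output's script decides who may spend it.
# Opcode names follow Bitcoin's; hashing and signature opcodes are left out,
# so the locking scripts here are plain arithmetic puzzles (constructed data).
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Output:
    value: int
    locking_script: str      # scriptPubKey: the condition for spending this coin

@dataclass(frozen=True)
class Input:
    prev_txid: str           # the earlier transaction this coin came from ...
    prev_index: int          # ... and which of its outputs
    unlocking_script: str    # scriptSig: the spender's answer to that condition

@dataclass(frozen=True)
class Transaction:
    txid: str
    inputs: tuple[Input, ...]
    outputs: tuple[Output, ...]

class ScriptError(Exception):
    """An opcode the language doesn't have."""

def run_script(script: str, stack: list[int] | None = None) -> list[int]:
    """Execute a straight-line script: every word runs once, there are no jumps."""
    stack = [] if stack is None else stack
    for word in script.split():
        if word.lstrip("-").isdigit():         # a number literal pushes itself
            stack.append(int(word))
        elif word == "OP_DUP":
            stack.append(stack[-1])
        elif word == "OP_ADD":
            stack.append(stack.pop() + stack.pop())
        elif word == "OP_EQUAL":
            stack.append(1 if stack.pop() == stack.pop() else 0)
        else:                                  # no OP_LOOP, no OP_CALL: they don't exist
            raise ScriptError(f"unknown opcode {word}")
    return stack

def script_succeeds(unlocking: str, locking: str) -> bool:
    """Bitcoin runs scriptSig first, then scriptPubKey on the stack it left behind."""
    try:
        stack = run_script(locking, run_script(unlocking))
    except (ScriptError, IndexError):          # IndexError here is a stack underflow
        return False
    return bool(stack) and stack[-1] != 0

class Ledger:
    """The unspent outputs: a spend removes entries, the spending tx's outputs add new ones."""

    def __init__(self, coinbase: Transaction) -> None:
        self.utxos: dict[tuple[str, int], Output] = {}
        self._add_outputs(coinbase)

    def _add_outputs(self, tx: Transaction) -> None:
        for index, out in enumerate(tx.outputs):
            self.utxos[(tx.txid, index)] = out

    def apply(self, tx: Transaction) -> None:
        """Validate everything before mutating, so a rejected tx leaves no trace."""
        available, keys = 0, [(inp.prev_txid, inp.prev_index) for inp in tx.inputs]
        if len(set(keys)) != len(keys):
            raise ValueError("same output spent twice in one transaction")
        for inp, key in zip(tx.inputs, keys):
            prev = self.utxos.get(key)
            if prev is None:
                raise ValueError(f"{key} does not exist or is already spent")
            if not script_succeeds(inp.unlocking_script, prev.locking_script):
                raise ValueError(f"{key}: script rejected the spend")
            available += prev.value
        if available < sum(out.value for out in tx.outputs):
            raise ValueError("outputs exceed inputs")
        for key in keys:
            del self.utxos[key]
        self._add_outputs(tx)

def demo() -> dict[str, object]:
    """Constructed sample chain: a coinbase, one valid spend, then four attempts on it."""
    ledger = Ledger(Transaction("tx0", (), (Output(50, "OP_ADD 7 OP_EQUAL"),)))
    tx1 = Transaction("tx1", (Input("tx0", 0, "3 4"),),
                      (Output(30, "OP_DUP OP_ADD 10 OP_EQUAL"), Output(20, "9 OP_EQUAL")))
    ledger.apply(tx1)
    results: dict[str, object] = {"after_tx1": sorted(ledger.utxos)}
    attempts = {
        "double_spend": Transaction("tx2", (Input("tx0", 0, "3 4"),), (Output(50, "1"),)),
        "wrong_answer": Transaction("tx3", (Input("tx1", 0, "4"),), (Output(30, "1"),)),
        "loop_opcode": Transaction("tx4", (Input("tx1", 0, "5 OP_LOOP"),), (Output(30, "1"),)),
        "valid_spend": Transaction("tx5", (Input("tx1", 0, "5"),), (Output(30, "1"),)),
    }
    for name, tx in attempts.items():
        try:
            ledger.apply(tx)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    results["final"] = sorted(ledger.utxos)
    return results
```

demo() walks the constructed chain: tx1 spends the coinbase output by supplying `3 4` to the locking script `OP_ADD 7 OP_EQUAL`, after which a second spend of the same output, a wrong answer, and a script using a non-existent `OP_LOOP` are all rejected, while the correct answer is accepted. Real Bitcoin adds script size limits on top of this and disables the multiplication and division opcodes, which is why its scripts are cheap to validate and cannot loop.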

What are alt-coins?

After Bitcoin took off, other people started to create their own variations.

Most of these variations have offered no meaningful improvement over Bitcoin. They instead are just popular among speculators who pump and dump, hoping to buy in at a low price and sell to some fool at a higher price.

There are only two alt-coins that have actually made an improvement: ZeroCoin and Ethereum. ZeroCoin works by making transactions anonymous. Ethereum is the alt-coin that is being discussed here.

What is Ethereum?

Ethereum is a variation of Bitcoin that uses a full (Turing-complete) programming language instead of a simple scripting language. The reason for this is that Ethereum supports smart contracts: programs stored on the blockchain that hold coin and whose own code decides when, and to whom, it gets paid out.

Let's say we want to organize a small conference. We need 100 people to sign up and pay a deposit, so we can rent a hotel and such. But if not enough people sign up by a certain date, the deposits need to be refunded. With Ethereum, we can write this contract in a JavaScript-like language. It'll guarantee that either everyone gets a ticket to the conference or everyone gets their money refunded, depending on how many sign up.

That's a simple example. The possibilities are endless, which has got a lot of people really excited. Which, of course, makes the believers insufferable among non-believers in the system.

What is The DAO?

DAO stands for decentralized autonomous organization. It's notionally like the example above for getting funds for a small conference, except that it includes much more. Members buy shares in the DAO, and according to the number of shares they have, can vote on things. The dreamers have the idea they'll replace Democracy and run entire countries this way.

There are many types of DAOs on the Ethereum blockchain, but one in particular is TheDAO, which is some sort of DAO-based mutual-fund/investment-fund. You buy in, vote on which investments the fund should make, then reap the returns. It looks like a big organization, but it actually just runs as bits of code and data within the Ethereum blockchain.

This investment scheme has gobbled up 10% of Ethereum coins, or $100 million worth out of Ethereum's $1 billion ecosystem.

When you want to leave the fund, you split from it. This includes your share of unspent Ethereum coins, but also tokens representing returns on investments you were part of, but which haven't yet paid out. That's why you "split" rather than "cash out": you need your own DAO shard to track those investments until they pay out.

How did The DAO get hacked?

When a member exits the investment scheme, they call a function named splitDAO(). There are two issues.

The first is that the member can supply code of their own. The address that receives the payout may be a contract rather than a plain account, and sending Ethereum coin to a contract runs that contract's code, while the DAO's own function is still in the middle of executing. It's a necessary feature, and Bitcoin has an analogue: there, too, it's the recipient's script that decides how a coin gets spent.

The second issue is that Ethereum code is re-entrant (the "recursion" in the headlines). When one contract calls another, the called code may call back into the first contract before the original call has finished, so a function can end up running a second time inside itself.

The bug is in the order of operations. When splitDAO() is called, it first calls the recipient's code to transfer the Ethereum coin, and only afterwards records that the member's share has been paid out. The hacker's code, instead of simply returning, calls splitDAO() again while the books still show the full share as unpaid. That triggers another transfer, which calls the hacker's code, which calls splitDAO(), which calls the hacker's code, and so on. The process repeats until the hacker chooses to stop or the transaction runs out of gas (in which case the whole transaction reverts and nothing moves), so the hacker repeated it across many transactions, draining a large share of TheDAO's coin.
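An added example, my own model rather than TheDAO's code, of the bug just described and of the fix contract authors use today. The ledger, the two DAO variants, the attacker contract and the gas budget are Python stand-ins for their Ethereum counterparts, and every name and amount is an assumption: sending coin to an address that has code attached runs that code, the vulnerable split function pays out before it records the payout, the attacker's code re-enters it, and the fixed version swaps the two steps (the pattern Ethereum developers call checks-effects-interactions).

```python
# Added example, not TheDAO's code: a toy model of the splitDAO() reentrancy
# bug and of the checks-effects-interactions fix. The ledger, the contracts,
# the attacker and the gas budget are Python stand-ins; all names are assumed.
from __future__ import annotations

class OutOfGas(Exception):
    """Stands in for the gas limit that ends a real Ethereum call chain."""

class Ledger:
    """Account-model ledger (one balance per address, as on Ethereum)."""

    def __init__(self, call_budget: int = 1000) -> None:
        self.balances: dict[str, int] = {}
        self.code: dict[str, Attacker] = {}    # addresses that have code attached
        self.calls_left = call_budget

    def deposit(self, addr: str, amount: int) -> None:
        self.balances[addr] = self.balances.get(addr, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot pay {amount}")
        self.calls_left -= 1
        if self.calls_left < 0:
            raise OutOfGas
        self.balances[src] -= amount
        self.deposit(dst, amount)
        if dst in self.code:                   # sending coin to a contract runs its code
            self.code[dst].receive(self)

class VulnerableDAO:
    """splitDAO() as TheDAO had it, simplified: pay out first, update state after."""
    ADDRESS = "dao"

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.shares: dict[str, int] = {}

    def buy_shares(self, member: str, amount: int) -> None:
        self.ledger.transfer(member, self.ADDRESS, amount)
        self.shares[member] = self.shares.get(member, 0) + amount

    def split_dao(self, member: str) -> None:
        owed = self.shares.get(member, 0)
        if owed == 0:
            return
        self.ledger.transfer(self.ADDRESS, member, owed)   # external call first ...
        self.shares[member] = 0                            # ... bookkeeping too late

class FixedDAO(VulnerableDAO):
    """Checks-effects-interactions: zero the shares before the external call."""

    def split_dao(self, member: str) -> None:
        owed = self.shares.get(member, 0)
        if owed == 0:
            return
        self.shares[member] = 0
        self.ledger.transfer(self.ADDRESS, member, owed)

class Attacker:
    """Member whose payout code re-enters splitDAO() before the first call returns."""
    ADDRESS = "attacker"

    def __init__(self, dao: VulnerableDAO) -> None:
        self.dao = dao
        self.receive_calls = 0

    def receive(self, ledger: Ledger) -> None:
        self.receive_calls += 1
        owed = self.dao.shares.get(self.ADDRESS, 0)   # still unpaid, says the buggy DAO
        # Balances are public, so the attacker stops before the DAO runs dry rather
        # than let the transaction fail or run out of gas, which would revert it all.
        if owed and ledger.balances[self.dao.ADDRESS] >= owed:
            self.dao.split_dao(self.ADDRESS)

def run_attack(dao_cls=VulnerableDAO, honest: int = 90, stake: int = 10,
               call_budget: int = 1000) -> dict[str, object]:
    """Fund a DAO with an honest member and an attacker, then let the attacker split."""
    ledger = Ledger(call_budget)
    dao = dao_cls(ledger)
    ledger.deposit("honest", honest)
    ledger.deposit(Attacker.ADDRESS, stake)
    dao.buy_shares("honest", honest)
    dao.buy_shares(Attacker.ADDRESS, stake)
    attacker = Attacker(dao)
    ledger.code[Attacker.ADDRESS] = attacker
    snapshot = (dict(ledger.balances), dict(dao.shares))
    reverted = False
    try:
        dao.split_dao(Attacker.ADDRESS)
    except OutOfGas:                 # a real EVM reverts the whole transaction
        ledger.balances, dao.shares = snapshot
        reverted = True
    return {"dao_balance": ledger.balances[dao.ADDRESS],
            "attacker_balance": ledger.balances[Attacker.ADDRESS],
            "receive_calls": attacker.receive_calls, "reverted": reverted}

if __name__ == "__main__":
    print(run_attack(VulnerableDAO), run_attack(FixedDAO), run_attack(VulnerableDAO, call_budget=5))
```

run_attack(VulnerableDAO) leaves the DAO at 0 and the attacker holding the honest member's 90 plus his own 10 after ten nested calls; run_attack(FixedDAO) pays the attacker exactly his 10, because the re-entered call sees zero shares and returns. Passing call_budget=5 shows the other constraint on the attack: if the nesting outruns the gas limit, the whole transaction reverts and the attacker gets nothing, which is why the nesting depth had to be sized to the gas available and the theft carried out over many separate transactions.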

When you split like this, the rules still force you to wait 27 days before you can move the Ethereum coin out of your new DAO shard. Thus, the hacker doesn't actually have use of it for another month.

How can they recover the stolen money?

They can't -- at least not without destroying the entire principle of cryptocurrencies. It's like trying to cure cancer with a Howitzer.

One solution is to roll-back the blockchain before the theft. Of course, that means screwing over everybody who made a transaction since then. You'd be screwing people out of $1 million in order to compensate the theft of $100 million. This is, of course, the type of corrupt thinking that gets us into banking failures in the real world, as we screw over everyone else in order to protect those banks who are too big to fail.

Another solution is to update the Ethereum code to blacklist this address, or better yet, insert a magic key that will give control over those funds back to TheDAO.

The problem with changing the code is that it can fork the blockchain. Transactions are added to the chain by miners, a decentralized group of people. It can include you, if you want to run mining software on your computer. Miners who update to the changed code will be enforcing different rules than those who don't. If the change only tightens the rules (a soft fork), the old software still accepts the new blocks, so the chain repairs itself once a majority of the mining power has updated. If the change produces blocks the old software rejects (a hard fork), the two groups end up on two irreconcilable chains.

What does this all mean?

I'm a crypto-anarchist. The entire point of cryptocurrencies is to get around corrupt humans. And that's what trying to repair this problem is: corruption. It's a violation of TheDAO's own contract, which says the code is the contract, not to be superseded by human re-interpretation. It's tacit acknowledgement that TheDAO deserves special treatment that would not be given to smaller makers of contracts that have similar recursion bugs. That the miners vote on it (by choosing which software to run) is beside the point; nobody without Ethereum's favoritism would be able to get miner consensus. It's a profound betrayal of trust that those maintaining the code would even consider helping TheDAO.

Obviously, the complexity of Ethereum is a huge security issue that will likely be repeatedly exploited in the future. This "recursion" (re-entrancy) issue demands that everybody writing contracts write code extraordinarily carefully: any call out to another address can come back into your contract before it returns, so a contract must finish updating its own state before it makes such a call, and must never assume that a check made before the call still holds afterwards. In hindsight, it's obvious that re-entering a contract mid-call shouldn't have been an allowed feature, but it likely can't be removed now without a hard fork. Also, in the future, we'll likely see additional problems as dangerous as this one.

The fascinating thing now is that in the past, people hired lawyers to review complicated contracts. In the future, they'll need to hire hackers. After a contract is signed, I'm now motivated to hire a very good hacker that will keep reading the code until they can find some hack to my advantage.

In any case, the original concept of TheDAO is useless utopian nonsense. The original Bitcoin was created by people who actually understood a lot about currency. TheDAO was created by people who are hopelessly naive about investing, who then put the system in the hands of trained monkeys. This isn't "wisdom of the crowds", as they proposed, but "ignorance of the mob". If the hacker hadn't put a stop to this nonsense, it would have slid into some sort of Ponzi scheme, getting its creators arrested a couple years from now.

Update: The hacker is bribing the miners not to fork [*], by promising to give the miners a third of the ether he took. This is possible with the protocol: a transaction can take money from the blacklisted address and donate it directly to whoever mines the block, as a sky-high transaction fee. Choosing to fork would mean forgoing these payments. Thus the hacker has a corrupting power of his own to counterbalance that of Ethereum's maintainers.


Official statement by Ethereum code maintainers declaring their intention to blacklist/soft-fork

More detailed walk through of splitDAO()

Bloomberg "Smart contracts were dumb", a cool look at the issue


josephjpeters said...

This is incorrect:

"One solution is to roll-back the blockchain before the theft. Of course, that means screwing over everybody who made a transaction since then. You'd be screwing people out of $1 million in order to compensate the theft of $100 million."

Ethereum has balances while Bitcoin has Unspent Transaction Outputs. In order to "rollback" the Bitcoin blockchain you have to rollback every transaction. With Ethereum, you can change the balances of certain accounts without touching the balance of others. This can only happen if consensus is met which is through the miners accepting (or rejecting) a hard fork.

Obviously changing the blockchain is against the immutable nature of the technology, but it's been done before. In 2010 Bitcoin ran into a bug that caused the number of coins in circulation to increase excessively. The team behind Bitcoin performed a hard fork (one that actually reverted a large chunk of the blockchain) to restore it to its correct state. The same will happen with Ethereum.

Martin said...

And what does it mean for the ethereum currency? Why should people use it when there's bitcoin or zerocoin?

antifragile said...

"One solution is to roll-back the blockchain before the theft. Of course, that means screwing over everybody who made a transaction since then. You'd be screwing people out of $1 million in order to compensate the theft of $100 million."

- incorrect statement, with ethereum you're not rolling back transactions at all.

Anonymous said...

I imagine the LangSec community would have some harsh words for the Ethereum developers right now. Given the nature of "smart contracts" to immortalize code bugs as contractual obligations, empowering them with Turing-completeness seems like an absolutely terrible idea. Finding bugs in programs of any significant complexity is a matter of when, not if; it's completely unsurprising that TheDAO's code would fall to this.

Daira Hopwood said...

I think you probably mean Zcash rather than Zerocoin. The Zerocoin protocol was refined and made more efficient to become the Zerocash protocol, which is being implemented (with some necessary security fixes) as the Zcash currency.

Declaration of interest: I'm a Zcash developer.

Unknown said...

It's important to remember that currency and capitalism are inventions, i.e. they're just technologies concocted to serve a purpose. Like all inventions, we tweak them when we find ways to make them better.

In the case of Ether, the idea that the community can decide to tweak to undo a large-scale theft is a feature, one that gives the currency a potential for stability and safety we didn't think about before. We could create an institution, if we so desire, that would make a decision about when to use this feature.

It would be nice to get humans out of our transactions so that we can protect the transactions from human corruption, but unfortunately the transactions are being made for the benefit of humans in the first place. If one's "principle" requires that a crime go forward without resistance in order to keep the technology "pure", perhaps the "principle" needs review. After all, "principles", like technologies, are generally meant to benefit humans, aren't they?

Unknown said...

The use of a blockchain fork to reverse large-scale fraud in a contract is not a fix, it is SUICIDE! WHO DECIDES what is remarkable enough for a reversal? Who decides what is fraud? Who decides, for example, if funds in a WikiLeaks account must be reversed, nulled or seized? Did you ever have a claim with PayPal or any credit card operator? They simply steal your money. Do you want a blockchain able to implement a chargeback? We already have beautiful traditional Jurassic banks for that.
Do not confuse "THE DAO" with "ETHEREUM": the DAO is a service within Ethereum, and the solution MUST be found within the DAO with absolutely no changes to Ethereum. The blockchain should be preserved in almost all cases, apart from any intrinsic issue in its mechanism. When more stable and secure contracts come to light, there will be many attempts to reverse transactions by governments, agencies, powerful people and so on. Ethereum is a transnational dream; do not transform it into a nightmare.
