The DAO breach and the surrounding dispute about restoring funds through a hard fork have dominated cryptocurrency discourse in recent weeks. Only Bitcoin's halving event came close to matching the attention. As Ethereum developers grapple with the fallout, two security researchers warn that today's incident may not be the last.
Christopher Allen co-authored the TLS security standard and serves as principal architect at Blockstream. He argues that the platform requires fundamental shifts to prevent similar breaches. When asked whether additional disasters would strike Ethereum, Allen responded, "I think they will if we don't move to more conservative approaches when significant money is involved. Both Ethereum and Hyperledger rely on code execution of relatively arbitrary code on multiple computers."
Emin Gün Sirer, a Cornell computer science professor who studies distributed systems, expects the platform to face additional major failures. "Writing good contracts has always been difficult," he stated. "Smart contracts are orders of magnitude more difficult to write, and there will probably be some spectacular failures ahead. The DAO was a wakeup call for improving the science of smart contracts, so we can avoid some of them."
Despite their concerns about future breaches, both researchers recognize Ethereum's role as a testing ground for distributed smart contracts. Allen values the platform's utility for experimentation: "I like that Ethereum with Solidity allows us to rapidly pilot various ideas and learn about problems not even discovered yet," said Allen. "But I am a long way from trusting it with a significant amount of money. For that community, a new, more limited language on top of the Ethereum Virtual Machine (EVM) may be a better choice."
He added that specific projects could offer more constrained alternatives. "Our (the #RebootingWebOfTrust) smart signatures project may be among those more specific, narrower, yet constrained solutions. At some point I could envision higher level tools passing smart signature proofs around as part of more complex smart contracts." Allen suggests that straightforward DAO structures for common applications could gain stronger security assurances. The harder challenges involve privacy, game theory, economics—issues that go beyond the code itself.
"Only then can we put multiple millions into a smart contract DAO," Allen said. He offers additional context: "To do what The DAO wanted to do (invest in projects and get a positive return on investment with minimal human intervention) — we don't even know how to reliably do so in the venture capital and investment world, so that may be an example of the kind of real problems to overcome."
Sirer argues that such disasters accompany the development of any new technology. "Had we backed down after Tacoma Narrows, we would not be able to span many of the bigger valleys with suspension bridges today," he stated. "We need to explore the boundaries, and expect occasional failures."
But these incidents only matter if the community extracts lessons from them. Sirer emphasizes the distinction: "The determining factor in the success of a technology is: Did the community take away a scientific lesson from a disaster? Were they able to enact meaningful changes that made that kind of disaster unlikely to happen?"
Sirer points to Bitcoin as a cautionary example. The Mt. Gox collapse offered lessons the community never fully embraced. "People still trust their money to exchanges, and we still continue to have thefts from opaque exchanges entrusted with far too much cash," he explained. "So, we can see that this pain point has not improved, and indeed, represents some kind of obstacle for more widespread adoption of the currency."
Exchange thefts have continued, but none have reached Mt. Gox's scale. The DAO could serve as Ethereum's defining moment. Smart contract attacks may recur, but they might not match the more than $125 million lost in this incident.
"I trust that the Ethereum community will not only take measures to fix The DAO hack (e.g. through a hard fork), but will also act to fund activities that will make similar failures less likely," Sirer concluded.