Thoughts on the DAO Security Proposal

I have concerns over Slock.it’s $1.5m (125k Ether) security proposal for the DAO. There is a danger of poor expenditure here that reminds me of the Bitcoin Foundation and the original Ethereum.

The principle may make sense. The DAO is handling a great deal of funds and contract changes need to be well tested and examined before deployment. Whilst the DAO is open source and will always have many informed eyes on it, I have no issue with there being someone assigned with a fundamental protective role over the smart contracts. Wladimir does this in a sense with bitcoin, unpaid I should add, but I’m not against someone being hired to do similar.

However, I think that’s as far as I’d want to go and this is why.

The DAO is a public, open source project. The very public nature of The DAO means that it gets a lot of attention from developers and will have plenty of input into proposed contract changes. Similarly, there will be plenty of critiques, both security and governance wise.

My main gripe is the amount of money. I’d suggest that it’s on the high side. Not only that, but it’s a 2 year contract in a currency which, if The DAO works, has a fair chance of rising very substantially. I would much rather this was charged in dollar equivalents. Even a 1 year contract has a fair chance of ending up worth more than planned, so any proposal should explain when ether will be converted, and should lengthen the engagement accordingly (or rather return ether) where the dollar equivalent turns out higher than originally planned. Similarly, if the ether rate collapses, the recipients can’t do their job properly.

Otherwise this is a gamble on exchange rates which favours the recipient much more than The DAO. This is fundamentally wrong. Recipients cannot be gambling The DAO’s money on the exchange rate.

Let’s look at what the proposal will cover:

DAO Framework 1.1: My only issue here is the fixed 10 week timescale. If we’re talking about a security upgrade, we can target a period, but release should only happen with acks from sufficient parties before The DAO votes. Security is not features, and time constraints work differently in that context. I also fail to see how this is >$120k of work when The DAO was a free, open source endeavour. 1.1 is not a major upgrade; it’s a set of fixes that, it could be argued, are only needed because the first release was rushed against the advice of some developers in the ethereum space.

Monitoring Unit: The blog post mentions 2–3 expert security analysts, including Christoph Jentzsch, monitoring and pre-empting attacks. I have a real problem with this. The DAO is a set of public smart contracts which will be tested and critiqued all down the line. If an economic attack starts happening, 1) it will be seen anyway and 2) what can they do about it that others couldn’t? If (when) a social attack starts happening, same thing. The suggestion is over $720k for a task I don’t see as needed, at least from what was described in the blog post.

Security is important of course, but I work with security people every day so my question is very simple — what are they actually doing in this case? I can see no justification for at least 90% of this charge (in fact 100% but just in case I missed something). Additionally, Christoph is a full time member and CTO of slock.it. He’s done great work on The DAO and I hope he continues to do so. If he pitched for a small stipend to help justify some spare time, whilst running Slock, I’d not be against it. It just isn’t realistic for him to be doing otherwise, let alone be included in the amount suggested here.

I’m already seeing people say — ‘security, yes, we need security!’ Well, that’s what smart contracts, open source and the clerks (to an extent) are for. When someone says security, they need to explain precisely what they mean. This is not a website or a corporate network: it is all done in public, where changes take time and must be voted in by the public.

Attack Analysis: Again, I think the community can do all this. We’ve already seen it. Bitcoin, for all its recent sins, has the same thing, as do other cryptocurrencies. If we want to pay for a formal analysis and suggestions, we can pay postgrads at the likes of Imperial or MIT a small sum to do formal research. If the pitch is to have e.g. Christoph arrange this, I’m good with that, but there’s not a lot of cost involved.

Monthly Report: This is all already public, I fail to see the need for this as it’s been described. It may make people feel good but not a lot more. Still, if a team were being paid on a monthly basis then some kind of monthly update makes sense but their work should all be public anyway.

Bug Bounties: As long as bounties are kept small and in keeping with bounties from other organisations, I have no problem with someone (or a small group) being responsible for organising and paying them. A little incentive is no bad thing in this respect. 30,000 Ether is a great deal for a bug bounty and should last a very long time. My concern is bounties will be set too high or for things that will be spotted anyway. That’s a management issue, however. Any bounty remaining if a contract expires should be returned to The DAO.

First point of contact for security disclosures: I’d argue that the nature of the project makes this difficult, since even to upgrade the contracts requires voting. However, I can understand having a point of contact if someone didn’t want to start out in the public domain. Still, this is not a private company and code changes can’t just be rolled out — unless that’s part of the proposal. The idea of having a support contact, as it were, isn’t the worst thing ever but I’m not sure it’s actually going to make much difference. People will still post on Reddit, they will still complain, and they may even complain harder since someone is being paid ‘to help them’.

Two Year Period: 2 years is too long regardless of my exchange rate issues.

External Code Audits: Code audits are valuable, and if a number of ethereum experts can be commissioned to review the code then I’m good with that. However, this should all be done by ethereum experts (not generic security companies), in public, for public amounts at reasonable day rates for a reasonable time period. Having someone manage the process makes sense, but every single part of this, including all auditor discussion, should be in public. 25,000 Ether should last a long time in my opinion, as the amount of software being examined is actually very small (currently, anyway) and should go through a public audit process first.

There is no point paying people to do work that’ll be done anyway, which is my problem with much of this proposal. What I think would be useful is to have a small group paid a small stipend to help manage much of the above, and manage ether to go towards bounties and audits. They can also act as the central point of contact for any security related issues.

I would argue this should involve Christoph if he wishes, but it must not be a slock.it proposal. Slock.it needs to be independent of this; it is a startup that must focus on one thing, not many.

The DAO needs independence from slock.it and must choose an independent group to manage the above as a part-time endeavour. Only if that proves insufficient should The DAO look at paying higher fees for full time employment.

We’re all coming from the decentralised and open source world of cryptocurrency where security has always been critical. I fail to see why The DAO requires such an expensive proposal. However, I do think there are some good salient points made which The DAO should consider, if in a very different form.

I’m sure the proposal was made in good faith but my gut is telling me that the approach isn’t right.

Edit: I’d like to propose The DAO commission a security working group instead of a high priced security team. It can manage bounties, external research, and code audits post public discussion. If additional funds are needed, it can request them.