Blockchain Issues | #2: Human Error Breeds Catastrophe
This is part three of a multiple part series beginning with: “What is Blockchain Technology?” where we explore blockchain and how it can best be leveraged for business today.
I’m going to go out on a limb and say that this is probably the most glossed over issue with blockchain systems in the industry today. While we can all imagine the benefits of automated contracts, distributed value systems, and individual digital ownership of assets, we should all be equally as concerned about them. For example:
- If you make a transaction to the wrong address, that asset transfer is in most cases completely unrecoverable.
- If you deploy a smart contract with an exploit in the programming, the software can’t just be updated to fix it.
- If you don’t maintain secure and accessible environments for your access keys, you can be locked out your accounts forever.
- If the consensus model isn’t secure for your distributed network, an attacker can seize control of the entire blockchain ledger and write transactions as they see fit.
So as you can see, there are some serious implications for human error when using a blockchain system. In fact, the consequences looming over me while engineering blockchain systems feel quite similar to the life and death gravity of decisions made while I was in the Marines.
Unfortunately, I’ve had the displeasure of informing panicked individuals, from executive fund managers to your average consumer, that there isn’t any third party that can come to their rescue after mismanaging their assets. This is last thing anybody wants to hear after losing any sum of money, but it’s the reality we face when using distributed autonomous systems.
Case Study: The DAO Hack
“The DAO” was the name of a specific Distributed Autonomous Organization, which launched on the Ethereum platform April 30th, 2016. They were building a venture capital platform where investment decisions would be made based on community consensus rather than a centralized panel of executives.
The DAO was represented everything innovative and comforting about public crowd sales, and promised to build a decentralized organization that would allow democratic management of both commercial and non-profit enterprises. At the time, The DAO was the largest crowdfunding in history, with over $150 million in capital raised in just 28 days.
The creators of The DAO were not expecting such an overwhelming interest, and were not prepared to handle it. They did not cap their funding round, which is a standard ethic regarding the raising of capital.
Once the crowdsale was over, many issues were addressed regarding potential vulnerabilities and exploits of the smart contracts managing the organization. After all, this was the most complicated attempt at such an organization to date. One such exploit that was discussed, was the “recursive call bug”, which had been found in the software by one of the founders.
Despite the vulnerability, the founders insisted that it was patched before launching and that DAO funds were not at any risk of being exploited.
In June 2016, users exploited the vulnerability which enabled them to steal 3.6 million ether, worth around $80 million at the time, of The DAO’s funds. In July 2016 at Block 1,920,000 on the Ethereum blockchain, the Ethereum development community voted to hard-fork the Ethereum blockchain to restore virtually all funds that were stolen to the original accounts.
This was highly controversial and led to a lasting fork in Ethereum. This is why there is an Ethereum Classic (Original Chain) and an Ethereum (Developer Approved Chain).
The DAO was completely delisted from all exchanges and the project was pronounced dead in the water in just a few months time.
Simplifying What Happened
- A successfully funded startup raised over 100 million dollars and lost it all due to just a few lines of code in their smart contracts.
- The founders ignored the advice and recommendations of legal and technical experts all over the world and decided to push forward on a project prematurely.
- The SEC concluded that DAO tokens sold on the Ethereum blockchain were securities and therefore possible violations of U.S. securities laws.
- Ethereum was forced to bail the DAO and their investors out at their own expense by initiating a hard fork that returned stolen funds back to the original accounts.
The scope of human error extends into the most catastrophic circumstances in blockchain systems. Unlike traditional centralized systems, there are no third parties to rely on for support, and there isn’t a quick way to patch or reverse exploits once they are found. Furthermore, if you are operating on a public network without KYC (Know Your Customer), there may not even be an avenue for legal support.
Blockchain is still new technology, and isn’t a full stack system, so don’t rush into it without expecting copious amounts of trial and error. It’s important to test not just your own blockchain system, but the underlying platforms it’s relying on as well.