Possibly, The Most Unprofessional Smart Contract Review Ever
When you intentionally put something in public, be prepared that someone will come to inspect it and speak his mind. This may be compared to posting on social media with users leaving their comments. And you should be ready to receive a negative comment someday. This happens from time to time.
On the other hand, if you are the one who comes and writes a negative review which may be offensive or even harmful to someone’s reputation, make sure that you are experienced enough in this field of knowledge, so that you will not be disgraced with your own actions, and mocked on afterwards.
Our smart contract has been published on Github right after it was redeveloped in compliance with DAICO model. We wouldn’t have done this if we were not confident in it. Since then, it was audited by an independent and well-known company in crypto community, New Alchemy (will be published soon), and was seen by thousands of users, as we believe. And we used to answer all questions if something is not clear. For these purposes we have a vast network of multilingual Telegram channels.
Unfortunately, we do not remember talking to Mr. Hiro Inagaki, Engineer of DRI, who seems to have many questions relating to the published smart contract code, but read his critical review with interest. If you are skilled in Japanese, you may refer to the original text in his personal blog on Medium. We had it translated though, and will address all questions and remarks in English, so that everyone could make own conclusions.
With your permission, we’ll skip the introductory part, where Mr. Inagaki speculates about the DAICO philosophy, arguing that our smart contract has nothing to do with the original concept proposed by Vitalik Buterin, and saying that it’s “an awful realization”.
We’ll address his further remarks (quotes are marked in bold):
The centralized Oracle system (Mr. Inagaki says it is very dangerous element from the start.
It’s not. It was designed to lower the risks of fraud and abuses.
The DAICO concept provides users with the ability to refund the contributed money, based on the voting results. Mr. Inagaki then proceeds, saying that The Abyss adopts the mechanism that just imitates the refund.
OK, let’s see what’s on his mind.
Only the Oracles have the exclusive right to initiate the poll on a refund.
Well, that’s true. Oracles are monitoring the project themselves. If the team is a scam and shows no progress, they launch the refund voting. They also protect the project from the abuse: if everything goes alright, contributors can not claim their money back. What’s wrong with that anyway?
Only the owner of the contract knows the Oracle’s ETH address. The process of making decisions within the Oracles system is opaque.
We advise Mr. Inagaki to take another look at our code. If he does, he will certainly notice that the Oracles’ wallets are all public:
Where’s a guarantee that an Oracle and the owner are not the same person? — Mr. Inagaki asks. — And if an owner turns out to be an Oracle, you’ll never get your money back. What is it? A DAICO? Seriously?
Regarding this point, no actual guarantee can be provided. For this reason, Oracles will be appointed among the industry’s leaders with a solid reputation which they would be reluctant to risk. Oracles will officially announce their appointment on their personal social media accounts (for example) providing their ETH wallets’ addresses to public.
Then, Mr. Inagaki quotes the founder of The Abyss, Konstantin Boyko-Romanovsky saying in his recent interview to CoinDesk: “I am not afraid that my project will be closed because of refund or something else.”, and concludes that
The Abyss team is not going to return the money.
Surely we’re not afraid. Cause we are aimed at bringing The Abyss idea to life, not getting lost with contributors’ money. Besides, our smart contract will not allow to withdraw all the money at a time without the contributors’ voting. On the other hand, if Oracles and token holders decide that something goes wrong with the project, all remaining money will be returned, and we have stipulated it numerous times so far.
730 days after the end of Token Sale Oracles cease to control the project.
Exactly. So what? The development of the platform is not an eternal process and has certain time frames, which are 730 days starting from the end of Token Sale (DAICO). During this period, from the first day to the last, the Oracles will monitor and control the whole process.
The amount of purchased tokens corresponds to the weight of the vote.
Yes. But you can not only purchase your tokens. They can also be obtained from other token holders (from your friends for instance). Tokens can be freely transferred from wallet to wallet, and it is written in the project’s Whitepaper as well.
Tokens used for voting are neither blocked, nor burnt.
Why on Earth we should burn the voters’ tokens? Is it something that we are supposed to do? If the user transfers the tokens he has voted with, his vote will be reassessed. And this is where Mr. Inagaki, again, should take another look at the smart contract code:
The owner of the contract (the company) also participates in the voting process.
Incorrect. The company’s and reserve tokens are not eligible to vote with. Encoded in smart contract.
With the majority of ICOs, the company has a substantial amount of tokens and can influence the voting process.
Not in The Abyss DAICO case! The weight of each vote is actually limited by 0.1% of total token supply (max weight). This point is embedded in the smart contract code. Take a notice:
Measures to protect against fraud are negligible. This can not be called a security system:
To control the movement of votes during the voting process, there is a code that checks the amount of tokens. However, it is necessary for someone to check the address to which this amount of tokens is bound.
This is complete nonsense! During transfer, the addresses and the fact of sender’s participation in the voting process are checked. After this, the weight of the vote is corrected:
The security system will not be able to do this by the end of the voting process, so this system is absolutely useless. I mean that if you transfer tokens to another address during the voting process and pay for the operation with a large amount of GAS, your vote will be recognized as a priority and will be considered.
Incorrect. Our general comment to this — take another look at the code above. Once the token transfer is made, with the sender being a participant of the voting process already, the weight of his vote is reassessed.
The security system will not have time to check all the addresses in a timely manner. If the operation is made before it is checked, then this is a huge drawback that makes such security system useless.
Totally incorrect. All checks are made at the very moment of voting or token transfer. Not after.
There is also a possibility that the owner of the contract will use this drawback in his own interests. He can transfer the part of the fund to himself and pretend that the problem resulted from the external attack. Well, where is DAICO?!
No such possibility. For the reasons given above, this is impossible.
One needs to deploy the contract every time the voting is initiated. The voting contract can be used only once. Besides, the voting can be initiated only when the relevant contract is deployed by the owner (absurd centralization of power).
Incorrect. Here’s an example of how the voting contract is created. It’s a function:
After the funds are raised, we can wait for the voting for years.
What? Polls may result in raising the tap amount or in a one-time amount withdrawal (buffer). The % by which the tap may be raised at a time, is limited to 50% of the initial amount (300 ETH). The tap can be raised only once in 14 days period. This voting is initiated by the developing team.
I did not count anything, but I believe that the GAS price for initiating the voting process will be extremely high.
Maybe. But since the voting is created by the team, it is the team that pays the GAS price. Not the voters.
The tap. They can withdraw an approved tap amount every second. According to Vitalik’s idea, tap can be withdrawn only once a month.
No. The withdrawal of tap is not restricted. Please check Vitalik’s original idea again:
The same voting code is repeated many times, and is hard to read. Seems like the code was copy-pasted.
Not a copy-paste. TapVoting, BufferVoting, RefundVoting are inherited from BaseVoting.
The code’s quality leaves much to be desired.
Mr. Inagaki’s engineering skills and qualification leave much to be desired.
Code vulnerability is high.
Provide the arguments. Can’t see any.
The number of drawbacks in this code can generate an infinite number of ways of attacking it.
What drawbacks? Name any.
In general, it should be said that this contract is a total sh…
Easy. Still no arguments are provided.
The smart contract principle allows you to update or change it only once. It’s very strange, that they’re going to conduct an ICO on March 7th with this contract.
This is actually the principle of the Ethereum contract. Once the contract is deployed, its parameters are set and remain unchanged during the ICO.
Mr. Inagaki’s conclusions are given below. No comments, just read and admire:
I would not recommend participating in this ICO.
The potential of DAICO idea is very high, but the connection of this project to DAICO is speculative, or its creators do not follow the DAICO principles intentionally.
They constantly repeat that with DAICO it is impossible to cheat, they often mention Vitalik, but they themselves are very hard to believe.
I tried typing “The Abyss” on Twitter and looked at the results. They showed links to various kinds of advertising articles, in which the authors call to participate in this ICO. I think they did it for their own benefit, because they are promised bonuses for following their links.
DAICO was conceived as an ICO that is free from fraud. Crypto world is a place where truth and honesty are the priority!
And finally, our brief conclusions:
- We couldn’t get for what reasons this Mr. Inagaki decided to attack us, but then investigated the issue and now can assume. His project was 10 hours late to announce the world’s first implementation of DAICO idea. The competitor’s envy, as we believe. We posted this announcement on January 17, 2018 (06:44 AM):
- No actual drawbacks or vulnerabilities in our smart contract code were found or shown. Most of the author’s conclusions are incorrect.
- The technical level of the review is very low. The author has carried out a shallow study. His technical analysis is very weak.
- The majority of statements are not supported with facts or code examples.
Apart from all mentioned above, there are some facts about The Abyss project everyone should be aware of:
- Our official website and all documents are translated in English and numerous other languages (Japanese is also planned) for user’s comfort.
- Our cybersecurity is ensured by the renowned Group-IB company.
- We are to conduct the legal Token Sale (DAICO) in the U.S. in compliance with U.S. Federal Laws (Regulation D).
- The Abyss GmbH is incorporated in Switzerland.
- The Abyss is the member of Enterprise Ethereum Alliance.
- We have the legal memorandum and opinion concluding that The Abyss doesn’t constitute an unlawful pyramid scheme under the U.S Federal Law.
- We will run an effective KYC / AML procedure powered by famous California-based Netki company.
- The Abyss smart contract has been audited by the leading New Alchemy company (Report will be published soon).
- The Abyss shows the actual number of registrations.
- To eliminate any suspicions of fraud, all contributions are accepted on smart contract only.
- We do not run Pre-Sale and do not offer volume bonuses / discounts.
- Top crypto media are interested in writing editorials about The Abyss.
We strongly recommend Mr. Inagaki to apologize for this failed attack attempt and delete his unprofessional review from his Medium and Twitter accounts. Think, this will help to save his face of a blockchain engineer.
Tech Lead and Blockchain Engineer at The Abyss, The Author of the World’s First DAICO Smart Contract