TheDAO — a $150m lesson in decentralized governance

I love the idea of Decentralized Autonomous Organizations and when 3 weeks ago theDAO appeared on my radar, I was extremely excited. A decentralized hedge fund that can fund anything & anywhere and is open to anyone? Beautiful!

I pitched to my co-founders that we should partner with theDAO to bring real world payments to theDAO and the wider Ethereum ecosystem. DAO.PAY got early positive feedback on Reddit and on the Slack channel, but we never got around to posting an official proposal. Our due diligence had uncovered major security flaws, and the voting mechanism was getting criticized for disincentivizing NO voters and requiring too high a participation threshold.

2 weeks ago, we contacted Christoph and Lefteris from Slockit (the smart contract developers behind theDAO) to warn them. We sent detailed attack scenarios on how an attacker can vote risk-free, how an attacker can blackmail withdrawals forever with zero risk, and other less severe attack scenarios. The bugs were confirmed, but Slockit downplayed the severity of the attack vectors. We figured they'd get second opinions, but instead Slockit went out to try to get $1.5m from theDAO to fix the security problems they themselves had created…

Fast forward to today: theDAO is live and anyone can make proposals. The first split proposals (proposals to withdraw funds) are being sent in, and we are still waiting for Slockit to put out a warning that THERE IS NO SAFE WAY TO WITHDRAW!

I'm a white hat hacker at heart and hate to see people run into misery. If you are an investor in theDAO, please refrain from trying to withdraw your funds until the security flaws are fixed. I would also highly encourage you to start asking the ugly questions about the Slockit security audit, which discovered nothing, and to hire a team with the security expertise to safeguard $150m.