Constitutional Code & Blockchain Neutrality: Lessons in governance from The DAO attack
A year ago, the concept of decentralized autonomous organizations was a niche topic floating around blockchain communities — a thought experiment for decentralization enthusiasts.
The idea was to define the goals and processes of an organization or corporation in code, and to set it running on a blockchain-backed decentralized computing platform like Ethereum. It would be controlled by the code, not by humans, and it could never be turned off. The idea was made real with the birth of The DAO.
That The DAO would be attacked was not surprising. It had many flaws both in its code and in its model of human behavior, and most people expected attacks along the way. The surprise was the scale of the attack, and how soon it came. A single attacker threatened to drain the $150+ million fund completely, within weeks of the initial fundraising.
The attack provoked a number of responses from the community, all of which could be described as panic. A community manager for The DAO encouraged a distributed denial of service attack against the Ethereum network. Token holders in The DAO looked for ways to move their funds, either by selling the tokens or forking. Many sold off their ether as well, correctly predicting a crash in its value.
The most extreme reaction came not from worried investors but from the Ethereum Foundation. It proposed changes to the underlying Ethereum code and the blockchain, the infrastructure on which all Ethereum projects are built, in order to bail out The DAO:
The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (i.e. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.
[Edited to add link to soft fork that was not in original.]
The proposed forks will only go into effect if they are adopted by a majority of Ethereum miners. However, with the weight of The DAO community and the Ethereum Foundation behind the proposals, they seem likely to be adopted.
This seems to be an appropriate response at first glance. The attacker is deprived of ill-gotten gains, token holders are made whole, and the only injury is to those who panicked and sold their DAO tokens or ether at a loss. There has been mixed reaction to the proposals, but a good number of people have applauded the community for coming together so quickly to fix the problem. Vitalik has argued that the response illustrates the power of decentralization: “[T]he fact that we were reduced to begging exchanges and spamming our own blockchain is a testament to [Ethereum]’s decentralization”.
Take a step back, however, and there are bigger concerns.
The promise of Ethereum is that it could provide a decentralized world computer that no one can turn off. It’s the basis for a new kind of society — transparent, accountable, and based on code. The consensus algorithm, the EVM, and the blockchain should be thought of as constitutional code — the constitution of this new society.
This is not to suggest that humans should be taken out of the loop entirely. We cannot build a perfect system. Humans are so diverse, unpredictable, and just plain weird that there is no way we could hope to code for all of the edge cases. We need to provide a means for humans to step in and stop a system that is operating unjustly.
Jurists have long agreed a constitution should not be a “suicide pact”. It should be able to grow and change with the needs of society. But these changes should be made in a calm and considered manner, not in response to a crisis. The same applies to the constitutional code at the highest level of Ethereum.
Ethereum is still in beta, and its constitution should be considered “provisional” (h/t Casey Kuhlman for this idea). More frequent changes to the rules should be expected here than for a well-established constitution. However, the policy mechanisms are also in beta, and the decisions on governance made today will inform the decisions we make tomorrow.
The question is: At what level will human intervention take place? Do we want it at the infrastructure level, in changes to the constitution? Or do we want it at the level of the contract, where individual systems can choose the degree and nature of human involvement on a one-off basis while the rest of the system remains predictable and stable?
The fix proposed by the Ethereum Foundation is changing the constitution at a moment of crisis. This is a mistake. This kind of change should never be made in response to a crisis. Rushing into the PATRIOT Act after the 9/11 attacks was a mistake. But how much worse would it have been if mass surveillance and torture had been written into the constitution at a time of crisis? The proposed forks amount to a panicked change to the constitution.
Furthermore, this is not a decision that should be entrusted to the majority of miners. It sends the message to miners that they should act as judges (h/t Casey again). Although miners have the ability to refuse transactions with a majority, exercising this power should not be encouraged. They should decide how transactions are processed, not what transactions are processed. Just as we demand net neutrality from our ISPs, we should demand blockchain neutrality from our miners.
If we want to be able to respond to something like The DAO attack with human intervention, the response should come at the level of the contract, not the level of the constitution.
Stephan Tual, one of the creators of The DAO, said before launching The DAO: “Consumer protection on blockchain is insured via smart contracts, not legal system. Code is law.”
Yet there was no consumer protection in The DAO. Its creators built humans in at various places. Token holders vote on proposals instead of relying on AI. Curators must approve proposals before funds can flow to them. However, an “off switch” was not included. This omission was a deliberate choice to avoid the legal complexity (and liability) that comes with creating an investment vehicle. An unstoppable hack is the direct consequence of this decision.
The attack on The DAO should be treated as an expensive lesson in designing smart contracts. If you try to avoid having human judgment in the loop, bad things can happen and you can’t stop them. The rules of the game should not change around you to protect you.
The proposed forks will do just that — they will change the rules to protect token holders and a system design that embraced the risk of running as pure code. They will ask Ethereum miners to agree to make it as if the attack never happened. If they do, there will be a number of negative effects flowing from this decision, none of which are outweighed by the recovery of funds by The DAO investors:
- There will be precedent set for hard forks to resolve disputes. If this fork is allowed, every time someone loses money in a smart contract and thinks the outcome is unfair, they will be asking for a fork. How big is too big to fail? $150 million lost is enough, but is $15 million? $1.5 million? $150 thousand? Once you give in to the demands of jilted investors, it becomes much harder to refuse the demands of governments trying to crack down on terrorist financing, tax avoidance, or other policy issues.
- Risky behavior will be incentivized. Part of the excitement around The DAO was the very fact that it was not controlled by a human. No one could turn it off! Governments could not stop it! This “feature” became a bug when it was turned against The DAO. Rather than learning that human intervention is desirable for complex contracts like The DAO, developers and investors will learn that the community is perfectly willing to change the rules to save them from themselves. Oversubscribing to a particular investment vehicle will be desirable, because it increases the likelihood of a bailout.
- Trust in the Ethereum ecosystem will be eroded. There are three key concerns here:
  a) Platforms for critical systems need certainty. Right now there are very few (if any) critical systems running on Ethereum, but that is soon to change. There are plans to build critical systems on Ethereum for identity, intellectual property, commerce, and even electrical utilities. When these applications are running on Ethereum, responses like a denial of service attack against the network will be even less acceptable than they were here. But more importantly, how can these projects build on the Ethereum platform, knowing that the operation of their contracts could be changed to benefit someone unhappy with their operation?
  b) The fork proposal creates a moral hazard. Right now the Ethereum community is small, meaning there is a high risk of bias or perception of bias. There is a clear conflict in people who are invested in The DAO proposing and voting on solutions that allow them to recover their own funds. As Zooko Wilcox put it: “I like and trust Vitalik [but] the rollback plan is endangering Ethereum to rescue [The DAO] investors.”
  c) The fork proposal puts miners in a quasi-judicial role. With the fork proposal, miners are being asked to change the network to invalidate a certain set of transactions based on the fairness of those transactions. This is a quasi-judicial role. It is not appropriate for these decisions to be made by anonymous individuals based on proof-of-work or proof-of-stake.
The correct response here is to reject the forks. It will be an expensive lesson to learn, but it is an important one. Doing so will make the Ethereum ecosystem stronger in the long term, and teach that humans should be kept in the loop in complex systems.
What can be done in the future? What is really needed is a formalized system of governance, at both the contract level and the constitutional level (h/t Matan Field for putting this so clearly).
At the contract level, we need ways to respond to major attacks like the one that hit The DAO, but also the small inconsistencies and injustices caused by the application of standard code to non-standard situations. This could range from “oracles” that are actually trusted human arbitrators or mediators chosen in advance by the parties to a contract, to reputation and “proof of value” systems like Backfeed (Matan is one of its founders).
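As an added illustration (not The DAO's own code, nor code from this article) of both points made above: the contract-level "off switch" the text says The DAO omitted, and the trusted human arbitrator chosen in advance by the parties. The contract name, the arbitrator role and the 14-day halt limit are assumptions; the limit exists so that the human in the loop can stop withdrawals while a fix is agreed, but cannot freeze funds indefinitely.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a fund whose emergency stop lives inside the contract,
// so intervention happens at the contract level, not by changing the chain.
contract GuardedFund {
    address public immutable arbitrator;        // human chosen in advance by the parties (assumed role)
    uint256 public constant MAX_HALT = 14 days; // assumed bound: long enough to coordinate a response
    uint256 public haltedUntil;                 // withdrawals are blocked until this timestamp (0 = open)
    mapping(address => uint256) public balances;

    event Halted(address indexed by, uint256 until, string reason);
    event Resumed(address indexed by);

    constructor(address _arbitrator) {
        require(_arbitrator != address(0), "arbitrator required");
        arbitrator = _arbitrator;
    }

    modifier onlyArbitrator() {
        require(msg.sender == arbitrator, "not arbitrator");
        _;
    }

    modifier whenNotHalted() {
        require(block.timestamp >= haltedUntil, "withdrawals halted");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Emergency stop: only the pre-agreed arbitrator, and only for a bounded period.
    // The reason is emitted on-chain so the intervention itself is transparent.
    function halt(string calldata reason) external onlyArbitrator {
        haltedUntil = block.timestamp + MAX_HALT;
        emit Halted(msg.sender, haltedUntil, reason);
    }

    function resume() external onlyArbitrator {
        haltedUntil = 0;
        emit Resumed(msg.sender);
    }

    // Withdrawals are refused while the halt is in force; the balance is
    // reduced before any ether leaves the contract.
    function withdraw(uint256 amount) external whenNotHalted {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Deposits remain possible during a halt, so the stop only suspends outflows; who may halt, for how long, and what happens when the period lapses are exactly the governance choices the article argues belong to each contract's designers.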
At the constitutional level, it will be more difficult. Both proof-of-work and proof-of-stake create a powerful incentive for voters to protect their own financial interests. We’ve seen how this has played out in the Bitcoin scaling debate. The key will be in making it as difficult as possible for miners or large stakeholders to make snap judgments on changes to the infrastructure, or to act in a judicial role. We should demand blockchain neutrality.