DAO.Security, a Proposal to guarantee the integrity of The DAO

Stephan Tual
Stephan Tual’s Blog
4 min read · May 25, 2016


UPDATE 28/05/16:

Please see this updated Proposal description at https://blog.slock.it/both-our-proposals-are-now-out-voting-starts-saturday-morning-ba322d6d3aea#.x5zq2t9h6

Dear DAO,

The last few weeks have been exhilarating! We are genuinely thrilled with the thriving interest and participation in the project. It has now garnered mainstream press coverage, significantly boosting Ethereum’s profile in the process.

With USD ~150m at stake, the security of the DAO is paramount

This is all new territory, and as we and many others have pointed out, it certainly does not come without risk. Daniel M. Ryan accurately calls The DAO an ‘experiment in responsibility’, and we agree. And with over 14% of all ether now held in The DAO’s smart contract, we feel we share part of that responsibility and believe it is crucial to give The DAO the security framework it deserves.

For this reason, alongside our Proposal for the development of the Universal Sharing Network and Ethereum Computer, we will also make a Proposal for the formation of a “DAO Security” group.

The Proposal will consist of the following services to The DAO:

The development of the DAO Framework 1.1, a ‘stopgap’ iteration to be released within 10 weeks of signing the Proposal, addressing specific social attack vectors uncovered by the intrepid members of our community. The list of these changes is described in the github issue repository for the DAO Framework.

The establishment of a monitoring unit consisting of 2–3 expert security analysts, including DAO Framework Author Christoph Jentzsch, to continuously monitor, pre-empt and avert any potential attack vectors The DAO may face, including social, technical and economic attacks.

Analysing major Proposals for attacks. This will include highlighting 51% attacks, mis-matched bytecode, and social engineering/collusion attacks.

The issuance of a monthly report to The DAO Token Holders detailing thwarted attacks, updates on The DAO security and modifications made to the framework, if any.

The establishment and management of a Bug Bounty program with considerable ETH prizes — we’re excited to deploy a program that will disburse meaningful rewards and lead to thousands of pairs of eyes scrutinizing The DAO’s smart contracts.

Acting as a much-needed first point of contact for security disclosures: in the last 4 weeks we have noticed a number of reddit posts detailing alarmist ‘security attacks’ that upon inspection were proven innocuous. Having an official first point of contact for the channeling of security concerns will help maintain a calm, level-headed way of addressing such matters, while ensuring a swift, professional reaction.

We would hope that this Proposal will be renewed (and therefore renegotiated) every two years.

A summary of costs can be found below:

Update of The DAO Framework to Version 1.1, including addressing the current issue list as it stands on Wed 25/05/16, and including advanced testing and code review — 10,000 ETH

Deployment of 2–3 of our best security experts, including DAO Framework Author Christoph Jentzsch at any given time, for the next 2 years, with an ‘on call’ schedule 24/7 — 60,000 ETH

External audits to review the code — 25,000 ETH

Assigned to the bug bounty program — 30,000 ETH

Total: 125,000 ETH

The payment schedule will follow the same structure as the USN/EC Proposal, meaning a 20% deposit followed by monthly payments for the duration of the project, with Slock.it bearing the volatility of Ether.

Of course, it’s important to note that nothing obligates The DAO Token Holders to approve this Proposal, which is completely independent of our main USN/EC Proposal. It is our intention to submit both Proposals within the coming days.

About the Author

Stephan Tual is the Founder and COO of Slock.it.

Previously CCO for the Ethereum project, Stephan has three startups under his belt and brings 20 years of enterprise IT experience to the Slock.it project. Before discovering the Blockchain, Stephan held CTO positions at leading data analytics companies in London with clients including VISA Europe and BP.

His current focus is on the intersection of blockchain technology and embedded hardware, where autonomous agents can transact as part of an optimal “Economy of Things”.

Twitter: @stephantual
Contact:
stephan@slock.it
