Ethereum soft fork failure and Bitcoin’s design security

Recently, Ethereum had to implement an emergency soft fork due to defects in The DAO smart contract. However, when the soft fork was about to be completed, it was suddenly discovered that the soft fork itself would lead to more defects, and the plan was forced to be abandoned. Why did this absurd situation occur, and what enlightenment does it have for the development of Bitcoin?

What is a soft fork?
Soft fork refers to changes to the rules of a digital currency system that render some previously valid transactions invalid.

Why does Ethereum need a soft fork?
Due to a design error, the DAO smart contract in Ethereum was stolen by hackers with 50 million USD worth of ether and transferred to another smart contract (called "Child DAO"). The purpose of the soft fork is to prohibit all transactions related to Child DAO. Although the soft fork cannot allow other investors to recover the stolen funds, it also freezes the stolen funds forever, at least preventing the hackers from directly benefiting.

Why did the Ethereum soft fork fail?
The soft fork plan was already underway, and mining pools were upgraded one after another. However, when it was almost completed, Emin Gun Sirer pointed out that the soft fork design was flawed. Once implemented, attackers could paralyze the Ethereum network. http://hackingdistributed.com/2016/06/28/ethereum-soft-fork-dos-vector/1

The main selling point of Ethereum is that it can implement programs that are far more complex than Bitcoin, including programs with loops (so-called Turing completeness). To prevent abuse, users must pay a fee for each step of the program with Ether; when the fee is used up, the program must stop. Unlike Bitcoin, even if the program is ultimately judged to have failed, miners can still receive the fee, so there is no need to worry about someone consuming miners' computing resources with invalid programs.

However, this soft fork prohibits all transactions related to the specified Child DAO. Therefore, an attacker can issue a transaction that requires a lot of calculations, but the last step involves Child DAO. This will cause miners to perform a lot of calculations, but they will not receive any transaction fees in the end. An attacker can issue a large number of such transactions and paralyze the Ethereum network, and it is completely free.

How Ethereum's design flaws led to the failure of the soft fork <br/> Ethereum's design was ambitious, with the goal of realizing a decentralized computer. Therefore, its programming language Solidity is much more complex than Bitcoin's script, hoping to challenge Bitcoin's status. However, this was also the direct cause of the DAO attack and the failure of the soft fork.

First, we cannot perform static program analysis on Ethereum programs. Static program analysis means that we can know what a program will do just by reading it without actually running it. If static program analysis is possible, in the face of the above attacks, miners only need to read the program once, and if they see code related to the specified Child DAO, they will give up running it. However, the design of Ethereum allows attackers to calculate code from code, and miners can only run the program until they encounter banned code, which has wasted a lot of computing power.

In addition, the attack cannot be stopped by blocking nodes that propagate invalid transactions. Since program operations involve a lot of resources, and ordinary nodes that are not miners do not receive any handling fees, ordinary nodes will only check whether the transaction format is correct when propagating transactions, but will not actually run them. If the attack is stopped by blocking nodes, all ordinary nodes will be blocked, which will also have the effect of paralyzing the Ethereum network.

On the same question, how is Bitcoin designed?
Non-Turing complete : First of all, Bitcoin scripts are not Turing complete and have no loops, so the termination of the program can be guaranteed. This is a deliberate design by Satoshi Nakamoto. The DAO vulnerability itself is that the attacker exploited the looping characteristics of the program to repeatedly withdraw funds that did not belong to him.
In fact, Bitcoin almost accidentally became Turing complete in 2011 through BIP12 OP_EVAL, but fortunately it was discovered and abandoned at the last minute.

Static program analysis : Bitcoin scripts must write the code directly, so static program analysis can directly find invalid operations. OP_EVAL allows code to be calculated by code, which is another reason for its abandonment.
In addition to transactions, some limitations of the Bitcoin block itself can also be directly found through static program analysis, including the limit of block size and signature check amount. In addition to the famous 1MB limit, the current block also requires that there should be no more than 20,000 signature checks. This 20,000 limit includes signature checks that are not executed, so there is no need to do actual verification. Just check the block transaction to know whether it exceeds the 20,000 limit.

It is worth noting that the famous BIP109 (Bitcoin Classic hard fork) is not just a simple change from 1MB to 2MB, it also changes the signature check limit to be calculated based on the actual number of executions, thus losing the feature of static program analysis. This was pointed out by Bitcoin Core developer Luke Dashjr in February 2016: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012362.html6 Topics like this that are only of interest to geeks can have far-reaching impacts.

Full nodes check transactions : Although Bitcoin's full nodes cannot receive handling fees, they will only broadcast transactions after they have been checked, so nodes that broadcast invalid transactions will be banned. However, since there is no direct income from running full nodes, too many transactions will reduce the number of full nodes, resulting in insufficient monitoring of the system.

Standard transactions and soft forks : In fact, although Bitcoin transaction functions are not as good as Ethereum, it is still very flexible. However, among these infinite possibilities, only a very small number of transactions are defined as standard transactions. As long as miners and nodes do not modify the source code of Bitcoin Core, they will not spread non-standard transactions or include non-standard transactions in blocks. However, when non-standard transactions are included in blocks, they will still be considered valid.

Many soft forks have been implemented by redefining non-standard transactions to add new features, such as the recently completed relative lock time (CSV) and the upcoming segregated witness. The biggest advantage of this is that old nodes will regard these transactions as non-standard transactions and refuse to propagate them. Even after the soft fork, they will not be banned for propagating invalid transactions. However, when these transactions are included in the block, old nodes will still regard them as valid, thus achieving the purpose of backward compatibility of the soft fork.

Lessons from the Ethereum Incident <br/> Since the very beginning of its design, Ethereum has been criticized for its neglect of security. Features that Bitcoin has always insisted on, such as non-Turing completeness, no program loops, and static program analysis, have been deliberately abandoned in Ethereum, and used as a selling point, regarding Bitcoin as a symbol of conservatism and backwardness.

Ethereum's strategy was indeed successful, and DAO raised a total of $150 million in investment, but this myth turned into a shame within a month. I can assert that this is only the first time Ethereum has suffered the consequences of its own actions, and it will definitely not be the last time. Everything is caused by greed and recklessness. In any case, after this incident, it is hard to believe that anyone would still be willing to invest $150 million in Ethereum's smart contracts.

For Bitcoin, this is also a major warning, reminding us that we must be cautious in every step. After the rise in the past few months, the market value of Bitcoin has exceeded 10 billion US dollars. Whether it is developers or miners, they must take the protection of system security as their greatest responsibility and add new features in a safe manner to ensure the long-term healthy development of the system, rather than sacrificing long-term interests for the sake of overnight wealth.