Cornell professor calls for 'DAO 2.0' action

Rage Review: Cornell University computer scientists helped identify vulnerabilities in The DAO, and colleagues disclosed ten newly discovered code vulnerabilities at a subsequent New York event. There are still many problems to be solved before launching another DAO (decentralized autonomous organization). Emin Gün Sirer, a critic of The DAO project, believes that The DAO is a "huge bug bounty of $220 million" and that Solidity, Ethereum's smart contract language, is a product still under research. More effort is needed before a DAO 2.0 can be released, first of all to discover possible vulnerabilities in the code and prevent a recurrence.

Translation: Nicole

Cornell University computer scientists who helped identify vulnerabilities in The DAO disclosed ten newly discovered code flaws at an event in New York.

The statement comes from Emin Gün Sirer, a critic of the project, amid concerns about The DAO, a smart contract-based funding vehicle built on the Ethereum platform that collapsed after a vulnerability was discovered in its smart contract code.

Sirer warned that while the vulnerability that led to the theft of tens of millions of dollars worth of ether is now well understood, there are still many issues that need to be resolved before another DAO (decentralized autonomous organization) is launched.

The announcement laid out for the first time a clear path for how to build an organization run by code, thereby realizing the original vision of The DAO.

Sirer, co-director of the Initiative for Digital Currency and Contracts (IC3: an academic research project focusing on blockchain technology), used the forum to detail the possible vulnerabilities in the Ethereum code language.

Sirer went on to argue that the issues that arose could be used as a reference when creating similar projects in the future.

He told the audience:

“The DAO 2.0 requires a lot more work. This is a much deeper area than people think.”


Vulnerability Details

Before the first vulnerability was discovered, Sirer and his colleagues published a paper outlining a so-called "recursive call" vulnerability that allowed hackers to transfer funds from The DAO into a "child DAO (spun off from the original DAO)."

At last night’s event, which brought together 70 bitcoin coders, ethereum developers, computer scientists and finance experts, Sirer detailed other possible threats.

The "tracking" vulnerability, currently being used to counter hacker attacks and transfer funds to a secure account, was one of the examples Sirer cited at last night's event.

The ten vulnerabilities Sirer discussed in detail include a "simultaneous proposal trap", in which a hacker posts a random proposal like 'Do you believe in God?' to trick people into responding; the voting period, which uses tokens, also becomes a trap. Then, after the funds are locked, the attacker can put forward a competing proposal.

Another vulnerability is called a "control majority vote" attack, in which one party disperses its voting power across separate votes to pose as the party with the most votes and reap the benefits of a successful proposal. Sirer believes there is no defense against such an attack.

The vulnerabilities discussed last night were also detailed in an earlier post, and the full list of vulnerabilities and how The DAO worked can be found here.

Sirer told attendees:

“The whole point of smart contracts is to create an exciting, weird financial device. It’s not exciting, it’s just weird.”


Tough Love

Hours before yesterday’s event, Sirer took part in a Twitter debate in which he suggested that the ethereum community should ostracize the founding members of Slock.it, the German startup that wrote the code for The DAO and led its deployment.

At the New York event, Sirer made a two-pronged appeal, singling out founders Stephan Tual and Christoph Jentzsch.

But while Sirer was harshly critical of Slock.it, he said the problem extends to Ethereum itself. He called The DAO a "giant $220 million bug bounty," a criticism aimed not only at The DAO but also at Ethereum's smart contract language, Solidity, which he said is still a work in progress.

Sirer told attendees:

“We should redesign Solidity, we should rethink what this means for writing secure state machines, how we should categorize them in detail, and how we make sure they can’t be confused.”

