The technical loopholes of the world's largest crowdfunding project and the future of legal professionals

About the author: Cai Xin, prosecutor (assistant), graduated from a law school, taught herself programming, won the Baidu Programming Marathon Award for two consecutive years, and is currently learning blockchain technology. Legal professionals who are interested in this emerging technology are welcome to add WeChat Lawup2 to discuss the rule of law.

On the afternoon of Friday, June 17, just as I was about to leave work, the blockchain WeChat group suddenly exploded. I stopped copying out the Party Constitution for a while and read the heated discussion carefully: Vitalik Buterin, the founder of Ethereum, had posted in the Slock.it community that the DAO had a loophole and was under attack, and that a large amount of the ether it held was likely to be stolen. After reading further in the technical community, I learned that the problem was a loophole in the smart contract code for redeeming ether from the DAO, which let hackers take ether from the DAO that did not belong to them. The news not only caused a sharp drop in the DAO coin itself, but also affected Ethereum, which fell by nearly 20% in one hour. Various rumors followed, such as that the Ethereum network had stopped producing blocks. (There really are many people who fear the world is not chaotic enough!)

Of course, the price of the currency is one thing; on the other hand, enthusiastic people and technical experts in the community were also trying to solve the problem as soon as possible. Since the blockchain and the smart contracts on it cannot be interfered with or stopped by anyone once they start, unlike traditional centralized applications that can fix vulnerabilities by submitting a patch, the DAO, as a decentralized application (dapp), keeps running even after a vulnerability is found, and everyone can only watch. Only once the gas is exhausted can the program be stopped; the code can then be modified, deployed again, and restarted, and only then is the repair successful.

Was there really no way out before then? Was everyone simply to watch the thief exploit loopholes in the established rules and steal a large amount of wealth, powerless to act? No, man will conquer nature. Community members reached a consensus and decided to fork Ethereum, using the freeze period that applies after ether is redeemed from the DAO to delay the thief's withdrawal, and then updating the Ethereum protocol to invalidate all DAO-related transactions during this period, in order to preserve the value of the assets in the DAO. This move temporarily brought the situation under control and saved the DAO, the largest crowdfunding project in the world so far, from failure for the time being. But there is still a lot to do, and blockchain technology still faces many deep-seated problems. In particular, such a rescue does not respect the spirit of decentralization; it is a compromise of technology to value and wealth. All circles are talking about this topic. This incident, which unfolded in less than two hours, also triggered deep reflection in me as a legal professional.

I started to get in touch with Bitcoin in early 2013. Yes, the cryptocurrency that was born in early 2009 is the first application of the "blockchain" technology that is now becoming ubiquitous. Of course, people only noticed the economic value of Bitcoin at first, and then gradually discovered that its core technology, blockchain, can carry and transmit credit value. So some people began to develop proof-of-existence applications based on the Bitcoin blockchain (notarization, land and property registration, identity verification, etc.). Others went a step further and revived Nick Szabo's concept of "smart contracts", trying to create "code contracts" based on blockchain that can be trusted by strangers, cannot be tampered with or manipulated by humans, and can be automatically executed by network protocols.

At the end of 2013, Vitalik Buterin, then an 18-year-old prodigy, proposed the idea of Ethereum (the reason why he is called a prodigy is that, as a Russian-Canadian, he learned Chinese in 3 months, and now all his speeches in China are in fluent Chinese, much better than Facebook's Zuckerberg). He believed that Bitcoin and the "altcoins" that forked the Bitcoin code, modified some parameters and added some new attributes were like physical calculators built for various purposes. It was unnecessary and inconsistent to build one for each scenario. Why not build a platform and let everyone write smart contracts for different application scenarios on this platform with unified code? The idea of Ethereum is like an app store on the blockchain. The "calculator" is just an app, and issuing a digital currency like Bitcoin on the Ethereum network can be done in as few as three lines of code. Technology is no longer the threshold; trust is the real threshold.

As time goes by, the Ethereum envisioned by Vitalik Buterin has already released several versions and entered a stage of stable and rapid development. People are beginning to gradually realize the power of blockchain. The financial institutions that were the first to strongly oppose Bitcoin have become the leaders in promoting the development of blockchain technology. Internationally, banking and financial institutions such as Barclays and HSBC have initiated the R3 Alliance. Ping An Insurance, as a Chinese company, has also joined the alliance. In China, ChinaLedger and BankLedger have been established successively. The academic institution "Wanxiang Blockchain Laboratory" aimed at researching and promoting blockchain technology has been established and is active. Traditional technology giants such as IBM and Microsoft have invested heavily in the game. This will be another era of technological heroes, just like the brilliant 1980s. People compare blockchain to the Internet 30 years ago. It is still very incomplete, but it makes people have infinite expectations for its future. At the same time, national power should not be underestimated. The Federal Reserve convened 90 central banks around the world to hold a blockchain meeting at its headquarters. The United Kingdom, which is on the verge of leaving the European Union, is considering whether to use Bitcoin to replace the British pound. The Bank of Canada announced the development of blockchain-based legal currency issuance. Sweden and other countries are testing the use of blockchain to register land property rights. Of course, our Chinese central bank governor Zhou Xiaochuan also announced in early January that he would issue our "digital currency"...

Let's talk about Ethereum again. After it released the Homestead version in 2016, the price of Ethereum, the economic incentive carrier, increased dozens of times in just a few months. At the turn of spring and summer, a project called DAO (Decentralized Autonomous Organization) led by Slock.it, which is actually a piece of code on the Ethereum blockchain, was crowdfunded and raised about $300 million worth of Ethereum in one month. People in the traditional economic world expressed disbelief, but soon everyone began to feel embarrassed to greet people on any occasion without mentioning blockchain.

I believe that most people participate in crowdfunding with the dream of wealth, and there must be some people who are firm believers in "code is law" and want to be the first to try technological democracy. The white paper of the DAO project shows its very rich connotations. Raising money is only its first step. Its essence is to create a management organization on the blockchain that cannot be interfered with by humans and directly realizes democracy through technology. Ethereum accounts that participate in crowdfunding and obtain DAO coins will have voting rights, which is similar to shareholders of traditional companies. Through transparent codes and voting without external interference, they can exercise their rights and make decisions on the operation of the organization. DAO launched the voting function in early June. Obviously, DAO is not a regular company. Its initiation, operation, and dispute resolution are all in a time and space that cannot be expressed by traditional laws. Regarding this point, Sun Ming, a lawyer at Shanghai Shize Law Firm (nicknamed "High-quality Blue Collar"), wrote a special article to analyze it. My understanding is not as profound as his, so I will not repeat it here.

Just a few days ago, an article titled "An Appeal for Temporarily Suspending DAO" was circulated in the community. The article mainly pointed out some possible loopholes in the rules of DAO from the perspective of system design. Of course, perhaps because the technology is too obscure and the system design is always exploring things that have not yet happened, which is a bit far from everyone's intuitive feelings, it did not alert the majority of people who are only pursuing wealth. Until this Friday afternoon, the technical loophole for redeeming Ethereum on DAO was seized by people with ulterior motives, causing the price of the currency to plummet. People realized that DAO still has a long and bumpy road to go before it can achieve perfect technological democracy.

I am a lawyer. Although I have more than ten years of self-taught programming experience, I am still learning about blockchain technology on a large scale, so I dare not make any rash remarks on technical and detailed issues. I just want to use the lessons of this DAO to remind the majority of lawyers to pay attention to the new things of the times. In my long article "The Legal World Being Changed by Bitcoin" published in the journal "Prosecution Technology and Informatization" in 2014, I pointed out several aspects related to blockchain that lawyers should pay attention to. Now two years have passed, and this list of blockchain-related issues that lawyers need to pay attention to is summarized as follows:

1. The majority of legal professionals should understand the basics of cryptocurrencies, otherwise you will not know what the parties are talking about in future cases. A legal professional who does not understand the basics may ask low-level questions such as "Isn't the blockchain immutable? How can the exchange run away?" and may make low-level mistakes such as sealing and seizing the private key of the client's wallet but still transferring the property to the client. Those scenes are as ridiculous as an unmarried judge hearing a marriage and family case.

2. Judicial appraisal institutions should study blockchain technology and establish blockchain evidence standards. Common popular science materials describe the blockchain as an unchangeable "distributed ledger for the entire network". If you understand the principle of blockchain, however, you will not generalize in this way. The security of blockchain is actually a kind of "probabilistic security" based on cryptographic algorithms. With asymmetric cryptographic algorithms, it is not that private keys cannot be derived from public keys, but that doing so is not worthwhile in limited time and at limited cost. A "51% attack" is also an expression of probability, not an absolute boundary between security and insecurity. Due to space limitations, I will not expand on this here. I just want to say that although "Proof of Existence" on the blockchain can form its own system and even claims to subvert the traditional notarization industry, at least for now, if someone puts information with evidentiary value on the blockchain (such as the hash value of a signed contract text), then when a dispute arises this information cannot automatically resolve the problem; it can only be presented to the court as one kind of evidence for the judge to weigh. At that point, is the information on the blockchain true? Is it possible that a party has exploited some technical loophole to forge blockchain information, or that the security of the blockchain itself is questionable? Answering these questions requires the appraisal agency to have a set of well-considered identification standards. Only in this way can the information on the blockchain truly become objective evidence, and not become a "weapon" to mislead the judge.

3. The lawyer community should devote some of their energy to "smart contracts". Today's law firms provide legal provisions in black and white, while in the future, law firms will also provide services on technical codes, which are the expressions of "smart contracts". A and B do not know each other and are thousands of miles apart, but they establish a sales contract through the Ethereum blockchain, just like Taobao now, where the buyer pays, the money is frozen, the seller ships, the goods arrive and the seller receives the money. The difference is that now Taobao, the entity company, acts as a credit intermediary as a third party, while in smart contracts on the blockchain, the blockchain network will act as a credit intermediary, and there will be no real third-party intervention, so here, there will be no need for (fragile) trust and authority. So, what should lawyers do at this time? Lawyers need to review the code of the smart contract written in the Ethereum programming language Solidity to see whether it complies with national laws, whether it is fair to both buyers and sellers, whether the relief channels are complete, etc. People often say that legal language is another language system. This trend will become more and more obvious in the future. With the maturity of blockchain technology, more and more companies will apply blockchain technology in an all-round way in order to reduce costs, improve efficiency and enhance security in their operations. In this way, the review of smart contracts will become a new industry.
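The buyer-pays, money-frozen, seller-ships, seller-is-paid flow described in item 3, written as a small Solidity contract of the kind a reviewer would be asked to read. This is an added example, not code from the article or from any deployed contract; the contract name, the function names and the shipping deadline are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: minimal escrow for the buyer/seller flow in item 3.
// All names (SaleEscrow, markShipped, confirmReceipt, reclaim) are hypothetical.
contract SaleEscrow {
    enum State { AwaitingPayment, Funded, Shipped, Closed }

    address payable public immutable buyer;
    address payable public immutable seller;
    uint256 public immutable price;
    uint256 public immutable shipWindow; // seconds the seller has to ship
    uint256 public fundedAt;
    State public state;

    constructor(address payable _seller, uint256 _price, uint256 _shipWindow) {
        buyer = payable(msg.sender);
        seller = _seller;
        price = _price;
        shipWindow = _shipWindow;
    }

    // Buyer pays; the ether is held ("frozen") by the contract itself.
    function pay() external payable {
        require(msg.sender == buyer && state == State.AwaitingPayment, "not allowed");
        require(msg.value == price, "wrong amount");
        fundedAt = block.timestamp;
        state = State.Funded;
    }

    // Seller declares shipment; nothing on-chain proves the goods really left.
    function markShipped() external {
        require(msg.sender == seller && state == State.Funded, "not allowed");
        state = State.Shipped;
    }

    // Goods arrived: buyer releases the money to the seller.
    function confirmReceipt() external {
        require(msg.sender == buyer && state == State.Shipped, "not allowed");
        state = State.Closed; // record the outcome before any ether moves
        (bool ok, ) = seller.call{value: price}("");
        require(ok, "transfer failed");
    }

    // Relief channel: buyer can reclaim if the seller never ships in time.
    function reclaim() external {
        require(msg.sender == buyer && state == State.Funded, "not allowed");
        require(block.timestamp > fundedAt + shipWindow, "too early");
        state = State.Closed;
        (bool ok, ) = buyer.call{value: price}("");
        require(ok, "refund failed");
    }
}
```

Read against the review questions in item 3, this contract gives the buyer a remedy but none once the state is `Shipped`: if the buyer never calls `confirmReceipt`, or the seller calls `markShipped` without shipping, the ether stays locked with no path out. Gaps of that kind in fairness and relief channels are what such a review has to find before deployment.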

As Lightning lamented in a WeChat group after the massive theft of DAO coins on Friday:

"Many of these DAO investors are blind, just like signing contracts without thinking when starting a business, and then being dumbfounded when the company's financial problems arise. Moreover, the DAO contract is even more cruel. Once deployed, it will run automatically all the time. Even if a loophole is found, it cannot be stopped. There is no room for maneuver. In the past, people suffered because they could not understand paper contracts, and now they suffer because they cannot understand digital contracts. Therefore, I predict that professional smart contract writers will definitely appear in the future. This is a new industry and a new opportunity."

Yes, I think there will be not only professional smart contract writers, but also professional smart contract reviewers ("smart contracts" and "digital contracts" refer to the same thing here), and these people will be none other than the lawyers of the new era. This indicates that the law firms of the future will be more like Internet companies... Don't you believe it? Anyway, I, who understand information technology better than most legal professionals, do believe it!

