How do I submit a proposal to the DAO?

Hi everyone, my name is Colm, I am a security expert at Slock.it, working on analyzing and testing smart contracts. My task is to review contracts for the community and maintain the whitelist of DAOs.

Colm Herbert

Since I published the Bytecode Verification post, The DAO has been very successful, so it has become a clear target for attack. We must remain vigilant as fraudulent attacks on our DAO continue to increase. The first line of defense against these attacks is, guess what? Whitelisting.

The DAO will not send ETH to addresses that are not on the DAO whitelist. The task of the Curator is to manage this list. The Curator is not here to measure the financial merits or morality of a proposal, but to ensure that the proposed smart contract can operate as described and to determine whether it is safe to add it to the whitelist.

Many people want to be whitelisted so they can submit their own proposals, but as a community we need to have a pipeline for adding proposals so we can verify the bytecode of these addresses and avoid attacks.

The security of a DAO is crucial to the success or failure of the DAO.

I think Curators should be cautious, at least in the first few months, and should not allow proposals to be whitelisted if they do not meet the following conditions:

  1. Simple wallet or account addresses should be prohibited; the address should be a contract address.

  2. The proposal contract can only accept payment from the DAO once, and the amount is fixed.

  3. The remaining ETH in the proposal contract should be allowed to be recovered by the DAO. In other words, the DAO should be able to fire the contractor and recover the funds transferred out through the smart contract.
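To make conditions 2 and 3 concrete, here is a minimal contract that enforces them on-chain. It is an added illustration, not the SampleOffer.sol code or anything from the original post; the contract name, function names and variables are hypothetical, and it assumes a current Solidity 0.8 compiler.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names here are hypothetical, not taken from SampleOffer.sol.
contract FixedOffer {
    address public immutable dao;                 // only address allowed to pay or recover
    address payable public immutable contractor;  // only address allowed to draw funds
    uint256 public immutable fixedAmount;         // the single payment size, set at deployment
    bool public funded;                           // true once the one payment has arrived
    bool public terminated;                       // true once the DAO has fired the contractor

    constructor(address _dao, address payable _contractor, uint256 _fixedAmount) {
        require(_dao != address(0) && _contractor != address(0), "zero address");
        dao = _dao;
        contractor = _contractor;
        fixedAmount = _fixedAmount;
    }

    modifier onlyDao() {
        require(msg.sender == dao, "caller is not the DAO");
        _;
    }

    // Condition 2: one payment, from the DAO only, of exactly the fixed amount.
    // There is no receive() or fallback(), so plain transfers to this contract revert.
    function fund() external payable onlyDao {
        require(!funded, "already funded");
        require(msg.value == fixedAmount, "amount must equal fixedAmount");
        funded = true;
    }

    // The contractor draws down the balance while the offer is still active.
    function withdraw(uint256 amount) external {
        require(msg.sender == contractor, "caller is not the contractor");
        require(!terminated, "offer terminated");
        (bool ok, ) = contractor.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Condition 3: the DAO can end the engagement and pull back whatever is left.
    function recoverFunds() external onlyDao {
        terminated = true; // state change before the external call
        (bool ok, ) = payable(dao).call{value: address(this).balance}("");
        require(ok, "refund failed");
    }
}
```

Because the payer, the recipient and the amount are fixed at deployment, a reviewer can read all three from the deployed contract and check them against the proposal text.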

How to submit your proposal to the DAO?

Step 1: Write your smart contract

Please refer to this example (github.com/slockit/DAO/blob/master/SampleOffer.sol), which is a proposal that meets the above requirements. The code has been repeatedly tested and is safe. You can use it once you have defined your own parameters.

Step 2: Submit a post on DAOhub.org

Once you are sure that your contract fully meets the above requirements, you can submit a post on the DAOhub.org forum (forum.daohub.org/c/theDAO/verification). In your post, please include the configured smart contract address, source code link, compilation structure, data, time, and a Google Hangouts link (preferred) for identity confirmation. There should also be a link to the details of your proposal.

You might be wondering why we are using Google Hangouts. It is important to confirm the identity of the contractors who are making a proposal. We don’t want someone pretending to be Andreas Antonopoulos from IBM. To prevent this, all the multi-signature key holders for this contract have to join a Google Hangout and read their addresses out loud. This is automatically recorded as a YouTube video.

Pictures alone are not enough, because there is Photoshop. But it is difficult to fake a video, especially when a person is interacting with other parties in real time. In this interaction, you may be asked to sign an address you control.

Step 3: Community Evaluation

Your post on the forum will be verified by the community, the bytecode will be matched against the source code, and the contract will be analyzed. In any case, the final decision is made by the Curator.

The community verifies your contract, including the matching of the bytecode, and confirms that it will not attack the DAO. This is a process that everyone can participate in. If you want to join in the fun, please join the DAOhub forum (https://forum.daohub.org/c/theDAO/verification) or the DAO Slack chat room (http://thedao.slock.it:3000/).

Step 4: The Curator receives a report

The community publishes a monthly report on all proposals. This report is published on DAOhub.org on the 7th of each month. This ensures that there is enough time for the community to review your proposal before the deadline. Remember that more complex contracts will take longer.

Of course, we cannot let safety concerns get in the way of innovation. These high-level guidelines will improve over time. Good luck to you and your proposal!

About the author: Colm Herbert is a security engineer at Slock.it. He holds a Bachelor of Engineering from Maynooth University and a Master of Science from University College Dublin. He has worked for Intel Application Security and a payment company. He is a long-term member of the DAO and has been involved in the development of the DAO 1.0 framework since January.

