It turn’s out I was right about The DAO being Dead on Arrival . Today a bug in the so-called smart contract enabled an attacker to drain The DAO of millions of dollars worth of ETH. The fallout of this attack will be long lasting. In the best of all possible outcomes, the ETH will be returned and the DAO will be shutdown. In the worst case investors in the DAO will lose tens of millions of dollars.
Smart Contracts are Dumb
The problem with Smart Contracts is that they are actually incredibly dumb. They possess no intelligence at all. Unlike normal contracts which can be interpreted by smart people, smart contracts are interpreted by computers. Computers are dumb. They can only do what they are told.
When a lawyer drafts a traditional contract, she attempts to capture the meeting of the minds. This means there is a common understanding on the intent and purpose of the contract.
When people use Smart Contracts the intent is to replace faulty legal contracts, which might not be enforced as intended, with unambiguous code contracts which are guaranteed to be executed as coded.
Meeting of Mind and Machine
The problem with Smart Contracts is that they assume there is an accurate agreement between the people who use the contract and the machine which will execute the contract. In the case of The DAO, the authors and reviewers were unable to detect that the computer had a different understanding than they did.
Even the best coders are often surprised by unintended side effects of the code they write. Any sufficiently complex (aka smart) piece of software is bound to have bugs. This means that putting your money in the hands of a new smart contract can be just as risky as leaving your money any place else.
Implications for Smart Contract Design
If we are going to move into a world of smart contracts , then we need to make sure our smart contracts are smart enough to recognize and accommodate their own fallibility. This means every non-trivial smart contract needs a governance model that allows people to be the final judge and/or enforcers of the contract.
When someone writes a smart contract, they must first document the intent in terms that the human parties to the contract can clearly understand. Any deviation from the stated intent is a bug and the parties involved need the ability to rectify it.
This means every smart contract must be built on top of a sophisticated foundation smart contract that implements a governance model advanced enough to reliably upgrade the contract to express its desired outcome.
Separation Interface from Implementation
Experienced software developers know the importance of separating the interface from the implementation . This allows a program to do the same thing in two different ways. More importantly, it allows complex systems to be built on modular parts. The parts provide an interface that everyone else expects to (and depends on) behave in a particular manner.
Any deviation from the intended behavior is considered a bug in the implementation of the interface, not the interface itself. Having multiple independent implementations of the same interface provides a degree of redundancy that makes it unlikely that both implementations will suffer the same bugs. The more independent implementations that agree, the less likely there is a bug in the result.
User Actions are Abstract Inputs
User actions are signed messages that serve as the inputs to smart contracts. The purpose of a blockchain should be limited to establishing the order of messages. The outcome of a smart contract needs to be an independent interpretation of these messages. If there is a bug in the contract, then the messages should be re-interpreted as the people involved originally intended.
Side Chains are Superior
A side chain is nothing more than a smart contract with a proper governance model. One or more people are selected to evaluate inputs to the contract and generate signed messages that cause the desired effect within other chains .
If The DAO were a Side-chain, then the DAO token holders would elect curators who would interpret the rules of The DAO and then sign messages to initiate payments to the desired contractors . If a bug were found in the implementation of The DAO’s interface , then the curators could update their code.
Assuming the rules of The DAO Sidechain allowed ample time to review the outputs for potential bugs, then everyone could rest assured that no money would escape without adhering to the intent of the DAO.
Reliance on Humans
Many people are loath to rely on humans as the final arbiter of smart contract interpretation. More still are skeptical of systems that depend upon voting.
The reality is that you either rely upon human coders and code reviewers to be infallible in implementing and interpreting the intended interface , or you rely upon a panel of human judges to determine if the code is behaving as intended and to change the code after the fact if an unexpected bug in the implementation is discovered.
While it is possible to trust most people to do the right thing most of the time, it is impossible for the most trustworthy coder to certify that their code will always do the right thing. The logical conclusion is that it is better to trust someone with the power to change the code than it is to trust the code to be perfect.
Smart Contracts with Human Backup
The combination of smart contracts with human governance gives us the strengths of both. The very existence of a smart contact and well documented interface means that human judges have a much more objective job.
Contracts written in legalese are often ambiguous and/or self contradictory. The process of writing a smart contract involves a level of clarity that leaves little room for subjective reinterpretation. Humans merely have to judge whether the output matches the specification and intended meaning of the code. Resolving the dispute means approving a new implementation of an existing interface.
The Future is Standardized Contracts
The risks involved with writing new smart contracts are huge. Only the most heavily used and tested contracts can be trusted for any mission critical business operations. The longer a contract is used, the less likely it is to contain undiscovered bugs.
This means the cost of developing and deploying new smart contracts will be incredibly high. Platforms like Ethereum have attempted to lower the barrier to entry by eliminating many common bugs, but no one has invented a programming language capable of doing what we mean instead of what we say.
Anyone serious about implementing smart contracts on Ethereum will need to design their contracts on top of rock-solid governance systems that give people the power to correct bugs in the code. This in turn means giving people the power to steal the funds held by the contract if they collude to intentionally change the contract.
By the time you make a complex Ethereum contract robust against human programing errors you end up with the trust profile of a Sidechain . Sidechains are more flexible and scalable than having every computation performed by a single blockchain.
Due the the nature of Etheruem and the implementation of The DAO , the intent of the contract is ultimately being left to human judges which will decide if and how to hard fork Ethereum to correct a bug in a specific contract.
The principle is clear, despite all of the hype around “objective” and “decentralized” platforms, Ethereum and other platforms are governed by a small group of people whose job it is to enforce the intent . It is time we stopped pretending these platforms are trust free, and instead recognize that we will always end up trusting someone with the power to fix bugs. The power to fix bugs is the power to destroy.
New smart contracts are like new companies, they cannot be fully trusted. Old smart contracts are like large, well-established companies: people implicitly trust them with their money. It is time we started acting accordingly.