Simple Contracts are Better Contracts: What We Can Learn from the Meltdown of The DAO
$50 million were “stolen” from a project called “The DAO” and now the Ethereum community is deciding how to move forward and recover from the disaster. But each crisis presents a learning opportunity, so let’s take a deeper dive into the matter and see how we can do better.
First, though, here’s a primer on The DAO for those new to the subject.
The DAO is a digital pool of funds that is governed by code. Anyone can contribute funds to the pool to purchase voting power in it, and a quorum of shares is required to release funds to support select projects, just like with Kickstarter. This “group fund” was implemented on a digital currency platform called Ethereum and recently raised $150 million from hundreds to thousands of backers.
Crisis with The DAO
Last week, cryptocurrency security researchers identified vulnerabilities in both the code that governs The DAO and in the Ethereum code that The DAO operates on. This week, it was discovered that an attacker was exploiting the bugs in The DAO and managed to withdraw over $50 million worth of Ether from the fund.
Bailing out The DAO
In order to avert the disaster of a $50M loss, the Ethereum core developers have presented a proposal whereby the withdrawal would be reversed and the code of the contract would be replaced with a simple contract that would allow the original funders to recover their funds.
Issues with the Bailout
This may sound like a great outcome for the coin holders, but it presents several problems.
Here’s a gem from the comments of Hacker News by commenter “infodroid”:
Unlike traditional contracts, the idea was that smart contracts were going to eliminate the need for enforcement or dispute resolution. So that law is enshrined in code.
But this incident has set a precedent, at least within Ethereum, that the project leadership will intervene to enforce the spirit of a smart contract.
Giving Up On Code as Law
There are two problems here. First, when Ethereum allows forks to happen and override smart contract code, it’s giving up on “code as law” and allowing the spirit of code to trump it when the execution deviates from the spirit.
Casting Doubt on Decentralization
Second, this casts doubt on the true decentralization of the system and invites regulators and oppressive regimes to step up in the future and apply pressure to reverse history and/or change the rules of the system.
This is summed up by the idea that smart contracts are either “code as law” or else they are mere social contracts.
The Ethereum community found itself in a position where it had to step in and reverse the damage, thereby essentially making a small number of players the enforcers of the truth of all contracts.
Smart Contract Security
Smart Contracts are problematic in that they have a large attack surface and require extensive analysis. In theory, a smart contract could be considered secure after it has been battle tested and been modified and redesigned after an array of failures. But even then there may be critical bugs lying in wait.
Consider this comment on Hacker News by imglorp:
Lest you think, “we’ll just be careful, review and QA it”, consider the bug in the “Programming Pearls” binary search. Bentley was clearly an expert who had proven the algorithm correct and the algorithm had 20 years of careful study by thousands of professionals. Yet it had a simple overflow.
How do _you_ know your contract is secure?
It’s safe to say that creating bug free code is extremely hard and approaches a level of impossibility as the complexity of the code increases.
Further, it’s important to note that once a smart contract is implemented, it takes on a life of its own and the code cannot be changed unless it is created with a “master” or set of masters who can change the code.
That means you have to be 99.99% confident that your smart contract code is bug-free, or you have to give it a master and forego the property of the code being the final authority on the behavior.
A Secure Alternative to Smart Contracts
I personally don’t feel I’ll be 99.99% confident that a smart contract I write will be bug free. And if you’re mortal, I don’t feel confident placing this trust in you either.
That leads us to the conclusion that the spirit of smart contracts must be able to overrule the code. Contract spirit is the equivalent of a defined set of parties making judgement calls.
From this, we should adopt the following principles when writing blockchain contracts:
- Make the contract code as simple as possible. Complexity is the enemy of security.
- Allow the contract code to be upgraded by a majority of the parties involved. Static code is the enemy of security.
The simplest way to follow these principles is to have as little logic in our blockchain contracts as possible and do more complex operations off of the blockchain.
Considering the principles above, here’s an alternative model that will allow us to enjoy the power of smart contracts:
- Encode minimal logic on the blockchain. Only define the parties involved in the agreement and allow them to jointly hold assets and authorize transfers based on judgment.
- Create a code agreement that all parties run off of the chain. Create a communication channel where the parties can sign messages to vote and upgrade and distribute the code agreement as needed.
- Have the parties run code off of the chain. Parties may submit transfer requests and pass them around to the other parties. If a majority of parties run the code and get output that expresses approval of the transaction, then they jointly sign off on the transaction and it goes through.
This is a model that we at Blockstack refer to as Simple Contracts.
Simple Contracts implement social agreements in the simplest way possible — a quorum of keys is required to authorize actions.
Because these contracts are simpler than smart contracts, they have a smaller attack surface and can be considered much more secure.
Because these contracts have additional code that runs off the blockchain, simple contracts are just as powerful as smart contracts.
Because the bulk of the logic runs off of the chain, it can be expressed in any language and is not constrained by the capabilities of the chain scripting language.
Because very little logic is on the chain, the amount of space the contract takes up is small, so this model scales much better than the Smart Contract model.
Because a majority of the parties involved can upgrade the code running off of the chain, the system can respond well to and recover from security vulnerabilities discovered.
Smart Contracts are extremely powerful and they open up a world of possibilities, but they also present dangers and the security implications involved must be taken extremely seriously.
The security challenges presented by Smart Contracts are exactly why an alternative method should be considered — something we like to call Simple Contracts.
At Blockstack we believe in running as little as possible code on the blockchain, as we believe decentralized applications are more secure and scalable as a result.
Comments? Tweet me at @ryaneshea .