Obvious puns aside, the name Deja Vu Security should be familiar: it was their experts who completed the Ethereum codebase audit back in July 2015. To say the quality of their work is top notch is an understatement.
Their attention to detail was made apparent when they included in their report (which you can download here) the presence of a potential Integer Division Error Accumulation in the rewards code (line 601 for those paying attention). This is linked to the fact that Solidity doesn’t support floating point numbers (yet) — it can only deal in Integers, and integer division simply drops the fractional remainder. In short, it means that if the reward tokens were to exceed the DAO token by a factor of, say, 8,421,052 (that’s a number we just picked at random but… it’s a lot), then a potential rounding error of 52,631,578.9474 wei could take place when a DAO Token holder calls withdrawRewardFor() or getMyReward().
TL;DR — If 1 ETH was worth 1 billion dollars… then the DAO would shortchange its users by 5 cents when they retrieve their rewards. Should that time come (don’t hold your breath though!), we encourage DAOs to redistribute these 5 cents to charity. As you can see, no stone was left unturned during those five whole days of security analysis.
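To make the rounding effect concrete, here is an added Python model (not the DAO’s own code; the two reward formula shapes are assumptions) that uses `//` in place of Solidity’s truncating integer division and shows how the order of multiply and divide decides how many wei a holder loses and how many stay stranded in the reward pool:

```python
# Added model of integer-division rounding in a proportional reward payout.
# Python's `//` stands in for Solidity's truncating uint division; this is
# not the DAO's own code and both formula shapes below are assumptions.
from fractions import Fraction


def reward_mul_then_div(pool_wei: int, holder_tokens: int, total_tokens: int) -> int:
    """Share computed as (pool * tokens) / total: truncation loses under 1 wei."""
    return pool_wei * holder_tokens // total_tokens


def reward_div_then_mul(pool_wei: int, holder_tokens: int, total_tokens: int) -> int:
    """Share computed as (pool / total) * tokens: the per-token truncation is
    multiplied by the holder's token count, so the loss grows with holdings."""
    return (pool_wei // total_tokens) * holder_tokens


def wei_lost(paid_wei: int, pool_wei: int, holder_tokens: int, total_tokens: int) -> Fraction:
    """Exact wei the holder is shortchanged versus the real-number share."""
    return Fraction(pool_wei * holder_tokens, total_tokens) - paid_wei


def distribute(pool_wei: int, holdings: dict, formula=reward_mul_then_div) -> tuple:
    """Pay every holder with `formula`; return (payouts, wei stranded in the pool).
    A contract should keep the stranded wei in the reward account rather than
    count it as paid, so the remainder is only delayed, never destroyed."""
    total = sum(holdings.values())
    payouts = {h: formula(pool_wei, t, total) for h, t in holdings.items()}
    return payouts, pool_wei - sum(payouts.values())


if __name__ == "__main__":
    # Constructed sample: a 1 ETH reward pool and two holders of 2M and 1M tokens.
    pool = 10**18
    holdings = {"alice": 2_000_000, "bob": 1_000_000}
    for formula in (reward_mul_then_div, reward_div_then_mul):
        payouts, stranded = distribute(pool, holdings, formula)
        alice_loss = wei_lost(payouts["alice"], pool, holdings["alice"], 3_000_000)
        print(f"{formula.__name__}: {payouts} stranded={stranded} alice_loss={alice_loss}")
```

With the sample input the multiply-first formula strands 1 wei in total, while the divide-first formula strands 1,000,000 wei, which is the kind of accumulation the audit flags.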
This audit confirms our commitment to building a fully decentralized, 100% free and open source DAO framework for the world to enjoy. Over the last few months we have provided a Whitepaper and its complete source code, and in the coming weeks we’ll also make available the front-end code required to instantiate a fair, thoroughly tested DAO. Finally, we are planning to release, again under the same free, open source license, user-friendly tools to manage a DAO (participate in votes, split, retrieve rewards, etc.) when the ever excellent Ethereum Mist Browser adds support for custom GUIs.
We hope all the work we are doing will go a long way in providing a standard that’s very much needed, as the word ‘DAO’ is now thrown around daily to describe things that, well, aren’t DAOs at all. The good news is the Ethereum community is on the case and paying close attention.
So, how would you know if the DAO you’re looking into is using this framework or not? Easy peasy. Go to Etherscan, enter the contract address of the DAO you’re looking into, then paste the source code you were told forms its smart contract (note: it should also match the code we made available, bar a few parameters which you’ll have to check manually). Etherscan compiles the pasted source and compares the result with the bytecode actually deployed at that address, so a match means the contract really runs that code. If it’s a match, great; if not — beware. Note that you might have to repeat this step for each contract the DAO is formed of.
If you’d like to learn more about the generic DAO framework, or practice with peers, please join our Slack in the #art_of_dao channel where Griff Green runs a DAO school daily.