D’oh!

One of the recent triumphs of the cryptocurrency crowd was the arrival of the DAO, or Decentralized Autonomous Organization, headed by Vitalik Buterin, a well-known programmer in the cryptocurrency world. The DAO was rooted in Ethereum, a newer cryptocurrency that has generated a significant amount of buzz for representing the “next generation,” aiming to supplant bitcoin as the most useful and used cryptocurrency. The recent DAO attack throws those lofty aims into questions, with lead developer Vitalik Buterin facing difficult questions about the project.

The attack was simple. A withdrawal mechanism allowed the attacker to make repeated unverified withdrawals after making a single, verified withdrawal. This vulnerability existed because the withdrawal mechanism didn’t separate transactions or validate each additional transaction, a seemingly obvious error. You can find a more technically complete explanation of the attack vector here, and information on when the vulnerability was found here.

Not only do these events demonstrate the extreme caution that believers should approach cryptocurrency projects with, but puts a lie to the claim that the DAO is truly autonomous. Under the leadership of Vitalik Buterin, several roll-back options are being explored. If a blockchain or smart contract can be “rolled back,” what is the point of using either? The major attraction of these ledgers is that they’re immutable, unalterable; a guarantee. It appears that the ledgers can be altered if that is the will of Mr. Buterin and a few miners. Decentralized? Hardly. As a consumer, why risk payments over a network that can’t guarantee the only advantage it claimed to possess over current payment systems?

Users of the DAO are out around $70 million, a massive amount for a small community. One silver lining is that most of the dollar value was unrealized gains rather than true investment. The recent price increase of Ethereum means investors are losing money they thought they had, rather than money they knew they invested. It is very likely that the attackers won’t be able to cash out for anywhere near the reported value of their ill-gotten proceeds. Cryptocurrency markets are still relatively illiquid, with even the venerated bitcoin having trouble maintaining a robust order book outside of a few questionable Chinese exchanges. The potential for price slippage is unavoidable if the hacker tries to sell a significant portion of the loot, and navigating from Ethereum to the attackers preferred currency may be even more difficult.

However this saga ends, the damage is done to the DAO. User trust is surely gone from a project that believers were applying nearly religious appellations to. Sadly, this is yet another example of a small and passionate community experiencing a now meme-ified “Sorry for your loss” event. Disappointed anarcho-capitalists and libertarians will have to look for the next Big Thing in decentralization to give them the autonomy and freedom they claim to desire. Pragmatic users may decide to look elsewhere; the FDIC still insures bank accounts, right?

Logo via the DAO Wiki