Cornell Professor Calls for 'DAO 2.0' Movement

Emin Gün Sirer already helped identify the bug that led to an expensive exploit of The DAO. Now he's helping ensure future DAOs are safe.

AccessTimeIconJun 22, 2016 at 7:46 p.m. UTC
Updated Mar 2, 2023 at 10:37 p.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

The Cornell computer scientist who helped identify vulnerabilities in The DAO revealed 10 new exploits in its code at an event in New York.

The statements from Emin Gün Sirer, a longstanding critic of the project, come amid broad concern over developments at The DAO, a smart contract-based funding vehicle built with ethereum that has effectively collapsed following an exploit of a vulnerability within its smart contract code.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • Sirer warned that, while the vulnerability that led to the removal of tens of millions of dollars worth of the cryptocurrency ether is now well-understood, much remains to be fixed before another DAO (decentralized autonomous organization) can be launched.

    The statements were the first to lay a clear path forward for how to build an organization run largely with code, and thus fulfill the original vision of The DAO.

    Sirer, who is the co-director of the Initiative for Cryptocurrencies and Contracts (IC3), an academic research project focused on the technology, used the forum to lay out a detailed account of possible exploits for such projects that go all the way down to the Ethereum coding language itself.

    Sirer went on to argue that the issues highlighted are relevant when looking at the question of creating similar projects in the future.

    He told the crowd:

    "The DAO 2.0 requires much, much more effort. It’s a much deeper field than people might think."

    Vulnerabilities detailed

    In the days leading up to the initial bug detection, Sirer and his colleagues published an overview of what they called a “recursive call” vulnerability that allowed the exploiter to move funds into a so-called “child DAO” that breaks off from the original DAO.

    Addressing a crowd of about 70 bitcoin coders, ethereum developers, computer scientists and financial professionals at last night's event, Sirer went into detail about other possible threats.

    For example, the “stalking” bug – which is currently being used to mount a counter-attack against a white-hat hack designed to move funds into a safe account – is an example of one of the vulnerabilities Sirer identified at last night’s event.

    The 10 vulnerabilities Sirer discussed in detail include a "concurrent proposal trap" whereby an attacker makes an arbitrary proposal such as 'Do you believe in God?' designed to entice a high degree of response, and include long voting period during which the token used to vote becomes trapped. Then, a competing proposal could be made by the attacker after the funds have been locked up.

    Another exploit, called a "majority takeover" attack, disguises a majority vote by a single party that might benefit from a successful proposal by splitting the voting power into smaller votes cast separately, for which he said there is no known defense.

    Some of the exploits discussed last night were published in detail in the earlier paper. A full list, along with an account of how The DAO functions, can be found here.

    "The whole point of smart contracts is to create exciting, weird financial instruments," Sirer told attendees, adding:

    "This is not exciting, it’s just weird."

    Tough love

    In the hours leading up to yesterday’s event, Sirer engaged in an Twitter debate in which he argued that the Ethereum community should ostracize founding members of Slock.it, a Germany-based startup that wrote The DAO code and spearheaded its deployment.

    At the event in New York, Sirer doubled-down on his call, naming founders Stephan Tual and Christoph Jentzsch, in particular.

    But while Sirer had some harsh words for Slock.it, he said the problems extend to ethereum itself. He called The DAO a "ginormous $220m bug bounty", a criticism that extended not only to DAOs, but to ethereum’s smart contracts coding language Solidity, which he said is a work in progress.

    Sirer told attendees:

    "We should redesign Solidity, we should rethink what it means to write secure state machines, how we should specify them and how we should make sure that they do not mess up."

    Image by Michael del Castillo for CoinDesk

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.