IS IT theft if no rules are broken? That is what users of the DAO, a futuristic investment fund, were left pondering after June 17th, when an unknown attacker made off with around 3.6m “ether”, an online currency similar to bitcoin. As cyber-heists go, it was a big one: the ether were worth about $55m at the time of the attack, about a third of the DAO’s assets. But the DAO, which stands for Decentralised Anonymous Organisation, does not have rules as such, or staff to enforce them: instead, it has computer code, which is supposed to embody its purpose and to operate automatically. If the attacker found a flaw in the code, whose fault is that? Indeed, some cyber-libertarians are arguing that whereas the heist was not a crime, altering digital ledgers to retrieve the lost ether would be an affront to the whole project.
Like bitcoin, ether relies on a “blockchain”—a public ledger, distributed among lots of the system’s users, which records all transactions. Bitcoin’s blockchain handles mainly financial transactions, but ether’s can run computer code, including self-executing “smart contracts”, like those underpinning the DAO.
The DAO is controlled by the votes of its members (anyone who has transferred ether to it) and by “the steadfast iron will of immutable code”, with transactions occurring automatically once enough members have voted for them. Those seeking investment set up a similar contract that pays out under fixed conditions. The DAO carries a disclaimer on its website explaining that its description of all this is only a summary of the underlying code, which is the real rulebook.
And that is where the problem lies. The attacker was able to siphon the money by exploiting a glitch in the code that caused it to process the same transaction many times. Writing bug-free code is […]
