The Ethereum project continues to give a public tutorial in how not to do secure network software.
Ethereum is built on concepts pioneered by Bitcoin, adding on an additional layer to implement executable contracts (which are usually mis-termed “smart contracts”). This is pretty much uncharted territory, though fundamental computer science teaches us that a Turing-complete programming language is going to be vulnerable to all kinds of mischief.
Ethereum deals with the main forms of mischief by throttling the Turing machine (so it is technically a modified TM), running in a restricted virtual machine and using a tax (called “steam”) on each operation. The idea of the charging is that troublemakers will be deterred by having a toll booth. “Please insert 25 cents to continue running.”
As a philosophical aside, I note that this approach moves the question of whether Ethereum is vulnerable to the question, “is this (complicated) virtual machine with its coin slot vulnerable?”
Rushing to market, Ethereum went into production with more confidence than hard testing. Then a group decided to go one bridge farther, to create a full blown Decentralized Autonomous Organization on top of Ethereum. Lots of people have been talking about DAOs, imagining that they are solutions to all that ails us. Much of the enthusiasm apparently stems from the “logical” syllogism:
- Organizations (states, companies, banks) cannot be trusted
- Organizations are operated by people
- DAOs operate robotically, i.e., without people
- Therefore, DAOs can be trusted
Another philosophical aside: DAOs operate by executing code. Code is created by people. To be fair, proponents of DAOs are mostly concerned that the powers that be simply don’t follow the rules, whatever they are. Robots at least will blindly follow the rules, whatever they are.
Responding to the DAO disaster, Ethereum developers hacked the code to rewrite history. This did not go as well as intended.
Another philosophical aside: the entire point of cryptocurrency in general and Ethereum in particular is that “insiders” should not be able to rewrite history. The forked Ethereum “solved” the DAO problem at the expense of the integrity of the fundamental concept of cryptocurrency.
Since that time, Ethereum has suffered a stream of attacks, likely motivated by the high-handed “fix”, as well as the extremely large number of ways you can mess with the system.
Last month, Ethereum did yet another rewrite, this time to fiddle with the pricing. Essentially, the postage was low enough that it failed to deter “spam”. In the crazy world of cryptocurrency, changing the postage rates requires a massive change to the software, and also requires that every post office in the world agree to the new rates.
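To make the “toll booth” and the repricing concrete, here is a toy metered interpreter, added as an illustration (it is not Ethereum’s code, and its opcodes, prices and per-operation work figures are constructed for the example). It shows the two things the text describes: a fixed budget halts an endless loop, and a single underpriced operation lets a spam loop buy far more node work per unit of fee than it does under a corrected price schedule.

```python
# Added illustration, not Ethereum's code: a toy metered interpreter in the
# spirit of the "toll booth" above. Every opcode costs gas from a fixed
# budget; when the budget is gone, execution halts. Opcodes, prices and
# work figures are constructed for this example, not a real fee schedule.

CHEAP_SCHEDULE = {"ADD": 1, "JUMP": 1, "LOAD": 1}       # LOAD badly underpriced
REPRICED_SCHEDULE = {"ADD": 1, "JUMP": 1, "LOAD": 200}  # LOAD now reflects its cost

# Constructed cost of each op to the node that executes it (arbitrary work units).
NODE_WORK = {"ADD": 1, "JUMP": 1, "LOAD": 200}


def run(program, gas_limit, schedule):
    """Execute `program` (a list of (opcode, arg) tuples) under a gas budget.

    Returns (reason, ops_executed, node_work_done); `reason` is "end" if the
    program ran to completion and "out_of_gas" if the toll booth stopped it.
    """
    pc, gas, ops, work = 0, gas_limit, 0, 0
    while pc < len(program):
        op, arg = program[pc]
        cost = schedule[op]
        if cost > gas:                 # cannot pay for the next op: halt
            return "out_of_gas", ops, work
        gas -= cost
        ops += 1
        work += NODE_WORK[op]
        pc = arg if op == "JUMP" else pc + 1   # JUMP's arg is the target pc
    return "end", ops, work


# A "spam" program: an endless loop that does nothing but the expensive op.
SPAM_LOOP = [("LOAD", None), ("JUMP", 0)]


def work_per_gas(schedule, gas_limit=10_000):
    """How much node work one budget buys for the spam loop under a schedule."""
    _, _, work = run(SPAM_LOOP, gas_limit, schedule)
    return work / gas_limit


if __name__ == "__main__":
    print("node work per unit of gas, cheap schedule:   ", work_per_gas(CHEAP_SCHEDULE))
    print("node work per unit of gas, repriced schedule:", work_per_gas(REPRICED_SCHEDULE))
```

The loop never finishes under either schedule, but with LOAD priced at 1 the same budget buys roughly a hundred times the node work it buys once LOAD is priced in line with what it actually costs.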
Anyway, this month it is clear that this fix did not solve all the problems. Further hacks are planned.
At this point, is there any reason to think Ethereum is better for all these changes?
It is pretty clear that Ethereum was never subjected to serious adversarial testing before it was released. Essentially, we are watching the grinding, grueling process that should have happened earlier, using the “live” system that people are putting real money into. Best case, this is not great engineering. (Worst case, this is professional malpractice bordering on negligence.)
I wonder just how solid the new “pricing” model actually is. It is abundantly clear that the new “fixes” have not been extensively tested.
Fundamentally, the notion that charging postage will deter misuse—if only we get the price schedule just right—seems pretty iffy to me. There are so many untested assumptions in that model that I can’t believe it can be proven correct or even reasonably safe.
So many bad ideas, so little time to blog about them….