First of all, I'm not even sure that this qualifies as a hack. To label something as a hack or a bug or unwanted behavior, we need to have a specification of the wanted behavior.
We had no such specification for The DAO. There is no independent specification for what The DAO is supposed to implement. Heck, there are hardly any comments in The DAO code that document what the developers may have been thinking at the time they wrote the code.
The "code was its own documentation," as people say. It was its own fine print. The hacker read the fine print better than most, better than the developers themselves.
Had the attacker lost money by mistake, I am sure the devs would have had no difficulty appropriating his funds and saying "this is what happens in the brave new world of programmatic money flows." When he instead emptied out coins from The DAO, the only consistent response is to call it a job well done."
Note that this is just a repost, by Mircea Popescu - very controversial bitcoiner.
He famously wrote "The woman's job is to find a great man (not good, by the way), suck his cock, wash his socks and write his eulogy." and other articles, glorifying rape and tying it back to Bitcoin.
edit: oh here it is
> The available strategies open before you are quite the same as the raped woman has historically encountered: either learn to love your rapist and make him an excellent wife - or else die, beaten black and blue.
> You are the raped woman. Get used to it, because this Bitcock ain't gonna suck itself.
What a lovely libertarian
edit2: but he finances OpenBSD. So he can't be all bad.
I disagree with the view that somebody that advocates wife beating and rape should be considered a not-all-bad part of the community because "he finances OpenBSD".
As unlikely as it may be (I believe real lawyers will quickly come along and tell us how unlikely), we may actually be seeing $ATTACKER legally assert his claim to the money, and the whole thing "come through", so to speak.
Edit: The author seems like a very, very disturbing individual. Does anyone on HN have a bit of a back story on this person?
What happens when a judge interprets the spirit of the T&C and not the letter? Is that something that a judge has the right to do?
I understand that this would most likely kill "smart contracts" (since they can just be overridden by existing legal systems...), but wouldn't it be a possible path to reclaiming the assets?
> this would most likely kill "smart contracts" (since they can just be overridden by existing legal systems...)
I wasn't sure how this was supposed to work. If the success of smart contracts requires them to be independent from the law... that just isn't going to happen. But in theory, they still might make sense as a low-cost, automated way of doing business, for the majority of cases where transactions go more or less as planned?
(I am an ethereum-skeptic trying to keep an open mind, btw)
Indeed - what happens when the contract itself states explicitly that there is NO intent above and beyond the code?
Contract law exists above and beyond what the DAO t&c states - and it varies from country to country.
In Australia for instance - the high court apparently keeps changing its mind about whether or not ambiguity in a contract is needed before context and intent can be considered. Earlier on they strictly claimed that ambiguity must be present, later decisions seemed to imply that there didn't need to be any ambiguity in the text of a contract for the court to consider the context surrounding the creation of the contract.
So who knows - under Australian law what the outcome would be - the DAO folk could try to argue that even though the t&c effectively waives any possibility of ambiguity, still their intent, and the context of what they were trying to achieve with the DAO should be taken into consideration. But this won't be of use if the high court remains strict about requiring ambiguity.
I think they have to hard fork. Because if they don't - they may find themselves fighting lawsuits in multiple jurisdictions - with the aggrieved parties claiming their own personal contractual intent was violated. If they do - it's only one law suit they will have to fight at most.
I feel like I'm the only one that is out of the loop on this DAO hack:
Could someone provide some context? Who is the author? Is he the attacker? What does the Keccak hash prove? Does Ethereum even use Keccak? Or is this just some troll posting?
I don't understand the gnashing of teeth around solving this with a soft fork then hard fork. Is that not just as built into the overall system as any flaw is built into a smart contract?
The code decides. But the community decides on the code.
Imagine a hypothetical anonymous coin that completely won over the narcotics trade. It achieved all its goals such that no government could trace it or freeze assets. But one day a supplier accrued a huge mass of coins by selling rat poison. Why shouldn't even fervent believers in the system ignore protests of "tyranny! the Fed!" if the overall narcocoin community forked his coins to worthlessness?
This is not an argument that will win in court, the actions are not equitable. And, it is probably still criminal even if you win your civil suit. It's all just posturing in my opinion, someone made their money shorting ether and is just messing around right now.
Let's say you are playing a game and at one point you win several million virtual coins out of that game.
The creators of the game claim that you have used a cheat and you respectfully give them back a reference that states : "cheats are allowed, because the game is bug free anyway".
The virtual coins you won at that game have actually zero value in the real world, only in some virtual communities where people seem to trade them.
If let's say the jurisdiction of that case is in Switzerland ( where the company game-creator is based ) and a judge should make a decision ...
You are telling me, that under any circumstances, being absolutely sure the judge will say that this is a crime and that this was a "cheat" so you should return back all the virtual coins? Not so sure.
There was a similar case a few years ago, where a guy made off with hundreds of thousands of dollars by exploiting a bug in a video poker machine. The casinos sued him, claiming the money was fraudulently obtained. His lawyer claimed he had won by entering a combination of buttons that he was legally entitled to enter and so there was no fraud. The court agreed and the guy won his court case.
Here, whether a court decides that his ether coins were fraudulently obtained is going to depend on how the court interprets the contract in question. These ethereum contracts are supposed to be fully integrated (meaning all of the contract terms are contained therein and no outside terms can be introduced). Since the attacker's actions were explicitly authorized by the contract (since the contract is the code), then it's entirely possible a court will find that it wasn't fraud. The really key question is whether the contract is integrated, which is basically the central contract law concept behind ether in the first place.
However, I suspect a court would not be friendly toward the idea of eliminating dispute resolution. Especially an American court. It militates against many of the core common law and constitutional principles of American jurisprudence.
I expect that a court will rule that the contract is void because of unilateral mistake. When one party misunderstands the terms of a contract, and the other party is aware of this and exploits it, the court will generally grant rescission (cancelling the contract and putting the parties back in the position they were before the contract, e.g. by transferring the ether coins back to their former owners) or reformation (rewriting the contract terms to reflect what the mistaken party thought they were).
One can argue that the point of ether is to eliminate mistake and similar doctrines that account for human fallibility, but the court will probably say that you can't contract away a doctrine about contract formation itself. Anyway, it would be a super interesting law suit, and definitely would challenge many of ether's most important legal implications.
We don't know what a judge will say, of course, or in what jurisdiction.
But, look up equitable fraud if you'd like to understand the law a bit.
Two parties can't usually contract around the rights of a third. In this case, many are harmed. Judges apply the law with the aims of justice in mind.
And, that's just civil -- e.g. Does the thief owe money back plus harm damages? The criminal tests here seem really easy to meet to my mind. This is the sort of case every aggressive prosecutor who wants to make a name would love: Assholes vs Grandmas, and assholes who have publicly stated they did it already.
I would think theDAO itself will be sued in short order, regardless of outcome. If the thief really wants to make money, maybe they should escrow the funds and sue theDAO for damages.
This actually has happened at both online and real casinos. In general, if the player intended to exploit an issue they knew about they have to return the money, if they randomly benefited they do not.
Not again .. Y Combinator was super helpful when I got goxxed and now it's back to the same epic fail thread. Let's see what happens after brexit election.
IANAL but I expect that anyone admitting to this will find themselves in jail very quickly, at least in the US. The legal system isn't fond of $50 million cons based on one paragraph of legalese.
An important question for the future is to what extent the legal system will let people opt out of using it to adjudicate particular disputes. Historically that's been difficult or impossible outside of limited contexts, like mandatory arbitration, although courts have also been fairly OK with venue restrictions.
But a related question here (which there was already a 600-post HN thread discussing) is whether people who intend to opt out of court adjudication of disputes are willing to stand by that intent when something bad happens to them.
Is it a con, though? I don't know much about DAO but everything I've read recently suggests that this situation, at the very least, is a lot more nuanced.
It is clearly theft and whatever legal mumbo jumbo he provides doesn't change that. I'd personally say the claims that this is somehow legal are the con, but I agree it's not entirely clear.
It's hard to justify a statement like "it's clearly theft" given the amount of time and money and legal resource that was used in the Google/Oracle case about the use of an API.
If a valid contract was entered and accepted, where is the clear theft?
Supposedly DAO has the ability to cancel the transaction anyway. Failing to cancel will be additional de facto evidence of the validity of the contract.
At least in my country contract law is regulated by regular laws, especially contracts between consumers and corporations. There are definitely limits to what rights you can sign away and some of these are based on more general, open-for-interpretation definitions, using terms like "reasonable", "expectable" and the concept of "bonus pater familias" ("good family man", apparently referred to as the Man on the Clapham Omnibus in the UK), i.e., what would a regular, reasonable, moderately educated person expect. I don't know about America, but I would assume there are somewhat similar protections, at least for consumers.
Honestly, I'm almost in favour of letting the attacker keep the money to hold some of these foxhole converts to their own ideology. But I am quite sure that at least here, a contract which purports to be about proportionate sharing of a mutual pool of money but happens to contain a loophole that allows one person to run away with the pool would be void, and exploiting the flaw regarded in the same way as exploiting any other code flaw to obtain unauthorized access to a computer system - hacking.
Of course, my country's legal system has often proven itself incapable of understanding how computers work, so who knows what they'd conclude, but I can't imagine that it is as clear cut as some suggest.
You're begging the question here. He's trying to use spurious legal claims to prevent cancelling the transaction. His success at that can't make his legal claims valid.
I have read the article, and the terms are very clear (assuming the article is accurate): the code specified the actual intent and all other claims are void.
Sounds to me like he loves the idea of Ethereum, which is shoddily written contracts that automatically enforce themselves and are capable of paying out large amounts of virtual currency to clever people.
He just hates the community saying "We were just kidding about the self-enforcing part".
(Disclaimer: I do not actually approve of Ethereum, nor the author's views, but they have momentarily conspired to make interesting and entertaining things happen.)
http://hackingdistributed.com/2016/06/17/thoughts-on-the-dao...
"What's a Hack When You Don't Have a Spec?"