A group of computer scientists released a paper on Friday describing a number of security vulnerabilities
From left, Simon and Christoph Jentzsch of the Decentralized Autonomous Organization.
Christoph Jentzsch wrote the basic code for the organization.
“Of course this venture is fraught with risks,” he said in an email earlier this month.
But he also predicted, “This technology represents the future of the Internet.”
A group of computer scientists released a paper on Friday describing a number of security vulnerabilities in a novel cryptocurrency crowdfunding project that has raised more than $100 million.
The authors of the paper argue that the money that has been put into the project, known as the Decentralized Autonomous Organization, could be frozen or stolen by attackers as a result of flaws in the way that the venture, known as the D.A.O., was set up. The money is all in a digital currency called Ether, which is a newer alternative to Bitcoin and exists entirely online.
The threats emerged on the eve of the organization’s move from fund-raising to operational mode, in which it will evaluate proposals to fund experimental digital projects.
The D.A.O. is a sort of venture capital fund that will pick investments based on direct voting from investors. The entire operation is computerized, with no humans in charge.
The authors of the new paper are calling for the D.A.O.’s investors to hold off on considering any potential investments until the vulnerabilities are fixed.
“The current implementation can enable attacks with severe consequences,” according to the paper, written by the computer scientists Dino Mark, Vlad Zamfir and Emin Gün Sirer.
Mr. Gün Sirer, an associate professor of computer science at Cornell University, has particular authority in the area because he previously was an author of a paper pointing out a serious vulnerability in the structure of Bitcoin, the most popular virtual currency.
Mr. Gün Sirer said in an email on Friday that his team had decided to release the paper on the D.A.O. this week so that investors “will not be subject to attacks when the fund-raising deadline is over.”
Mr. Gün Sirer said he sent the paper to the programmers who wrote the code underlying the D.A.O., and to some of the so-called curators on the project, who will help guide decisions in the venture. Christoph Jentzsch, who wrote the basic code, could not be reached for comment via email on Friday.
Mr. Zamfir, one of Mr. Gün Sirer’s co-authors, is one of the 10 curators. Another curator, Alex Van de Sande, a programmer in Brazil, said on Friday that the authors “really raise some interesting attack vectors.” He said he did not see the attacks as an imminent threat, but he was hoping that investors would vote to make the structure of the D.A.O. more secure, potentially by dividing it into several smaller funds.
The D.A.O. is built on Ethereum, a newer cryptocurrency network that was created to overcome some shortcomings in Bitcoin. The Ethereum system enables so-called smart contracts in which legal agreements can be written into computer code. It is those smart contracts that serve as the basis for decision making and investments within the Decentralized Autonomous Organization. The D.A.O. is motivated in large part by a broader desire to find more decentralized ways to make decisions and financial transactions, with fewer middlemen involved.
After the organization began raising funds from investors in April, the surprising level of interest led investors to buy Ether – the virtual currency in the Ethereum network – to invest in the D.A.O. That drove up the price of Ether, which in turn drove up the value of Ether invested in the organization. As of last weekend, the aggregate value of Ether that had been sent to the venture by investors around the world was more than $150 million.
More recently, several experts in the area have voiced concerns about the D.A.O., which has helped push down the price of Ether. On Friday, the value of the Ether in the D.A.O. was $131 million, even as the number of Ether invested had increased.
The new paper points to several ways that bad actors could exploit the voting process that investors in the D.A.O. will use to choose investments.
“At a fundamental level, these attacks all stem from unintended consequences of the mechanisms built into the D.A.O.” the paper says. “These problems can give rise to complex strategic behaviors, all resulting in a corruption of the intended, honest debate and voting process to select the most deserving proposals.”
By NATHANIEL POPPERMAY 27, 2016
http://www.nytimes.com/2016/05/28/business/dealbook/paper-points-up-flaws-in-venture-fund-based-on-virtual-money.html?_r=0