Obviously you're right, that's tautological! The "attacker" didn't do more than what the system allowed her to do.
People have expectations about what the DAO is and isn't. I'd guess that very few people bothered to read the source code of the contract, let alone look for vulnerabilities. So you have a group of people who have agreed on an informal contract (we pool money, votes are weighted by the sum I've put…) but it turns out that the implementation is not correct w.r.t. the informal specification. That's called a software bug, and abusing a bug to your own profit makes you an attacker in my book, just as much as using a Flash 0-day to drop a rootkit makes you an attacker.
People should have been more careful, but hey, I'm not sure I would have.
The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.
Doesn't it state that, by definition, the DAO contract is bug-free, so it cannot be exploited? This is exactly what separates the DAO case from the flash-0-day-rootkit case.
> The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.
Nice. So if the community ultimately succeeds in preventing the "attacker" from withdrawing his funds, which he acquired in perfect accordance with the DAO code, which is the entirety of the agreement, could he publicly bring suit for violation of contract?
I think he could, but he would be bringing a lawsuit against a decentralized community with no leader. Also, the community still has to accept the fork, if no one does (or very few), he keeps the money. At least that's how it works from my understanding.
It's not a bug by definition of what contracts are. A contract can't have a bug because the implementation IS the specification. That is the whole point of the system. Even the DAO website says so itself. The code itself has the ultimate say:
> Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation.
Nobody should have entered this contract if they disagree with the above. Yet now, suddenly most people who are a part of it seem to disagree with it!
What you call an informal contract could also be seen as an incorrect interpretation of a contract.
If you're not willing to call that simply an incorrect interpretation, you end up with two systems - software and people that push the blockchain forward - that interpret contracts differently. You also give precedence to the latter, which will lose the ability to effectively enforce its interpretation the more distributed the system becomes.
Ultimately you have to choose between having one true interpretation of contracts defined by software or being unable to enforce contracts as interpreted by a non-deterministic system.
Choose the latter and not only is there no advantage over real-world systems, it's worse at enforcement.
Totally agree. Which interpretation is correct is a decision for the Ethereum community to make (or whoever is in charge, I don't know much about the governance).
From the article:
> The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) […] preventing the ether from being withdrawn by the attacker […]. This will later be followed up by a hard fork which will give token holders the ability to recover their ether.