Dino Mark, Vlad Zamfir, and Emin Gün Sirer asked DAO Token holders to abstain from voting on any proposals until several security flaws in The DAO contract code are solved. The trio released a paper detailing all the attack vectors, along with an extensive blog post.
A Group of Researchers Calls For a Temporary Moratorium On DAO Proposals
The DAO crowdsale officially ended yesterday, with more than 12 Million ETH locked in the contract, so it’s only natural for the public to be concerned about the safety of their funds. The researchers Dino Mark, Vlad Zamfir, and Emin Gün Sirer released a paper detailing all the attack vectors they were able to find.
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network servers, in this case, it refers to the route a malicious entity could pursue in attacking the DAO smart contract or the DAO token holders themselves. In a blog post, the trio of researchers stated:
We have identified seven causes for concern that can cause DAO participants to engage in strategic behaviors. Some of these behaviors can cause honest DAO investors to have their investments hijacked or committed to proposals against their interest and intent.
The paper describes a wide variety of attacks, one of them is The Affirmative Bias, and the Disincentive to Vote No, in its current state, the DAO smart contract forbids a user to initiate a DAO split (to withdraw the ether) once they vote on a proposal, having to wait until that period is over. A user who negatively perceives a proposal can decide to inmediatly split from the DAO at no risk, or else they can vote NO.
Preferences of the positive voters will be visible early on, but the negative sentiment will be suppressed during the voting process — a problematic outcome for a crowd-funding organization based on measuring the sentiment of the crowd through votes
Another of the vulnerabilities described by the researches and the community is the one denominated The Stalking Attack, in this scenario, a malicious actor could stalk a user wanting to split from the DAO, preventing them to withdraw their funds through a series of votings in the victim’s split proposals. This vector is very costly for the attacker because he needs to monitor their victim 24 hours a day, additionally, the attacker has the potential to lose all their funds to the victim.
The paper was endorsed by Vitalik Buterin himself, Alex Van de Sande, another member of the curator team said:
I do not support a curator-led moratorium because I don’t believe our job is to lead but to follow the token holders. If you are a token holder, please start a self proposal tomorrow asking about the moratorium or vote in one if it’s there. Whatever the token holders decide, I will support.
Slock.it decided to go against this decisition by issuing a new security proposal to the DAO to fix its vulneralibities at no cost, and deploying a full-time security expert for 1 year to help mitigate further risks, the proposal has a cost of 8,000 ETH, and was succesfully validated by the curators, who are now deciding wheter to whitelist it or no. Stephan Tual, co-founder of Slock.it said:
This Proposal addresses all current governance issues (and yes, this includes the much talked about ‘Vlad attacks’), it also includes extensive testing, all of which will be delivered at no cost.
DAO token holders will have to decide wheter to abstein from voting on any proposals, or to vote on the one presented by Slock.it, alternatevely, they can activate the split function to recover their ether. The Merkle recommends to all our readers to excert caution, and to keep tabs on any develpments that may occur.
Apple users can now download the app of The Merkle in the App Store!
If you liked this article follow us on twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.