His suggestion was to create a general “smart contract swapping mechanism” that gives users the ability to replace a smart contract that’s gone awry with another one, simply by voting on it.
A Few Issues
The general idea of leaving it up to the community to decide what to do with smart contracts that have gone awry, is very sound.
However, there are still a few kinks with the idea that need to be worked out:
- New Attacks. That anyone can call for a vote on a smart contract opens the entire system to an attack where votes are being called upon random contracts all the time. It would not be good for the system if people had to constantly monitor and defend their smart contracts from these sorts of attacks.
- Agreement Threshold. Choosing “majority” as the threshold to replace a contract is arbitrary and dangerous, and more importantly it does not constitute rough consensus. Quite the opposite, a vote of 51% vs 49% only indicates extreme disagreement within a community on an issue.
Modified Proposal: “Opt-In” Voting
We can address the above issues, and most (if not all) of the thorny issues (technical, ethical, and legal) surrounding The DAO, by modifying SrPeixinho’s proposal slightly:
We create an “official override smart contract” that is:
- Simple, safe
To prevent a repeat of The DAO situation, this smart contract should be as small as is necessary. It should be vetted by multiple experts, and that requires time.
To give appropriate time for auditing, Ethereum can buy itself as much time as it needs by releasing a soft-fork with a hard-coded time extension.
To prevent attacks on smart contracts, developers must choose to use this contract.
The contract itself does not even necessarily need to be stake-based. It can simply act as a custodial multi-sig override. A stake-based version can exist for groups consisting of arbitrary or very large voting pools.
Developers can choose the threshold that’s suitable for their purposes (51%, 75%, whatever).
According to Vitalik, the simplest way to opt-in to such a contract would be something like:
def overrideWithdraw(destination): if msg.sender == VOTING_CONTRACT: send(self.balance, destination)
How Does This Help The DAO?
First, let’s recognize the three primary conflicting issues with “The DAO Situation”:
- The DAO’s own Terms & Conditions specified that users who
donatedinvested in it were agreeing to be bounded by the behavior of its code, and nothing else. Well, someone found a bug in that code and took advantage of it, making off with millions of dollars worth of Ether.
- The loss, however, is so huge that it threatens to harm the entire Ethereum ecosystem. This is against everyone’s interests, even the attacker’s (whose $ETH may not be worth much in the worst case scenario), and is clearly against the interests of those who participated in The DAO.
- This situation is fixable through a Soft Fork (Hard Fork appears to not be necessary), however no single entity, neither the Ethereum Foundation nor the developers of individual clients, can unilaterally jump in and “rescue” everyone without consensus, because such an action would be a clear sign that Ethereum is centralized at the developer level. That would also be bad for everyone involved, as it would open these individuals and groups to legal action or future coercion, and that would harm Ethereum as a whole.
Had The DAO had a vote-based “override smart contract” as a backup plan, we would not have found ourselves in this situation.
However, virtually no one is writing smart contracts correctly today. This entire experience is simply a learning experience for the Ethereum community.
If we take the perspective of humility, then it is still possible to both rescue The DAO and stay true to the spirit of the original vision of Ethereum.
We can do that if the community and the creators of The DAO agree to say:
“Just this *one time*—pinky-swear—we’ll patch history and make it look like The DAO chose to ‘opt-in’ to this vote-based override smart contract.”
Then the community can vote on what to do. Options include:
- Restoring the funds to their original owners
- Burning the funds
- Leaving the funds with “the attacker”
- Donating them to some charity or non-profit of choice
To the rest of the world, regardless of what decision is made, it will be clear that this was a collective, decentralized decision, made by the Ethereum community.
See also comments on r/ethereum.