As a blockchain-based investment vehicle teeters, there are questions around security

There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles, and books touting blockchain-based ledgers as the next technology that will run the world.

In the middle of all this hype is a small fire that threatens to put some of those words to ash: The hijacking last month of around US$40 million worth of a cryptocurrency called ether — named after its blockchain platform Ethereum — from The DAO, a crowd-sourced investment vehicle that has so far raised over US$100 million in the digital currency. Instead, the DAO has become paralyzed and on the verge of collapse.

Briefly, on June 17 a hacker was able to create a second fund in the DAO, and, leveraging a vulnerability in the software-based smart contracts used to execute transactions, sent just over 3.64 million ether there. So far the attacker hasn’t been able to withdraw the funds, nor can the original investors get at them. In fact, in a bid to safeguard the remaining funds, the original investors moved their holdings to a separate fund, but the attacker was able to infiltrate that as well, setting off a complex cat-and-mouse game.

Which has put the investors in a quandary: Create a fork in the Ethereum blockchain, essentially re-writing the history of the supposedly unchangeable ledger – and not being able to change the ledger is the point of a blockchain – to erase the attack and accept a 30 per cent loss of their money, or close the DAO down and inves- tors lose everything.

“The DAO will definitely close down one way or another," says Cornell University computer science professor Emin Gun Sirer, who has written on distributed systems and cryptocurrencies and co-authored a paper on problems with the DAO.

He described the situation as “an on-going trainwreck."

“The DAO is a wake-up call for the whole (blockchain) community, saying that building smart contracts is a lot harder than it looks, and you need to worry about all kinds of issues … As a result I hope the community will be stronger, that we will see people pay more attention to how we get smart contracts right, and I hope that it will be a catalyst to getting to a better spot.”

It wasn’t supposed to be this way.

The DOA was created to fund projects through crowdsourcing, raising money using a blockchain platform cre- ated by Ethereum Switzerland GmbH and the non-profit Ethereum Foundation. According to its Website, the Etherum platform allows the running of applications like smart contracts “without any possibility of downtime, censorship, fraud or third party interference.”

The DAO investors, who buy tokens using the ether cryptocurrency, were supposed to form groups and vote on projects to fund. As the DAO’s Website says “its software operates autonomously and its by-laws are immuta- bly chiseled into the Ethereum blockchain ...The DAO is borne from immutable, unstoppable, and irrefutable computer code, operated entirely by its members.”

Project proposals are supposed to be written in plain English and backed by a software code in the form of a smart contract that defines the relationship between The DAO and the project contractors such as deliverables, responsibilities and operating parameters.

Something went wrong – and quickly, too: The DAO only started raising funds April 30. According to news reports the fund’s Ether value as of May 21 was more than US$150 million from more than 11,000 investors. That kind of money attracts attention from hackers.

But the DAO heist wasn’t the first for a blockchain-based entity. A number of Bitcoin exchanges have been raided, most notably Tokyo-based Mt. Gox, which closed in 2013 after the theft of some 650,000 bitcoin worth roughly US$344 million. In 2015 the Calgary-based CaVirtex exchange closed after discovering a database of two-factor authentication and hashed passwords might have been compromised. No customer funds were be- lieved to have been taken but the hit on its reputation was fatal.

Despite the reported thefts of bitcoin wallets and the breaches at some exchanges, there’s no shortage of organizations – so far primarily in the financial and insurance sectors – looking to leverage blockchains. For example, CIBC and Alberta’s ATB financial are among a number of global banks in Ripple, a network for set- tling international financial transactions. The Royal Bank and TD Bank are part of the R3 consortium looking at possibly exploiting its fledgling Corda distributed ledger for financial services.

Blockchain boosters

Microsoft launched a blockchain as a service (BaaS) offering on its Azure cloud last November, and last month announced “Project Bletchley,” a vision for an open, modular blockchain fabric for developers on Azure block- chain that includes middleware such as identity and operations management, and cryptlets, apps that enable secure interoperation and communication between Azure, ecosystem middleware and customer technologies. Meanwhile Amazon Web Services and the Digital Currency Group have created a BaaS for financial services firms.

IBM has a Blockchain Devops Service, and, along with other vendors, is betting on the Hyperledger Project, a Linux Foundation effort to create an open standard for distributed ledgers.

Which brings us back to the question of security. Experts we interviewed had two answers: Blockchains them- selves aren’t insecure; it’s what’s built on top of them. In the case of Bitcoin, digital wallets that hold the coin or the exchanges are the vulnerabilities. In the case of the DAO, the vulnerability was its smart contract.

The other answer is, anything made by a human is vulnerable.

Greg Wolfond, CEO of Toronto-based identity and authentication provider SecureKey, which is designing a blockchain-based identity management solution running on mobile devices said blockchain “is as secure as the applications you build on it ... You really have to think out the problem you’re going to solve and build a solution which is secure end to end. You can’t just say, ‘I have this technology so I’m secure.’”

As he understands it, the problems at the DAO were a flaw in rules in the smart contract that was exploited. “That one application wasn’t as well thought through as it should have, and people took advantage of a weak- ness.”

The solution his team is working on uses a blockchain to securely store personally identifiable data elements so it can’t be changed – a home address, for example -- without permission of the data owner and use of his/her private key. The solution would run on a smart phone, with the user able to call up selected and verified infor- mation – a health card number, proof of age of majority – without showing other personal information, such as a home address.

The DAO crisis won’t dampen interest in blockchain, he added. “Those who understand the technology know it’s a breach in an application that was built on top” of it. “People didn’t break blockchain.”

The blockchain in Bitcoin hasn’t been broken, points out David Decary-Hetu, assistant professor at the Uni- versity of Montreal’s school of criminology. It’s a “fairly bulletproof” technology if implemented correctly, he said. Developers just have to abide by standards and stick to what’s been proven, he added. “The blockchain is not a panacea for all our technical problems,” agrees Ryan Smith, chief technology officer at, San Francisco-based Chain Inc., which has built a blockchain specifically for organizations doing financial transactions. “We still need to apply the same type of design and engineering rigor into building smart con- tracts, into building these blockchain solutions. Even though the cryptography is really great and the distribut- ed database protocols are really good it doesn’t mean that we should throw any problem (at it) and have a good outcome.”

“When I look at the macro blockchain security issues I see problems of just trying to do too much too fast, and not focusing on what we know to be good software engineering principles.”

The DAO’s smart contract was one of the first of its kind, notes Brian Behlendorf, executive director of the Linux Foundation’s Hyperledger Project, aimed at creating open source tools or applications that can extend blockchains. In hindsight, he says the backers probably should have started with a limited release – say, capping each contract to $1 million.

But smart contracts are different from the usual way developers write software, he added. “We’ve had 10 years of agile software development drilled into our heads and getting a lot of benefit from that, where Facebook pushes updates to its Web site probably 50 times a day … but agile is pretty much at odds with smart contract, because it’s a smart contract. Once you and I agree to a contract, one of us doesn’t get to push updates to it – unless we both agree.”/p> “Security is hard, proper security engineering is hard.”

Even for a blockchain-related solution that includes a permission chain and the ability to log events, “there is no magic pixie dust here. Security is hard, proper security engineering is hard. I subscribe to the belief that with enough eyeballs defects can be found. But as we found with OpenSSL and Heartbleed, that doesn’t really happen unless the core (development) team is active and evolving the platform, and not everyone taking it for granted,” he says.

And blockchain-based applications have real advantages for protecting personal information, says Ann Ca- voukian, head of Ryerson University’s Privacy and Big Data Institute – as long as they are properly designed.

At the DAO, she believes, there was no English version of the smart contract. Had there been one investors would have understood the potential problem.

“These are still early days” for blockchain, she says. “The ability for the public to truly understand and trust this new medium is going to take some time, and I think for people working in this area one of their challenges is to make this accessible to the public in ways they can understand.”

Cornell’s Sirer is optimistic. “At the crux of it all there’s a very cool technical achievement and there’s enor- mous technical promise. At the moment we’re going through a phase – and we’ll continue to go through that phase – where we develop the technology and we will encounter all sorts of hiccups: We will see security flaws, we will see unexpected behaviours, like we did with the DAO, we will see well-meaning people write terrible smart contracts and losing other people’s money. We will see opportunists coming into this space with overt Ponzi (schemes), covert scams, and who knows what … I think it’s natural when money and new technology are involved,” he says.

“We’ve seen issues at every level of the stack” – the hardware, the messaging layer, the consensus layer, the contract layer and above that, people. “This is to be expected. The severity of the issues varies (but) the lower in the stack you go the less issues we have faced.”