________________________________________________________________________________
Reminder that every DAO is a self-administering bug bounty for all of the value under its control.
Reminder also that you don't have to "hack etherum"; there are plenty of spots more vulnerable than the blockchain itself at which value can be stolen.
(I would however be interested to know where all this stolen value ends up, and how well it can ultimately be laundered into the real world, or if this is more like driving a truck into an ATM that causes far more loss than is actually successfully stolen)
Stolen ETH goes here to get a shave and a new suit, then it can go wherever it likes
Amazing. So now you can steal a bunch of crypto and wash it. Holy shit, if you then create some BS coin which gets a bunch of "investors" (really just you investing the coins you stole), you could steal hundreds of millions if not billions of dollars and get it fully laundered and recognized as legitimate by the government, all from your computer anywhere in the world.
What a time to be alive as a criminal hacker!
I do wonder at what point this gets serious and starts interacting with OFAC; if it _really_ worked as uncensorable finance, we'd have seen a tanker of Iranian oil sold for bitcoin. Doesn't quite seem to have reached that scale yet. I suspect a lot of nonsense is tolerated by the US authorities because it's enabling Chinese nationals to evade China's export controls, though.
Isn't even better than that? They'd have anonymous internet cash to use to bribe foreign officials at a time when many nations have been tightening the noose around finance and what an individual is allowed to own.
Tornado cash doesn't launder your crypto. Just breaks the link between the heist and your new crypto address. If you steal billions, you still have the problem of justifying them.
That is the point of the BS coin, that is what you attach your identity to and then you trade all of the washed coins for your new BS coin. Creating/mining the BS coin is where your legitimacy comes from.
Unless you happen to know of jurisdictions where there's a "no questions asked buy government bonds jubilee".
You know, outside of use cases for scammers and hackers. This protocol is actually pretty interesting. I'm actually surprised it's not getting more attention then what it already has.
Could someone ELI5 how Tornado Cash achieves (or doesn't achieve) privacy? Their FAQ say:
> Is it possible to compromise the protocol and find out information about depositors? -- No, Tornado Cash is a decentralized protocol based on zero knowledge proofs. Its smart contracts are immutable, have no admins, and the proofs are based on strong cryptography. Only the user possessing the Note is able to link deposit and withdrawal.
That very much sounds like an impossibility statement like "Use Tornado Cash and no one will be able to trace your transaction".
OTOH, they also say that
> After depositing, users should wait some amount of time before withdrawing to improve their privacy.
and that
> To preserve privacy a relayer can be used to withdraw to an address with no ETH balance.
So it seems privacy is not a binary switch here and, instead, it can be "improved" and "preserved". But what is it then? Can deposit and withdrawal be linked or not? Are the privacy guarantees as absolute and strong as the FAQ make them out to be?
It's a coin mixer: you deposit ETH into a common pool shared with a bunch of other people, and you get back (off-chain) a code that can be used to redeem your deposit at a later date. Since there is no link between the code and the sender on-chain, nobody knows which contributor to the pool withdrew.
So if there are N deposits then later N withdrawals, the only thing you know is that each withdrawal matches one of the deposits, but not which one.
As for privacy improvements:
- If you deposit then immediately withdraw, observers might suspect that you instantly withdrew your deposit.
- You need ETH for the withdrawal transaction, which has to come from somewhere (making it potentially traceable). With their relayers you can withdraw to an empty account while hiding the origin of the transaction fee.
I wonder if it could be argued in court that use of such a system makes you party to a conspiracy.
> the only thing you know is that each withdrawal matches one of the deposits, but not which one.
If there were e.g. three deposits for 5.542, 3.799, and 10.4322 ETH, and someone withdrew 3.799 ETH, then it seems like you'd know which deposit they made.
Best case, you wait long enough and maybe someone else deposits 3.799 ETH.
It only lets you use fixed multiples for this reason (0.1, 1, 10, etc.). You can reasonably narrow it down as the amounts get higher, though.
That is why they have a few standard sizes.
If you put 123ETH into Tornado from address A and then withdraw 123ETH shortly after from Tornado to address B this will be written to the blockchain.
It might not be evidence that A and B are your addresses, but strong implications.
So, you put it into Tornado and wait days, weeks, or even months, so it could be a random transaction.
If I am not mistaken, the mixer has function to define how much you want to get out and on which address
so
123 in from address 1,
100 out to address 2,
10 out to address 3,
13 out to address 4,
if there is 1000 transactions daily, it gets a bit messy to match input and output.
Only real issue would be if you deposit 10k ETH to pool with 100ETH, then it would be hard to go unnoticed
Edit: HN destroyed formatting
I wonder what would be a legitimate, non-suspicious reason to interact with such a service at all?
There are entirely legal, legitimate things one might do while still wanting to have some privacy about it. Buying porn, for example, might be something you're fine with but not really want tied to your known address.
Even things like buying houses (and I have heard of people buying houses with ETH).
People generally like privacy when it comes to medium and large purchases, regardless of what it is that they are purchasing.
It would be illegal to anonymously buy property in the UK.
https://www.gov.uk/government/publications/how-to-buy-a-home...
> People generally like privacy when it comes to medium and large purchases
The "war on money laundering" goes against this.
https://www.cbsnews.com/news/pandora-papers-uk-real-estate-h...
> But the recent Pandora Papers leak has revealed that U.K. properties worth nearly $5.5 billion, according to those who've analyzed the documents, have been purchased through offshore shell companies that hide the owners' identities.
> "Using a shell company means that no one need ever know that the asset is yours," said anti-corruption activist Duncan Hames, Director of Policy at Transparency International. "Indeed, the British government probably doesn't know."
A very legitimate use is if you have a public .eth address but want to keep your remaining private addresses private. Privacy is security.
All transactions are public.
People can simply crawl the blockchain for addresses that have a good amount of money and then check which of them they can relate to persons.
If they know you and how much your crypto net worth is, they might start to attack you in some kind of way to get your private key.
If you tornadoed that money in an address that can't be linked to other addresses anymore, the work to relate the address to you might be too big so people won't try.
I fail to see the contradiction. All they claim is that the _protocol_ is secure.
It obviously cannot prevent you from revealing your transaction via other means. For example, by publicly announcing it.
I don't understand how these mixer services work with regards to law enforcement. Wouldn't the any outputs of such laundering services be considered dirty to begin with, regardless of whether or not the supposed inputs were clean originally?
If anything, I'd expect the output of such a service to be even worse than _most_ inputs, as the money will be mixed with all the inputs, some of which would be associated with horrible crime beyond just fraud or theft.
Isn't that a bit like saying cash is dirty? I don't think we are under obligation to keep our funds traceable? Perhaps we are getting closer to that point though.
> I don't think we are under obligation to keep our funds traceable?
Oh, you do. Not being able to prove the source of your funds puts you at serious risk of asset forfeiture.
Oh, once you’re talking about asset forfeiture, even an ironclad provenance doesn’t help.
That's not quite what I'm talking about. Obviously if you transfer money to your account you need to be able to explain where it comes from. But once you have the money, you can turn them into cash or gold if you want. At that point they are anonymous.
If you the give them to someone, well then _they_ need to explain where it came from.
Also, if you want to put them back into your account, you'd need to show provenance.
You're still required to keep records for things like tax purposes. More importantly, however, this is a service specifically designed to launder money which is going to look like a public declaration of intent to law enforcement types.
Since this costs money to use, most people are not going to use it unless they're trying to hide something so the big risk I'd worry about is similar to the risks of running a Tor exit node in your house. What happens when someone else using that service is investigated for some serious crime? Anyone who has transactions going to or from that pool is going to be under suspicion and it's really hard to _prove_ that you weren't knowingly helping them launder money when you have a public log of transactions involving the target.
This is like saying that Tor is specifically designed to buy drugs. It is designed for privacy, just like Tornado.cash is. Privacy can be used for many things.
People who really care about privacy don’t use public blockchains. Leaving a permanent public log of your transactions for analysts is reckless in general.
In this specific case, you’re talking about a service people have to pay to use. That lowers the pool of people using it considerably which makes techniques like timing analysis easier and increases the odds that your transactions will be mixed in with someone else’s criminal activity.
Plenty of people concerned with privacy use public blockchains - you don't need to dox yourself to use them, just need a private key. Unlike traditional finance, where you just have to hope that your PII data won't get leaked one day with all your transaction history.
Timing analysis is a real concern, that's why they warn you about it on the front page and ask to wait before you withdraw.
It's not just timing analysis — look at their long list of difficult measures needed to make these transactions private and ask whether that's remotely plausible for widespread use:
https://medium.com/@tornado.cash/how-to-stay-anonymous-with-...
Very few people are so ideologically committed that they're going to pay extra and live with those constraints, which is a major problem for a protocol which is critically dependent on volume to deliver privacy and repudiation.
> Plenty of people concerned with privacy use public blockchains - you don't need to dox yourself to use them, just need a private key. Unlike traditional finance, where you just have to hope that your PII data won't get leaked one day with all your transaction history.
This is confusing a number of things. Most PII breaches are not the banks but the merchants who collect things like addresses because they need them for shipping or to satisfy legal requirements, and paying with a blockchain won't change any of those needs.
Similarly, very few people have a way to generate and spend a significant amount of cryptocurrency entirely for anonymous online services and will thus need to identify themselves for most transactions — a cryptocurrency exchange isn't exempted from Know Your Customer, companies which have to deal with abuse are going to want to prevent sock puppets or shell accounts, airlines aren't going to lose interest in checking your identity, buying a house without showing where you got the funds is going to attract a lot of attention, etc.
That link to the real world is the common reason why these promises don't pan out. In general, ask yourself how a particular activity would go if you showed up with a suitcase full of cash and refused to say where it came from. Cryptocurrency will be exactly the same in all but a very few cases.
Timing analysis is the main thing to worry about, if you're just looking to get some anonymous ETH such that people looking at the blockchain can't track it easily. Those difficult measures are not a requirement and can be ignored depending on your threat level.
And I don't know why are you talking to a strawman about a suitcase full of cash, etc. I just said that Tornado.cash offers privacy and that privacy is not always used for evil things.
We are totally under the obligation to justify funds. To start with, because taxes, but also there are a lot of legislation put in place to prevent money laundering under threat of very high fines for non compliance, even if no laundering happened
This all applies to when you receive the money. The discussion concerns what you then proceed to do with them.
UK: Unexplained Wealth Order
https://www.stpaulschambers.com/what-are-unexplained-wealth-...
It is important to note that this was not a smart contract exploit. The point of failure here was the website UI. Users were sent to a malicious website due to a stolen Cloudflare API key.
What can DAOs do to prevent the single point of failure that is the web front end? Is there a reliable second level of security to ensure you are at the site you intended? The SSL certificate didn't work because Cloudflare was still terminating the SSL connection.
DAOs nearly always have their front-end in a public repository so you can run it locally, but this is also convenient for the Cloudfare hijacker.
One defence is ENS. If your DAO's contract is registered for example as "BadgerDAO.eth", and your users wallet software shows that every time they make a transaction then it will be a red flag when the contract has been swapped out in the compromised front-end.
Unfortunately many wallets don't support ENS, and in those that do the experience could be better. So better wallets are part of the solution.
> _It is important to note that this was not a smart contract exploit._
I disagree that this is an important detail. Even though the smart contract code wasn't exploited directly (this time), this type of massive theft is only possible because the smart contract ecosystem thrives on a lack of accountability.
Smart contract ecosystem thrives despite lack of accountability.
This is effectively a supply chain attack. To defend against it you need to secure the supply chain all the way from build to deployment.
So a quick solution would be to run a job that checks your site every minute or so and compares the javascript against known hash values. Shut the site down if a hash has changed.
AFAIK, cryptocurrency companies are not looking for security experts at all. Users money are free, while company money isn't.
You’re wrong. Every crypto company I’ve worked with has spent significant amounts on security consultants, audits, test nets, and bug bounties.
Not every. I asked them directly.
Not DAOs, but users can examine the transaction that they are prompted to sign and make sure that it is interacting with the right smart contract.
That technically just moves the problem one step further. How are users supposed to learn what is the right smart contract to begin with?
> How are users supposed to learn what is the right smart contract to begin with?
That's the definition of due diligence. It's not one thing and the specifics of what's involved vary depending upon the investment. At the end of the day, the onus is upon the user to determine if it's a fraud.
Being difficult or down right impossible for a non-technical person to audit a contract address or the contract code itself isn't a license for users to ignore that risk. It means they're accepting it in its entirety. Or they can defer to a trusted third party to make that determination for them. But even then, they're still on the hook for trusting that third party.
Is this not the same problem when interacting with any other site? There is nothing stopping people from navigating to faecbook.com and entering their account details. At some point there is a bare minimum literacy expected of users.
As to how they would know if it's the real smart contract: they would see what it was via their wallet after interacting with it the first time.
Proving the correctness of a program is a famously hard CS problem, not “bare minimum literacy”.
> As to how they would know if it's the real smart contract: they would see what it was via their wallet after interacting with it the first time.
In other words, the system is not safe to use. People will reliably be fooled into thinking that they're interacting with someone else — the difference is that if you go to amaz0n.com and enter your credit card info, your liability is capped at a low amount and will likely be zero because the regulated financial industry has a fraud handling mechanism better than “the people who profited from you buying their tokens will mock you for being phished”.
Smart contracts are immutable, so realistically, once you know which one is the right one you can just bookmark it.
If you don't want to trust anyone at all, you can read the contract code and make individual judgement whether it does what it's supposed to do.
Maybe don't put it behind cloudflare?
Can someone ELI5 DAOs please? Ideally without the buzzwords and more focused on the value they create and how.
I'm a software engineer but the idea of a "smart" contract working as an "organisation", none of which can be undone when there is an error seems like it has massive risk attached and little to no benefit.
It doesn't seem "decentralized" as there are still organised parties to write and deploy code and the tokens that inevitably belong with each DAO are usually majority held by the creators.
Currently I like the __idea__ of a DAO but see them massively overhyped and unable to describe or prove their actual value.
Please change my view.
You have to accept the premise that code as an absolute authority is a good thing, if you accept that premise, a DAO makes a lot of sense and can deliver a lot of value: no longer are we beholden to the weakness of corruptible man, we are now empowered by the strength of noble technology.
of course, as a software engineer, you know that is a hellish nightmare because the code we write is fallible so this entire thing makes no sense whatsoever.
Ok I can (hypothetically) accept that.
Let's imagine I'm creating a fresh business and choose to structure it as a DAO, does this mean that the ever understanding code is the CEO steering the company? Or is the DAO the product of the company itself? I don't understand the relationship here.
Following on from that, I am the party that writes the code for the DAO. Now I can claim that my code is perfect and we can trust the machines to execute it. But I'm still running the deployment of it and the weakness of corruptible man can still abuse the trust given to the code they create.
There's difficulty in translating these new concepts into examples using existing real-world concepts but as a broad generalisation: a DAO is a "company" that the shareholders govern and the DAO's code is the shareholder agreement which has zero implicit rights or behaviours.
The DAO itself could have code that enables something like, "the code for this DAO can be updated as if 50% of token holders vote yes" and then 50% of token holders could vote yes to a code change that appoints a CEO who has absolute authority or they could vote to change the code so that no vote could ever take place in future, and the code becomes "stuck" forever.
The code for a DAO lives and runs on the blockchain, so the integrity of the DAO is linked to the integrity of the network on which it runs: although there's no absolutes, in the case of a network like Ethereum, it is for all intents and purposes, secure, so deployment and execution is not a network-level attack vector.
Does that help?
The reason DAOs are considered _the future_ by some is the implicit assumption that perfect code is possible to produce. Many non-software engineers believe that _if we have the integrity of the network to guarantee the code cannot be changed without consent, then we can have absolute faith in the code_... but of course, as software engineers, we know code is very fallible, whether it's unintended side effects or malicious backdoors or just an honest misunderstanding of what the code is meant to do, there's millions of ways for code to go wrong long before we need to worry about code integrity.
The DAO model makes more sense when it’s only controlling on-chain cryptocurrency in ways that can be controlled entirely with smart contracts that can be voted on.
However, the most popular version of this DAO appears to be literal Ponzi schemes operating in the open. It seems people are more likely to trust the Ponzi scheme when they feel they have some degree of control over it.
Many of the high profile DAOs fail for exactly the reasons you highlighted: They’re sold as being built to buy or control off-chain assets (like a copy of the constitution or an NBA basketball team) but they lack any of the real-world contractual obligations that would actually link the DAO to the real-world asset. They’re relying entirely on the real-world volunteers to do what they claimed to do in agreement with what the DAO voted. This is why the constitution DAO had to make it clear that contributions were donations and tokens did not constitute actual ownership.
It’s possible that a future DAO will go through the trouble of setting up the appropriate real-world contracts and entities to make this all legally binding and an actual security, but at that point the legal entity is doing all of the heavy lifting and the DAO is just a very expensive donation and voting system where gas fees consume hundreds of dollars of every member’s interactions. Any breach of contract would still have to be handled in the real-world legal system, so the DAO wouldn’t really protect anything other than providing a record of who voted for what.
By default, whenever such hacks occur, I suspect the project creators are in on it unless proven otherwise. When you're talking about multi million dollar payloads that can be stolen without scrutiny from law enforcement, the incentive to abscond is huge.
Just remember - code is law. No takesies-backsies :)
The person who lost the 50 million probably insured his money with something like
. If you invest a large sum, you should always insure it against hacks.
Being decentralized does not prevent them from making the job of an insurer.
Nexus Mutual just told on Twitter that since it is not a smart contract attack, they're not going to pay.
The only thing riskier than smart contracts would be smart contract insurance products atop smart contracts. I'm sure they only allow for vetted contracts, but the incident discussed in this article was not a contract hack, it was a website hack to change the approve addresses. If that type of thing is going to be covered then it's well beyond smart contract due diligence. That would require evaluating end-to-end op sec practices on an ongoing basis.
https://twitter.com/nexusmutual/status/1466395880806928387?s...
Looks like they’re refusing to cover it because it was a supply chain attack.
I always found that phrase misleading. Code is automation, law is for the stupid things people do.
If they didn't use a centralized service like Cloudflare, this might not even have happened, lol.
Perhaps, but we know this kind of thing happens all the time even without something like Cloudflare in the mix
There are definitely takesies-backsies if a majority of validators agree on it.
While technically correct, amounts that have been stolen since the DAO hack have been 10x larger and no hard forks have occurred. I think the community consensus on this has evolved.
*if Vitalik agrees on it
Well, no, because the community voted on it, and people decided to run nodes that accept that.
all smart contracts have been paused to prevent further withdrawals
I'm curious — how do you just "pause a smart contract"? Is that written into the code?
I'd think so, yes.
https://ethereum-blockchain-developer.com/022-pausing-destro...
On ethereum, all tokens are actually custom computer programs. This token's program contained code to all pausing all the ability to have it transferred on behalf of an approved third-party.
Once again cryptocurrency shills are disproven in their core belief that they can do finance better than status quo.
Its starting to look like the benefits of decentralized banks lean more in favor of the bank robbers than the bank clients.
Luckily none of the bank clients actually have any intention of moving their banking into DeFi.
They just move some speculation and crime there.
Among the clients nobody innocent gets hurt, as there is nobody innocent.
Now ransomware and such...
Not sure I agree. I'm sure there's plenty of innocents who've been forcefully convinced by some crypto zelot, or FOMOed their way into the crypto world.
In terms of normal bank clients moving to a DAO bank or something silly like that, you're right, nobody in their right minds is doing this.
Maybe.
Depends how "innocent" someone is when they are blinded by greed, even if greed fueled by scammers.
Would that same person be culpable if they did as little due diligance before "investing" in more traditional organized crime, lured in by "you can't lose. It's a sure bet, 10x gains!"?
At best the innocents here "invested" in a lottery ticket, and lost in the same way that a non-winning lottery ticket loses.
Not everything is this black and white. Some people are not motivated by greed as much as misplaced fear that's been stirred up by the crypto folks. Open any crypto discussion and see how many clicks it takes to get to someone panicking over hyperinflation, bank failures, invoking the ghost of 2008, ect. For all their talk of FUD, crypto folks dish the FUD out onto the traditional banking system almost as hard as the traditional banking system dishes it out on crypto.
Mix that with someone who's easily impressionable and anxious, and you get someone who'll likely make some very bad decisions.
Can you elaborate on how this event constitutes proof of your claim?
i'm not worried about my DIS shares getting hacked as they chill in the digital world compounding interest. It appears that investing in crypto is not quite as safe? One of my bros got hacked in mt gox and since then i've been a bit weary of putting serious sums of money into it (i have maybe 1-5% of my portfolio in crypto and not planning on betting the house anytime soon).
It's certainly not as safe. And one hack doesn't constitute "proof" that the entire space is a total fail at beating traditional finance, which should be obvious. Instead we have people like OP making sensational claims about "shills", providing nothing of value to any conversation about the topic.
It's not one. It's like one per week.
And every smart contract is a self-funded hack bounty.
Smart contracts are a complete misunderstanding of what contracts are, and what the hard parts of the space of contracts are. They're simply changing the simple problem to be enormously complex, without making the hard problems any easier. In fact it makes the hard problems harder too.
causing great public interest and excitement.
> OP making sensational claims
Def 1. "causing great public interest and excitement"
Well, not really. This story is just "huh, another one". Brings to mind the meme "I'm shocked, shocked!, to see another one of the cryptocurrency LARPers topple over"
Def 2. "very good indeed; very impressive or attractive."
Thank you!
One of the core pillars of cryptocurrency, and DeFi, is that traditional finance is anachronistic, and full of stupid stuff not fit for the modern age.
Take the first sentence on ethereum's intro to DeFi:
"DeFi is an open and global financial system built for the internet age – an alternative to a system that's opaque, tightly controlled, and held together by decades-old infrastructure and processes. "
Lots of the slowness and beurocracy of old finance is scoffed at as being, in more words, "stupid bullshit".
Rule after rule, and obstacle after obstacle, is loudly ranted about how terrible it is.
So the solution, in these people's explicit methods, is to throw away everything and start green field.
Now, I'm a software engineer. I understand the allure of green field. Surely, "how hard could it be"?
So because the description of how stupid cryptocurrency is can fill books (and there are several), let's stick to a short summary of the outcome of DeFi so far:
It's barely newsworthy every time one of these LARP banks topple over, losing all the money.
It's almost a weekly occurance.
And not only is all the money stolen, it's also not reversible!
When one of the founders of the pirate bay hacked a (real) bank's mainframe, he didn't actually get away with much (a couple of hundred dollars, I think was all that his accomplices managed to withdraw from ATMs). The rest was transferred back. (also suddenly "lack of extradition treaty" became a non-problem)
Basically cryptocurrencies and DeFi is software engineers with no understanding of economics, law, or society, discovering why all of the rules, laws, and procedures currently in place exist.
Another example is that AML/KYC laws didn't fall from the sky. "Well what if we didn't have laws at all?" is not really a rational place to start.
That's not to say that traditional finance is perfect. Absolutely not. But the cure for bad laws is not "The Purge".
So yeah, it's not this event, so much as this happens all the fucking time.
Imagine if these people were selling cars, and complaining about how much pushback they're getting for putting them on public roads, while every day there's deaths all over from unregulated cars that have swords on them, chopping heads off of the drivers themselves, and innocent pedestrians.
Like, how do you not see why this is causing pushback and that your way of replacing the seatbelt with a potato is stupid, and that actually the law that says a seatbelt is not allowed to be a potato maybe has a valid point?
Especially since things are more subtle than that. A non-techie cannot tell the difference between a seatbelt and a potato, and that's why the law says your car needs to have actual seatbelts.
"Decentralized" also means nobody takes accountability, something a lot of our society is built upon, evolved over many generations.
But a mix of snake-oil salesmen and nerds dreaming of utopia try to convince everybody that their approach is somehow magically better.
No. "Decentralized" means everybody takes accountability, as opposed to just one corporation.
But you have to make use of it - e.g. by using
.
"everybody takes accountability" and "nobody takes accountability" have the same meaning. Accountability is tightly linked to delegation, and essentially behaves like a normalized variable.
I think BadgerDAO contract is still safe. Changing frontend would still require a new approve permission for the new contract address that should give user a hint about something is wrong.
It says a lot that these articles are always quantified in dollars.
Almost all thefts are quantified in dollars unless the numbers on the thing stolen are also newsworthy.
For instance, the Quebec Maple Syrup Heist is reported as both "3,000 tons of maple syrup" because, wow, that's a shit ton of maple syrup AND that the value of the heist was an "estimated $18.7 million".
It also said enough about Coinbase that they went public on an actual stock market, for actual money. Instead of doing for some blockchain buzzword ICO.
I guess it's hard to quantify an entire portfolio in their own fluctuating valuations? Would be interesting if they listed a longer list of their actual holdings though, but $usd (and not just any fiat) is still a great proxy for understanding the impact.
Reading guide:
DeFi: Decentralized Finance
DOA: decentralized autonomous organization; an organization represented by rules encoded as a computer program that is transparent
DAO* not "DOA"
Actually DOA is more fitting :)
Yeah, quite the Freudian slip ...
Of course, it may be decentralized but many projects advertise it as "distributed computing" which it isn't. Since every node has to do the same calculations, it's only as fast as a single computer.
It's great at instantly losing all your money to a teenage hacker though.
> DOA: decentralized autonomous organization;
DAOs are actually DOAs 'Dead on Arrivals' due to fundamental trust issues.
Shocking.
Another day another DeFi project rekt. What happened:
> The front end to the BadgerDAO website was reportedly acccessed, according to comments in the project's Discord channel, and used to intercept transactions. One admin said it appears that an API key for Cloudflare was compromised. > One user had around 900 bitcoin ($50.8 million) worth of tokens stolen in a single transaction. Another lost $5 million worth of tokens in one go.
Once that BTC is gone, it is gone. DAOs seem to have a lot of trust issues beyond a simple front-end attack and not even you should trust that they can keep their own websites secure. Where are the regulations, audits and security checks for this thing?
Oh dear.
> Where are the regulations, audits and security checks for this thing?
Missing by design. It is telling that a currency dubbed "USD tether" which (let's pretend) is backed by USD 1:1 magically excuses you from all regulations you need to abide by if you process actual USD.
900 bitcoin. Just sitting there in some fragile little exchange, or whatever this DAO is. If these people are so rich, why aren't they so smart?
It is possible that you make more money by taking this risks, 300% yearly yield in crypto is not unheard of.
So it could be just cost of doing business.
Probably a 'business' account
In general it takes years of education and years of real world experience to understand that almost 100% of code is going to have a bug or unintended functionality at some point.
The alternative is to learn this lesson the hard way, like these people have.
Regulations in DeFi would do nothing but turning it into traditional, permissioned finance but on blockchain. Nobody wants that.
I think that's the point. Regulations on finance are, in part, to avoid attacks, scams, misunderstandings... Blockchains only offer some security in a part of the transaction, but they do nothing for the "real world" part. If you want serious finance that people can rely on you'll end up looking like traditional, permissioned finance but on blockchain.
If you have regulations you'll realize that they're mostly sufficient to secure transactions as well, at which point the blockchain becomes unnecessary as well.
Not just secure them, but regulations and laws allow or require them to be overturned and reversed.
At which point the blockchain becomes a hiderance.
Nobody wants to lose all their money because the frontend got hacked, and yet here we are.
Nobody forces you to put your money in DeFi protocols.
That's a non-argument. Nobody forces me to buy baby milk. Yet it makes perfect sense for the FDA to regulate what is allowed to be in baby milk.
Baby milk is a disingenuous analogy since it's not expected to be consumed by the buyer.
If consenting adults voluntarily went out of their way to get an unregulated product, without harming anyone but themselves, then why should they be stopped?
> Baby milk is a disingenuous analogy since it's not expected to be consumed by the buyer.
This is a disingenuous argument. FDA doesn't regulate only stuff that is not expected to be consumed by the buyer. GP could have said wine instead of baby milk.
And yet they chose baby milk, not wine. Why?
Because not everyone would agree that governments should necessarily regulate everything that you consume. Especially when it's advertised as "consume at your own risk".
> _Especially when it's advertised as "consume at your own risk"._
Yet alcohol is highly regulated, much more so than baby milk.
But does it make "perfect sense" to regulate it? No. Especially not when there is a large group of population who disagrees to those regulations.
There is always large opposition to regulations of any kind petty much by definition.
"There is always large opposition to restrictions of freedom".
That's a very poor rhetorical tactic since that sentiment could be applied to literally any law, since all laws restrict freedom.
Not every law is a restriction of freedom. My freedom ends where yours begins.
Sadly, some people are more than happy to force their worldview on others, "for their own sake".
What is an example of a law that does not restrict freedom?
A law that bans murder. There is no freedom to murder so it does not restrict any freedom.
Where there is no law against killing people, people are free to do that.
And when people who want to kill people and have been free to kill people get told they are no longer allowed to, they have also been unhappy about it.
No, there is no freedom to murder people no matter where you are. My freedom ends where yours begins.
You appear to be using the word “freedom” to refer to something other than the ability to act without constraint. The phrase “My freedom ends where yours begins” (and its many variations and false attributions to various famous figures) is one of moral considerations and generally used to argue for what the world _ought_ to be, but it is not and never has been a fundamental — i.e. even when the law falls silent — truth of the reality we actually live in.
The same is true for selling poisonous baby milk or wine.
If I want to sell a poisonous wine to an adult that understands the risks and still wants it, then it's none of your business.
Murder means to _unlawfully_ kill a person. Without laws against killing there is no such thing as murder.
So if the laws allow murdering people you would think that you have the freedom to murder people? Or that such laws are psychopathic and don't respect anyone's freedoms at all?
Laws "cannot allow murder"; murder is illegal _by definition_. For example, if two hypothetical killings take place under identical circumstances but under two different legal jurisdictions, the killing could be considered murder in one place but justified in another. This happens all the time, see Florida's stand your ground laws for instance.
Not true! A lot of code written for financial applications, and a lot of the complexity in those systems, is there just to synchronize, reconcile and settle between the independent data silos maintained by the various entities involved in a transaction. Blockchains can do a lot to eliminate that complexity.
Also, there are interesting advantages to the transaction authorization model that blockchains have whereby a message is valid only if signed by the sender, enforced down to the data layer.
Traditional finance did settling just fine before. The only reason they are getting into blockchain now, is that it's a real alternative that people prefer to the banks.
Just because they did it just fine before, doesn't mean that there isn't a better way that will provide massive competitive advantages to companies that adopt them.
Big companies ran payroll 100 years ago without IBM machines, but IBM made it easier for big companies to run payroll, so companies that bought IBM machines were able to scale.
Company budgets were done just fine on big sheets of paper 50 years ago before PCs loaded with VisiCalc or Excel deployed to every desktop. What company that still did it the old way survived the 1980s?
Credit card transactions even 30 years ago were still often done with a physical mechanical impression at the point-of-sale. That worked just fine, didn't it? Yeah, there was some fraud, but the people who were given credit cards were few enough that it wasn't unmanageable. But online POS systems now mean that almost everyone today makes payments with debit or credit cards most of the time.
Is "things are working just fine" a reason to not innovate?
Or just put in what you can afford to loose. No hand holding from regulators needed.
"The future of finance" or "so unsafe you should only put play money in". Pick one.
DAOs are totally experimental and the future of finance is pluralistic, so reductionism is doing it a disservice.
Rockets: "The future of space travel" or "so unsafe you could die on launch". Pick one.
If you don't like DAOs or any experimental finance -- which I think is a totally sane thing to do -- then just don't use them. That's why traditional financial structures like banks exist.
Hhhah crypto is for morons
Wow