Patrick Murck and I are trading viewpoints on whether or not there should be a transaction rollback for TheDAO attacks publicized today.
I believe there should be a rollback. Patrick does not, and we agreed to write up our viewpoints: his will be better written, but mine is done first. I'll link to it here when he publishes.
Reasons To Blacklist and Fork
Consumers, some of whom can't afford to be harmed, are going to be harmed without a rollback. As an ethics moment, it's incumbent on a community to help out however it can.
That doesn't mean there is nobody to blame in this situation. Slock.it devs did not take an audit of this attack vector as seriously as they should have, going so far as to reassure people that 'no funds are at risk'. TheDAO boosters have been violating SEC laws (and their equivalents worldwide) with gleeful abandon -- see this exchange on Twitter for a taste of it.
Just saying "they had this coming" is not a reason to refuse to try and do good, though. We should try and protect consumers who were not sophisticated enough to assess the safety of their investments.
The Proposed Mechanism For Rollback
The solution proposed by the ethereum.org blog post from Vitalik Buterin is pretty simple - miners should refuse chains which move coins to a certain address. This will fork the blockchain, re-enter all other transactions into the txpool to be re-mined, and Ethereum will continue on without the hack as long as 50% of the mining power follows this consensus.
Until there is a shifted consensus, Ethereum clients will keep using the main chain. If there is never a consensus, they will notice nothing.
This rollback mechanism has a number of good elements. It relies on mining, the agreed-on consensus mechanism in Ethereum. The proposed patch for miners published by Gavin Wood does not force miners to blacklist; it leaves the option as a flag.
Smaller miners, as members of pools, can engage with their pool managers to see how a pool is voting, and change pools if they disagree with the politics of the pool manager. In all, this will not be a major disruption, except, of course, for the politics.
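The following toy model is an added example, not Gavin Wood's patch or code from any Ethereum client. It shows how the share of mining power enforcing the blacklist decides which chain unpatched clients end up following. The `Block` type, the placeholder address, the deterministic block schedule and the assumption that unpatched miners do not re-include the disputed transfer on the clean chain are all simplifications made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

BLACKLISTED = "0xBLACKLISTED_PLACEHOLDER"  # constructed value, not a real address


@dataclass(frozen=True)
class Block:
    parent: Optional["Block"]
    height: int
    recipients: tuple = ()  # destination addresses paid in this block


def chain_is_clean(tip: Optional[Block]) -> bool:
    """Patched-miner rule: reject any chain that pays the blacklisted address."""
    while tip is not None:
        if BLACKLISTED in tip.recipients:
            return False
        tip = tip.parent
    return True


def extend(tip: Block) -> Block:
    return Block(tip, tip.height + 1)


def simulate(enforcing_pct: int, rounds: int = 200) -> Block:
    """Return the tip an unpatched client (longest chain wins) ends up following."""
    genesis = Block(None, 0)
    tainted = Block(genesis, 1, (BLACKLISTED,))  # disputed transfer already mined
    clean = genesis                              # best chain patched miners accept
    credit = 0
    for _ in range(rounds):
        credit += enforcing_pct      # deterministic stand-in for random block discovery
        if credit >= 100:            # a patched miner finds this block
            credit -= 100
            clean = extend(clean)
        elif clean.height > tainted.height:
            clean = extend(clean)    # unpatched miner follows the longer chain
        else:
            tainted = extend(tainted)  # tie or behind: stay on the chain seen first
    return clean if clean.height > tainted.height else tainted


if __name__ == "__main__":
    for pct in (40, 60):
        tip = simulate(pct)
        print(f"{pct}% enforcing -> canonical chain clean: {chain_is_clean(tip)}")
```

With 60% of blocks coming from patched miners the clean chain overtakes the original one and everyone converges on it; with 40% the original chain stays ahead and unpatched clients never see a change.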
Costs To Not Rolling Back
There are two major costs to not rolling back these transactions:
1. People, well-meaning (if overly trusting) people who probably can't afford to lose money, will lose money.
2. Ethereum will suffer a large-scale credibility problem with the 'rest of the world'.
1 is obvious, but I want to dig into 2 for a bit, and why I think people should take it seriously.
The General Media and Consumers DO NOT UNDERSTAND Blockchains
If you read this blog, you probably have heard of the Mt. Gox bankruptcy. What you may not know is that the Mt. Gox bankruptcy had a deleterious and chilling effect on Bitcoin and its global value for some time.
The news cycle story was "Bitcoin exchange loses/steals money" and that transformed, in laymen's heads, to "Bitcoin: Theft! Fraud!" This sort of chilling effect on the entire technology's value is real, and led in part to the creation of the term Blockchains. Governments and institutional investors stepped back for at least a year or two, and Bitcoin continues to have a tarnished brand for this (and other) reasons.
If you don't believe me, ask a few random people you meet what they've heard about Bitcoin or know about it. If my experience is a guide, a high percentage will remember or mention Mt. Gox, and with it the idea that Bitcoin is not safe somehow.
I don't want this to happen for the Ethereum community. But, if this hack is not rolled back, the entire community will spend years talking about and defending this decision, to the detriment of Ethereum's societal value.
The Cost of a Rollback: Libertarians Will Get Pissed Off
The most vigorous anti-rollback sentiment I've read today comes from people who have an ideological problem with a rollback. In short: "People read the code, they took the risks, showing this is not decentralized is far worse than TheDAO taking a haircut".
A rollback like this will be a sore point with a small group for a long time. But, it is a small group. More to the point, it's a small group that will continue to benefit from the rise in value of ether and the blockchain tech due to a prudent response. Let them complain, or find a more 'pure' solution -- it's part of the cost of the attack -- just don't think that pleasing them will help people who have lost actual money, or help the Ethereum blockchain as a whole.
These are coming up as I'm engaging on Twitter and elsewhere. I don't think they are compelling.
"This would show Ethereum is centralized"
Don't confuse consensus by miners with centralization. The Ethereum project has a plan for consensus, and the public debate we see today is part of that consensus-building plan. To come to agreement is not centralization.
"Miners aren't that de-centralized anyway"
This may be, but it is beside the point -- it's the most distributed consensus system available for Ethereum. In addition, pools are not as centralized as people like to claim -- individual miners can switch pools (and have in Bitcoin's history) when they disagree with a pool miner's perspective. For some history, google Bitcoin-XT, Luke-jr and default rejection of Satoshidice transactions, and the version 2 block format voting.
"It's just insiders keeping each other whole"
Even if true, they will be keeping small-time consumers whole as well. This is the most important consideration, by far. The alternative is to enrich a hacker at the cost of consumers and at huge detriment to the brand and value of the network as a whole.
"It sets a precedent that anything core devs don't like could be rolled back"
This is just silly -- this is about the least controversial bad transaction I can imagine -- there's no complex other side of the story; it's a hack, plain and simple. Even then, the response from ethereum.org has been balanced.
Imagine how hard it would be to get a patch approved, pushed out to mining pools and to get them to reach consensus about a less clear-cut issue. It's just not happening in most circumstances. And, mining pools will get 'issue fatigue' as well.
But, Don't Take My Word For It
To continue, read Patrick Murck's counterpoint for a number of thoughts on why this rollback should not happen. At least, when he's published it, he'll have a link here.
As always, I'm available for consultation or audit services. Contact me here.