In four days The DAO will start accepting proposals from those wishing to claim a share of its $150MM. In this quick post, I overview some of the security holes it currently contains, and suggest how these might be fixed by a first proposal that upgrades its code to ensure funds are not accidentally dispensed in unexpected (and much less than perfect) ways.

Background for those coming to this post through some serendipitous route: the world’s first investment DAO (“Decentralized Autonomous Organization”), The DAO, recently raised $150MM in funds. If this is news, you may first wish to read my general introduction to DAOs and The DAO in “DAOs: New Horizons and Challenges in Depth”.

Quick recap of The DAO’s proposal system

Anyone can submit a proposal for The DAO to dispense funds to their blockchain address, with one caveat:

The blockchain address must be on a white list maintained by a group of 10 people called “the Curators”

Each proposal specifies a “debating period” of between 2 and 8 weeks during which holders of DAO voting tokens can vote

A single token grants the right to submit a single vote

At the end of the debating period, The DAO determines whether a minimum number of people have voted, known as a “quorum”

The required quorum increases as the size of a proposal’s payout increases relative to the total funds The DAO raised

If the quorum is met, and more than 50% of votes are “yea”, then the proposal is passed and the monies dispensed

The Curators can collaborate to call a special function that almost halves the minimum quorum size every two weeks

Issue No. 1: the game is stacked against “no” voters

While well intentioned, the current architecture implements an invisible hand that stacks the game against those voting no to a proposal. The problem arises because a proposal needs to receive a quorum of votes — any votes — to pass. Therefore those against a controversial proposal are faced with a dilemma. By voting “no” they will increase the total number of votes received, which will also increase the likelihood that the proposal will receive a quorum of votes and therefore pass should the “yes” votes be in the majority.

Naturally, therefore, those against a controversial proposal will be reticent about submitting “no” votes lest they help it reach a quorum. This is problematic since crowds are greatly influenced by the positive signals given by others. As I write, special wallets to hold The DAO’s tokens are being developed that display progress bars for each proposal. If “no” voters hold back, these progress bars will show all green, providing the misleading impression that the community is quickly coalescing on passing the proposal and encouraging others to vote “yes” in solidarity.

“Yes” voters do not face similar games.

Issue No. 2: game tuned to decide quickly rather than well

In a democracy, we require someone to run the government. For this reason, when we go to the polls to vote, we demand that whoever receives the most votes run the country. After all, we need someone in charge, for example in case a disaster strikes. However an investment fund should not be designed the same way. By contrast, there is no immediate imperative to make investments. In fact on the contrary, those making investments should refrain from making decisions until a proposal that will clearly generate returns is made.

Currently the design of The DAO will ensure investments are often made rather quickly and with a small amount of agreement. For example, the required quorum sizes are low:

payout $10MM — quorum 22.6% — minimum yes 11.4%

payout $25MM — quorum 26.4% — minimum yes 13.3%

payout $50MM — quorum 32.8% — minimum yes 16.5%

payout $90MM — quorum 43.1% — minimum yes 21.6%

payout $130MM — quorum 53.3% — minimum yes 26.7%

A function is also provided to allow the Curators to dramatically reduce the required quorums. They can do this right now, and again every two weeks. If they called the function today:

payout $10MM — quorum 12.6% — minimum yes 6.4%

payout $25MM — quorum 16.4% — minimum yes 8.3%

payout $50MM — quorum 22.8% — minimum yes 11.5%

payout $90MM — quorum 33.1% — minimum yes 16.6%

payout $130MM — quorum 43.3% — minimum yes 21.7%

We might ask the questions:

Why are quorums so low and why can they be reduced so quickly by Curators? Shouldn’t they be brought down much more incrementally?

Why does The DAO adopt proposals if only 51% of votes submitted are “yes”? Surely we should be seeking a greater degree of agreement that signifies a proposal is good, especially when the payout is large.

Why might a proposal for a major investment be decided in only two weeks? There is no rush — in fact, the opposite would be useful.

Why is the quorum size not related to the size of the actual funds being dispensed rather than being related to the proportion of funds raised being dispensed?

Issue No 3: game tuned for big players

Imagine this scenario: A controversial proposal is submitted to dispense tens of millions of dollars after only two weeks of debating. At first, many who are against the proposal hold back from voting “no” to prevent the proposal reaching a quorum of votes. But when the proposal gains momentum and approaches the quorum threshold the no camp begin submitting “no” votes in earnest. With two days of debating remaining the community relaxes as nays appear to have comfortably beaten the yeas.

Unfortunately, what the community does not realize is that large inside players support the proposal. They hold large amounts of voting tokens (the top 50 holders have 36.6% of all tokens, so there are plenty of big players, see https://etherscan.io/token/thedao-token-chart) and furthermore have links to the cryptocurrency exchanges holding tokens for users, which they can use to vote themselves.

With a single minute of the proposal’s debating period remaining, the insiders and cooperating exchanges suddenly submit a large batch of “yes” votes pushing the yeas into the lead. “No” voters gaze in horror as a vast payout is unexpectedly made. Many against the proposal had no idea the system could be so discontinuous, and would have voted “no” had they known…

The solution

Luckily a simple solution to these problems is at hand. A majority of the Curators must whitelist all proposals. Therefore, they can ask that the first proposal accepted upgrades The DAO by switching in new smart contract logic. This will demand a fair amount of agreement in the community: such proposals require a quorum of 53% of all token holders (see the controlling code on github http://bit.ly/1WONnr).

That The DAO’s business logic can be upgraded bodes very well for the future if the right decisions can be made. But what should be done now — after all, the community is eager to begin analyzing proposals. While sophisticated new voting systems for DAOs are currently under development (see http://bit.ly/1qG3OY8), rather than test people’s patience I would suggest that a few simple changes are made to the existing system to address the issues described…

Fix 1: Require a quorum of yes votes, not of votes

Issue 1 forces those opposed to a controversial proposal to choose between submitting their “no” votes and thus helping the proposal reach its required quorum of votes or holding back and creating the appearance that the community is coalescing on passing it. This thorny issue gets particularly difficult if the proposal is close to its quorum with only a little time to go, as also hinted at by Issue 3.

The obvious and simple solution is to require a quorum of “yes” votes rather than the current quorum of total votes. This way those against a proposal can vote “no” without worrying about helping those supporting the proposal.
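
The dilemma from Issue 1 and the effect of Fix 1, as an added example that is not part of The DAO's code or of the original post: a simplified model of the two pass rules, showing the band of "no" votes that pushes a failing proposal over the line today. The 14% "yes" total, the opposition levels and the 13.3% yes-quorum used for Fix 1 are constructed values; the 26.4% quorum is the $25MM row of the table above.

```python
# Added illustration: a simplified model of the rules recapped in this post,
# not The DAO's contract code. Vote totals are shares of all tokens in
# basis points (2640 = 26.4%).

def passes_current(yes, no, quorum):
    """Current rule: quorum counts every vote, then more than 50% must be yea."""
    return yes + no >= quorum and yes > no

def passes_fix1(yes, no, yes_quorum):
    """Fix 1: the quorum is counted on "yes" votes alone."""
    return yes >= yes_quorum and yes > no

def helpful_no_window(yes, quorum):
    """Half-open range [lo, hi) of "no" totals that make a proposal pass under the
    current rule although it fails with zero "no" votes; None if there is none."""
    if yes >= quorum:           # quorum already reached by "yes" votes alone
        return None
    lo, hi = quorum - yes, yes  # enough to reach quorum, still fewer than "yes"
    return (lo, hi) if lo < hi else None

def sweep(rule, yes, threshold, no_values):
    """Outcome of `rule` for a fixed "yes" total as opposition grows."""
    return [rule(yes, no, threshold) for no in no_values]

QUORUM_25MM = 2640   # 26.4% quorum for a $25MM payout, from the table above
YES_QUORUM = 1330    # constructed yes-quorum for Fix 1 (the post sets no figure here)
YES = 1400           # constructed: 14% of tokens vote "yes"
NO_STEPS = [0, 600, 1240, 1399, 1400, 2000]  # constructed opposition levels

if __name__ == "__main__":
    print("helpful 'no' window:", helpful_no_window(YES, QUORUM_25MM))
    print("current rule:", sweep(passes_current, YES, QUORUM_25MM, NO_STEPS))
    print("fix 1       :", sweep(passes_fix1, YES, YES_QUORUM, NO_STEPS))
```

Under the current rule the outcome goes fail, pass, fail as opposition grows; under Fix 1 additional "no" votes can only ever move a proposal from pass to fail.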

Fix 2: Relate quorum sizes and payout periods to proposal amounts

Issue 2 shows how a proposal for a $25MM payout might be passed with only 13.3% of the tokens voting “yes” after only two weeks debating. If the Curators so wished, the quorum threshold can even be lowered to 8.3% today, and again every two weeks.

To address this we must first require that the quorum needed to pass a proposal is related to the actual size of the payout to be made — which is what determines the level of investigation and agreement needed after all — rather than the size of the payout relative to the total funds raised. Secondly, we should require that the minimum debating period also scales up with payout size. After all, a proposal to pay out $150MM in funds should certainly be debated for longer than two weeks!

For example, we might require that a payout of $1MM requires “yes” votes from at least 15% of tokens and three weeks of debating, while a payout of $25MM requires “yes” votes from at least 25% of tokens and eight weeks of debating. Lastly rather than simply requiring that 51% of votes made are “yes”, we might relate the proportion in favor to payout size too. For example, a $1MM payout might need 55% of votes to be “yes”, while a $25MM payout might require 67% of votes to be “yes”.

My example numbers might be too generous because — again — there is no rush, only a need to make good decisions.

Fix 3: Require “double tap” validation

Issue 3 has perhaps the greatest potential to create rancor in the community. It should be impossible for an insider to lie on the sidelines and then surprise those against a controversial proposal by deploying a large number of votes in the dying minutes of the debating period to deny them a chance to respond.

The solution is to use “double tap” validation. This would require that if a proposal meets the conditions to pass, there is then a cooling off period of 1 week during which voting can continue. If and only if the conditions for the proposal to pass remain by the end of this period — for example that 60% or more of all votes received are from the “yes” camp — should the proposal actually pass.

If the proposal fails to pass this period then a new cooling off period should begin. We can require a proposal to pass two consecutive periods to definitively pass and be adopted, or fail two consecutive periods to definitively fail.

Double tap validation greatly limits the efficacy of surprise voting — in the next period, the side that was fooled will come out in force.

A decision is always reached, because eventually no new votes can be brought to bear to change the outcome across successive periods.
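
The double tap rule as a small state machine, an added example that is not part of the original post or of The DAO's code. It assumes the end of the debating period counts as the first checkpoint and that the pass conditions are a yes-quorum (25%, the $25MM figure from Fix 2) plus the 60% "yes" share mentioned above; the vote tallies are constructed.

```python
# Added illustration of the "double tap" rule proposed in Fix 3; a model,
# not The DAO's contract code. Tallies are in basis points of all tokens.

def conditions_met(yes, no, yes_quorum, min_yes_pct):
    """Pass conditions at one checkpoint: a yes-quorum (Fix 1) plus a minimum
    share of "yes" among the votes cast (the post's example is 60%)."""
    total = yes + no
    return total > 0 and yes >= yes_quorum and yes * 100 >= min_yes_pct * total

def single_check(tallies, yes_quorum, min_yes_pct=60):
    """One decision point only: the end of the debating period."""
    yes, no = tallies[0]
    ok = conditions_met(yes, no, yes_quorum, min_yes_pct)
    return "adopted" if ok else "rejected"

def double_tap(tallies, yes_quorum, min_yes_pct=60):
    """tallies[0] is the cumulative (yes, no) count at the end of the debating
    period; each later entry is the count at the end of a one-week cooling-off
    period. Two consecutive checkpoints with the same result decide the
    proposal. Returns (outcome, checkpoints_used)."""
    previous = None
    for n, (yes, no) in enumerate(tallies, start=1):
        ok = conditions_met(yes, no, yes_quorum, min_yes_pct)
        if ok == previous:      # same result twice in a row: definitive
            return ("adopted" if ok else "rejected", n)
        previous = ok
    return ("undecided", len(tallies))

YES_QUORUM = 2500  # 25% "yes" votes, the $25MM example from Fix 2
# Constructed tallies. SURPRISE: a last-minute batch of "yes" votes wins the
# debating period, then the "no" side turns out during the cooling-off weeks.
SURPRISE = [(3000, 1500), (3000, 2600), (3100, 2700)]
# GENUINE: support holds through the first cooling-off week.
GENUINE = [(3000, 1500), (3200, 1600)]

if __name__ == "__main__":
    print("single check:", single_check(SURPRISE, YES_QUORUM))
    print("double tap  :", double_tap(SURPRISE, YES_QUORUM))
    print("genuine     :", double_tap(GENUINE, YES_QUORUM))
```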

Ending Note 1

I didn’t discuss the flawed implementation of The DAO’s splitting functionality, which allows a group to split a pro rata portion of their funds off into a new DAO. The theory is that if a very controversial proposal is made and might be accepted, disgruntled investors can split off. In practice though this won’t happen: a splitting proposal takes only a few days less time than a two week proposal. In this time nobody would be able to determine whether the controversial proposal would be accepted or not and therefore would not wish to take the irreversible step of splitting. Furthermore, if you have already voted, splitting is impossible. Possible improvements here include allowing people to split even after they voted “no” and increasing the time allowed.

Ending Note 2

The described fixes should ensure that The DAO makes vastly more predictable decisions and better reflects the wishes of the community. My final thought addresses the one thing not easily fixed by code changes — the types of investment considered. Personally, I feel that The DAO will be better off investing in fully decentralized ventures where it can receive a proportion of pre-mined (or otherwise created) value tokens that can be distributed to its investors. For example, had The DAO invested in Ethereum it might have received ether then distributed among token holders. The DAO could possibly create several incredible on-chain ventures with the funds at its disposal where the value generated by the investment can be fully captured in new tokens.

Investing in external corporations is a much more difficult proposition, not least here because the concept seems to be that they will simply enter into a “social contract” to pay back a share of the profits if and when they are generated. Many startups become valuable long before they generate profits, which can take a decade to generate — just look at ventures such as Amazon and Facebook. The real value often lies in the intellectual property, in the experience and business networks and team that is built, all of which cannot be captured by a promise on profits that may never materialize: it would be a shame if The DAO invests in a good proposition only to repeat Kickstarter’s Oculus Rift experience where investors received a beta headset while the entrepreneurs cashed out to the tune of billions in a sale to Facebook.

One way to combat this might be to demand investee companies that will be substantially created and funded by The DAO from inception to adopt some kind of “takeover button”. This might involve (i) transforming all existing shares into a new class of shares that vest, which will be returned to the company upon The DAO producing a suitable proposal (ii) granting a single share to the Ethereum Foundation (or some other suitable organization) to be held in trust. The DAO could then effectively transfer ownership of the company to the Ethereum Foundation by destroying shares held by others. The foundation might then distribute its assets to a new owner nominated by The DAO. Some tax issues need to be worked out, but something like this should be workable.

Ok, over and out from me :)

Some links (not necessarily endorsed) discussing The DAO vulnerabilities on reddit.

https://www.reddit.com/r/TheDao/comments/4jzb08/dao_attack_series_the_dao_game_theory/

https://www.reddit.com/r/TheDao/comments/4khpx0/dao_15_protect_the_dao_in_the_short_term/