Forks, DoS, and what to expect in the future of Ethereum

Sculpture by Gary Hovey… that’s a bearish fork.

Recently, it emerged that soft forks are a vector for Denial of Service (DoS) attacks. This is a very serious matter, as we might need to soft fork again in the future. The vulnerability seems huge; you can check Hacking Distributed for the details. This article by Emin Gün Sirer, River Keefer and Tjaden Hess points out that blacklisting is a terrible idea because nodes need to be updated to perform the requisite checking, or else they can be cut off from the network, thus fracturing it. I hope and want to believe that a “soft” forking mechanism could be achievable without the DoS issue described. By “soft fork”, I mean an exception in the miners’ behavior that “censors” undesirable transactions. It is a kind of emergency button to stop a critical contract behavior. A “naive” way of achieving that censorship with DoS would be a fork (a change in the protocol) that throws when a banned address is invoked instead of considering the invocation invalid. The gas spent would be written in the blockchain, but this approach would be a hard fork because every node would have to update, and thus it would not be a practical solution.

Allowing DoS would put Ethereum in a tough spot. It turns out that handling the DAO problem will require a quick hard fork. Let’s explore other reasons to fork.

“Soft” forks, the IoT scenario

Consider an automation box that handles several devices at home. The box can be activated with a contract deployed on the blockchain. That kind of box would be very handy to keep track of who uses what at home for instance.

Bad news: the code of the contract has a critical flaw. An attacker can recursively call the rolling shutters function and make the electrical engine overheat, potentially starting a fire.

On a small scale, it would be possible to deal with this security issue with usual human intervention. But what if there were too many boxes installed, no more after-sale service, and/or a lot of users unaware of that flaw?

A fork rejecting the hash of the contract would solve the problem and, as the box would have stopped working, the owners would certainly seek an update by themselves.

Angelo Bronzino — Details of Portrait of Andrea Doria as Neptune (1530)

don’t turn your eyes away from forks

Would the “it’s an undocumented feature” argument hold in that case? No. The average user of the automation box would probably never have read the contract’s code anyway, and that fork would only affect the people concerned. The firm selling the box would be held responsible if a dramatic fire happened, but what if it had asked the network for a fork to prevent it? Doesn’t the fact that the network let malicious transactions be included in the blockchain mean it is at least partly responsible for the damages caused?

When asking that last question, I have been countered with the kitchen knife seller argument: “you cannot blame the guy that sold the knife for the murder.” Well ok, but consider the same argument with a car seller: “you cannot blame the guy that sold the car for the car accident.” The manufacturer realizes that the car can be remotely hacked to deactivate the brakes and asks the seller for his help. I say the seller is partially responsible if he does not cooperate.

I do not think that forks should be a normal way of dealing with faulty code, but we have to acknowledge that as of yet we do not have the best and proper practices, guidelines and security experience. Considering a fork to ban a contract that does not execute properly should always be a last-resort solution, as it requires achieving a consensus among miners and burdens the protocol. Still, it should not trigger the hostility within the community that we’ve seen these days, such as blaming the people concerned to take responsibilities for a previously unidentified problem, or claiming that the whole ideology of the network is at stake.

“Build unstoppable applications. Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.”

In the case of the automation box fork, the interference would come from the author(s) of the contract; so censorship and third party interference are safe. For a fork to reach consensus among miners, it has to be advocated by key influencers and recognized developers. This can pose a problem because not everybody has the privilege of having a direct line to the Ethereum Foundation. Anyone can propose a fork, and I believe that any serious malfunction that would require a fork will quickly be taken into account by key figures. To what extent will a case be considered serious? I can imagine that the more interactions there are between the blockchain and the meatspace, the sooner the jurisprudence will have to be established.

DAO (Hard) forks: what about the miner perspective?

Disclaimer: I own very few DAO tokens (less than 5K) and I hope my views are not influenced by the possible losses.

Specifically about the DAO hack, the choice to do just a soft fork, a soft fork and a hard fork, or nothing is — to me — very close to the “fat villain” variation of the trolley problem. I see the blockchain as the trolley and the attacker as the fat villain who put thousands of honest investors in trouble. Therefore my position is that pulling the lever “soft fork and the hard fork” is a moral imperative. There have been thousands of discussions about the forks, and I was astonished that very few were about the consequences for the miners. In the end, it is only their choice that matters for soft forks, and a hard fork with no miner is likely a no fork (if you want to learn more about that moral problem you should check this out).

J. M. W. Turner- Rain Steam and Speed the Great Western Railway (1844)

Voting in favor of the soft fork can be seen as a rational choice in the sense that the fork results in the evaporation of an important share of the total Ethers in circulation. On the one hand, you can expect that if the supply of Ethers is reduced, the price of Ethers will rise. On the other hand, you can also have concerns about what the soft fork implies in terms of image for Ethereum and maybe expect that Ether holders will sell shortly afterwards. Does the “tarnished image” effect overcome the greed to reduce the money supply? It looks like no is the answer, as the gas limit in favor of the fork has been reached very quickly. The DAO soft fork is now an almost certain future and will come with allowing DoS on the blockchain. It is too bad the vote took place before we knew about this last implication.

The DAO hard fork appears much more difficult to analyse. Let’s put away the DoS stuff and try to reject some very basic arguments, most of which are not miner-profitability oriented (and therefore not to be taken too seriously by miners):

- Hard forking will create a precedent and eventually lead to this spectre being raised every now and again

I understand that from a Bitcoiner perspective a hard fork is utterly scary; the entire confidence and legitimacy of Bitcoin as a currency kind of relies on the constant aversion to change of its miners. This fear does not apply entirely to Ethereum in my opinion. Ethereum is not a currency per se, and Ethereum is designed to have a whole ecosystem built on top of it. A hard fork could be a way to let potential investors and attackers know that the mining community will not allow a major heist.

- Hard forking will lead to governments and central powers imposing their own forks

Nonsense, one does not impose a fork. If someone wants to have a fork implemented he or she needs to campaign for it among miners or to control 51% of the network hashrate (good luck with that).

You can imagine a scenario where a government would forcefully push a fork by threatening legal action against miners, but that would require the help of several countries that don’t have a past record of successful legal coordination. If a state threatened miners, that would mean that a very serious matter had happened, and miners would certainly pay attention and come to a consensus.

I also believe that if the fork is reasonable it would be accepted anyway such as: “hey miners, someone hacked our website and changed the Ethereum address where we collect our taxes, can you undo that?”… Sure from a libertarian point of view if taxes are theft, if you steal from a thief well… no seriously I’d like to see what happens with this proposition.

- Hard forking will lead to another hard fork every time someone loses ether

This one is a basic slippery slope. I did lose Ethers by sending them to the wrong (valid) address. There is no reason that I should not take responsibility for that mistake, but if you have a link where I could file my complaint, hit me up in the comment section below. Miners are rational and able to understand the stakes of different situations.

Rembrandt — Details of the Blinding of Samson (1632)

So, if you set aside signals for investors in the ecosystem who, from my point of view, expect to see this fully corrected by a hard fork, I think the critical question is:

What will token holders do with their newly recovered Ethers?

That would be one interesting poll to start.

My guesses are that the few whales in the DAO are too involved with Ethereum to lose faith and that small investors expected zero compensation so they will either keep the ethers for the next opportunity or forget about it.

Conclusion:

If you are a miner and believe Ethereum will thrive with the ecosystem built around it and not as a bitcoin-like payment system, you should vote for the hard fork.