The DAO is an exciting new construct: an investment vehicle governed by a program, directed by investors' votes, to seek out and fund proposals. Implemented as a smart contract on the Ethereum blockchain, The DAO has raised 11.5 million Ether, valued at $150 million at the time of writing. This is the largest crowd-funding event in history. The DAO now controls 16% of the total supply of Ether. It is arguably the most visible project in the Ethereum ecosystem.

We just released the first draft of a research paper that analyzed The DAO and its voting mechanism. This paper identifies problems with The DAO's mechanism design that incentivize investors to behave strategically; that is, at odds with truthful voting on their preferences. We then outline potential attacks against The DAO made possible by these behaviors.

In particular, we have identified seven causes for concern that can cause DAO participants to engage in strategic behaviors. Some of these behaviors can cause honest DAO investors to have their investments hijacked or committed to proposals against their interest and intent.

These concerns motivate a moratorium on funding proposals to prevent losses due to poor mechanism design. A moratorium would give The DAO time to make critical security upgrades. We encourage the community to adopt a moratorium until The DAO can be updated.

For expediency, we skip the background on The DAO and its mechanisms and jump right into the attacks. A primer on The DAO's operation can be found in the full paper.

Attacks and Concerns

The central point of the DAO is to enable token holders to vote on proposals. Every proposal has a clear present cost, specified in the proposal itself. It returns value to the shareholders either through an expected profit denominated in ether and paid back to The DAO, or through the implicit appreciation of the The Dao Tokens (TDTs). As with every investment, proposals to the DAO have a probability of success that depends on the nature of the venture and its business plan. For instance, a proposal may ask for 1000 Ether to make 1000 T-Shirts, and may estimate that they will sell them for 1.5 Ether each, to yield a total profit of 500 Ether over a few months, and thus estimate they will return 1500 Ether to The DAO. It is expected that vigorous debate and discussion during the voting phase will enable each voter to independently estimate the chances of success, and thus, the expected value (EV).

Good mechanism design dictates that the overall organization be constructed such that rational actors vote truthfully in accordance with their estimates of the expected value of each proposal. For the wisdom of the crowd to manifest itself, we would like a TDT holder to vote YES for a proposal that they believe has positive expected value (+EV), and NO for a proposal they believe has a negative expected value (-EV); alternatively, they may abstain if their vote is not going to change the outcome. We now describe why the current implementation of The DAO fails to uphold this principle.

The Affirmative Bias, and the Disincentive to Vote No

The current DAO has a strong positive bias to vote YES on proposals and to suppress NO votes as a side-effect of the way in which it restricts users’ range of options following the casting of a vote. Specifically, the current DAO restricts the ability of a token holder to split from the DAO once they have voted on a proposal until the outcome of the vote is determined. Thus, a voter who believes a proposal has negative expected value is in a quandary: they can split from The DAO immediately without taking any risk, or else they can vote NO and hope that the proposal fails to be funded. A NO vote is therefore inherently risky for an investor who perceives the proposal to be -EV, in a way that voting YES is not for a +EV voter. As a consequence, The DAO voting is likely to exhibit a bias: YES votes will arrive throughout the voting period, while a strategic token holder will want to cast their NO vote only when they have some assurance of success. Because strategic NO voters will cast their votes only after gaining information on others’ negative perception of the same proposal, the voting process itself will not yield uniform information about the token holders’ preferences over time. Preferences of the positive voters will be visible early on, but the negative sentiment will be suppressed during the voting process -- a problematic outcome for a crowd-funding organization based on measuring the sentiment of the crowd through votes.

The Stalking Attack

Splitting from The DAO (the only viable method of extracting one’s Ether holdings from the main DAO contract) is currently open to a “stalking attack.” Recall that a user who splits from The DAO initiates a new DAO contract in which they are the sole investor and curator. The intent is that a user can extract his funds by whitelisting a proposal to pay himself the entire contents of this sub-contract, voting on it with 100% support, and then extracting the funds by executing the approved proposal. However, recall that the split and the resulting sub-contract creation takes place on a public blockchain. Consequently, an attacker can pursue a targeted individual into such sub-contracts. Since a splitting user is the new curator of the nascent sub-contract, a stalker cannot actually steal funds; the stalkee can refuse to whitelist proposals by the stalker (though note that, due to potential for confusion and human error, the expected outcome from such attacks is still positive). If the stalker commits funds that correspond to 53% or more of the sub-contract, he can effectively block the stalkee from withdrawing their funds out of the contract back into ether. Subsequent attempts by the victim to split from the sub-contract (to create a sub-sub-contract) can be followed recursively, effectively trapping the victim’s funds and prohibiting conversion back to ether. The attacker places no funds at risk, because she can split from the child-DAO at any time before the depth limit is reached. This creates the possibility for ransom and blackmail. While some remedies have been suggested for preventing and counterattacking during a stalker attack, they require unusual technical sophistication and diligence on behalf of the token holders.

The Ambush Attack

In an ambush, a large investor takes advantage of the bias for DAO users to avoid voting NO by adding a large percent of YES votes at the last minute to fund a self-serving proposal. Recall that under the current DAO structure, a rational actor who believes a proposal is -EV is likely to refrain from voting, since doing so would restrict his ability to split his funds in the case that the proposal succeeds. This is especially true when the investor observes that sufficiently many NO votes already exist to reject the proposal. Consequently, even proposals that provide absurdly low returns to The DAO may garner NO votes that are barely sufficient to defeat them.

This kind of behavior opens the door to potential attack: A sufficiently large voting bloc can take advantage of this reticence by voting YES at the last possible moment to fund the proposal. Such attacks are very difficult to detect and defend against because they leave little to no time for The DAO token holders to withdraw their funds. Among the current DAO investors, there is already a whale who invested 888,888 Ether. This investor currently commands 7.7% of all outstanding votes in The DAO. For a proposal that requires only a 20% quorum, this investor already has 77% of the required YES votes to pass the proposal, and just needs to conspire with 2.3%+1 of the token holders, in return for paying the conspirators out from the stolen funds.

The Token Raid

In a token raid, a large investor stands to benefit by driving TDTs lower in value, either to profit from such price motion directly (e.g. via shorts or put options), or to purchase TDTs back in the open market in order to acquire a larger share of The DAO. A token raid is most successful if the attacker can (i) incentivize a large portion of token holders not to split, but instead sell their TDT directly on exchanges, and (ii) incentivize a large portion of the public not to purchase TDT on exchanges. An attacker can achieve (i) by implementing the stalker attack on anyone who splits and then making that attack public on social media. Worse, since the existence of the stalker attack is now well-known, the attacker need not attack any real entity, but can instead create fictitious entities who post stories of being stalked in order to sow panic among The DAO investors.

An attacker can achieve (ii) by creating a self-serving proposal widely understood to be -EV, waiting for the 6th day before voting ends, and then voting YES on it with a large block of votes. This action has the effect of discouraging rational market actors from buying TDT tokens because (a) if the attacker's proposal succeeds they will lose their money, and (b) they don’t have enough time to buy TDTs on an exchange and convert them back into Ether before the attacker's proposal ends, thus eliminating any chance of risk-free arbitrage profits. The combined result of (i) and (ii) means that there will be net selling pressure on TDT, leading to lower prices. The attacker can then buy up cheap TDT on exchanges for a risk free profit, because she is the only TDT buyer who has no risk if the attacking proposal actually manages to pass.

The extraBalance Attack

The extraBalance Attack is one in which an attacker tries to scare token holders into splitting from The DAO so that book value of TDT increases. The book value of TDT increases through splits because token holders who split can not recover any extraBalance, so the extraBalance becomes a larger percentage of the total balance, thus increasing the book value of the TDT. Currently the extraBalance is 203,257.65 Ether, which means the book value of TDT should be 1.02. If the Attacker can scare away half the token holders, the TDT will increase in value to 1.04. If the Attacker can scare away ~95% of the token holders, the book value of the remaining TDT will be roughly 2.00. In this attack, the attacking whale would do the opposite of the token raid by creating a self-serving proposal with a negative return and then immediately voting YES on it with a large voting block of TDT, thus scaring all the token holders, and then giving them 14 days until the end of the voting period so that they have more than enough time to safely split. In this scenario, splitting will be risk free (assuming that it is not coupled with a stalking attack), since voting NO could result in losses if the attackers end up having enough YES votes.

The Split Majority Takeover Attack

Even though the DAO white paper specifically identifies the majority takeover attack and introduces the concept of curators to deter it, it is not clear that the deterrence mechanism is sufficient. Recall that in the majority takeover attack outlined in the DAO whitepaper, a large voting bloc, of size 53% or more, votes to award 100% of the funds to a proposal that benefits solely that bloc. Curators are expected to detect such instances by tracking identities of the beneficiaries. Yet it is not clear how a curator can detect such an attack if the voting bloc, made up of a cartel of multiple entities, proposes not just a single proposal for 100% of the funds, but multiple different proposals. The constituents of the voting bloc can achieve their goal of emptying out the fund piecemeal. Fundamentally, this attack is indistinguishable “on the wire” from a number of investment opportunities that seem appealing to a majority. The key distinguishing factor here is the conflict of interest: the direct beneficiaries of the proposals are also token holders of The DAO.

The Concurrent Tie-Down Attack

The structure of The DAO can create undesirable dynamics in the presence of concurrent proposals. In particular, recall that a TDT holder who votes YES on a proposal is blocked from splitting or transferring until the end of the voting period on that proposal. This provides an attack amplification vector, where an attacker collects votes on a proposal with a long voting period, in effect trapping the voters' shares in The DAO. She can then issue an attacking proposal with a much shorter voting period. The attack, if successful, is guaranteed to impact the funds from the voters who were trapped. Trapped voters are forced to take active measures to defend their investments.

Independence Assumption

A critical implicit assumption in the discussion so far was that the proposals are independent. That is, their chances of success, and their returns, are not interlinked or dependent on each other. It is quite possible for simultaneous proposals to The DAO to be synergistic, or even antagonistic; for instance, a cluster of competing projects in the same space may affect each others’ chances of success and thus, collective returns. Similarly, cooperating projects, if funded together, might create sufficient excitement to yield excess returns; evidence from social science indicates that social processes are driven by non-linear systems.

Yet the nature of voting on proposals in The DAO provide no way for investors to express complex, dependent preferences. For instance, an investor cannot indicate a conditional preference (e.g. “vote YES on this proposal if this other proposal is not funded or also funded”). In general, the construction of market mechanisms to elicit such preferences, and appropriate programmatic APIs for expressing them, requires a more detailed and nuanced contract. This does not constitute an attack vector, but it does indicate that we might see strategic voting behavior even in the absence of any ill will by participants.