Humorously, here’s the DAO creators claiming they’re not vulnerable to this attack a few days ago.
Making the handling of millions of dollars completely contingent on the formal correctness of a piece of code is a questionable decision at best.
Especially if you do not even attempt to provide a formal correctness proof.
Libertarian paradise: working as intended.
The funny part is they said that in the event of differences between the code and the English, the code takes precedence.
We’ll have to tell them to update their blog title, then. This is not an vulnerability exploited to steal millions of dollars, it is an exciting emergent feature of smart contracts. By definition.
Watching programmers reinvent banking and business law by reenacting every historical error instead of reading some fucking books is depressing.
In the words of the eminent Twitter philosopher and juvenile canid wolf pupy, “the best way to solve problems is to create more problems until you are dead”.
“New Systems mean new problems.” - John Gall, “Systemantics”
Whilst I agree with your sentiment, I’m also ignorant and therefore curious what banking or business law books to read addressing this class of vulnerability?
Contract law has historically been rather split on enforcement of absurd contracts. Sometimes courts reverse a contract, sometimes not.
Normally there needs to be a “meeting of the minds” but in this case I think everyone was agreed that the code was the contract and the code does whatever it is the code does.
You can’t sign unconscionable contracts, like selling yourself into slavery, but is that what happened? Similarly, you can’t usually “exempt” yourself from standard law and practice, but isn’t that the point of smart contracts? That they are wholly contained without depending on existing law.
The world’s largest bug bounty program worked as intended, it found a bug.