  2. 9

    smart contract coding is so difficult and unforgiving that even one of the primary developers of Ethereum can’t do it without losing hundreds of millions of dollars to human error.

    Crypto advocates need to take the next logical step, and admit the possibility that irreversibility, an essential design feature of cryptocurrency blockchains, is the fatal flaw of cryptocurrency that is responsible for most cryptocurrency and smart contract disasters. Pervasive irreversibility has turned out to be a bad and stupid idea.

    The argument presented rests on the premise that smart contract coding is too difficult and unforgiving. But surely it must be possible to produce a contract coding language that produces programs that are easier to reason about than the current spate of Ethereum contracts.

    1. 10

      https://blockstream.com/simplicity.pdf

      This is essentially exactly what I’d been imagining doing if I had infinite time to work on side projects. A transaction language that’s actually good from a language design standpoint, not just some acceptably serviceable DSL (bitcoin script) or a horrendous, clueless hack (solidity)

      Check out the paper, it’s pretty sweet.

      1. 3

        the language is so simple that I have no idea of what can be done with it. The only example given is a full adder.

        1. 8

          That’s not true. The end of the paper gives this example:

          The basic signature program that mimics Bitcoin’s basic signature program

          basicSigVerify b c := comp (pair (witness b)
              (pair pubKey (comp (witness c) sighash)))
              (comp (pair checkSig unit) (case fail unit))
          

          Other, more complex programs can be built to perform multi-signature checks, to implement sophisticated smart contracts such as zero-knowledge contingent payments, or to create novel smart contracts.

          It is possible that this example program is so succinctly expressed in the language that you missed it skimming the paper.

          We have written the SHA-256 block compression function in Simplicity. Using 256-bit arithmetic, we have also constructed expressions for elliptic curve operations over the Secp256k1 curve [9] that Bitcoin uses, and we have built a form of ECDSA signature validation [23] in Simplicity.

          Not only have they been implemented, but using Coq and verified implementations of the algorithms, their implementation in Simplicity has been proven correct.

          Did you read section 4 where they extend the core language to add combinators that would be needed to make contracts work? Namely sighash, witness, assertl and assertr, and checksig.

          In addition, it is stated explicitly a number of times that Simplicity is not meant to be used directly, but should be the compiled target of a higher level language.

          Simplicity is designed as a low-level language interpreted by blockchain software. We anticipate higher-level languages will be used for development and compiled to Simplicity. […] For the time being, generating Simplicity with our Haskell and Coq libraries is possible.

          Also, from the theoretical perspective

          While Turing incomplete, Simplicity can express any finitary function, which we believe is enough to build useful “smart contracts” for blockchain applications.

          Soooo, yeah, it seems it can get where it needs to go within the domain of smart contracts.
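As an added illustration of the point made in this reply (this is not code from the Simplicity paper, and not something either commenter posted), here is the denotational semantics of the nine core combinators written out as plain Python functions, together with `not`, a half adder and a full adder assembled purely from those combinators. The value encoding (`()` for the unit value, `('L', v)` / `('R', v)` for the two injections, Python tuples for products), the particular full-adder term and the host-side `ripple_add` glue are my own constructions in the paper's style, not the paper's exact terms.

```python
# Denotational semantics of the Simplicity core combinators (assumed encoding:
# () is the unit value, ('L', v) / ('R', v) are the sum injections, (v, w) is
# a product). Each combinator is a Python function from input value to output.

def iden(a):                      # iden : A -> A
    return a

def unit(_a):                     # unit : A -> 1
    return ()

def comp(s, t):                   # comp s t : A -> C, runs s then t
    return lambda a: t(s(a))

def injl(t):                      # injl t : A -> B + C
    return lambda a: ('L', t(a))

def injr(t):                      # injr t : A -> B + C
    return lambda a: ('R', t(a))

def case(s, t):                   # case s t : (A + B) x C -> D
    def run(ab_c):
        (tag, x), c = ab_c        # dispatch on the tag of the left component
        return s((x, c)) if tag == 'L' else t((x, c))
    return run

def pair(s, t):                   # pair s t : A -> B x C
    return lambda a: (s(a), t(a))

def take(t):                      # take t : A x B -> C, uses the left half
    return lambda ab: t(ab[0])

def drop(t):                      # drop t : A x B -> C, uses the right half
    return lambda ab: t(ab[1])

# A bit is the sum type 1 + 1; the two constants are terms of type A -> 2.
FALSE, TRUE = ('L', ()), ('R', ())
false = injl(unit)
true = injr(unit)

# Boolean negation and disjunction, built only from the core (my construction).
not_ = comp(pair(iden, unit), case(injr(unit), injl(unit)))   # 2 -> 2
or_ = case(drop(iden), drop(true))                            # 2 x 2 -> 2

# half_adder : 2 x 2 -> 2 x 2, output is (carry, sum).
half_adder = case(drop(pair(false, iden)), drop(pair(iden, not_)))

# full_adder : (2 x 2) x 2 -> 2 x 2 on input ((a, b), c), output (carry, sum):
#   1. ((a,b),c)      -> ((c1,s1), c)      half-add a and b
#   2. ((c1,s1),c)    -> (c1, (c2,s2))     half-add s1 and c
#   3. (c1,(c2,s2))   -> (c1 or c2, s2)    the two carries never both fire
full_adder = comp(
    pair(take(half_adder), drop(iden)),
    comp(
        pair(take(take(iden)),
             comp(pair(take(drop(iden)), drop(iden)), half_adder)),
        pair(comp(pair(take(iden), drop(take(iden))), or_), drop(drop(iden))),
    ),
)

def bit(b):
    return TRUE if b else FALSE

def to_int(v):
    return 1 if v == TRUE else 0

def add_bits(a, b, c):
    """Evaluate the full-adder term on Python ints; returns (carry, sum)."""
    carry, s = full_adder(((bit(a), bit(b)), bit(c)))
    return to_int(carry), to_int(s)

def ripple_add(xs, ys):
    """Host-side glue (not itself a Simplicity term): chain full adders over
    two bit lists given least-significant bit first; result has one extra bit."""
    carry, out = 0, []
    for x, y in zip(xs, ys):
        carry, s = add_bits(x, y, carry)
        out.append(s)
    return out + [carry]

if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                print(a, b, c, "->", add_bits(a, b, c))
    print(ripple_add([1, 0, 1, 1], [1, 1, 1, 0]))   # 13 + 7 = 20, LSB first
```

Every term above is a finite composition of the core, with no recursion and no loops, which is the sense in which the paper calls the language Turing incomplete yet able to express any finitary function; wider adders, and ultimately the 256-bit arithmetic the paper mentions, are just more of the same composition.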

          1. 3

            thanks a lot, totally missed this part

        2. 4

          That paper was, indeed, very sweet!

        3. 4

          I think about a year ago I was quite active in one of the Ethereum gitter channels.

          It’s possible yes. You don’t even need provers or anything fancy. I reasoned that a simple state machine is everything you need for most contracts. And state machines, especially deterministic, finite ones are easy to reason about. You can prove things about them, like that they never loop endlessly or that they are the most efficient and smallest implementation.

          I lacked the expertise to write an actual compiler but I think that might be a good direction in which to develop smart contracts. But, I wrote some documents and I think I have a small pseudo code around in which a compiler for this language could tell whether a contract can get stuck. Ever.

          On the other hand, DFSM’s are very simple machines and aren’t well suited for making complex things. They lack the complexity.

          1. 3

            What reasoning can you have about a simple state machine?

            1. 6

              You can statically determine that from each state, the final/exit state is reachable. You can also determine that there are no loops in the machine that last forever (but it’s more complicated). You can also prove that the given state machine is the simplest (fewest states) machine possible and if not, optimize it to such.

              Lastly, DFSM’s are very simple constructs that don’t really have a concept of anything outside themselves, in that regard they are very close to purely functional languages and you can build a lot of easy compiler checks (types) that makes the machine safer.

              Compared to doing the same with proper, Turing complete languages, you have less work and more, mathematically proven, securities.
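The three checks described in this reply, as an added example (not code from the commenter or from any project): a small Python checker that models a contract as a deterministic finite state machine and statically decides whether the exit state is reachable from every reachable state, which states the machine can never leave (an endless loop shows up as a cycle among such states), and, via Moore-style partition refinement, what the fewest-states equivalent machine looks like. The escrow-style contract, its events, the planted `Frozen` defect and the rule that an event with no transition leaves the state unchanged (a reverting call) are all assumptions constructed for the demo.

```python
from collections import deque


class DFSM:
    """Deterministic finite state machine with a start state and exit states.

    Events with no entry in the transition table leave the state unchanged;
    this models a contract call that reverts without touching storage
    (a modelling assumption, not something the thread specifies).
    """

    def __init__(self, states, events, table, start, exits):
        self.states = list(states)
        self.events = list(events)
        self.table = dict(table)  # (state, event) -> next state
        self.start = start
        self.exits = set(exits)

    def step(self, state, event):
        return self.table.get((state, event), state)

    def reachable_from(self, origin):
        """Breadth-first search: every state some event sequence leads to."""
        seen, queue = {origin}, deque([origin])
        while queue:
            s = queue.popleft()
            for e in self.events:
                n = self.step(s, e)
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
        return seen

    def stuck_states(self):
        """Live states from which no exit state can ever be reached.

        Any cycle made only of stuck states is a loop the machine can never
        leave, so this one check answers both "can the contract get stuck"
        and "is there a loop that lasts forever".
        """
        live = self.reachable_from(self.start)
        return sorted(s for s in live if not (self.reachable_from(s) & self.exits))

    def minimize(self):
        """Moore-style partition refinement over the reachable states.

        Returns equivalence classes: two states share a class when no event
        sequence can distinguish them (same exit status, same onward
        behaviour). The number of classes is the fewest states an
        equivalent machine can have.
        """
        live = sorted(self.reachable_from(self.start))
        block = {s: int(s in self.exits) for s in live}   # split on exit status first
        while True:
            sig = {s: (block[s], tuple(block[self.step(s, e)] for e in self.events))
                   for s in live}
            ids = {}
            new_block = {s: ids.setdefault(sig[s], len(ids)) for s in live}
            if len(ids) == len(set(block.values())):     # nothing split: stable
                return [[s for s in live if new_block[s] == i] for i in range(len(ids))]
            block = new_block


# Constructed escrow-style contract (sample data for this example only).
STATES = ["Created", "Funded", "Released", "Refunded", "Disputed", "Frozen", "Closed"]
EVENTS = ["fund", "release", "refund", "dispute", "resolve", "freeze", "close"]
TABLE = {
    ("Created", "fund"): "Funded",
    ("Funded", "release"): "Released",
    ("Funded", "refund"): "Refunded",
    ("Funded", "dispute"): "Disputed",
    ("Disputed", "resolve"): "Released",
    ("Disputed", "freeze"): "Frozen",   # constructed defect: Frozen has no way out
    ("Released", "close"): "Closed",
    ("Refunded", "close"): "Closed",
}
ESCROW = DFSM(STATES, EVENTS, TABLE, "Created", {"Closed"})

# Same machine with the defect repaired: a frozen escrow can still be refunded.
ESCROW_FIXED = DFSM(STATES, EVENTS, {**TABLE, ("Frozen", "refund"): "Refunded"},
                    "Created", {"Closed"})


if __name__ == "__main__":
    print("stuck states:", ESCROW.stuck_states())        # ['Frozen']
    print("after fix:   ", ESCROW_FIXED.stuck_states())  # []
    for cls in ESCROW.minimize():
        print("equivalent:", cls)   # Released and Refunded share one class
```

The stuck-state check is the one a compiler for such a language would run before deployment; the minimization result is informative in a different way, since two states it merges (here `Released` and `Refunded`) behave identically from the outside, which is either a redundancy to remove or a sign that the model has lost a distinction the contract author cared about.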

          2. 4

            Nick Szabo proposed a formal example language that wasn’t Turing-complete (that I can see).

            The trouble is, Ethereum wanted uptake, so they leveraged “worse is better”. This resulted in Solidity being the language people actually use for smart contracts, on the platform people actually use for smart contracts.

            The results are … less than great, given how utterly unforgiving immutable smart contracts are.

            Thankfully they’re proposing various new EVM languages that are less of a horror show. But it’s still overwhelmingly Solidity. You can propose things that will theoretically work better - and many are obvious - but then you need to get anyone to use them. Solidity coders in practice don’t even follow the many official guidelines to not making their code into Swiss cheese.

            Even then, I’m not convinced any human can program well enough to deal with smart contracts in an immutable environment, unless they’re coding like NASA for spacecraft. When not even Gavin Wood can write a smart contract that doesn’t proceed to lose him literally tens of millions of dollars, we might have a problem here.

          3. 2

            Remember (the first?) bitcoin fork? On August 8th, 2010, ~184,467,440,737 bitcoins were created out of thin air. Bitcoin had to be forked to fix it.

            https://en.bitcoin.it/wiki/Value_overflow_incident

            1. 5

              It is totally unrelated. Bitcoin forks are related to weaknesses in the protocol, which have to be corrected so it works as it should. The problematic Ethereum fork is here because the protocol works as it should, that is, running programs without human supervision.

            2. 3

              irreversibility, an essential design feature of cryptocurrency blockchains, is the fatal flaw of cryptocurrency that is responsible for most cryptocurrency and smart contract disasters

              If people wanted repudiation, they would use PayPal.

              Repudiation is one of the worst parts of the existing financial system, because it encourages horrendous failure-prone system design (since we can just roll it back no problem!). On a practical level, repudiation is fundamentally incompatible with the goals of a trustworthy, mechanized, objective finance system.

              (Although arguably it makes sense for ethereum since they’ve already given up on all three of those things by manually reversing the DAO “hack” even though it was a perfectly valid contract. So much for “code is law”.)

              On a philosophical level, Bitcoin is all about giving you more control at the expense of no one holding your hand. That’s the way it was designed, and that’s the way we want it. Repudiation fundamentally means loss of trust or loss of control. If anyone can reverse their own transactions, we lose trust. If there’s some centralized party that can choose to reverse transactions, we lose control.

              1. 5

                As long as humans build computer systems, you will have to have a way to recover from human errors. The only systems that don’t support such recovery are human-endangering systems which are gambled to be error free.

                1. 6

                  Yes, I’m saying that’s unworkable for anyone who just wants to move value around in a money-like manner and isn’t ideologically committed to dealing with the brittleness of the resulting system.

                  1. 0

                    Is cash unworkable? It has basically the same non-repudiation properties as Bitcoin, and yet people seemed to do OK with it for a long time (and before that, same deal with specie, and before that with commodities, etc.).

                    The existence of repudiation is a consequence of the emergence of unreliable credit systems, not something people sought out.

                    1. 13

                      Actually no, repudiation in the sense of contracts existed long before unreliable credit systems. Courts would “rollback” a contractual transaction for various different reasons. Among them failure on one party to understand what the other party meant in the wording of a contract. This could be due to one or both parties interpreting the language of the contract differently. This is a feature and not a bug of contract law.

                      As the bugs in smart contracts indicate it’s frequently possible for both the author of the contract and the counterparties to not fully understand what the contract actually says. This is for most people a bug and not a feature. Only idealists and thieves would look at it as a feature. The idealist is willing to sacrifice assets for the ideal of an unbiased contract enforcer. The other likes the idea that they can take money from people who didn’t think it was possible with no consequences.

                      Thieves were exploiting the legal system long before this of course, but smart contracts are obviously capable of quite serious bugs. You’ve just traded one group of exploiters for another, which certainly hasn’t moved us in a direction of progress, and may in fact have moved us a few steps backwards since the smart contract by definition doesn’t allow for any kind of remediation of the exploit.

                      1. 0

                        Contract invalidation risk is related to, but not the same as, counterparty and settlement risk in trading.

                        Modern credit systems didn’t exist until the late 1600s. Credit existed long before this, but its scope was strictly limited. Fungible obligations, short selling, futures, and all the other staples of modern trading are for the most part less than 500 years old.

                        As the bugs in smart contracts indicate it’s frequently possible for both the author of the contract and the counterparties to not fully understand what the contract actually says

                        You can’t blame human failures on the system they’re failing with. It’s not a “bug”, it’s the entire point.

                        1. 10

                          You can’t blame human failures on the system they’re failing with. It’s not a “bug”, it’s the entire point.

                          The entire point of systems engineering is to understand how system design leads to human failures.

                          1. 9

                            Fungible obligations, short selling, futures, and all the other staples of modern trading are for the most part less than 500 years old.

                            That’s not true. The ancient Babylonians had grains futures markets. Credit instruments, in many cases, predate cash.

                            1. 8

                              You can’t blame human failures on the system they’re failing with.

                              You can when literally Gavin Wood can’t write a contract that won’t lose him literally tens of millions of dollars. This strongly suggests the ideological imperative in question fails when it hits reality. “[ideology] cannot fail, it can only be failed” is the stuff of cults.

                              1. 0

                                You can when literally Gavin Wood can’t write a contract that won’t lose him literally tens of millions of dollars.

                                Sounds like Gavin Wood is one of the original developers of ethereum, which is exactly the sort of person I would expect to lose tens of millions of dollars due to lack of rigor.

                                “[ideology] cannot fail, it can only be failed” is the stuff of cults.

                                Are mathematics and formal logic cults?

                                That’s what this comes down to; I agree ethereum in particular is unsuitable as a financial system, but all that means is that we have to increase our expectations of formality in financial system design.

                                1. 5

                                  Are mathematics and formal logic cults?

                                  No, but the idea of wiring them into a financial system in a way that quite efficiently separates less-rigorous people from their investments sure is. People have a hard time dealing with formalized logic systems, and get tremendous value from a squishy financial system with chargebacks and courts and mutable rules.

                                  1. 4

                                    Also, we’re really bad at doing math good :(

                                    1. 0

                                      Good thing grandma doesn’t need to write a proof every time she sends Bitcoin; only expert implementers need to care about this stuff.

                                      1. 6

                                        This is categorically not true. Because when Grandma wants to send money via a smart contract on a blockchain she must either trust that the writer of the contract was a benevolent expert or be an expert herself. This continued insistence that math will protect less math savvy people from more math savvy people is why every conversation with the idealist breaks down.

                                        Grandma isn’t an idealist. She just wants to be one of the parties in a smart contract. But grandma can’t safely do it. Period.

                                        1. 4

                                          A good example is the EtherDelta hack. Approximately 0 crypto users can audit their software, let alone do audit it; they trust that someone else has done the security legwork to decompile and inspect a smart contract or a huge pile of minified JavaScript.

                                          One could then answer “well they deserve what happens to them, doing that in cryptocurrency” - but then you’re back to the problem that this is substantially only a problem if you insist on using cryptocurrency for things that are currently done without it. The primary use case is ideological, ‘cos it sure isn’t practical.

                                2. 4

                                  A bug is code that doesn’t work the way you meant it to. Blame lies with the Humans absolutely. But that’s the whole problem. Humans have to write the contracts. Humans also have to trust the contracts. Since Humans have to write them Humans also can’t trust them.

                                  This makes smart contracts considerably more risky. That is the entire point of their critics.

                                  1. 0

                                    Humans have to write the contracts. Humans also have to trust the contracts. Since Humans have to write them Humans also can’t trust them.

                                    This would all be true in the absence of formal methods, which people whom I actually trust to build a working financial system are currently trying to fix.

                                    I agree that existing “smart” contract systems suck, but the fundamental idea is perfectly sound.

                                    1. 4

                                      We probably would need to agree to disagree. I suspect the above would still be true even if you had formal methods.

                                      1. 2

                                        I think so too. The issue here seems to have been a combination of the following:

                                        1. code sharing (“external library”) to reduce deployment cost in the form of gas
                                        2. not knowing or realizing the library was actually a multi-sig wallet contract and thus vulnerable to the previously fixed vulnerability
                                        3. not considering the ill effects of calling a “kill function” on such a wallet
                                      2. 3

                                        Formal methods only prove what you specified. Usually the way to hack formally proven programs is to play on unspecified things.

                                3. 4

                                  Is cash unworkable? It has basically the same non-repudiation properties as Bitcoin, and yet people seemed to do OK with it for a long time

                                  The widespread use of cash is actually a pretty recent invention. “Cash” as we currently conceive of it (paper money, gold coins, silver bars, etc) has not historically been the primary financial instrument in people’s lives. The primary financial instrument has been credit. Historically, people would ring up a tab, and then pay it off. Even as late as the 1600s, it was possible for English kings to recall all of the coins in circulation and have it reminted with their likeness.

                                  This was workable because people lived in close-knit communities, and social and legal remedies could be effectively used against people who failed to pay off their debts. Cash was used when trading with people who could not be trusted, usually because they were merchants who were from outside the community.

                                  It’s only as we move to a more atomized, anonymous society that cash becomes more widely used. But even in a highly cash-oriented society, if you actually looked at the transactions, most “large” transactions were conducted in a repudiable medium, like cheques or bank transfers.

                                  1. 3

                                    I’d rather trade some repudiation potentially happening to having to lug around gold coins when I want to buy something. I find the arguments against repudiation a bit overblown. There was no lack of fraud, insolvency or straight-up moral hazard in the “good old days” of the gold standard.

                                    1. 0

                                      I’d rather trade some repudiation potentially happening to having to lug around gold coins when I want to buy something.

                                      Bitcoin allows you to keep both. It’s easy to transport and non-repudiable. That’s the point.

                                    2. 4

                                      Two problems with the cash analogy:

                                      1. Someone can’t pick your pocket from the other side of the world.
                                      2. Bitcoin acts much more like a balance in an electronically-accessible bank account. Except with no customer service and a terrible user experience. And ridiculously high fees. And long transaction delays.

                                      It combines the worst of both worlds.

                                      The existence of repudiation is a consequence of the emergence of unreliable credit systems, not something people sought out.

                                      This is completely historically false, as zaphar points out below.

                                      1. 3

                                        Actually, bitcoin has a lot fewer problems than ethereum. It has only one point of failure, which is keeping the private key secret. (There are several variations on how this secret key can be stolen, but it is a far smaller problem than the way bugs can be introduced in smart contracts.)

                                        1. 2

                                          Someone can’t pick your pocket from the other side of the world.

                                          Someone also can’t steal your cryptocurrencies from the other side of the world unless you’re acting stupid and trust a third-party wallet service.

                                          Bitcoin acts much more like a balance in an electronically-accessible bank account.

                                          “Cash acts much more like a balance in a physically-accessible bank account.” What are you trying to communicate with this statement?

                                          Except with no customer service

                                          You don’t need one; anything that’s possible you can do on your own. Sure, if you’re totally clueless it might be harder for you, but it’s a massive improvement for people who know what they’re doing.

                                          and a terrible user experience.

                                          Right, because banks score so highly for customer satisfaction. The reason I tried bitcoin was because banks kept fucking me over in ridiculous ways. The state comptroller stole thousands of dollars from my Wells Fargo account because of a paperwork error (not possible with bitcoin), and after I got it fixed and had the money refunded, Wells Fargo charged me hundreds in “legal fees” for the pleasure of helping the government steal my money.

                                          And ridiculously high fees.

                                          Compared to what? Even with the current insane transaction volume, it’s still cheaper than PayPal or credit cards, for any purchase over, say, $50. It’s only going to get cheaper as we find ways to take the pressure off (a la lightning network).

                                          And long transaction delays.

                                          I thought you were the one who liked repudiation? A transaction “going through” just means it’s no longer repudiable. Bitcoin transactions clear to the level of a credit card transaction instantly, and to the level that credit card transactions do after ~6 months on an average of ten minutes.

                                          This is completely historically false,

                                          No, it’s really not. For some historical context look up Hawala (early credit system) and then read about the emergence of modern financial instruments in the Netherlands in the late 1600s, including modern notions of settlement.

                                          1. 5

                                            Someone also can’t steal your cryptocurrencies from the other side of the world unless you’re acting stupid and trust a third-party wallet service.

                                            Except the article in question is exactly that with no one acting stupid. A contract had an unintended effect that allowed someone playing around to accidentally revoke access to assets guarded by that contract. That is demonstrably the entire thing that a smart contract is for. Are you suggesting that your money is safe as long as you don’t use a smart contract and don’t be stupid? I would agree but the context of this conversation isn’t crypto-currency. It’s smart contracts.

                                            1. 6

                                              Someone also can’t steal your cryptocurrencies from the other side of the world unless you’re acting stupid and trust a third-party wallet service.

                                              see, you say this, but it turns out that “be your own bank” also means “be your own financial institution chief security officer”, and that turns out in repeated practice to be really hard, hence the repeated tales on /r/bitcoin of people losing their holdings to user error or computer mishaps.

                                              Here’s the Bitcoin Wiki guide to being your own bank: https://en.bitcoin.it/wiki/Securing_your_wallet Give that to your favourite nontechnical relative and see how they do.

                                              it’s still cheaper than PayPal or credit cards, for any purchase over, say, $50.

                                              This is entirely false in the UK.

                                              The rest of your post is a Gish gallop of non sequiturs.

                                              1. -1

                                                hence the repeated tales on /r/bitcoin of people losing their holdings to user error or computer mishaps

                                                Yes, you expect some level of failure in a population of millions.

                                                Give that to your favourite nontechnical relative and see how they do.

                                                Any idiot can use a phone app like Mycelium and be sufficiently secure. Give them a Trezor if you’re really worried.

                                                This is entirely false in the UK.

                                                Are you claiming that credit cards don’t charge fees in the UK?

                                                The rest of your post is a Gish gallop of non sequiturs.

                                                Everything I said was a direct response to one of your points, so I think you mean “I don’t know how to refute what you said so I’m going to dismiss it instead”.