`

The Weekend Read: August 7

I'm subbing in for Todd this week.

Bitfinex and Other Tragedies

Earlier this week, the Bitfinex exchange was hacked to the tune of ~$60 million in losses. For a quick explainer on the topic, I recommend this video from Bloomberg.  It's still quite unclear who was involved, or exactly what happened, from reading public accounts. In the meantime, Bitfinex has proposed socializing losses among its customers. This will be awfully interesting to watch, particularly if some users have far more security on their accounts than others. 

Arguably the most painful part of witnessing episodes like this is that smart people have been trying to instantiate proposals that would make these attacks either impossible or orders of magnitude more difficult to pull off. In particular, Bitcoin Covenants would have almost certainly mitigated the attack on Bitfinex by making it harder for the attacker to abscond with the stolen funds. For an overview of this approach, see Emin Gün Sirer's latest blog post. Covenants were proposed over a year ago and most people think it would be a net-good to the Bitcoin ecosystem. Yet, I couldn't find any efforts to actually implement this technology. It's almost as though Bitcoin has a governance problem. 

Growing Interest in Fintech

This week it was announced that the Monetary Authority of Singapore (MAS) has set up an International Technology Advisory Panel to learn more about fintech solutions, including blockchain technology. The group includes some familiar names, including our own Tim Grant. We also announced a new type of member this week with Thomson Reuters

It's enormously encouraging to see a variety of institutions take interest in new types of technology and approaches. It runs against the way we've been taught to think, but innovations in software and networking now allow for smaller companies to punch above their weight in terms of impact. An example I cite often is WhatsApp, which had only 35 engineers on staff when it was acquired. As of late last year, this number hovered around 50 engineers supporting ~900 million users. (Wired wrote an excellent piece on the company detailing their approach.) I think a lot of good can come from collaboration between large institutions and smaller shops because of these innovations, allowing all parties to excel at their strengths. 

Software isn't Rocket Science

But rocket scientists use software. 

Where am I going with this? Well, in the wake of The DAO, many have been critical of smart contracts as a means to transfer value. The examples cited for their deficiency, however, come from practitioners who use methods, languages, and constructs which are known to be flawed for consistently well executed programs. We know better ways to deal with software, as noted in The American Banker this week:

Dealing with money, especially other people’s money, requires discipline, which does not occur automatically, but must be methodically implemented. Fortunately, the software industry is sufficiently mature to offer lots of best practices.

Given the importance of the smart contracts and the financial risks involved, we believe that the solution lies not in human oversight, but in objective testing and validation tools. Smart contracts are prime candidates for formal verification, one of the most advanced techniques in software quality assurance. Formal verification requires that the software be implemented in a language that has a strict specification of its semantics. Having this crystal-clear mathematical model allows to apply methods of logical proof to any piece of software written in this language to verify that it really does what it is supposed to do.
— http://www.americanbanker.com/bankthink/what-doesnt-kill-the-blockchain-will-make-it-stronger-1090554-1.html?CMP=OTC-RSS

I've been banging the drum of formal verification for years now. Appealing to authority, NASA agrees with me and NASA knows a thing or two about reliable programs. Good software isn't impossible to build but it also isn't obvious or easy to write. The fatalistic position that we can never trust these programs ignores decades of success in engineering and computer science to run some of the most sophisticated operations in the world. 

Other Links