The IT Implications of Decentralized Autonomous Organizations
Decentralized autonomous organizations — or DAOs — can be thought of as clubs for crypto enthusiasts, except they operate under a shared goal: provide each member with equal say in making decisions.
As the name suggests, a DAO involves a group of people who come together without a central leader or company dictating any of the decisions. DAOs are unique in having a completely flat hierarchy. They are built on a blockchain using smart contracts (digital one-of-one agreements).
DAO members will typically buy their way in, buying a governance token specifically for the DAO that enables them to vote on decisions about how the pool of money is spent and managed. DAOs can be international, with people from all over the world communicating online .
Each DAO will have a different mission, depending on the interests of its members. Some are based on personal interests, such as the ConstitutionDAO, which attempted to buy one of the original copies of the U.S. Constitution.
Others have broader goals, like running a business as a group. Mantra DAO, for instance, is a community-governed decentralized finance platform that lets people stake, lend, and borrow their crypto assets.
The flat hierarchy, business benefits, and often highly specific missions of DAOs make them fascinating to study, but what are their IT implications?
Security Vulnerabilities
It should first be noted that DAOs may be susceptible to cyberattacks. As a case in point, let’s examine The DAO, which was a digital DAO and a form of investor-directed venture capital fund. It was one of the most extensive crowdfunding campaigns in history after launching in April 2016 via a token sale.
The DAO’s objective was to provide a new decentralized business model for organizing both commercial and non-profit organizations. It was instantiated on the Ethereum blockchain and had no traditional management structure or board of directors (as is typical of DAOs). The DAO’s code was also open source.
But in June 2016, users exploited a vulnerability in the code that allowed them to siphon off one-third of The DAO’s funds to a subsidiary account. This amounted to 3.6 million Ether coins (valued at $55 million).
The Ethereum community then decided to hard-fork the blockchain to restore approximately all funds to the original contract. By September 2016, the value token of The DAO was delisted from major cryptocurrency exchanges (such as Poloniex and Kraken) and had essentially become defunct.
The DAO faced risks including unknown attack vectors and programming errors. Because of the events that unfolded, DAOs are now trying to prioritize security, to ensure that devastating effects don’t occur following a hack. Crucially, The DAO hack was not caused by any inherent weakness in blockchain or distributed ledger technologies; it was specific to The DAO’s smart contract code, a vulnerability that was identified in May, way ahead of the attack.
A Potential Lack of Regulatory Oversight
Unlike traditional financial intermediaries, DAOs do not appear to fall into any category of any regulated entity. As its name implies, DAOs are autonomous. And although one or more individuals may create the code for a DAO, it is not clear whether those individuals will ever be identified or will continue their involvement. Therefore, there may be no investment adviser, commodity pool operator, or other regulated entity taking responsibility for a DAO’s security.
With a lack of regulatory oversight, there is an increased risk that DAOs will either fail to spot vulnerabilities or fail to take action to correct them once identified. DAOs may have open-source code (like The DAO did), which means it’s open to the public to identify and fix vulnerabilities, but this does not mean anyone will actually take on the responsibility to fix them or take on liability for failing to fix them.
Due to the anonymous and distributed nature of a DAO, there is little (if any) incentive to commit to the cybersecurity measures that are implemented by traditional financial intermediaries based on existing IT regulations.
Learning from The DAO’s Downfall
The hack that The DAO faced should serve as an important lesson for DAOs operating today.
All DAOs using distributed ledger technologies or virtual currencies need to make sure that their own application, as well as those they engage with, put in place best practices for cybersecurity.
Not only should DAOs prepare for incident response and crisis management in advance, but they should also proactively review their policies and procedures, system controls, and vendor management practices. Conducting cyber risk reviews – including accessing threat intelligence and participating in Information Sharing and Analysis Organizations (ISAOs) – and timely organizational response should be continuous activities.
DAOs need to always be on the lookout for vulnerabilities in their code and fix them before hackers even get a chance to exploit them.
DAOs should ensure that they have adequate protection against the common methods hackers use to attack blockchain technology, including phishing, routing, and Sybil attacks.
These attacks have the potential to be severe, and need to be prevented and mitigated as much as possible.
Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.
