In May of 2016 a thief was able to steal over $50 million in broad daylight from a pool of over 11,000 investors using one simple tool—a single line of poorly written code.
The money was stolen from the Distributed Autonomous Organization (DAO), a sort of communal venture capital fund coded on a blockchain platform and governed by a "smart contract," independent of any human manipulation or oversight.
Part of the lure of blockchain – a sort of shared, public, and decentralized ledger of transactions – is the transparency and security which it’s meant to provide. On a blockchain, transactions from multiple users are bundled into "blocks" and chained together to form a ledger that shows every recorded transaction. Many users within the system have a copy of the ledger, and every user is constantly checking their copy against the consensus of the other copies within the network. If it doesn’t match, someone may be trying to commit fraud.
"Blockchain is useful in situations where there is a lack of centralized trust," says CyLab's Michael Coblenz, a Ph.D. candidate in Carnegie Mellon’s School of Computer Science.
However, as the DAO hack illustrated, blockchain applications are still not immune to mundane coding mistakes. Coblenz is on a mission to create a new programming language that will reduce the likelihood of bugs and vulnerabilities in blockchain programs caused by these lapses. This new blockchain-specific programming language is called Obsidian.
Our focus is on reducing the chances of making a serious mistake.Michael Coblenz, Ph.D. candidate, CyLab
While blockchain programs are often written in a variety of programming languages and on several different major platforms, Obsidian is designed specifically for use in blockchain applications. The motivation for the project came from a few observations.
- Many issues result from actions carried out on assets in the incorrect "state," such as whether a bond is listed as either sold or for sale. Simple mistakes can cause these states to be ignored, leading to errors like a program trying to collect interest on a bond that hasn’t yet been sold
- Other problems result when users write code that simply doesn’t properly manage assets, which can cause money or whatever else is being handled by the program to be lost irretrievably
The common denominator: both types of vulnerabilities result from user error. Errors like these can be almost impossible to fix, as part of the security of blockchain is that the program itself is immutable once it’s been deployed.
Thus, Coblenz concluded that the issue was not anything inherently wrong with the blockchain platforms themselves, but rather that using them correctly is difficult and therefore prone to bugs and mistakes. Based off this finding, he decided that Obsidian needed to place an emphasis on "usability."
"Imagine a path that is slippery because it's covered in ice. You can still get across it if you don’t slip, but you’re more likely to slip because it’s covered in ice," explains Coblenz. "Our focus is on reducing the chances of making a serious mistake. You shouldn't cover your paths in ice; you should cover them in salt, so that they’re not slippery."
By crafting a more intuitive language, users will hopefully find it easier to write code correctly and without opening vulnerabilities like the one exploited in the DAO attack. Coblenz’s language employs a system of typestate and ownership to make it much easier for them to catch errors in code before the program is deployed.
Obsidian is still under development, and Coblenz has been conducting formative studies to test how users handle working with the new language, using their feedback to refine it and further increase usability. Soon, Coblenz hopes to test how his language stacks up head to head against other blockchain languages.
While for many, the word blockchain evokes thoughts of cryptocurrency, the potential applications for a safe and intuitive blockchain language go far beyond the likes of Bitcoin.
"There's a really wide range of uses from managing medical records to smart energy grids, finance, shipping, international logistics, food supply chains, banking and oversight," says Coblenz. "Blockchain 1.0 was about cryptocurrencies, but blockchain 2.0 is about building applications."