␛ [Analysis] A decentralized escape hatch for DAOs – Ittay Eyal and Emin Gün Sirer

One of the key lessons to emerge from The DAO's breach was a call for an escape hatch. An escape hatch is simply a mechanism to stop the operation of a smart contract, perhaps revert it to a lower-level safety mode, when something nefarious seems to be taking place. The problem with an escape hatch, though, is that it may seem to be at odds with the "autonomous" nature of smart contracts. . &nbsp The simplest escape hatch could be implemented by having a cryptographic public key embedded in the contract, allowing only a person holding an appropriate secret key to activate the hatch and push the contract into "maintenance mode," from which it could be debugged and restarted, using the same key. An upgrade would be to make it a multisig or a shared secret key. Both of these approaches are undesirable in a DAO, however, because the parties holding the keys present a point of weakness. &nbsp A simple decentralized escape hatch (DEH) mechanism works better for DAOs. A DEH comprises of three components:

• Buffer: This delay provides an opportunity to review the operation of the main contract for errors
• Trigger: A DEH implements a mechanism by which the money flows in its buffer can be reverted under precisely-specified conditions
• Undo log: An associated, application-specific undo log optionally provides a mechanism by which the DEH can specify how to revert certain actions

The implementation of the trigger is the sticky point. There are two, mutually complementary, options:

• Programmatic invariants can serve as automatic triggers where possible
• Crowd-sourced triggers can bring in human supervision and catch issues that are difficult or impossible to specify as an invariant

Let us know what you loved about the report, what may be missing, or share any other feedback by filling out this short form. All responses are subject to our Privacy Policy and Terms of Service.