Cornell Professor Calls for 'DAO 2.0' Movement

Emin Gün Sirer already helped identify the bug that led to an expensive exploit of The DAO. Now he's helping ensure future DAOs are safe.

AccessTimeIconJun 22, 2016 at 7:46 p.m. UTC
Updated Mar 6, 2023 at 2:55 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The Cornell computer scientist who helped identify vulnerabilities in The DAO revealed 10 new exploits in its code at an event in New York.

The statements from Emin Gün Sirer, a longstanding critic of the project, come amid broad concern over developments at The DAO, a smart contract-based funding vehicle built with ethereum that has effectively collapsed following an exploit of a vulnerability within its smart contract code.

Sirer warned that, while the vulnerability that led to the removal of tens of millions of dollars worth of the cryptocurrency ether is now well-understood, much remains to be fixed before another DAO (decentralized autonomous organization) can be launched.

The statements were the first to lay a clear path forward for how to build an organization run largely with code, and thus fulfill the original vision of The DAO.

Sirer, who is the co-director of the Initiative for Cryptocurrencies and Contracts (IC3), an academic research project focused on the technology, used the forum to lay out a detailed account of possible exploits for such projects that go all the way down to the Ethereum coding language itself.

Sirer went on to argue that the issues highlighted are relevant when looking at the question of creating similar projects in the future.

He told the crowd:

"The DAO 2.0 requires much, much more effort. It’s a much deeper field than people might think."

Vulnerabilities detailed

In the days leading up to the initial bug detection, Sirer and his colleagues published an overview of what they called a “recursive call” vulnerability that allowed the exploiter to move funds into a so-called “child DAO” that breaks off from the original DAO.

Addressing a crowd of about 70 bitcoin coders, ethereum developers, computer scientists and financial professionals at last night's event, Sirer went into detail about other possible threats.

For example, the “stalking” bug – which is currently being used to mount a counter-attack against a white-hat hack designed to move funds into a safe account – is an example of one of the vulnerabilities Sirer identified at last night’s event.

The 10 vulnerabilities Sirer discussed in detail include a "concurrent proposal trap" whereby an attacker makes an arbitrary proposal such as 'Do you believe in God?' designed to entice a high degree of response, and include long voting period during which the token used to vote becomes trapped. Then, a competing proposal could be made by the attacker after the funds have been locked up.

Another exploit, called a "majority takeover" attack, disguises a majority vote by a single party that might benefit from a successful proposal by splitting the voting power into smaller votes cast separately, for which he said there is no known defense.

Some of the exploits discussed last night were published in detail in the earlier paper. A full list, along with an account of how The DAO functions, can be found here.

"The whole point of smart contracts is to create exciting, weird financial instruments," Sirer told attendees, adding:

"This is not exciting, it’s just weird."

Tough love

In the hours leading up to yesterday’s event, Sirer engaged in an Twitter debate in which he argued that the Ethereum community should ostracize founding members of, a Germany-based startup that wrote The DAO code and spearheaded its deployment.

At the event in New York, Sirer doubled-down on his call, naming founders Stephan Tual and Christoph Jentzsch, in particular.

But while Sirer had some harsh words for, he said the problems extend to ethereum itself. He called The DAO a "ginormous $220m bug bounty", a criticism that extended not only to DAOs, but to ethereum’s smart contracts coding language Solidity, which he said is a work in progress.

Sirer told attendees:

"We should redesign Solidity, we should rethink what it means to write secure state machines, how we should specify them and how we should make sure that they do not mess up."

Image by Michael del Castillo for CoinDesk


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.