[aaron-lebo]

I watched Ethereum for several months after the initial announcement and was really excited about it. I know the network went live recently and it surprises me how little it's been discussed at places like HN.

How are things going as far as tech, adoption, etc for Ethereum for those in the know?

[mannykannot]

I am curious how one goes about verifying that these "trustless transactions of arbitrary (turing-complete!) complexity" will have the behavior that you expect (as a participant) or intend (as an author) for them to have, and that they are proof from subversion by a malicious counter- or third party. After all, this is not exactly a solved problem anywhere else Turing-complete complexity is employed, and it would seem to nullify the point of trustlessness if you are relying on someone else's word on this matter.

[drdeca]

Well, the compiled code is available, and if they provide the source code, you can verify that it compiles to the code on chain (or, you can analyze the code on chain without the source code of the contract, but that is harder).

The source code for the contract can be made to have a proof of correctness in it, or, as it is probably not all that long, if you look at the source code long enough you can be sufficiently convinced that it runs how you expect it to.

Regarding the problems with turing completeness, any transaction is guaranteed to finish within a particular number of steps, because the transaction includes an amount of "gas", which puts a limit to how many steps the contract will run. If it runs out of gas before finishing, all the changes in the state are reverted (but the person still pays the gas cost). If it finishes, then the extra "gas" is returned. (the transaction specifies some "gas cost", which is how much ether per gas or gas per ether (idr) , and some amount of ether, which is the max cost the transaction is allowed to take. There aren't "gas balances", any "gas" that is transferred just is ether at the end. Its just a unit of how much computation, and the gas price is how much they are willing to pay per amount of computation. I feel like I didn't explain this well...)

Checking that the contracts were run correctly is done by anyone verifying the block which contains the contract call. If the miner runs the contract incorrectly, then the people verifying the block will not accept the block as valid, so people won't mine on the block, so it wont end up in the main chain, so the miner will not receive anything from mining the block, and what happens in the wrong execution wont effect anything.

I'm not sure if this explanation has been very clear, but I hope it has been clear enough. I can try again if it isn't though.

[mannykannot]

Thank you for your reply, but I have to say that I think it understates the problem.

>The source code for the contract can be made to have a proof of correctness in it..

Has this capability already been implemented for the Ethereum contract language(s)? If so, I would greatly appreciate a link, as my admittedly cursory search did not find it (there is some discussion of verification of the Ethereum infrastructure, but that is merely a precondition to contract verification.)

Even so, I think it is significant that only a tiny fraction of today's software is written this way, and only a tiny fraction of all developers know how to do it. Someone has to write these contracts.

>... or, as it is probably not all that long...

Ethereum's promoters are imagining nothing less than a revolutionary new economy, with vast networks of interacting contracts. The amount of contract software implicit in these dreams is huge.

>If you look at the source code long enough you can be sufficiently convinced that it runs how you expect it to.

The steady stream of security vulnerabilities that are being found in ordinary software shows that this is not an effective technique. If you are a software developer, imagine doing your work in an environment where any bug of yours could cause you, personally, to lose a significant amount of money.

Nor do I think 'gas' completely solves this problem. Now your analysis has to cover the issue of whether your contract, or any of those it is dependent on, will run out of gas before completion. In most cases, and particularly in networks of dependent transactions, reverting back to the initial state is not a viable outcome (imagine that happening on the last payment of your mortgage on a house.) I can imagine that running out of gas on some obscure corner case might be used by an attacker as as a means to disrupt a network of dependent transactions.

[drdeca]

Afaik, no, proofs of correctness are not currently implemented in the languages that are used. Some of them iirc have a way to do that in part, but currently the languages aren't set up for full proofs of correctness. (But, iirc, some things can be shown)

It is planned though.

Ok, yes, I suppose that the contracts will/would eventually get kind of long. As it is now though, It hasn't taken me /all/ that long to read the contracts I've looked at. (But perhaps I've only bothered to look at the ones short enough to read )

Regarding finding security flaws despite people looking carefully: yes, that seems a good point. I think proofs of correctness will be important for important contracts. However, many contracts logic is not really all that complicated. A contract can be powerful without being complicated, I think. Because of this, I think much of the time the proofs should not be too hard to write.

Regarding running out of gas:

Well, yes, if the transaction you send does not have enough gas, and you needed it to run, that could be a problem. But, if you run the transaction locally, and use that to estimate the amount of gas which needs to be used (might not be exact if the state of the contract changes in a way that your transaction needs more computation, but for reasonable contracts I think this would not be much), and one can provide extra gas in case this happens (the extra gas will be refunded), to have a high confidence that it will be enough.

But, if the transaction is important, one would be watching what happened carefully anyway, to make sure the transaction gets in the chain, regardless of the complications from the computations in the transaction. If, counter to your expectations, the gas you provided did not end up being enough, then you would be able to notice this, and, though you would be out that gas cost, you could just send the transaction again with more gas.

The block times are very short (under a minute), so you probably wouldn't have to wait long to send the transaction again with more gas. Most of the gas costs shouldn't be too large, so unless the transaction you are sending is very time sensitive, or very computationally expensive, a transaction running out of gas shouldn't be /too/ much of a problem?

I think you make some good points btw, just explaining my understanding of how those things are addressed.

Also, I'm not sure, but it seems you might have a small confusion about gas. Gas is included in the transaction, not stored by a contract over time. Gas only exists within the context of a particular transaction, the token which is actually exchanged is ether. You might have just been choosing not to mention the details of that though.

[nivertech]

I think @mannykannot misunderstands the purpose of gas in Ethereum. It's only purpose is a solution to the Halting Problem [1]. Alternative solution could be disallowing jumps backwards / loops or limiting time of the computation.

Why is it the problem? Because contract with something like while(1){}; will render the entire network of nodes useless.

1. https://en.m.wikipedia.org/wiki/Halting_problem

[mannykannot]

I am well aware of the purpose of gas. What I have not seen is any argument (from @drdeca or anyone else) that gas materially simplifies the problem of verifying that a contract behaves properly (from your perspective, as one of the parties to the contract) in all circumstances. The fact that it will always halt is only a tiny step along that road, and if it halts as a result of running out of gas, that is strong evidence that it has not worked as intended.

An example may be useful. Suppose I tell you that I have written an Ethereum contract whereby people can loan me money, and after a year, I will pay them back double. Before you enter into one such contract with me, I hope it would cross your mind to wonder if I might actually be running a Ponzi scheme. Don't worry, I say, Ethereum has this gas feature that means the transaction will always halt. How much more confident should that information make you feel?

As for your alternatives, gas is essentially the same as limiting the time of computation. If backwards jumps were disallowed, the language would not be even approximately Turing-equivalent.

[Retra]

You can only create a little trust by reading source code. You really have to analyze the whole compilation processes.

[steckerbrett]

What did you expect to be able to do with it, exactly?

[Moshe_Silnorin]

I'm interested in it, mainly as a tool of regulatory arbitrage. I chiefly find it interesting as a means of making decentralized prediction markets. Our governments don't seem to want to allow the innovation. However, if we can get a decentralized Prediction market liquid and running, then I think there will be significant pressure for the government to legalize centralized prediction markets, which will be much more efficient.

[adrianmacneil]

You might be interested in http://www.augur.net/. Although, I believe it uses its own native token, rather than being built directly on top of bitcoin or ethereum.

[tonysakich]

Hey thanks for sharing our project on this post! Just wanted to clear something up from what you said.

Augur's native token is not what is used to create markets, Augur's token is Called REP (short for Reputation) and holders of the token actually serve as reporters that serve as the basis of our decentralized oracle system.

We created a few resources to explain how REP works including how REP holders are rewarded for reporting the truth/punished for reporting lies. We created a short two minute animated video to explain this process you can check out here: https://www.youtube.com/watch?v=sCms-snzHk4.

Additionally there is a great resource going into much further detail about Reputation as well as an infographic to visually illustrate the process here: http://www.augur.net/blog/what-is-reputation

Finally feel free to reach out if you have any other questions. The Augur Alpha is out at http://demo.augur.net and our code is on github at http://github.com/augurproject

[Moshe_Silnorin]

Augur is built directly on Ethereum. Truthcoin will be making its own chain. I don't care who wins, and to be honest I don't give either a very high chance. I really really think prediction markets should exist though, So I applaud both efforts.

One real big problem is nobody wants to bet using shady highly volatile currency like Bitcoin or Ether. I'd much prefer USD markets, Vitalik has some ideas about making stable coins that track USD. Hopefully that works out.

[drdeca]

the DAI project (originally eDollar, which is now intended to be built using DAI) which tracks a value which I think is like, some basket of different currencies, is being worked on.

I don't really understand the mechanism by which it is meant to track the price of the basket of currencies, but I haven't seen many criticisms of it?

[steckerbrett]

Why does Ethereum help, and why do you believe Ethereum is invulnerable to the law?

[Moshe_Silnorin]

It allows you to build incentive structures that are not centrally controlled. There is no server to raid. This comes at the cost of enormous scaling issues. However,it looks like it will be able to handle a market with about $500 million in volume per year - at this point I hope the advantages of prediction markets will be clear enough that centralized markets will be made legal. Centralized markets are vastly preferable in most respects.