by heliumcraft 3655 days ago
It's a code mistake by who did the DAO code. (DAO != Ethereum) It's more the equivalent of using eval in your nodejs code to evaluate some parameter received from a user. It's a stupid code mistake, but you wouldn't say the internet is a bad idea because some website got hacked.

> It's a stupid code mistake, but you wouldn't say the internet is a bad idea because some website got hacked.

But if you're setting up a situation where server after server is constantly compromised because of hard-to-discern reasons, then yes, that is a bad idea. Having an internet is something as obviously good as electrical wiring and highway bridges. Having a badly implemented internet is as obviously bad as faulty wiring and badly engineered highway bridges.

This stuff is making Ethereum sound like it was written by people as unqualified to make such a system as a dev who would use eval in nodejs code on a user supplied string is to implement an ecommerce site.

Essentially this is the equivalent of a dev mistakenly using an eval in the wrong place in nodejs code. But all these articles are making it sound like the Ethereum team created the DAO and these issues affect Ethereum as a whole, which just isn't true.
The way I see it (continuing the simile): if you're writing something as critical as monetary transactions, everywhere is the wrong place to use eval in nodejs code. And when you're writing a dedicated language for monetary transactions, including eval in your API is just as wrong. The last part is why this issue affects all of ETH.

Solidity is a new language, specifically designed for Ethereum. If the response to contract issues like this is "but that's a known failure mode, don't do that", then that signals a problem with the language, not just the contract code.

> If the response to contract issues like this is "but that's a known failure mode, don't do that", then that signals a problem with the language, not just the contract code.

It also signals a problem with the culture, with respect to the perceived amount of rigor required by the problem domain.

I know that DAO != Ethereum.

Letting programs call arbitrary functions on each other is a fundamental design flaw in every concurrent system.

I don't think I would consider Ethereum a "concurrent system" in the same sense.

This functionality is there because it allows contracts to interact with each other. This allows a million different types of applications, e.g. you could create a crowdfund using a gold token held by a multisig.

The contracts are usually trusted and their addresses set from the beginning, so this is never an issue (unlike what the article implies). The DAO however allowed an arbitrary address to be used as the contract to talk to. This is flexible because it allows contracts to update themselves, or update who they talk to, but if the contract is malicious and there is a reentrancy, then that's the issue, but again, it's the contract's fault, not the whole platform.

> This is flexible because it allows contracts to update themselves, or update who they talk to, but if the contract is malicious and there is a reentrancy, then that's the issue, but again, it's the contract's fault, not the whole platform.

The platform is being shown to be superhumanly difficult to write secure contracts for. That's a platform issue.
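The reentrancy the thread keeps coming back to (a contract paying out to an address that is itself code, which calls back into the payer before the payer has updated its own state) can be modelled without a blockchain at all. The following is an added example, not code from the thread, from Ethereum or from the DAO: a toy `Vault` in Python whose `withdraw()` either makes the external call before it zeroes the caller's balance or after. The depositor names, the amounts, and the `ReenteringContract` recipient are all constructed here for illustration.

```python
# Added example: a toy model of the reentrancy failure mode discussed in the
# thread. Not code from the thread, from Ethereum or from the DAO; the Vault,
# the depositor names and the amounts are constructed for illustration.


class Vault:
    """Holds per-depositor balances and pays them out on request.

    `order` selects whether withdraw() performs the external call before or
    after it zeroes the caller's balance. Ethereum contracts make the same
    choice when they send value to an address that may itself be code.
    """

    def __init__(self, order):
        if order not in ("call-then-update", "update-then-call"):
            raise ValueError(order)
        self.order = order
        self.balances = {}   # depositor -> credited amount
        self.pool = 0        # total funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.order == "call-then-update":
            # Vulnerable ordering: the recipient's code runs while its balance
            # is still credited, so a re-entrant withdraw() sees the old value.
            self._send(who, amount)
            self.balances[who] = 0
        else:
            # Checks-effects-interactions ordering: state is updated first, so
            # any re-entrant call finds a zero balance and returns immediately.
            self.balances[who] = 0
            self._send(who, amount)

    def _send(self, who, amount):
        if amount > self.pool:
            # Models the transaction reverting: the vault is insolvent.
            raise RuntimeError("vault cannot cover payout")
        self.pool -= amount
        # A recipient that is itself a contract gets to run code here, before
        # control returns to withdraw().
        if hasattr(who, "receive"):
            who.receive(self, amount)


class ReenteringContract:
    """Recipient whose payment handler calls back into the vault."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        # Re-enter only while the vault can still cover another payout of the
        # same size, so the model stops cleanly instead of reverting.
        if vault.pool >= amount:
            vault.withdraw(self)


def simulate(order):
    """Run one scenario; returns (contract_received, pool_left, honest_paid)."""
    vault = Vault(order)
    contract = ReenteringContract()
    vault.deposit("honest depositor", 2)   # constructed amounts
    vault.deposit(contract, 1)
    vault.withdraw(contract)
    try:
        vault.withdraw("honest depositor")
        honest_paid = True
    except RuntimeError:
        honest_paid = False
    return contract.received, vault.pool, honest_paid


if __name__ == "__main__":
    for order in ("call-then-update", "update-then-call"):
        print(order, simulate(order))
```

With the vulnerable ordering the re-entering recipient is paid three times against a single credit of 1, the pool is emptied, and the honest depositor's later withdrawal fails; with the balance zeroed before the external call the same recipient is paid exactly once and the honest depositor is still made whole. The other common mitigation, a per-call guard flag that rejects any nested `withdraw()`, would stop the same sequence without changing the ordering.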