There appears to be a culture among crypto devs to reject the standard practice employed, in the fiat world, by technology companies that individually represent more than $1, to hire third-party security companies to audit their software/sites.
Indeed, the God of Computer Science Vitalik Buterin in his infinite IQ, needed not the council of some dusty researcher with 20+ years of experience on formal languages for smart contracts.
According to apocryphal sources, Young Vitalik was editing some HTML5 for a responsive website, when Jesus Crypto descended upon an air-cushion delivering this message: "You shall invent a language, Solidity. It shall thus, by definition, be solid. It shall be built in Javascript's likeness."
Who was young Vitalik to ignore techno-divine instruction? And so Ethereum was built.
And its duplicate in under a year.
I mean, when your organization make $1,000,000+ from premined coins, you can't afford not to bootstrap. So it stands to reason that you shouldn't hire security researchers for several tens of thousands of dollars.
Indeed, so Stephen Tual thought when in his infinite wisdom, he and his band of pioneers coded an immutable smart contract in crypto-Javascript without an update function built in, to respect the divine theology of immutability.
"We'll just hard-fork #theDAO 2.0 once the fund reaches $1 billion" was his response.
To be sure, that code was hacked together, yet they exercised greater diligence than their crypto-counterparts.
They paid a security firm $200 to research integer overflow risks.
"DAO is going to the moon. So we'll have to add realllllyy big numbers" he explained.
And your second point is wrong. The security audit made no mentioned of the recusive call function.
Hobbyists mentioned it in blogs.
Wrong. The LeastAuthority report reported "reentrancy hazards":
They described exactly the problem which affected The DAO, and how to avoid it, and how to make language/VM resistant to such errors.
$20M to play with. I don't know what world you inhabit. I inhabit a world where security researchers in dusty faculty buildings earn under $20,000.
This piece was satirical, so the details aren't 100% but I hope you understand the general message.
I don't care whether John, Mick or George invented Solidity. The Ethereum foundation created it, and my point still stands. There's tons of literature on formal languages no need to reinvent the wheel with a bullshit language.
Smart contract language research is decades old (read nick szabo's '02 blogs for example, which cites older research)
They have created no new unexplored field, just reinvented the wheel with half-baked pump material.
You don't understand what you're talking about. Formal language is a language which has a grammar. Pretty much any programming language is a formal language.
You probably meant formally-verifiable language. There are many ways to approach formal verification, none of them is general purpose. So it's still a question what kind of formal verification is needed for smart contracts.
Contract languages are still a research subject. Again, they are still not general enough.
Tbh I was sort of trolling, just skim read a reddit post on formal verification and jumped on the fud train
The real DAO hacker agreed to an interview
they all like to be "hacked"
going to the moon lol
Great post! :)
Thanks bro!