Why The Stalker attack is a non issue

colm edited this page May 22, 2016 · 25 revisions

Introduction

Lately there has been a lot of talk about the stalker attack. It is so high-risk for the person conducting it that it makes no sense as an attack. Someone with too much money who wants to annoy other people could attempt it, but he still has nothing to gain and a lot to lose, as this section attempts to show.

Description

The scenario is as follows. A malicious DAO Token Holder (DTH) will make bots that vote in all split proposals where the amount of tokens at stake is less than the amount of tokens the attacker is comfortable playing with.

Splitting is a two-step process. First you must vote for a new Curator. In this case we will set ourselves as the new Curator. After the debate period you can see who voted yes on your proposal; only these people can join your new DAO. If no one else did, you are safe from the stalker attack.

If someone else did vote yes and you call splitDAO() anyway, the attacker may also call it, and both of you will end up in the same child DAO, with the victim being the curator but not holding the majority of tokens.

From this point on both the victim and the attacker are locked. The attacker will need the victim to add him to the whitelist so he can be the recipient of anything, and the victim will need the attacker to not downvote him in any proposal.

The only thing that can happen now is that the attacker can blackmail the victim, promising to let them get 70% (for example) of their money out, while the other 30% would be the attacker's profit.

The problem with any such attack is that the victim would have to trust the attacker. That is not going to happen, since the victim has absolutely no guarantees from the attacker. So in essence the attacker would achieve nothing, apart from locking someone else with him in a DAO where they can both do nothing ... or so the attacker thinks. Refer to the Solution section to see how patience can save the victim and cost the attacker all his money.

Prevention

Preventing the attack is quite straightforward. Before calling splitDAO(), make sure that no one else apart from you has voted in this proposal. If someone else did, then don't call splitDAO(). The UI that will be offered by us for voting will include a warning for that, by checking whether you are trying to split and whether other people will follow you in the split.

Solution

There are two main ways to address this attack. We will detail them here one by one.

Split at the last minute

One way to make sure that nobody will follow you to the new DAO is to wait until the very last minute to split. Say that both you and the attacker have voted for the split proposal. The attacker’s bot would be waiting until you call splitDAO() so that after that he can call it himself and join you.

There is a period after which you can no longer call this function. That period is splitDebatePeriod + splitExecutionPeriod. With the average block time being 15 seconds, you have about that much time to send the splitDAO() call and make sure it goes into the very last block before the splitExecutionPeriod expires.

The attacker would need to wait for this block to be mined in order to see that you actually called splitDAO() and then he will try to do the same to join you. Only he won’t be allowed to do so, since we would be after the period where calling this function would be allowed.

So as a result you would safely be split alone in your own solo DAO.

Robbing The Attacker

Note: If the attacker is smart then he can circumvent some of the actions taken in this approach but in the end he will end up losing time and still get trapped.

If both you and the attacker are in the new child DAO then you can repeatedly call [halveMinQuorum()](https://github.com/slockit/DAO/blob/master/DAO.sol#L833) so that you can pass any proposal you want with as few tokens as possible. If the attacker is smart he can also make proposals all the time to reach the minimum quorum and so bring it back to the original value.

After that you need to separate your tokens into 2 different accounts: one with as few tokens as required to pass a proposal (remember you can halveMinQuorum() as much as you want, you are the curator) and the other with the rest of your tokens.

Subsequently you can add yourself to the whitelist, make a proposal to send all money to yourself, with proposal debate period ranging from 35 to 56 days and vote on it with the account holding the least tokens. This proposal is checkmate for the attacker.

If he does not downvote it he will lose all of his money. So let’s assume he does that. The minute the attacker downvotes the proposal his tokens will be blocked and he won’t be able to execute any subsequent splitDAO().

To end it all, you then make a new split proposal with a minSplitDebate period of 1 week and vote on it. This would give the attacker 34 days to try and join you in your new split attempt. Unfortunately for him, even if he votes for the split proposal, he would not be able to call splitDAO() in time because he would be blocked by your other proposal to transfer all of the money to yourself.

The final result of this would be:

  1. The attacker’s money is stuck alone in a DAO where he is not the curator. All his money is lost.
  2. The attacker can no longer get rewards from the parent DAO.
  3. The “victim” has most of his/her money out safely in a 3rd DAO from where he/she can forward them wherever he/she wants.
  4. The “victim” also has enough tokens back in the 2nd DAO to make the attacker’s life miserable: he/she can make more proposals and keep trying to steal all of the attacker’s money and, since he/she is still the curator of the 2nd DAO, can also claim rewards of the original DAO as soon as the attacker is dealt with.

To counter the scenario above, the attacker could also start splitting his tokens accordingly, keeping enough unblocked to still be able to block you. This will start a tit-for-tat where both the attacker and the victim keep splitting their tokens. The attacker will always need to have a little more than the victim in each account to be able to block the victim's votes, which puts him at a big disadvantage.

This makes the stalker attack even more of a waste of time for the attacker: he can never get anything out because he is not the curator, and he can only lose the money he has there because the victim has control of the whitelist.
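The rules that the Prevention, "Split at the last minute" and "Robbing The Attacker" sections rely on, put into a small model (an added example, not the DAO contract's code). The account names, proposal ids, timestamps and the 27-day execution period are constructed sample values, and `followers`, `can_split` and `race` are hypothetical helper names.

```python
from dataclasses import dataclass, field

BLOCK_TIME = 15  # seconds; the average block time quoted on this page

@dataclass
class SplitProposal:
    proposal_id: int
    voting_deadline: int   # end of the split debate period (unix seconds)
    execution_period: int  # splitExecutionPeriod in seconds
    voted_yes: set = field(default_factory=set)

    @property
    def expiry(self) -> int:
        return self.voting_deadline + self.execution_period

def followers(p: SplitProposal, me: str) -> set:
    """Prevention check: yes-voters other than you, who could join your child DAO."""
    return p.voted_yes - {me}

def can_split(p: SplitProposal, caller: str, now: int, blocked: dict) -> bool:
    """Simplified model of when a splitDAO() call is accepted.
    `blocked` maps an account to the id of the open proposal it voted on."""
    if caller not in p.voted_yes:
        return False  # only yes-voters may join the new DAO
    if now < p.voting_deadline or now > p.expiry:
        return False  # outside the execution window
    if blocked.get(caller, p.proposal_id) != p.proposal_id:
        return False  # tokens are blocked by a vote on another proposal
    return True

def race(p, victim, attacker, victim_block_time, blocked=None):
    """The victim's call is mined at victim_block_time; the attacker's bot only
    sees it once mined, so its own call lands one block later at the earliest."""
    blocked = blocked or {}
    return (can_split(p, victim, victim_block_time, blocked),
            can_split(p, attacker, victim_block_time + BLOCK_TIME, blocked))

# Constructed sample: a split proposal on which both parties voted yes.
DAY = 86400
P = SplitProposal(7, voting_deadline=1_000_000, execution_period=27 * DAY,
                  voted_yes={"victim", "attacker"})

if __name__ == "__main__":
    print("followers:", followers(P, "victim"))
    print("split in last block:", race(P, "victim", "attacker", P.expiry - 5))
    print("split a minute early:", race(P, "victim", "attacker", P.expiry - 60))
    print("attacker blocked:", race(P, "victim", "attacker",
                                    P.voting_deadline + DAY, {"attacker": 8}))
```

The "a minute early" case shows why the timing matters: if a full block still fits before the window closes, the follower's call is accepted too.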

Conclusion

The stalker attack, though it sounds terrifying, is a non-issue since it makes zero sense for the attacker, as we have shown above. That point aside, the very conversation around the topic proves that one of the first features a DAO 2.0 should have is a “solo split” option.