354 comments

[ 2.9 ms ] story [ 260 ms ] thread
Thankfully centralized things ljke laws, courts and police exist to bail out the code is law jungle of “decentralized” finance.

It’s becoming apparent to me that the main innovation of crypto is a form of regulatory arbitrage. You or me cannot sell derivatives like Goldman Sachs but in crypto land you totally can from your home with a laptop.

You can start a gambling casino on ethereum and get away with not following any of the laws regarding gambling as long as you couch it in financial and blockchain buzzwords. Some people will make a lot of money doing legitimate work and some scamming others until all of this becomes big enough to become mainstream and regulated.

It's endlessly amusing to watch a group of (mostly) finance "outsider" engineering teams rediscover all the reasons the current financial system works like it does.
This is what happens when you try to solve people problems with code.
It's like people watch and read all these Cyberpunk stories and say that nah, it's all fake, can't happen here, tech can solve everything.
This story is only notable because mistaken transactions get reversed all the time. This scenario was the result of a strange but intentional quirk in the law.
Of course the big difference is Citi actually owed that money.
Did you read your own link past the headline? Citi accidentally repaid the loan in its entirety earlier than necessary. No money was lost or stolen. The lender decided to keep the early repayment of its money which is legally allowed.
Yes, I did. Did you read the comment I was replying to? Isn’t it ‘endlessly amusing’ to observe one of the biggest banks in the world discover why the finance system works the way it does? And if it was ‘no big deal’ then why did Citibank sue to get the money returned?

I don’t use or advocate for DeFi, but the weird smugness of random people defending the existing financial system is quite off putting and frankly hard to understand given the last few decades.

In the process of that rediscovery, plenty of people will become rich. That's an incentive to not be too quick remaking those discoveries...
You are forgetting the multi-millions of people that lost money on crypto so far. They are just written off as sore losers...

Confirmation bias plays a big role in the popularity of crypto, in unsettingly the same way as it does with people dreaming to become a famous soccer player... mostly through confirmation bias and very little value-add.

It's also endlessly amusing to watch traditional finance types take every crypto 'bump in the road' as an opportunity to justify their careers + justify their delusions about the status-quo & future of finance.
It can only be "endlessly amusing" because there are "endless" of these bumps, so far.

But, as with cryptocurrencies, it just doesn't make any sense. Maybe a boxer taking it on the chin round after round can derive some satisfaction from still being conscious. But they aren't making any progress and would be rather stupid to continue considering it a winning strategy.

Oh, wait.. maybe it does make sense.

Yes, it's main innovation is "not doing KYC"

For those with a longer history on Wall St, it was essentially a new asset class with all the easy money arbitrage opportunities that went away in equities 20+ years ago back again.

Strategies that haven’t worked in regulated markets in 25-30 years are still minting cash in crypto.
Arguably "not doing KYC" was also Robinhood's secret sauce..
Or, like in the case of Ethereum’s DAO hack, they can hyper-narrowly renege on “code is law” for this one case, where the logic error affects politically connected leaders, which is soooo much better than the corrupt legal system it’s replacing.
That's the thing that kills it for me.

Always look for the chump at the table. If you can't spot them, you're the chump.

I’ve always heard it as: “Never play a game where you don’t know what the patsy is. Because you’re the patsy.”
Have any crypto hackers even been found, let alone punished by the law?
I don't know about punishment, but the recovery rate for stolen/extorted crypto is much higher than for fiat cash.

This is likely an issue of sophistication -- crypto hackers don't have decades of "best practices" knowledge to draw from, and may also feel a false sense of security.

> recovery rate for stolen/extorted crypto is much higher than for fiat cash.

Citation needed for such an extraordinary claim.

I can't find it for the life of me, but I remembered reading that recovery of stolen crypto was both faster and more successful. I'll retract that claim for now.

In the meantime, this article explains how and why that would be the case:

https://www.nytimes.com/2021/06/09/technology/bitcoin-untrac...

Basically the openness of the ledger allows law enforcement to skip some slow and difficult tracing and requesting of warrants.

On top of that, cybercriminals seem to make exploitable mistakes that have enabled stealing their private keys.

MtGOX comes to mind. A bunch of the ICOs were simple frauds so they would practically have a Wordpress website with a Bitcoin wallet address.
They still are. There are more coins released than ever
A distinction with MtGOX is that it was providing a centralized exchange and legally binding contract to its users (not a smart contract), which the owners violated. In this case they'd be criminally and civilly liable.

A person following the letter of a smart contract for their benefit, while not breaking the terms of any legally binding contract they've signed, has yet to be charged with a crime (to my knowledge)

(comment deleted)
You most certainly can buy and sell derivatives. Many (most?) discount brokers offer at least equity options, and many offer commodity futures.
I don't need a license or a lawyer or anything ? I'm talking about creating and selling new types of contracts not trading what brokers already offer.
There's a large difference in capex required to start and operate a lending/borrowing protocol on Ethereum vs starting a bank/credit union that has nothing to do with regulation.
Where do the capex differences come from ?
Look at the size of a dev team for Uniswap or Aave, then look at the number of employees for Wells Fargo. Then look at the physical assets of a bank like their branches and office space.
You're right, but is this news?

I understand the whole point of crypto is the future bet that centralisation/regulation by state actors will eventually be _less_ trustable. This one hack means $600MM lost, but how much has been routinely lost to bad governance, inflation or corruption? How much value has been destroyed in the 2008 housing crisis?

In the long run, the crypto market can professionalize enough while remaining decentralised, such that the risk/reward is attractive compared to holding 100% fiat – this seems to be people's bet, not that crypto is inherently safe.

While I understand how inflation may, in theory, be something that could change with some breakthrough in economics (even though I don't buy that inflation is actually a problem, or that cryptocurrencies represent such a breakthrough), I have no idea how they would be of help fighting "corruption and bad governance".

Which is the problem with that community: they seem to have these extremely naive yet cynical view of politicians just being "stupid", money being wasted, everyone being corrupt etc. And that, somehow, their funny little hashes are the silver bullet to solve these issues.

I think the Bitcoin community give the rest of the space a bad name. There are too many people with fringe libertarian views in that space that dominate the narrative. Ethereum, I've found is a much more interesting space. It's valuable because you can actually use the blockchain for things more complicated than just sending coins around. As stupid as many of the NFTs are right now, they have the potential to completely change how the art, music and gaming industries are monetized. Defi has a huge potential to make banking more efficient and provide banking services to underserved areas as long as they have an internet connection.
Bitcoin is an attempt to redesign the international monetary system by people who are clueless about economics. The result speaks for itself. A payment system that doesn't work and can't work, and a currency that would sink any country adopting it into a deep depression. Defi is to finance what bitcoin is to currency. A bunch of kids who wanted to "do finance" without actually knowing anything about finance. They still haven't figured out that you can't do finance with unconfiscatable assets. The main problem isn't lack of professionalism, but the fact that it's broken by design.
There is about 80 billion being used in defi right now and growing, I'd say that they are "doing finance" pretty well. The scams are outliers, comparable to the number of scams pulled over the internet in general. Calling them kids is just rude, save your ad hominem attacks for another site.
That's a lot of money being used in defi (whatever that means) but do you have a single example of financing through defi? Financing means providing borrowers with resources (such as money) that they don't already have. I think you'll have a hard time finding examples, because it turns out financing requires the ability to seize assets from a defaulting borrower, an ability which defi lacks.
That's just untrue, all borrowers from defi apps are required to be overcollateralized. The ability to pull from their collateral in case of a default is built into the smart contract.
Of course, but that's not financing. If they post more collateral than the amount they're borrowing, the net amount borrowed is < 0.
Currently looks like the attacker had legitimate access to the required keys, so perhaps more of a traditional compromise rather than a cryptocurrency/contract centric one.
Or the attacker had stolen the private key. But either way, I'm quite skeptical of Polychain's denial that a key was involved. We'll know for sure over the next few days at any rate.
Yes, by legitimate I meant genuine rather than authorized.
Aha, again, the monicker that all crypto is a gradually growing bug bounty remains true.
(comment deleted)
(comment deleted)
How could not all Bitcoin end up "lost" (keys lost) or stolen (by hackers)?
Because Bitcoin is much better designed and implemented than 99% of altcoins/shitcoins/tokens/etc.
It's lacking features.

You could argue that paper money lacks the features of bitcoins so it's easier to lose your funds inadvertently with bitcoin.

Shitcoins use literally the same source code as bitcoin.
Not completely true.

Dogecoin for example has some config changes to block size that make transactions cheaper.

It's factually "better" as far as code goes.

Presumably the hackers will recirculate their stolen Bitcoin by spending/cashing out. Likewise Bitcoin seized by law enforcement is auctioned.
"Money has three primary functions. It is a medium of exchange, a unit of account, and a store of value"

Crypto/BitCoin currently delivers mostly on the last one "store of value". So the hackers keep them. Indefinitely.

Eventually all bitcoin will be lost. It just might take a while.
This one is actually hilarious because of the messages onchain. People, including the hacker, are adding plain text to their transactions' metadata field to communicate.

But also, insurance products exist, they pay out pretty reliably. Are there any DeFi insurance products that would be able to cover $600M yet?

edit: some people seem to misunderstand, DeFi insurance products exist, the policies are not too expensive and they pay out reliably and quickly. The math is easy because of the transparency of "semi-untraceable internet money" and the Defi sector being much larger than any of the hacks. There are a lot of competitors in the insurance space. It is easy to make and rely on a claim because the damage is easily seen and verified for the policy holder. There are several sectors in the Defi space, such as AMMs, oracles, lenders, and some of those sectors are driving sentiment and attention more than others. Insurance is one of those sectors. My question was whether any of the insurance systems would be able to cover $600M, right now, it wasn't to entertain out of touch people's pre-existing skepticism.

Given the rampant fraud in the tangible asset insurance business, imagine the premiums and due diligence to deal with semi-untraceable internet money. I’d consider anyone selling it to be either a fraud or an idiot.
Our boring non-crypto services business just saw a 100% increase in our cyber premiums due to all the rampant theft and ransomware this wonderful little corner of the internet has given birth to. Great work DeFi world!
> cyber premiums

Truly, we live in the future.

(comment deleted)
Nothing stops you 'hacking' your own coin, then claiming on your own insurance. "The code is law" can't send you to prison for fraud...
I'm trying to imagine absolutely ridiculous amount of money you'd need to pay to insure something like a DeFi product. OTOH, there's a market opportunity to create DeIns products to handle the demand. Do it right and it's blockchains all the way down.
The premium would have to be insane for someone not to go bankrupt when they have to cover a 600M theft or even the more common 50M level. There are only a handful of profitable DeFi companies to buy the plan and I’d imagine most have a policy of YOLO when it comes to security
A cursory look at Nexus shows 1 year policies are about 2.5% of the amount needed to cover, I tested a quote up on their calculator up to 20,000 Ether ($62 million at time of writing)

I mean, thats what we are talking about here, products that already exist and are live right now and compete with each other. You can enter it though, there is room for differentiation.

> The team behind the protocol also promised legal action and requested that hackers return stolen assets.

Legal action? By who? A central authority!? No way...

They may try to sue exchanges that let the funds be transferred out, as the addresses where the thieves sent the stolen funds have been published.

There's absolutely no need for a central authority, but as always we need local courts and law can be different in different places where those exchanges are registered.

Screw globalism and screw central authorities.

Having said that, this DeFi stuff is laughable. As if the main use case is to find greater fools or scam people.

Because the project was not very well known, or known at all, outside China and it looks like an insider job, I would say in China by Chinese authority.
So you're advocating for decentralize financial systems but a centralize legal system? How do you reconcile that?
I am not advocating, I am speculating what could likely happen. The Poly project seems to be obscure, low quality, so maybe it’s better for investors and users to lose what they had, so they can be smarter next time?

Also it seems the project was not very decentralised if everything was stolen with a single private key.

A project worth 600million usd is obscure?
Those are two different institutions right? I don't see the immediate conflict that you are supposing must be reconciled. Can you elaborate?
No one wants to pay taxes / be regulated, but do want the government to enforce law&order on.. everyone else
Keep in mind that previous attacks like this were dealt with by simple hard forks ie. current ethereum vs ethereum classic.

If the federal government mandates their citizens pay taxes on crypto, it most definitely should come with federal help in catching criminals.

Which federal government? The whole point is that these are assets that are not tied to any country.

The country you reside in may tax you non-state-currency assets, like selling a painting. But if a painting is stolen around the world at the same time, many governments may have collected taxes on part of that painting. Which government should be the government to persue the theft?

In a different way, if 600 million USD was stolen in cash in France. The US would work closely with the French government to close that case. The US would not be the one to foot the entire bill of solving the case.

Here no government has any real stake or harm to reputation to close the case.

Both sides of a theft are ppl, which are resident of some country.
But which country is it enforced? The one where the thief resides or the one where the victim resides?
Assuming you can find the thief and assuming the victim even wants to talk to the authorities about how they got it in the first place.
Yes but cryptobros want to have it both ways.. 1) It's not a security so it doesnt need to be regulated 2) But also if something bad happens the law should save me

Do the police get involved if someone steals your sword in WoW? Do they get involved if a bigger Twitter account "steals" your meme and reposts it without attribution?

> If the federal government mandates their citizens pay taxes on crypto, it most definitely should come with federal help in catching criminals.

Not necessarily. The OP is pretty light on details on what this "hack" was, but if this was the case of someone playing "code is law" games with a flawed smart contract, then I think it'd be totally legitimate for the government to require taxes be paid but not swoop in with law enforcement when someone made a bad deal (i.e. had their flawed contract exploited).

don't tell that to cryptofanatics they'll spin into orbit
There are all sorts of people working in this space with a variety of beliefs like any other industry. They're not all crypto-anarcho-capitalists.
But the entire premise of decentralized finance is to have no central authority, is it not?
Just because there is no central authority in control of crypto transactions like traditional banks does not mean laws and courts no longer exist. You can steal someone’s bitcoins by hacking their wallet but you can still be ordered by a court to pay it back and/or face jail time.
Thank God for real world centralized authority.
I think what the "centralised authority" steal from the people every year will put the all the crypto theft till now, combined, to shame.
> does not mean laws and courts no longer exist. You can steal someone’s bitcoins by hacking their wallet but you can still be ordered by a court to pay it back and/or face jail time.

I'm not aware of any court that would, for example, jail a Chinese citizen who stole virtual money of a US citizen? Are you?

If judges have the last word on who owns how many bitcoins why are you wasting all that electricity for? I thought it was to avoid relying on an authority...
My understanding is that decentralization helps avoid things like runaway inflation or banks deciding at will how much money they want to siphon off each transaction. If you are stealing someone else’s money, a court is not going to dismiss charges just because the transaction is not reversible according to the protocol of whatever cryptocurrency you used.
Decentralisation doesn't help with inflation, it only makes everything more expensive due to the extravagant cost of the consensus mechanism. Banks are already decentralised (should be obvious since there are many banks, not just one) and competition among banks is what prevents them from charging high fees.
Everyone wants no central authorities until they're being enslaved by their regional warlord.
Everyone wants central authorities until their money is incessantly devalued and squandered through cronyism and waste.
No central authority within the system. Treating the hacked crypto as stolen property to report to a central authority who can use the threat of physical violence is not incongruent with the current defi system. Its a false dichotomy presented by those naive to the pros and cons of all this.

Ideally governance would also be done in a decentralized manner, but we’re not there yet.

It's completely incongruent. The whole point of "decentralized" is to avoid relying on a central authority, and the price to pay is inefficiency. But if you're relying on a central authority anyway, why be inefficient?
Physical matter is decentralized but that doesn't give you a right to steal someone's gold without legal action.

Decentralized systems have different benefits for different people. For instance, some people like to trade 24 hours without corporate middlemen stopping you from trading at night. That's not the same as avoiding legal authority.

Probably dozens of defi hacks since 2019 and no arrests . Good luck with that
Strange how when the going gets tough, many cryptocurrency enthusiasts revert to statist inventions and conventions

I remember when the crypto market tanked and the fine folks on r/cryptocurrency were demanding the SEC shut down Bitmex and arrest its CEO.

Seems that at any given time, rugged crypto individualists are 10 percentage point losses from begging Big Daddy Government to step in.

> Seems that at any given time, rugged crypto individualists are 10 percentage point losses from begging Big Daddy Government to step in.

People are typically "rugged individualists" only so long as they feel they're winning from the system.

It's funny, this is in many ways exactly the same thing that corporations try to achieve over and over again: reap the profits if they are there and externalize the costs. Of course crypto isn't any different. But if designed properly they've closed the door on this and that makes badly implemented crypto far worse than the alternatives, because the whole reason to exist is the lack of recourse.
> The user told the hackers to try depositing the stolen tokens without Tether, which the hackers did successfully and they deposited all the addresses into Curve. The hackers then sent the anonymous user about $45,000 worth of ethereum for their help.

The hacker can earn a bunch of Curve and treat this more like a larger flash loan. The market values Curve and this would either mint new Curve or distribute more Curve from the Curve organization's existing treasury.

Costly bug-bounty is all
Feels good just to sit back, relax and watch the chaos and carnage around the cryptocurrency market as I wait for the inevitable dive.

Coming soon.

I know what Bitcoin is, have read the paper and I totally get their value proposition.

But now a days it's hard for me to understand what's going on in crypto world. For example I couldn't even parse their statement:

"#PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses:"

Source: https://twitter.com/PolyNetwork2/status/1425073987164381196

It was too hard to fork the bitcoin codebase to make things like dogecoin so people figured out how to use ethereum smart contracts to make coins based on ethereum and then they did that again to make entire chains of coins based on chains on ethereum or something.
> use ethereum smart contracts....on ethereum.... to make entire chains....on ethereum

I'm getting CDO, CDO^2, Synthetic CDO vibes reading this.

PolyNetwork (whatever it is, first time I heard of them) has tokens (its own) and apparently some ETH, and USDC on the Ethereum and BinanceChain. These "assets" are locked with a smart contract (instead of a private key), so anyone figuring out the smart contract can move the money (which they did) and they posted the address to where they moved the money.
Same boat. I read this and the key take away is a bunch of buzzwords and smart contracts are still stupid.

eth peeps get rugpulled again! lest we not forget ETC ethereum classic is actually the real eth chain except they forked it to salvage the DAO debacle - except the internet has a short memory and no one remembers this any more.

inb4 ETH3 fork

> smart contracts are still stupid.

Haha, smart contracts are as stupid as the average "intelligent home" only worse: They cannot be updated.

People writing smart contracts should be the ones coming from a firmware/embedded writing background, not "webdevs". Right now DeFi smart contracts look like the 90s web: Tons of "Defaced" website every week. Of course now there's a stronger incentive given that monetary value is involved.

Upgradeable smart contracts are now a thing, although obviously you have to trust the governance structure that controls the upgrades.
Upgradable contracts look like a good idea until some hacker finds bug and upgrades the contract and the upgraded version is just a contract that sends all the money to her/his account.
> People writing smart contracts should be the ones coming from a firmware/embedded writing background, not "webdevs". Right now DeFi smart contracts look like the 90s web: Tons of "Defaced" website every week. Of course now there's a stronger incentive given that monetary value is involved.

This is an overly broad statement that doesn't accurately represent the entire space. There are a good number of projects with very experienced developers that use rigorous testing, multiple audits, etc. There are also teams that yolo smart contracts with very little testing. Assuming every project in the space is the latter is quite inaccurate.

Exactly th le same as the 90s. There were several serious companies and other not that serious. A cursory look at rest.news shows the amount of projects that have been pwned.
Translation:

Polygon is a protocol described as an 'Internet of blockchains' that is compatible with Ethereum and connects with other Ethereum-compatible blockchains.

They suffered an attack on its blockchain that affected other blockchains and the coins affected were sent to the hacker's address.

This was Poly Network, not Polygon, that got hacked.

From my understanding:

Polygon (formerly MATIC) is a token related to (built off?) ethereum.

Poly Network was a bridge layer that spanned polygon and ethereum.

Polygon and Poly Network are distinct entities as far as I can tell, but they are all overlapping and using each other, so I don't fully understand the distinction.

Most of it is scams/rug pulls/money laundering.
> The user told the hackers to try depositing the stolen tokens without Tether, which the hackers did successfully and they deposited all the addresses into Curve. The hackers then sent the anonymous user about $45,000 worth of ethereum for their help.

Best part of the article is how an anonymous person helped the hackers launder their money and got a tip for it.

Can they cash it out without getting busted?
They can do the same thing the hackers did and launder it before withdrawing to a new wallet
Yes, you can use mixers and coinjoins to launder non centralized crypto. The tip was in etherium, so it shouldn't be an issue to swap to monero, mix, and deposit to an exchange.
I think swapping to monero would be the weak link there. If they do it on a "legit" exchange, it at least makes an attempt to get the client's identity. If they do it directly with someone who has monero to sell, that person gets stuck with "tainted" ethereum.
There are defi(lol) swappers you can use. The hacker was using curve.fi, the tipster was actually telling the hacker why his transaction to curve wasn't going through.
Yes, anonymous blockchains like Monero allow you to ‘obfuscate’ the movement of your crypto.
They just explained what was happening, did they even do something that's illegal?
The message, "DONT USE YOUR USDT TOKEN YOU VE GOT BLACKLISTED", appears to be knowingly offering how to advice to someone actively committing the crime of hiding stolen money.

18 U.S. Code § 3 defines an "Accessory after the fact" as "Whoever, knowing that an offense against the United States has been committed, receives, relieves, comforts or assists the offender in order to hinder or prevent his apprehension, trial or punishment, is an accessory after the fact." and states that it's worth half the jail time as the primary offense.

However, it could also be argued that hanashiro.eth is aiding someone in committing the crime of money laundering, not just helping them avoid being caught, in which case 18 U.S. Code § 2 says that planning, ordering, or knowingly helping commit a crime makes one eligible for the same full full punishment as the primary actor.

It remains to be tested in court whether a smart contract exploit is illegal, since there's an argument one is simply following the 'letter of the law' aka the contract.

edit: this is also something different governments may take a different stance on. If the U.S. finds someone criminally liable, El Salvador may not. Also, it's contentious what the 'location' of the crime even is, as there are no physical servers which have been attacked; could the blockchain as a distributed database be considered to exist 'everywhere' or 'nowhere'?

I think he sent most of it to some charities that accept eth right away.
For real? Any source on which ones?
https://etherscan.io/txs?a=0xf8b5c45c6388c9ee12546061786026a...

binance charity and donations to archive.org, etherscan, infura.io, rekt... and Vitalik!

To be clear for other skimmers like me, the "helper" who got 45k is donating to various addresses, not the 600m hacker. (Posting this because I misinterpreted, not because parent was wrong)
I was going to say, sending "most" of $600M to organisations like archive.org would be quite a news story.
Poly Network has asked digital asset exchanges and miners to block any tokens coming from the above addresses [...] Tether froze more than $30 million in response to the hack

Decentralized finance at its best - so decentralized that individuals and centralized companies can decide to block transactions by themselves.

Decentralization doesn’t mean everything is decentralized, it’s a range of decentralization from fully decentralized to fully centralized. You can use DeFi without ever touching centrally-controlled assets like USDC or Tether. The key thing is that you get that choice.
All I’m seeing is “decentralized” figures making some very centralized moves when they see fit.
Tether is famously centralized, you’re attacking a straw man.
And I think you arefalling for the "true scotsman" fallacy. Tether backs 70%+ of daily BTC trading volumne, saying criticism against Tether is invalid because Tether isn't real crypto is a cop-out given how important it is in the ecosystem.
Bitcoin (and therefore the whole crypto space) should be valued in Tether-Dollars not USD. I wonder how much Tether-Dollars are really worth...
They are not saying criticism against Tether is invalid, merely that you cannot criticize Tether and call it a "DeFi" critique.

At the end of the day, centralized assets on Ethereum are as legitimate as decentralized ones. The whole point of Ethereum is that it permissionless. If we celebrate Iranians or 16 year olds being able to build on top of it then certainly Goldman Sachs may do so as well.

Decentralization means that each party gets to decide what assets and transactions they view as legitimate.
Miners have always been free to implement whatever logic they like, though. If you send out a mass communication saying "Address 0x12345 belongs to a very mean guy" and every miner out there denies service to that address, the decentralization properties of your system haven't been violated anywhere.
Decentralization usually includes the assumption that parties are acting independently and are not all colluding.

[Edit: Following the incentives of the protocol is not collusion. In a crypto context I would define collusion as something like multiple parties working together against their own incentives (e.g. rejecting valid, fee-paying transactions).]

(comment deleted)
If nodes in a network are fully independent and not cooperating, then you don't have a network, you have a bunch of disconnected nodes.
Is cooperating the same as colluding?
In the sense the parent used it, yes.

If a majority of banks and businesses agree to block transactions of a known terrorist, is it collusion or cooperation? I don't see a meaningful distinction at that point, other than the negative connotation of "collusion" poisoning the well. Which is why I referred to "cooperation" instead.

Well that depends upon who they're claiming are terrorists, and more importantly to what extent they're capable of pursuading others.
The later has a negative connotation of illegal (or at least secret) cooperation. So it's a form of cooperation.
that’s not a solid assumption.

if they can pursue their own interests freely and if those interests they pursue align with the majority or the totality it does not negate their decentralized nature.

Which is exactly the fundamental flaw in any argument that "decentralization" will somehow solve problems.

Humans are social creatures and collusion is the natural order. Humans will cooperate unless doing so is clearly to their detriment.

Decentralization doesn't mean isolation and that nobody is cooperating. It's a centrality measure. More decentralized networks have less nodes that hold outsized importance in the network.
But I imagine the reason exchanges are refusing these transactions is at least half because they would be receiving stolen property. I'm not sure but I don't imagine "I'm receiving property stolen from another country" will stand up as a defense in any court.
Does law enforcement bother it's self with internet play money? Until it touches an asset or currency governments care about I assumed they just let the kids have their fun.
It's not clear. But the lawyers at these exchanges aren't going to take that risk and will strongly advise against receiving stolen property.
It was marketed as censorship resistant and code is law and blah blah blah.
$30M far too small for a hardfork. You need something like DAO too be "too big to fail".
The miners will not block as it would destroy the credibility of eth itself. It would probably hard fork if such a thing were attempted. So dumb for them to even suggest it
They can only block if you are moving around centralized assets, which really isn't that shocking to anyone. There is a reason the hacker quickly tried to convert it to ETH, etc.
Someone tipped off this hacker on the blockchain to stop using USDT tokens because he was blacklisted, and the hacker tipped him back 47k lol
I knew someone once who, in the very early days of BTC (before it was worth more than $10 or something), helped someone with a technical issue and, unbidden, was sent something like 80 BTC as a thank you.

The running joke, before all the nightmares cryptocurrency has spawned since it took off, was that he'd helped some drug lord fix their metaphorical printer, but not so funny now...

With 600 million, I'd be feeling pretty generous.
> The user told the hackers to try depositing the stolen tokens without Tether, which the hackers did successfully and they deposited all the addresses into Curve. The hackers then sent the anonymous user about $45,000 worth of ethereum for their help.

This is pretty amusing, if anything.

13.37 ETH at that, even more amusing.
(comment deleted)
(comment deleted)
Decentralized In Name Only

DINO, not defi

It looks like they were able to write themselves a check using or spoofing a legit signature. A traditional bank would put a hold on any amount over a certain threshold to prevent this kind of fraud. I wonder if DeFi has some kind of option for an Oracle to a human verification step over a set amount. An attacker could flood transactions to avoid that limit, but maybe network delay and/or some kind of throttling would buy enough time to ensure some safety.

I’m still bullish on defi but there is a lot of incidents like this that need to happen before these systems become resilient.

> I wonder if DeFi has some kind of option for an Oracle to a human verification step...

"For safety, all transactions have to go through Dave" == "Free money to anyone who manages to hack/bribe/kidnap/etc Dave"

Very unlikely to succeed if you choose someone with enough vested interest in the company. Also “Dave is the only one that could have approved this, he’s who we sue”
If Dave owes you $600K, Dave's got a problem. If Dave owes you $600MM, you have a problem.
I phrased this glibly for comedy value, but this is not a silly problem; it is part of the "Oracle problem" and it imperils the entire fundamental value prop of defi.

If it's not clear why, consider: what keeps defi from implementing gambling (or as it's known in the financial world, "options trading") on real-world data outcomes, like stock prices? Answer: that data isn't programmatically available on the blockchain. You can make a smart contract that depends on the closing price of ETH, but not AAPL.

So, what if it were? What if someone decided to publish AAPL's closing price to a ledger somewhere? Then people could make a smart contract that effectively implements options trading against AAPL stock, right? In theory, yes. But in practice, the people that trade options will say, "How can we trust that you won't screw up, get hacked, get bribed, go out of business, etc? Every dollar we entrust to a smart contract that relies on your data is a prize to be won by the first person to find a way to subvert your service's data integrity."

And they'll be right. There are lots of people trying to find fancy solutions to this problem, but to my knowledge we're no closer to a real solution than we were the day Ethereum went live.

Part of the problem is in the nature of one of the ‘pluses’ of crypto - lack of the ability to roll back a transaction.

If someone breaks into the fed and transfers a billion dollars to their account, it’s pretty pointless, because the next day or hour or whatever, it will be rolled back and except for them being in jail, it will be like it never happened.

For it to be worthwhile, you would need to avoid having any of the oversight mechanisms step in, AND get the cash out in a way that is independent of the system AND won’t leave a trail for the army of slow and methodical investigators. And that is waaay harder.

Providing an ability to do something criminal that will cause a non-reversible transfer of value? Ho boy. That raises the stakes a LOT - and it’s why you see so many bank robberies and why gold transports are guarded so heavily.

I think there are efforts to create oracles like LINK, but you’re right that the only trustworthy data is from within the chain.
It’s easy to put these safeguards in place, the hard part is designing the right safeguards.

I prefer cryptographic fraud proofs.

Based on another link posted here it looks like the hackers just called the half of a cross chain transaction that does the Eth payout. Could they not just make sure that there is a corresponding TX in the other half of their handshake rather than trusting the caller is actually their other contract
It wouldn't be too hard to make a smart contract only be able to transfer X amount out per time period and then still allow individual users to emergency exit. Then you can concentrate auditing logic on the emergency exit code as opposed to the entire surface area.
That's just censorship. Why would you do that in a decentralized system?
> I wonder if DeFi has some kind of option for an Oracle to a human verification step over a set amount.

Sometimes I feel like crypto doesn’t stop to ask if the institutions and processes they seek to deprecate exist for a reason?

I absolutely believe that blockchain/DLT have some very promising use cases. But so much in crypto land just screams out that people don’t truly understand the systems they oppose so strongly.

Tether just froze a bunch of funds. Like a bank. Or PayPal. One of the most repeated slams against TradFi is the “PayPal locked my funds! Money belongs to the people! Self sovereignty!” But we’ve seen time and time again with the ETH fork, Tether freezings (they’ve had multiple), that we end up right back at these processes. People will claim that if everyone in a decentralized network decides to do something (like hard fork), that doesn’t violate the decentralization. But what do you think society is? We’ve all come together and decided on a bunch of rules we want to live by. Hack by hack we are seeing these same functions replicated in crypto.

> Tether just froze a bunch of funds. Like a bank. Or PayPal. One of the most repeated slams against TradFi is the “PayPal locked my funds! Money belongs to the people! Self sovereignty!” But we’ve seen time and time again with the ETH fork, Tether freezings (they’ve had multiple), that we end up right back at these processes.

Tether is one of many assets on Ethereum, each with their own properties. Some are centralized, some are decentralized, some are stable, some aren't, etc. It's about choice at the end of the day, and crypto actually gives you this choice vs paypal or your bank.

ETH was forked because of a much smaller hack. So the most decentralized, stable choice in Etherium (the layer 1 itself) isn’t immune.
> But what do you think society is? We’ve all come together and decided on a bunch of rules we want to live by.

And whatever those rules are, a minority has to accept the decisions made by others. When it comes to the rules for a financial system, you now have many choices.

I purposefully didn't put "Stolen" in the title because who's to say that this contract was not executed as intended. Who defines what is the intended use of functions that reside on the blockchain?
+1

The article would have benefitted from an explanation of how operation of this code in a 'Code is Law' scenario can result in 'stolen' ledger entries. It's like complaining about an 'illegal' court judgment, after the appealing court says it wasn't illegal.

If I have a bank vault that can only be opened by one key, an attacker comes to my house, steals the key, opens the bank vault, and takes everything valuable inside, I think that it would count as stealing in every sense of the word, regardless of the correct behavior of the bank vault in only opening for the right key.

I know there's a fun semantic debate about smart contracts hacks, but at the moment this theft does not appear to be in that category.

I'm eagerly awaiting the https://www.rekt.news/ writeup, which as of this moment is still missing. They have decent technical analysis, and certainly far more than the linked article.
Was going to post about rekt.news . I was surprised that I didn't learn about this hack from them. That site is golden, and reminds me to the early 90s era of the internet: Where you had tens of "defaced" web pages (private and government) every day.
Interesting that everybody accepts that this was a "hack".

Initially the idea of crypto was that "Code is Law". The code sent the funds somewhere, correct? So by the "Code is Law" standards, this would have been just a legit transaction.

Now it is like in the old world. Whoever has the highest reputation is right.

And the code was flawed, doing something that was unintended, therefore the law was flawed.

This happens all the time in traditional written law. Legalese exists for this very reason.

How do you know it was unintended?

Just because one side says so?

Because that side has a big brand name?

That is exactly what I mean with "Whoever has the highest reputation is right".

The initial promise of crypto was the opposite: That the little Joe has the same rights as the big guys. Because code is law. And code does not care about the budget of your legal department and your marketing department.

"Code is law" is either nonsensical or redundant when applied to a complex Turing complete language such as Solidity.

If you can't accurately predict the implications of the lines of code in a smart contract, then it's as good as saying "The laws of physics are laws. That ball ended in my garden following the laws of gravity and thermodynamics, asking for me to return it to you is breaching the initial promise of the physical world". This may change with better smart contract languages that can reconcile intent with effect[1], but while talking about complex Ethereum smart contracts, the "Code is law" argument has no value.

Furthermore, as long as you keep within the bounds of trustless cryptocurrency (unfortunately not a tautology these days), code is indeed law. The ETH this person acquired cannot be confiscated.

[1] e.g. https://scilla.readthedocs.io/en/latest/

> The ETH this person acquired cannot be confiscated.

That's only because there's no ETH. All there is is a ledger. And ledgers can be "ammended", as they have been in the past, effectively stealing the hacker's ETH back.

Yes, but loopholes in law still allow something to happen until the law is fixed.
The main issue with law is that it is written in an ambiguous language.

Theoretically you could write more precise laws with code.

Maybe they should have let a group of contract lawyers proofread what the code does. Lawyers look for bugs, inconsistencies, errors, loopholes all the time.

"Code is Law" unfortunately glosses over the fact that most code is not very well written.
"code is law" unless those with concentrated power doesn't like the code
just like with real laws
The same applies to law (loopholes for tax evasion etc) yet we follow the law to the letter.
Well, we don’t follow the law to the letter basically anywhere. The law gets interpreted and judged by courts (at least in the English common law tradition, though it happens to some extent everywhere), precisely because people generally dislike someone doing something against the spirit of the law, and using technical terms to try to pretend it’s ok.

Doesn’t stop people from arguing that no one could tell what the intent was, or the intent was actually what they did, or the law was so badly written that they are right because. And sometimes they win. But it’s rare.

Not really. The US is a common law system. The letter of the law is secondary to judicial opinions by definition.
I think it's worse than that. I think the core problem is that the world is a messy complicated place and any time you take a simple, straightforward set of rules and require strict obedience to them in the real world, you're going to end up with situations that produce absurd results.

It's like trying to fit a finite-term polynomial to a fractal - there's literally no way to make things match up everywhere. [1]

People complain because law/finance/whatever seem to be too complicated, so they try simpler, more "obviously correct" sets of rules that perform even worse in practice than what we already had because the world is still a fractal, and simpler rules just mean you're trying to use fewer points to fit that infinitely complicated curve. It's easy to look at existing law/finance/whatever from the outside and say "it's too complicated, we should refactor everything from first principles" but there's good reason to believe that is always a mistake [2].

Simple, obvious rules like "Transactions should be immutable once they are completed" seem like a good idea, but then they encounter incredibly common real world situations like "what if somebody made a mistake when they specified the amount of the transaction or the account number in the 'to' field?" Real world finance has ways to handle this - if nothing else, you can take it to court and ask a judge "does this seem reasonable?". "Code-is-law", like Procrustes "perfect bed", only has admonitions to be completely perfect yourself or suffer the consequences.

So IMO it's not just that most code is not well written, it's that the very idea that any finite amount of code, no matter how "perfect", can be a good fit for all the intricate needs of the actual lives of billions of people is fundamentally flawed.

And also, most of the code is not very well written :)

[1] as an alternate analogy, it's like trying to fix Godelian incompleteness in a formal system by adding a finite number of axioms.

[2] https://www.joelonsoftware.com/2000/04/06/things-you-should-...

The ethereum crowd has never really bought into the “code is law” thing, except maybe in marketing. There was that whole fork a few years ago between ETC and ETH when ETH reversed a big hack transaction.
Up until the DAO hack (that you're referring to) "code is law" was commonly believed.

That is until the Ethereum Core developers were massively affected by the hack and decided on an unprecedented rules rewrite to address the hack. (Which they haven't considered ever since, despite other hacks of the same type.)

Your just citing when they abandoned code is law. So it was a thing until your fork example.
The largest community I know of that truly believes that "Code is Law" is the side of Ethereum that simply accepted the DAO hack: Ethereum Classic.

EDIT: here's a pretty good write up of why you might think that ETC doesn't follow "Code is Law" either. In short after forking from ETH years ago because they had a stronger conviction that code is law they decided to break compatibility of existing code deployed on the chain to keep in sync with ETH development.

https://that.world/~classic/2020/06/10/deprecate/

They are also probably the most popular chain to suffer multiple successful 51% attacks. I have no idea how they're still worth anything at all, but then again I have no idea why any cryptocurrency is.
the DAO hack and the resulting outcome was the first major thing that shook my faith in the idea of cryptocurrencies. I never had any skin in that game, but I liked the idea of Ethereum as it was posed at the time, it seemed really cool. then the DAO hack happened and everybody kept trying to justify a reason to pretend like the hack didn't happen and move on ("it's not a rollback! it's totally different! here's why it's justified!! it's totally not because us DAO folk have so much invested in it!!!"), and it all just seemed to me to be completely at odds with the "code is law" idea, i.e. the thing that was supposed to make Ethereum different from both fiat currency and e.g. Bitcoin. the fact that Ethereum enthusiasts were largely saying, "well, if we don't 'undo' this hack, it'll cripple Ethereum as a cryptocurrency going forward, and we'll never recover!," but to me, collective human action overriding the "code is law" concept was exactly what destroyed any faith I had in Ethereum, and largely damaged it w.r.t. other cryptocurrencies as well. you're not making a true ideological alternative to fiat, you're just making a new kind of currency with its own vested interests controlling what happens to it... which, I thought, was the main reason for moving to crypto in the first place. when push comes to shove, you're still going to get The Government involved in resolving your disputes.
I thought that too. I didn't touch Ethereum until 2020.

My feelings have now changed and IMO Ethereum will or already has overtaken bitcoin in importance. In general if you want to do "dapp" development you will write for the EVM, although you probably won't deploy on ETH L1 as your first place.

Ethereum has some very serious network effects building up behind it even if your favorite aspect of it was shed during the DAO hack.

"Interesting that everybody accepts that this was a "hack"."

I much prefer this interpretation. I think this should be considered ipso facto legitimate use of the contract.

The more frequent these contract "failures" become the more suspicious I am that the authors of the contract themselves are the ones exploiting them.

It's an obvious scam in this frothy market: introduce a contract with an intentional defect and then exploit it yourself.

Again, I am tempted to consider this a legitimate use of the contract.

Your honor, that outdated Apache server let me gain remote access to the machine. I was only doing what the code allowed me to do. This should be considered legitimate use of the software.
I mean here in the real world that argument falls flat. Our legal system isn't code. It is warm fuzzy meatspace with concepts like "intent" and stuff.

But that isn't what The DAO was advertising. It was "code is law", which was supposed to remove the element of messy human judgement from things.

Of course, it was a spectacular failure because nobody actually really wants "code is law"... instead all they did was re-invent mob rule and those with the loudest voices decided what to do about the "theft".

> Of course, it was a spectacular failure because nobody actually really wants "code is law"... instead all they did was re-invent mob rule and those with the loudest voices decided what to do about the "theft".

IMO Ethereum did something that would be really nice to be able to do in the real world. A chain split, each participant got their resources on each side of the split (except the hacker) and each person got to choose which one to support, or both.

There was no need to bend to the "loudest voices" as to what to do with the theft, but rather to create two parallel chains and let each individual decide.

Yes, generally law doesn’t work as code and allows for retroactive human interpretation rewriting of transactions.

But the DAO contract specifically said, “we are bound by the results of this state machine, and it takes precedence over any human description of it”, and then wanted take-backsies as soon ask they didn’t like the result.

code is law until core devs lose money.
That’s right, and then they fork in such a way as to return to themselves more than they put in (because later theDao shares were sold at 100x, and they refunded equally).
In this case it looks like it wasn't a smart contract hack, but instead a traditional key compromise [0]. From what I can gather it looks like it was essentially a custodial provider that allowed users to easily swap between different crypto networks.

[0] https://twitter.com/Mudit__Gupta/status/1425115177771405312

Please note there are different meaning of the "law". And for blockchain it's "law of nature", i.e., just how it works, the principles you have to accept, not legal laws.

So at least for the Ethereum Classic thing, the code was written in the way that just allowed such action and therefore you should not reverse the transaction. Note that the hack was still illegal, that's the fact, so you can (and should) go to the law enforcement to do something with it. But there was no bug in the code of the blockchain itself, it was working exactly as it was supposed to. There was a bug in the smart contract though, but it's not a part of the blockchain, so it's not a violation of principles/nature of blockchain ("code is law") but a 3rd party mistake.

Same here, no principles of the blockchain was broken. So the "code is law" stands. But the transaction is still illicit, and is a hack.

Defi can sometimes unknowingly expose your money to the whelms of single contract error or stolen key that you don’t even own.
Sometimes? Defi runs on smart contracts so you're permanently exposed.
> The market remains stable, despite the news

This is what I don’t understand... There is nothing that prevents something 10 times bigger to happen and cause many people to quit crypto en masse leavingg others holding the bag... this is going to embolden other hackers. It’s an awful lot of money!!

Because stolen crypto effectively lowers the supply.imagine if binance were hacked and everything stolen. 50 billion taken out of circulation because its not like a hacker can cash out to fiat or sell their loot on an exchange.rather it must be sold very slowly or on the street. A major hack is sorta like a bunch of ppl at once losing their keys
The article has a quote speculating on the market’s (lack of) reaction (a quote I find rather horrifying):

> DeFi has survived so many individual hacks and exploits that people are less scared of their assets going to zero as a result.