760 comments

[ 1.8 ms ] story [ 257 ms ] thread
This wallet contains the $625M funds in what appears to be the largest crypto defi hack in history.

https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...

Wasn't there another one in the billions a few weeks ago? The guy with the cringe rapper wife?
It ended up being worth billions, but at the time of the back years ago, Bitcoin was much less valuable than it is now.
That wasn't defi. That was a more traditional exchange hack.
Im not sure i understand the difference between various cryptoscams.

Is that the one where people launder money by buying jpegs?

The amount that was stolen in that case is worth billions now, but at the time of the theft it was only a couple million. It has since increased in value which led to the “billions” headlines.
For now. Cryptocurrency hacks are like EVE Online news, where there would be a story every few months about a massive heist totaling tens to hundreds of thousands of dollars of real-world currency, or yet another bigger battle that destroyed enough vessels equivalent to that amount. Just people outdoing themselves every time.
> The attacker used hacked private keys

Why do people write "hacked" instead of "stolen"? To make it look like robbing them is harder than it actually is?

Stolen implies a concept of property. Which doesnt exists here....
What meaningful distinction is drawn by using one of these words over the other? "Hacked" typically implies it happened over the net, whereas "stolen" typically implies it physically happened in person. The former is more appropriate here, no?
I like to distinguish attacks where money was stolen using stolen credentials from those that occured simply by manipulating smart contracts. Some crypto enthusiasts would consider the second type of attack to be legitimate activity rather than theft, so long as the attacker stayed within the letter of the 'law' as expressed on chain.
hacking a system and stealing a key (copying) is a lot less interesting than hacking a key by exploiting some cryptographic weakness
I'm not sure I agree. I mean secrets can be stolen. Apparently pirating music or movies is theft and so on.

We've often seen the naritive of Big company stealing ideas etc from smaller companies.

So stealing can extend beyond simple physical property, and could acceptably encompass IP as well.

It's a smart move by the entertainment industry to try to rebrand piracy as theft, as the public at large understand theft as a bad thing. Legally though I think it's 'copyright infringement' which sounds a lot less sexy.
Certainly in the UK theft is "taking possession with intent to permanently deny the owner of it". Copyright infringement is not theft by that definition.

Saw this great stand-up skit by someone who was asked to compare copyright infringement to stealing a car...

It like stealing a car but You just stick you finger out, touch the car, and it's your car!

And the owner still has the car!

And literally all my friends do it!

I guess I'm old, but "hacked" to me typically involves trickery in manipulating the object itself, not just exfiltrating it. You hack a system to copy data, you don't "hack data". If you say you hacked keys, I expect you manipulated those keys with some crypto wizardry, but in this case it just means somebody somehow obtained them somehow.
"Hacked" makes it sound like they had security measures against theft.

I wonder how good their security was? (Also, could an insider have done it.)

If you have a legal system, then breaking my lock is unlawful intrusion, and if you take something from behind my locked door, it's theft.

Without a legal system, e.g. crypto, if you solve my puzzle, then you deserve the reward. It's just math!

> Without a legal system, e.g. crypto, if you solve my puzzle, then you deserve the reward. It's just math!

My fear keeping me from getting into the... offensive crypto space has been that the original owners of the wallets won't see it that way, and an imperfect opsec will leave me as one of the 70% of murders that don't get solved in the US.

Someone with millions to billions in crypto has a decent chance of being diversified, and use to backfilling the lack of access to the state's monopoly on violence with some of their own.

I don't think any math was done. They sneaked a copy of the answer.

Of course, if someone does work out the math (as they did with MD5 and sha1) it's going to be popcorn time.

Steal, copy, exfiltrate, obtain - that's not the point.

The point is that hacking, when transitive, involves manipulating an object. It is not a synonym for "copy". When people use it like that, it's typically to hide the fact that their (human or technical) systems were so bad that somebody managed to copy data they should not have. "They hacked keys!!11!" - No, something or somebody gave them keys, but you want us to believe that it required incredible skills.

Stolen has a very specific meaning, it involves taking something from someone else, denying them the ability to use it. If the person still has the thing, you've not stolen it.

I think 'copied' is the right word here. They hacked the system, and copied the keys.

> make sure all funds are recovered or reimbursed

Does anyone know if they have the liquidity to actually reimburse over half a billion?

So close to April (greater) fools day. Who on earth is going to fill that $600M black hole? (No one.)

Or is someone going to reverse the Ethereum blockchain this time? (No one. Not even Vitalik this time.)

So I don't think there is anything going to save them from this hack.

> The validator key scheme is set up to be decentralized so that it limits an attack vector such as this

Even now, when it's obvious to everyone that only two parties needed to be compromised for this to happen (4/5 compromised nodes were effectively under one party it seems), they keep calling it "decentralized". Apart from the lack of gifs, memes and emojis in the post, I have a hard time coming up with a worse response.

Over half a billion in assets and..

> We discovered the attack this morning after a report from a user

Fuck me.

Seriously. That was really really hard to read.

So basically $600mm in a hot wallet and no one even watching it. Just wow.

They didn’t even hack the smart contract, they just compromised 4 systems holding the private keys, and there was an RPC signing function giving free access to the 5th. Good god.

Sounds like if they had a checking account with their bank credentials stored in ENV variables and someone got access to that server it would be the same outcome.

The details of it being on a crypto-currency are interesting but when password/passphrase/private key security is poor it doesn't really matter the medium holding the money.

Aren't there methods of rolling back transactions in the traditional banking system though? And additional validations on larger volume transactions?
That's right. None of these protections exist in their sidechain.
It would be much different outcome that would probably lead to recovering the money.
No, $625M transfer out of a single bank account would raise tons of eyebrows. No way it’s authorized by some env vars.
Maybe, but 30d ago it would have been "No way someone would store $625M USD in a game dev bank account".
If the hackers are sophisticated, I would think they would start wiring in much smaller amounts and thru accounts so tracing is harder. Much like what they are going to have to do with the funds in that wallet.

If they setup some plausible 3rd party company the game studio could use and started transfers of $10k a pop it might be some time before anyone catches it.

That is slow anything over 10,000 in bank transfers will reviewed, and there will be a dedicated account manager for a 600m account.

They are going to review and flag it. You might loose few hundred thousands but not all 625m.

Transferring $650 million out of a corporate bank account would usually require in-person approval by a C-level officer, or at the very least, prior notice to the bank of the transaction.
> they just compromised 4 systems holding the private keys, and there was an RPC signing function giving free access to the 5th.

This seems like the plot of a 90's hacker movie.

(comment deleted)
Yes, it is truly mystifying how they operate in some of these big projects.

Recently, we had Optimistic Ethereum (by my count, ~$250 million locked up in that network) adamantly insisting that they did everything they could to warn users that transaction history would get deleted off of Etherscan.io -- trivially avoidably, no less! -- even though none of their communication channels mention it.[1]

And that they had to make a "tradeoff" in how much effort to spend on warning users, even though their volunteers are choked every day, on Discord, with users wondering where their transaction history is.

Which, of course, pales in comparison to how a hacker found a flaw that let him print infinite ETH within their network (see the main story for that thread), and the project only lives on because he was a white hat who accepted a bounty instead.

[1] https://news.ycombinator.com/item?id=30293526

Which was 6 days after the original transfers. Unbelievable.
Wait, no, it's totally believable because this is the same story that happens over and over again with blockchains. It turns out that all of those pain in the ass compliance laws on traditional finance are there for a reason, and when you ignore the past you end up repeating it.
Most hacks are discovered within minutes or hours, not having the systems in place to know within seconds if your wallet is being drained is unbelievably bad for someone custodying half a billion.
> Most hacks are discovered within minutes or hours

Really? The figures I’ve seen have typically put it in days to weeks unless you’re talking only about the most obvious things like DoS attacks or defacing someone’s homepage.

Sorry, I mean crypto hacks specifically. Most crypto traders/companies/firms have apps and monitoring tools set up to report any suspicious activity on their wallets or contracts. Unfortunately it's sometimes too late at that point, but sometimes not[1].

1. https://ihodl.com/topnews/2021-07-19/white-hacker-helps-meta...

Ah, that makes more sense. I'd be curious how what the timing is like between the compromises which give people access to keys or supporting systems and when the attacker does the noisy part of moving funds around.
Well, yes and no. True, there are a lot of corners that banks would cut if not for regulation, I think we can all agree. But this one is so appalling and self-destructive that no bank would deliberately cut this kind of corner on purpose; it's just stupidity.
No monitoring whatsoever over $600M of funds stored in your system is crazy negligent.
It isn't like monitoring would have done anything. Once the transaction goes out it is gone. The core problem here is the massive private-key bounty being created by a ton of organizations that don't have world-class security teams.
True, but you would think they’d notice $650,000,000 missing before a user reported an issue withdrawing $5,000 (edit - 5k ETH). It’s honestly so impossible to believe that I’d wager the real story is they knew and were actively trying to recover the funds.
just a poke: it was 5K Eth ($16,924,050), not 5K USD, but i agree with your wager.
God damn, 17 million stolen forever from 1 person and there is nothing they can do about it.
Even more shocking, is why someone would hand 17 million dollars worth of assets to a random company that has no security apparently.
But the attacker used 2 transactions. The first one should have been flagged immediately. Plus the servers themselves were compromised. Four of them. The attacker was able to take control of 4 different servers without even being noticed. This is just one massive secops fail.
Yeah, I'm just picturing a Graphana chart going from $625M to $0. And then admins sitting around like, OK, now what?
Or malicious...similar to the DAO hack from 2017 suspected of being an inside job (with evidence pointing to the insider who lawyered up to refute it with code-is-law argument), somebody was accountable for security and they deemed it not worth it to secure it.

Axie Infinity was already struggling, and this happens a day or two away from scheduled distribution of rewards & update release.

Cui bono? Who could've known they were carrying funds in a hot wallet other than the people directly involved with the project? Unless there was a way to discover this from the outside?

Somebody at Axie Infinity could have been asking whether they want to get paid 0.025% of that hot wallet yearly or have it all up front, today. After all it isn't cash sitting at a bank they have to rob.

Agreed, the system was designed to say "oops, we lost all of your money, how could this have happened"
is there no point at which these companies become subject to securities or financial laws? How on earth can a random game studio just casually hold half a billion dollars worth of assets apparently without any idea what to do with it?
Many crypto companies are subject to RIA compliance laws or are considered "qualified custodians"
(comment deleted)
A 51% attack on a blockchain with a grand total of 9 nodes... why would be people trust such an obviously insecure chain with such large value?
So they now have this giant sum of money sitting in their wallet

https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...

what do they do next? How do criminals even use this money to do anything?

Generally, they can wash the currency, either through mixers or by routing through a privacy focused coin like Monero.

Properly done, there is no direct connection between the new washed currency and the stolen assets.

They could just burn it - it makes everyone else’s ETH more valuable.

Or move it through decentralized tumblers. Which is why more and more these tokens are becoming non-fungible as addresses are blacklisted.

Non-fungible is another way of saying centralized, by the way. The whole system is a house of cards. The final straw will be when quantum blows it wide open.

https://tornado.cash/

Probably can get $3-5m or so a year slowly. (which would take ~25 years or so).

Which is what that horrible cringe rapper lady was doing when she and her boyfriend were busted.
No - they had Bitcoin, completely different beast. (due to lack of smart contracts, Bitcoin is a lot simpler/transparent/harder to hide stuff there).
She was converting her Bitcoin into Monero first before laundering it. The weak point is converting the resulting crypto coins into fiat money.
> harder to hide stuff there.

AFAIK, there are coinjoin implementations which cannot be traced to date.

Do note that exchanges are not too keen on accepting coinjoined bitcoin.

They could use it to pump the price on Uniswap of a low cap ERC20 crypto that they own a lot of. That's the safest way to launder that money imo.
I had multiple arguments around situations like this.

There are essentially two camps. The one side says:

- You can sell for cash, use mixers, NFT sales, $other_sophisitacted_technology and get away with it

The other side argues:

- You won't be able to ever cash out this sum and law enforcement will use sophisticated data mining on the blockchain and will eventually bust you

I think in reality it is like any illicit asset worth $650 Mio. It's gonna be extremely hard to launder but not impossible.

The $5b bitcoin recovery recently had the same problem.

Even if you converted 650m to cash it will be hard to move that around as well. At large numbers it is easy to flag for LEO in the economy crypto or traditional.

This kind of theft requires a mindshift change to be really successful, instead of thinking as 650m the hacker should think as few hundred thousands in annual income forever.

The amount you can safely move will increase as the market volume increases.

Others have talked about how you can use DeFi swappers, which absolutely will allow the hacker to convert a couple million per year into clean crypto if done meticulously, but the big problem is that they can't explain where the crypto came from. I don't think that's a death sentence, as you can still pay taxes and what not even if you can't explain where the coins came from, but if law enforcement catches onto you you'll have a problem. This is where NFTs come in. Since they're non fungible it's easy enough to buy a bunch for $1,000 and sell them to yourself for $100,000. This has the added bonus of pumping the artist you've invested in, so you'll be making money off the NFTs you legitimately sell on the market too.
Traditionally real world art market was a vehicle for illicit wealth transfer too. A good chunk of the art today is valued so high because of the illegal money that supports it .
This probably sounds like an insanely dumb idea to crypto people, but is it absolutely infeasible to reverse transactions when there's consensus that it's a hack? The TX fees need not be reversed (consider it to be a small price to pay for being hacked).

A little bit of centralisation could make the whole network safer. Who is that centralised authority to decide what's a hack, I hear you ask. I don't know, but the authority could be elected and impeachable to make it more democratic.

What is your threshold? Who decided what is "not legitimate" activity? Clearly in this case the money was spent using the keys that were allocated to be able to control the money, what process overrides that?
I mean we have an answer to that, it's called the law, and its worked since 1750BC. [edit] This guy, Hammurabi - king of the First Babylonian Dynasty - faced a similar quandary, so there's some prior art.

Disputes under the law are resolved in court.

Isn't that anathema to the new world order the crypto people are espousing?
Generally yes.

As someone who has actually purchased real goods with bitcoin (silkroad) and has dealt with the blowback of the MtGox scandal (still receiving court details to this day...)

Those crypto people are snake oil salesmen. Full fucking stop. They aren't interested in making anything usable, they're interested in wild speculation, gambling, and outright scams.

There are lots of us that recognize the new capability crypto provides (improved self-custody over assets, currency scarcity not controlled by governments) while also not claiming a new world order.

Like most things it's not all or nothing and there are pros and cons.

Hitting yourself in the head with a hammer might offer some benefits:

- The cool metal might cool your head on a hot summer day

- Might knock yourself unconscious to avoid boredom (could be real handy during long flights!)

But these nice features are inseparable from the fact that you're hitting yourself in the head with a hammer, which has many serious downsides, too.

The "improved self-custody" crypto offers is one side of the ledger. The other side is: you lose regulatory protection, and can be swindled with virtually zero repercussions. Crypto's entire reason for existing is to circumvent government control—it's pretty "new world order" all the way to the core.

This is a comparison dumb enough to basically be in bad faith.

Ignoring that and focusing on the substance:

> "The "improved self-custody" crypto offers is one side of the ledger. The other side is: you lose regulatory protection, and can be swindled with virtually zero repercussions."

Yeah I don't disagree with this - the risks are real. Some of this can improve with better tools, but some is just higher risk that exists with self-custody. You don't need to move 100% of your wealth into crypto (and I'd argue you shouldn't in nearly all cases).

Crypto provides a new capability to take control in a way that other options don't or don't support as well. There is value in this capability even though it has associated risks.

> "Crypto's entire reason for existing is to circumvent government control—it's pretty "new world order" all the way to the core."

Not all governments are good and even good governments can implement bad policy. Self-custody is a lever against the kind of top down CCP like control of entire economies and a totally controlled cashless future. It's also a hedge against stupid actions from your government (like what we're seeing in Russia currently).

New world order suggests replacing the entirety of the existing thing. I'm not suggesting that, I'm focusing on the fact that it offers a new/improved capability that gives individuals more power. I think this is a good thing, but good/bad subjectivity aside it's just a true feature of crypto.

https://www.lesswrong.com/posts/PeSzc9JTBxhaYRp9b/policy-deb...

> Not all governments are good and even good governments can implement bad policy.

Indeed! Many governments are truly awful. And it's a deeply complex problem to solve. The strategy of "screw it, let's just bypass the laws when I feel like it" is deeply troubling. And I think you needn't look further than the fact that so many despots have wholly embraced Bitcoin: Bukele, Putin, Kim Jong-un, Erdogan, Maduro, Assad, etc. Why do you suspect that is? Are they just clueless dummies who're getting fleeced by the Bitcoin pumper geniuses?

The problems with corrupt governments is the lack of accountability via regulation and legal redress. The solution is increasing accountability—often a difficult problem, no doubt. But advocating for crypto as the solution, is advocating for the harms done to people to be anonymized, and ultimately made unaccountable. That's a Very Bad Idea™.

You're arguing a strawman.
With all due respect, I don't think you understand the full weight of what you're arguing. Which was the point of my original comment. You don't get to just pick-and-choose which aspects of crypto are beneficial and ignore the side-effects. Crypto, by design, bypasses the legal system. There are some heavy consequences to that design.
I acknowledge the higher risk associated with crypto and self-custody. I just think the capability it provides is valuable. Like most things it's a nuanced issue and it's not all good or bad.

A lot of your argued side-effects are also true of cash. Yet most (at least for now) are not arguing to get rid of cash because not every transaction can be monitored and controlled.

Crypto gives more capability to individuals which is good (similar to cash). It creates a store of value outside of government monetary policy (in the BTC case more similar to gold).

People tend to simplify these things into "crypto is entirely bad" or "crypto is entirely good". I think it's a new tool that gives individuals new capabilities, but also has its own risks. I value the new capabilities and acknowledge the risks.

> "Crypto, by design, bypasses the legal system. There are some heavy consequences to that design."

This is mostly false. In the case of public ledgers - it's even easier to see transaction history than it is with cash (though this is less true of Zcash). It doesn't bypass the legal system it just requires a higher degree of intervention for your money to be taken from you (which is often desirable, especially if living under an oppressive government). Does cash bypass the legal system by design?

No one in crypto typically wants to acknowledge this, but this is the clear and robust answer.

Your keys your coins is obviously a situation rife for unreconcilable fraud, and is not a functional solution for anyone who might - ya know, want to spend these things as a currency.

I disagree. It's definitely a trade-off, and there are downsides to it (this security breach being a good example), but there are also advantages.

With normal ACH and credit card transactions, the payment never really settles, and can be reverted due to fraud for months. That means I have to slurp up lots of data (privacy?) about my users in order to increase my confidence that they won't try to scam me. And even with that, I end up losing significant amounts of money due to payments with stolen card numbers, etc.

With crypto, I know that any payment I receive is final, and I don't have to build privacy violating systems to avoid losing $$$.

Not saying this is necessarily "better", but there are advantages to it. As a user, I'd be happy to pay with crypto if the merchant passed some of the savings on to me.

What savings?

The savings associated with transactions fees (reasonable for very large spends - utterly ridiculous for small amounts, even today after the major drops, at more than 1.7 USD/tx)?

The savings associated with double spend fraud that occurs if you don't delay the transaction for 3 to 6 blocks even though you say it's final (hint - that's not true, and waiting is a large downside for prompt processing at a point of sale)

The savings associated with being literally dragged into court because it turns out that fraud is still a thing, and the legal system still matters, and despite you saying that the transaction has settled - the courts can and WILL disagree?

I just don't see it. I see a very nice way to send money to folks who are working dark markets and understand escrow (which re-introduces the risk that your transaction isn't actually settled), and a really shitty transaction method for basically everything else.

> The savings associated with transactions fees (reasonable for very large spends - utterly ridiculous for small amounts, even today after the major drops, at more than 1.7 USD/tx)?

On mainnet ETH, sure, but that arguably shouldn't be used for small payments like you are discussing. There are second layer networks that can do this for pennies on the dollar and make a lot more sense.

And arguably $1.7 USD / tx would compete quite well with credit card transactions. 0.17% vs credit card's 2-3%.

> The savings associated with double spend fraud that occurs if you don't delay the transaction for 3 to 6 blocks even though you say it's final (hint - that's not true, and waiting is a large downside for prompt processing at a point of sale)

Again second layer networks, but even on ETH itself, you're talking 10 - 20 seconds for 1-2 blocks, which is PLENTY. It's not going to be worth carrying out a double spend attack for a few thousand dollar transaction.

I do get that you don't "get" it, but I'll just say - I happily send and receive both BTC and ETH, and it is a night and day difference from sending using traditional bank accounts. I actually feel like I own the money, I can send it to anyone I want at any time, and the transaction settles in seconds. Last time I sent money via ACH, it took a solid 4 days (since I initiated on a Friday). I can deposit money into my crypto backed debit card in under a minute in the middle of a weekend.

> I do get that you don't "get" it, but I'll just say - I happily send and receive both BTC and ETH, and it is a night and day difference from sending using traditional bank accounts. I actually feel like I own the money, I can send it to anyone I want at any time, and the transaction settles in seconds. Last time I sent money via ACH, it took a solid 4 days (since I initiated on a Friday).

This is just a criticism of US banking, not 'TradFi' as a whole. Most countries have let you do the exact same thing for free or at a low cost out of your existing bank account, no overhaul required, for years. The EU has SEPA, the UK has FPS, Canada has Interac e-Transfers, Australia has NPP. I suspect you'd have a hard time finding a country other than America which doesn't support this.

... and the US has RTP for about half the population, and is getting FedNow for everyone next year. Not to mention Cash App and Venmo and so on.

This is a solved problem.

If you can even call it a problem. The thing is, if it were actually a meaningful source of friction instead of a talking point, it would have been resolved years ago.

I get it, moving money is boring unless the money is also a scratch-off lotto ticket.

> I can deposit money into my crypto backed debit card in under a minute in the middle of a weekend.

This is also how Cash App and Venmo support instant transfers/deposits to a dollar-denominated bank account 24/7. You can do this via unlinked refund or whatever the new mechanism is. That's not crypto related, it wasn't developed for crypto but rather coopted (not just by crypto, but by Venmo and Cash App). That's just how debit rails work.

> This is just a criticism of US banking, not 'TradFi' as a whole. Most countries have let you do the exact same thing for free or at a low cost out of your existing bank account, no overhaul required, for years. The EU has SEPA, the UK has FPS, Canada has Interac e-Transfers, Australia has NPP. I suspect you'd have a hard time finding a country other than America which doesn't support this.

But what these services offer is still fundamentally different from what crypto offers. The money shows up in your account instantly, but it doesn't actually settle for weeks afterwards [0]:

> Unlike cards, SEPA does not have an additional authentication layer, such as a CVC check or 3D Secure. Consequently it is important to have good risk management tools in place to offset the threat of fraud.

> A shopper can perform a chargeback online eight weeks after the purchase, with no questions asked.

[0] https://docs.adyen.com/risk-management/chargeback-guidelines...

You're conflating two separate things: bank-to-bank person-to-person transfers and Adyen, which is a merchant acquirer. Merchant acquirers and credit networks operate under different terms. Chargebacks exist because there is a demand for them. They exist because customers want them - and yes, even businesses want them. It gives folks the confidence to buy without having to worry about trusting the merchant (because they trust the network to resolve a dispute). It increases average ticket sizes and payment volume. This is a good thing that crypto lacks. Finality isn't actually what you want in most cases.

However it's irrelevant to this conversation because it also doesn't apply to any of the networks I listed. Adyen != FedNow. The systems I listed actually do provide instant settlements - as the money hits your account it's yours to spend.

If for the bank, settlement isn't instant (and that's an if because again for the services I listed I don't believe it to be the case) they can just do what everyone else does and borrow against it for basically no cost while it settles.

Again, this is a solved problem and broadly not an issue.

[edit] Just as I suspected, FedNow settles instantly. [1] And all for the low, low price of $0.045 per payment, and $0.01 per invoice! I know, its pretty unbelievable they found a way to decrement a number in one database while incrementing it in another database without involving a global network of graphics cards, burning down the rainforest and re-inventing the very concept of money. (that is to say, without "going Rube Goldberg on it").

  Unlike cards, SEPA does not have an additional authentication layer, such as a CVC check or 3D Secure. Consequently it is important to have good risk management tools in place to offset the threat of fraud.
And this? Literally describes crypto. Because they both offer instant, final settlements without a second factor like a CVC check or 3DS.

[1] https://www.moderntreasury.com/learn/what-is-fednow

Same thing as "code is law". If a restaurant puts their ordering process on a smart contract and someone orders -1 packets of hot sauce and that rolls over to 2 billion packets that means the restaurant has to provide 2 billion packets of hot sauce to the customer?

Why does that sound like a good situation to anyone?

The only way to apply the court’s judgement (in the case of ETH) is to hark fork, because there is no governance contract in place.

A blockchain can in theory support such things, which would allow a majority vote to approve the court’s judgement, but not ETH as it currently stands.

Alternatively if you could get enough miners to just collectively agree to replay the blocks without that transaction you could let the owners move the funds, but it’s monumentally difficult as time goes on and the number of blocks to rewrite increases.

If it was detected in seconds, an emergency protocol does exist between certain large mining pools for this sort of thing.

Specifically, if you have contracts holding that kind of balance, if a transaction appears on the network which touches a percentage of the funds, you get blistering alarms ringing and someone can “break glass / pull lever” to lock the contract balance into an emergency cold vault. It freezes the DEX but better that then lose the funds. You partner with mining pools to pre-clear that TX and ensure your transaction gets priority in the next block, before the attacker’s transaction goes thru (making theirs the double-spend).

But they weren’t even watching. They didn’t even know until the next DAY.

> The only way to apply the court’s judgement (in the case of ETH) is to hark fork, because there is no governance contract in place.

Courts can and do issue orders against any kind of asset in order to enforce justice and unlike smart contracts, their orders are backed by men and women with dogs and guns.

Put another way: a court will not say "gee, gosh, if only ETH had a mechanism I could give orders for! I guess I'm beaten". They will instead say "you owe $X and I will seize all assets you have today, or will ever possess in future, in order to pay that debt". And when it turns out that people thought they were clever by evading the court order by keeping everything in a coin, they will then learn that ethereum can't buy top bunk at the federal penitentiary if you don't have access to a computer.

We are talking about two different things. I’m talking about a decentralized algorithm which runs on your own machine and can reach a conclusion about a transaction being invalid even though it may have a valid signature.

For example, imagine the thief just burns the ETH. $600mm notional value is destroyed in a few bytes of crypto. Whether someone goes to jail or not is besides the point.

Can the funds be recovered, and what is the algorithmic mechanism to provide for that recovery?

> you owe $X and I will seize all assets you have today

Who owes?

No no no. Crypto enthusiasts reject the idea of the law, and the tyrannical governments that enforce them. Code is Law! Therefore, this is perfectly legal.

Conceding that this situation sounds absurd destroys the entire raison d'être of crypto.

Code is not law, consensus is law. Big difference!

And it's not even law, it's consensus has value.

Disputes can still be resolved like that in crypto, it's just up to the legal system to track down the key holders to revert the transaction. Essentially - solve it at the legal layer, don't complicate the protocol.
Hammurabi's laws only work when they have a monopoly on violence to enforce said laws.

Shitcoins (all of them) remove the potential of violence as a means of corrective action. Instead, you have crazy hard math stopping you. Can't do the math? Then you're not forcing your decision.

> Shitcoins (all of them) remove the potential of violence as a means of corrective action. Instead, you have crazy hard math stopping you. Can't do the math? Then you're not forcing your decision.

Oh no they don't. You can still go to prison, and they can still smack you around. To pretend otherwise is to play emu.

Think about this a bit more: I steal your cryptocurrency. When the police show up at my door and I say “you’d have to solve an impossible math problem to get it back!” do they a) threaten beat me and/or my family (Russia, China, etc.), b) shoot my dog and put me in jail where they look the other way while other inmates beat me (U.S. version), or c) toss me in jail (best-case Scandinavian version) until I tell them the key? There isn’t any case where they say “math is hard, guess you get away with it!”
Courts and the legal system are centralized authority, not sure they are compatible with the crypto vision.
(comment deleted)
You’re describing a hard fork - exactly what created Ethereum and Ethereum Classic after the DAO hack. Even now it’s still considered a controversial move.
I think the majority sided with the move (which is why Ethereum soldiers on and EC is basically useless).

It's a good final social check on bad behavior. I think Vitalik as written about this (I'm pretty sure I read about it in one of his long form posts).

>I think the majority sided with the move (which is why Ethereum soldiers on and EC is basically useless).

Hahaha, no, the wealthy sided with the move. Of the 82,054,716 ETH in existence, only 4,542,416 voted, for a total voter turn out of 5.5% of the total supply on 16 July 2016; 3,964,516 ETH (87%) voted in favor, 1/4 of which came from a single address, and 577,899 ETH (13%) opposed the DAO fork.

Vitalik and his friends stood to lose a lot of money, and being the biggest players in town with their premined shitcoin, voted against them losing money.

The vote is only one part of it.

What people continue to use and build on is the other.

He's also written this, basically warning about something like the very situation now happening 2 months ago: reddit.com/r/ethereum/comments/rwojtk/ama_we_are_the_efs_research_team_pt_7_07_january/hrngyk8

The DAO "hack" was a bit different from this, around 14% of all Ether were in that contract. There isn't going to be another rollback, especially not for something like the here discussed attack. Trusting third parties is risky. It's like taking your money out of your bank account and sending it to a bank in Nigeria. Things can go wrong, the chain can't be rolled back every time someone loses money. People have to be more careful.

Yeah, this is my take of things too at least as I understand it.

There is increased risk moving stuff off chain to third parties.

> I think the majority sided with the move (which is why Ethereum soldiers on and EC is basically useless).

This should really be phrased "which is why the fork is called Ethereum and the original chain is called Ethereum Classic". And the majority (of what?) really had only indirect input - the exchanges decided which chain would get which ticker, and if they'd kept ETH=the original chain, it would still have the name Ethereum.

Forking is absolutely central to cryptocurrency. In the end, these are just rule schemes for interacting and communicating about value. If no one chooses to participate in it, it has no value. If a sufficient majority would like the rules to change, then they can simply do so.

People focus on the algorithmic aspect of cryptocurrencies, but this is simply the weedy details that enable certain properties of interaction. Nothing terribly interesting has happened here since the initial idea of using proof of work to regulate authorship of a blockchain. It is the social aspect that has been interesting to follow. Alt coins, forks, and the enduring primacy of Bitcoin.

So if they fork the chain again, does Ethereum Classic become Ethereum Classic Classic?
Or maybe don't lend a valuable asset to a game studio.
Maybe someone could invent the "FDIC" of crypto in smart contract form where everyone pays a periodic premium but if a hack occurs and there is consensus they get a payout.

Only problem is everyone would have to use their own wallets for it to work, and for most people it's safer to store large amounts of crypto on an exchange instead of a wallet for personal security reasons.

> and for most people it's safer to store large amounts of crypto on an exchange instead of a wallet for personal security reasons.

This is the opposite of what is usually recommended.

Yep, I realize that, but having your own wallet means:

- Everyone can track your transactions and personal wealth on EtherScan or similar tools, whereas in an exchange it is significantly obfuscated by the exchange's own collection of wallets and databases.

- You could be robbed at gunpoint for your hardware wallet.

- You could lose your wallet in a fire or other natural disaster.

- While you can back up your wallet keys online, most people cannot remember the long passphrases, and end up writing them down on paper which isn't secure if someone were to break into your residence or office.

For most users the combination of these risks far exceed the risks of keeping money in an exchange.

But yeah, if you're a billionaire with a 24/7 personal security team and personal firefighter team, then yeah, by all means, keep your own wallets.

> Maybe someone could invent the "FDIC" of crypto in smart contract form where everyone pays a periodic premium but if a hack occurs and there is consensus they get a payout.

Nexus Mutual, and a few other on chain insurance protocols offer exactly this. You pay them some premium, and they pay out in case of losses due to hacks, smart contract vulnerabilities, etc. So far they've worked fairly well, and paid out in hacks like this that occurred.

I'm not a cryptocurrency person, but my understanding is that that's happened before: ETH effectively rolled back the DAO hack[1] in 2016. The end result was the "Ethereum Classic" split, which continues to this day. There are all kinds of financial ramifications to this kind of split, nearly all of which (to the best of my knowledge) remain unsolved.

The problem that you've correctly observed gets to the very root of why cryptocurrencies are a farce: if participants need the confidence of an ultimate human democratic process, you might as well kick the immutable public ledger to the curb, skip the tire burning, and use the financial system we already have.

[1]: https://en.wikipedia.org/wiki/The_DAO_(organization)

they hard-forked the DOA, the old fork is still traded as ETH Classic no?
Yes, Ethereum Classic is still traded (although I have no idea how thinly). That's exactly why it's a problem: every account pre-fork now exists on two blockchains, and it's not clear what the tax, contractual, legal, etc. ramifications are of essentially doubling everybody's money. The nature of the blockchain also means that forks are destructive against innocent transactions: users doing "business as normal" who have the misfortune of being included in or after the rollback block have to re-coordinate all of their work.
It was the centralized nature of this bridge (5 private keys required) that allowed this hack to happen in the first place.
Well you can do anything with the ledger if there's consensus. That's how the entire thing works. How are you going to convince >50% of the mining pool to agree though?
Keep working at it and eventually you will rebuild "tradfi."
If you think that's actually a good idea, then do it. Make a fork where people can have their money back, and see who follows you. There's no need to ask permission. The entire crypto-ecosystem thrives on crypto-darwinism. Projects experimenting with various forms of governance to see what survives, and what sticks.

Axie's Ronin network was a centralized side-chain experiment. Unfortunately what got exploited was the bridge back to the more decentralized ETH Mainnet. They failed to have proper fail safes on the bridge, and they got looted. Maybe their project survives this, maybe it doesn't.

,, Originally, Sky Mavis chose the five out of nine threshold as some nodes didn’t catch up with the chain, or were stuck in syncing state’’

Sounds like a great plan for storing half billion dollars. I’m not blaming the developers, as they are incentivized to move fast and break things, I’m just sorry for all the people who trust new protocols so easily without any knowledge in safe software security practices.

Personally I’m a Bitcoin only person, because I respect the amount of work that the software authors do to minimize the attack surface, but at the end the free market will select the winners and losers.

"I'm not blaming the developers.."

I mean, I think it's time to put that on the table...

If I was betting, I'd put my money on VC pressure.
I am blaming the developers.

Perhaps this is not a popular view, but this "blameless" culture is fine and good when it's a random service going down for 15 minutes and you're trying to collaborate and prevent it from happening again.

There must be limits though. If you're handling that amount of money in a bank and you fuck it up like this, your ass is on the line, together with the ones who incentivized you to move fast and break things. This should be no different.

I have been to a few crypto meetups and seen people just talk about buying and selling tokens/cryptocurrencies without knowing more than the name of the currencies.

They are betting on software in alpha phase without knowing anything about it, or any detail about the cryptography, concensus mechanism or coding practices they use.

There are valid concerns with any asset where people want to store their wealth (which is at the same time a basic human need), but it's hard to reason with peope who are not interested in discussing those concerns.

Even developers who work on smart contracts don't understand the intricacies of the consensus algorithms and cryptography.

These are hard subjects your average developers rarely work on, and is usually smart enough to know not to roll their own.

Everyone in the market just is gambling on what other people think. Like playing poker only by guessing what everyone else does, knowing the rules.

Stock market is no different the subset who read annual reports and make projections or trust people who do are limited

I'm not surprised since a large percentage of crypto buyers are millennials that grew up during the great meme boom of the 2000's.
This is like the contractors working on the Death Star when it was blown up.[1] They knew what they were working on. They knew the dangers. Can't cry for them when they're blown to smithereens.

I've been asked on two separate occasions to work on some crypto startup idea. Aside from my skepticism that they were even worthwhile projects, I declined because hell no I'm not writing code that touches other people's money.

[1] https://youtu.be/iQdDRrcAOjA

In the real world a lot of army is conscription. Typically it not freelance mercenaries it can also be prisoners or threatened/coereced labour. Star wars actually highlights this in Rogue one.

Also in many economies this is literally only job available, same reason why syrian fighters are ready to go to Ukraine.

While death star attack wasn't a war crime, they weren't civies after all, it wasn't a simple as they knew the dangers

"Our software has some sort of race condition, it gets stuck every few hours, should we debug it? Could be difficult to find."

"No, just write a cron job to restart it every few hours, and we'll increase the error tolerances. Nobody wastes time debugging stability issues anymore!"

The blind leading the blind here in the wild, wild west of crypto.
I'm out of the loop and trying to understand - people lent over half a billion dollars of their 'real' fake money (ETH) to a game studio so they could transact on the studio's sidechain because gas fees are prohibitively expensive on ETH, and then the game studio got hacked and lost it all?

How was this ever going to end any other way? Imagine how preposterous the idea of storing $650mm in USD in a random game studio's checking account would be.

Yes. People worked hard for electronic dollars to be transferred to their electronic wallets.

They tried to use some of that digital money (in another electronic format) in a digital game, but the game got hacked and now those dollars are someone’s else dollars.

The hacker may have some difficulty transforming digital money into paper bills, because KYC, but he can launder it like old school people used to and have some.

> but he can launder it like old school people used to and have some.

Crypto provides exciting new ways to do that, too. First send it through a mixer service. Then, invest in some new NFT project. Six months later, oh nice, someone bought your NFT for 10x what you paid for it. What a great investment.

Selling NFT for over >$1000 should trigger an investigation into provenance of the funds.
when it comes to banking, random checking accounts are hacked into very rarely. to the point that in USA the FDIC is protecting your account up to $250,000. I don't recall last time seeing news on someone's bank account being hacked and drained, if anything its mostly family fraud.

also there are all sorts of checks when you try to wire or withdraw more than $10,000, not to mention wire hundreds of millions. Such transaction will manually cross a desk of at least 2 different bank managers.

Wire fraud results in billions of dollars in losses per year from checking accounts. Here's one article from 2019:

https://www.cnbc.com/2019/09/11/email-wire-fraud-cost-26-bil...

We talk about eth/btc as if they're just covering the function of the checking account, but it's also covering the function of the checks, wire transfers, ACH transfers, etc. So for a real comparison you'd have to count up all the related fraud from legacy checking accounts and their various mechanisms to move money between them.

This article is about people being fooled into wiring money to fraudulent actors, not about hacking.
FDIC protects against bank failures (like the bank goes bankrupts and looses all the deposited money). It has nothing to do with unauthorized transactions as far as I know.
Depends on the transaction type. Checks and debit cards are pretty well protected. Wire transfers aren't protected at all.
(comment deleted)
> I don't recall last time seeing news on someone's bank account being hacked and drained, if anything its mostly family fraud.

Anecdote time. My wife and I have a shared checking account that got hacked and drained. First her debit card got skimmed. Then the perp called USAA a half dozen times claiming to be her and asking for account credentials. Finally they got a helpful account rep to reset the password, disable MFA, and tell them the username. Yep. You heard that right. Social engineering works even on bank tellers who should know better.

Fortunately it's just a daily use account and I'm paranoid, so there was only 5K they could access there. USAA owned up to the whole thing and restored the funds, but now they punish my wife with a 10-minute interrogation to prove her identity if she ever has to get them on the phone for a legitimate reason.

Weird, USAA froze my cards and funds immediately the only time I've had suspicious transactions. I guess the social portion is where we diverge though, they definitely tried harder to get in to yours. Ours was just a guy in Vancouver trying to order Thai food through a delivery app.
They froze the card, but only after six consecutive withdrawals from an ATM in Miami. I was getting notifications on my phone about the withdrawals (did I mention I'm paranoid) but since I was driving, I didn't see them for about half an hour when I arrived at my destination. Called USAA immediately and they had already frozen the card. But the money had already been withdrawn.

I can't explain why it took many consecutive withdrawals in a short time, in a city that I've never visited, 3000 miles away from the most recent use of the card, to trigger USAA's protection algorithms.

USAA did finally take care of it. My biggest beefs with them are 1) they dragged their feet a couple days on the investigation until I called them myself (I'm the veteran, my wife is not, and they were much more responsive to me), and 2) they really do punish my wife for something not her fault. You know those questions you get which are sourced from your credit file? What street did you live on, what's your mortgage payment, things like that? That's what they ask every time, after asking for a secret password and PIN code to be used for phone calls.

I'll give them credit though, for actually sharing the gory details with me once they were done tracking down everything, and admitting that one of their own employees had broken their rules and handed over the credentials to my wife's account.

This incident reinforces the rule never to use your debit card for credit card transactions.
Absolutely do not use your debit card ... well, anywhere if you can help it.

(Apologies, saw the wrong parent comment) How many utilities, credit card companies require a checking account for autopay? How many times have you thrown out an old checkbook that contains routing and account numbers on a carbon copy pages?

Bank accounts are not especially secure, we mostly hope to limit the risk/reward calculation for hacking them and basic security controls.

> How many utilities, credit card companies require a checking account for autopay?

In my experience, this is getting better! I now have all but one of my bills being paid by my credit card. Used to be that the utility companies made you pay extra and use a third party service if you wanted to use your credit card.

Not all, though. Verizon, for example, will let you pay with a credit card, but they give a substantial discount if you use a debit card instead. For obvious reasons. I hope that does not become normal. I'm used to Verizon being scummy, I hope it doesn't become the default behavior for the other utilities I pay for.

The US needs an automatic bill payment system with strong guarantees.

In Britain, most people¹ pay bills (electricity, water, phone, internet, insurance, car loan, credit card etc) by "Direct Debit"². (Most European countries have a similar system with similar guarantees, but this one is described in English.)

If anything should go wrong, the bank must fix it. There's a list of direct debits in the bank's interface, and they can be cancelled/suspended with one click (or by phoning or going to the bank).

It isn't perfect (see 3 from two weeks ago) but that sort of problem is rare enough that it was reported in newspapers.

¹ "Direct Debits are used by nine in ten UK consumers to pay some or all of their regular bills".

² https://www.directdebit.co.uk/DirectDebitExplained/Pages/Dir...

³ https://www.moneysavingexpert.com/news/2022/03/tsb-customers...

Ever, never, never use your debit card where credit card can be used in its place.

The mechanisms for restoring the charge on your credit card are much stronger than on your debit card. And a credit card is a FUTURE charge, so you have time to fix the problem. Whereas a debit card is your CURRENT money, so it's just gone unless you get it back.

I do not understand why people use debit cards linked to their actual bank account out in the world. Paying bills securely through the utility is the only thing we use that for.

Agreed. I almost never use my debit card. And now, my wife doesn't either. Though her card got skimmed at an ATM, not during a debit card transaction, so this advice doesn't work. Now she just doesn't ever use ATMs. For better or worse, we now keep a few grand in the safe at home and pull from that for the occasional cash need. When I need to replenish that, I walk into the bank and take it out the old fashioned way.

It's not paranoia when they really are out to get you...

I have stopped using credit cards for two reasons:

1. My debit cards allow me to directly import transactions into my personal accounting software while my credit cards don’t; and

2. when I shop online, my debit cards allow me to use them as a 2nd factor (using a USB card reader) while my credit cards require either an iOS or Android device for 2FA.

You’re right in that a credit card is a future charge and debit isn’t. But are debit cards really so much more insecure? What threat model do you have in mind?

If your credit card is compromised, you make a phone call and maybe can't use it for a few days.

If your debit card gets compromised, your rent check bounces.

Plus, frankly, banks are generally more protective of THIER money than YOUR money.

> If your debit card gets compromised, your rent check bounces.

I guess that depends on the bank and the country you live in.

Credit card transactions are much easier to reverse. For example, I went to a restaurant and a few days later I noticed they double charged the bill. I called the restaurant, they wouldn't fix the issue, so I called the credit card company and it was quickly reversed. That doesn't happen with a debit card.

Credit cards also come with all sorts of benefits. You can easily get 1-2% off all purchases through cash-back or gift card rewards. You can get free insurance with car rentals. Many cards also offer an extra one year warranty on most purchases, so if you paid for your laptop or phone with your credit card and it dies just outside of the manufacturer warranty, you might still be covered.

> That doesn't happen with a debit card.

Citation needed.

The scenario you described will absolutely fall under most card networks' transaction dispute rules. In day-to-day spending a debit card is just as safe as a credit card when it comes to fraud or malicious merchants.

The only time a credit card will be better is grey areas where a card network dispute doesn't succeed, in which case the law in most countries forces the credit card provider to eat the loss. In some of those cases, the reason why a credit card chargeback succeeds is not necessarily because you are right (if you were, the dispute process would've succeeded anyway) but because the amount is too low for the issuer to care so they just eat it to not have to investigate and/or litigate the issue.

(comment deleted)
There’s no reason to want your credit card to have 2FA. It’s not your money, so the only point is to annoy you when you’re spending someone else’s money.

Well, or to use it with sites that require 3D Secure, but that’s still something to help the merchant not you.

As if it was my choice.

EU-wide regulation requires all banks to force 2FA onto their customers for logging into their accounts.

>I do not understand why people use debit cards linked to their actual bank account out in the world.

Because this advice is USA only. All of my credit cards (well... two) are linked to the bank account and I don't even think there's a way to get a credit card without bank connection.

There is, but often it cost extra and we at least don't have the whole cashback system to cover those. Though the fees for merchants are lower so the prices should be too.
100%. The account linked to my debit card is empty unless I want to make an immediate withdrawal at an ATM. This being 2022, I can transfer whatever funds are necessary into the account in a minute or two using an app on my phone. I also have a separate checking account for linking to external services like Cash App, Venmo, or third-party bill pay systems. Again, the account remains permanently empty except for the brief window where I'm moving money between these services or paying a bill.

Given how quick and painless it is to transfer money between accounts, leaving substantial amounts of money in accounts linked with mechanisms that can remove that money is insane to me.

I just want to point out that this comment is exactly why social engineering is a problem. You have been a victim of what happens when a company doesn't put in enough effort to verify the identity of the person they have on the phone. Yet when that company starts putting in that effort, you object and call it a "punishment".

Convenience and security are often in direct competition with each other. Almost all of us would expect convenience in this situation. You should know better more than most the cost of choosing convenience and even you want that convenience. Is there any wonder why businesses select convenience over security?

I call it a punishment because it's over the top. It was a lot of money for an individual, not a lot of money for the bank. So the security should be proportional. Instead of putting in a 10-ton vault door in front of every customer interaction, I'd prefer they only escalated to that level when someone calls in saying things like "I lost my wallet and I'm stuck away from home, give me access to 'my' money, and oh by the way I don't even know my own login name."
This type of escalating validation is also ripe for social engineering. You said this person called 10 times. They don't need to do everything in one call. Instead the goal for earlier calls can be to gather information. You gave the example of the person trying to take over the account without knowing the login name. What information would someone need to supply to get the account name? Does that require escalation? If not, what is the value of requiring that as part of the identity validation process?

If the company is going to provide some level of support to people they haven't verified, that support will be abused as a means of passing the verification.

At the risk of being a software developer that always sees everything as a software problem, I feel like this could largely be mitigated with very simple improvements to the customer service application.

Back when this happened, that was my first question to USAA and one for which the security guy didn't have a ready answer, though probably it boils down to some version of "we are heavily regulated and continue to rely on software built for mainframes."

There are so many possible ways to mitigate the risk which should be triggered well before a half dozen attempts finally gets to a teller credulous enough to believe their excuses for ignorance.

(comment deleted)
When I was in a lot of debt, banks outsourced collections agency called many times on a private number and wanted me to verify myself before they would verify themselves. No. Bank denied they would do that but that was lies. They couldn’t even admit to trying to get in contact with me. Collections agency couldn’t even play the theoretically game of maybe there’s a certain someone out there, who knows who, who hasn’t paid off a credit card, maybe this certain someone would want to consider going into his bank and having a chat but that’s not for me to say ah capishe? I’ve got a rock you’ve got a sword how are we gonna play this out? Good times haha
> but now they punish my wife with a 10-minute interrogation to prove her identity if she ever has to get them on the phone for a legitimate reason.

How is that punishment? If USAA knows you or your wife were a target of somewhat sophisticated attack that ultimately broke their security barriers, wouldn't you yourself actually want some extra protection? If anything, this is a positive sign for USAA, I doubt with my Bank of America anyone would care with any sort of extra layers of security if my account would ever get hacked in a sophisticated way.

I call it punishment because I don't think the attack was really sophisticated, I think USAA's internal training and software was wholly inadequate to defend against a persistent unsophisticated attacker. Why were they still routing his calls to regular bank tellers after the first couple attempts? Why wasn't the security department involved at that point as the only allowable contact point? Why did they actually hand out the login name and password for an account without doing the 10 minute deep-dive identity verification they now make my wife do?
I guess on the bright side, nobody will ever hack into your USAA account :)
This is one reason to keep at least some accounts with a large national bank or credit union. If you need to prove your identity or deal with a lost card while traveling you can at least walk into a physical branch and talk to a manager.
Story time: I also once had my bank account hacked - in a manner of speaking.

I tell you this story in the hopes that it helps you recognize if you have similar flaws in your own security.

I used to run a VNC server on my home PC (flaw 1). Chinese hackers discovered it and spent three weeks brute-forcing the password (flaw 2). Once in, they installed TeamViewer to allow themselves future access. Then, they logged in at 3am and used my browser-saved PayPal credentials (flaw 3) to paypal themselves $5k from my linked chequing account (flaw 4).

I discovered this several days afterwards when I saw the withdrawals hit my bank account. I then found a few further pending Paypal transactions, and pieced the rest together from VNC and router logs.

Thankfully my credit union believed me that I didn't authorize the transactions and reversed them, making me whole again.

But damn, it's a scary feeling having someone break into your computer, not knowing what they might have looked at or accessed. Very similar to having your home broken into.

FDIC does not protect against account hacks. Bank's assets and laws do. FDIC protects accounts against losses caused by bank failures.
The chance of $650 million being drained from a game studio’s bank account is significantly less than it being drained from their ETH wallets, at least as of now.
And if it was drained from a bank account, you have recourses to get it back.
Not true in the EU, we got scammed into making a bank transfer from Germany to Belgium for a bicycle that never arrived. We contacted the police and bank with all the details, and had to pay our bank about 40 euros to ask the scammer if they would refund the money, they said no and that was it. EU banking laws protected them. On the plus side the website appears to be gone now.
Voluntarily transferring money is very different from having it stolen. The bank should protect your money while holding it from theft. They can't protect you from your own decisions on how to use your money.
They voluntarily accepted a contract wherein they would transfer money in exchange for receiving a bicycle. No bicycle was received, so this voluntary decision does not mean that the money transfer was voluntary. They did not accept a contract wherein they would transfer money in exchange for nothing. Since they did not accept this contract, this does not make the money transfer be voluntary.

Being a victim of fraud is not "voluntary" in any meaningful way.

That's got absolutely nothing to do with the bank. It's between you and the 'merchant'.
> this voluntary decision does not mean that the money transfer was voluntary

Voluntary or not is a red herring. The word this discussion is looking for is authorized.

The transfer was authorized by the account holder. They were defrauded. But when they made the transfer, then intended to do so. (The situation is murkier with credit card transactions, at least in America, because they chose to accept a role in dispute resolution.)

The $625mm drained out of Axie's account wasn't authorized by Sky Mavis. That's a different type of fraud than being ripped off.

In the old American paper check system there was an important but subtle distinction between "fraud in the making" and "fraud in the inducement". If a criminal stole your checkbook and forged a check then an intermediary (like a bank or a grocery store) which cashed a stolen check could be on the hook for the money--if you protested to your bank the transaction could be reversed. However if the criminal simply induced you to write them a valid check (e.g. as payment for a non-existent bicycle) then any intermediary that cashed the check is not on the hook, and the only recourse is to get the money back from the criminal.
Banks won't reverse transfers depiberately initiated by the account holder. You would have had to go through the legal system to get your money back.

But that's a different case than money being "drained" from an account by someone else.

They sometimes do reverse these transactions, but the amount of money involved here (1 bicycle worth) is probably easy for the scammer to put out-of-reach of the bank very quickly -- withdrawing cash, buying gift cards etc.
Yeah, just like they won't reverse cash transaction. Pay someone on street for something, they take the money and don't give you what you wanted. Go to police, and they won't get your original cash back...
That's because you didn't use an escrow service between your account and the seller. If you did, the escrow service would provide some measure of legally-supported reversibility.
€40 is not the same thing. If you got scammed out of €650 million, you would have gotten better attention. That's the point being made here.
You aren't insured for $650M in a bank account
You have a legal system available, and banks that have to rigorously comply with that system.
This is true about cryptocurrency as well.
Where will Federal Marshals deliver the summons to the owner of wallet address 0x8723aa67f823dbe785dc923 ?
What percent of BTC has been stolen? What percent of USD has been stolen?

And that shows the difference in how each is protected.

Interesting thought. Bitcoin circulates, and you have to wonder how much of it has passed through a fraudulent transaction -- at any time in the past. Someday when it becomes straightforward to walk the entire life of bitcoin backwards, there may be people who want their bitcoin back...because it's stolen property.

If A has a TV, B steals the TV and sells it to C, who sells it to D...then the TV is still returned to A, and D is out of luck.

But bitcoin can be mixed, how do you decide which of the next transactions contain your part of stolen bitcoins?
This isn't a single user, FDIC insurance is for $250k per user per bank. The point is that for regulated banks that number is clear and if you exceed it you will be aware of it, and if you haven't exceeded it you have a federal guarantee to recover your money. What assurance does anyone have in this case?
People do not understand what FDIC insurance is.

It protects again bank failure. If the one's assets are drained from the bank, as long as the bank has not failed, it will have to make the account holder whole.

That's why a company would be stupid to hold $200M at Podunk Bank of Littletown, KS but is perfectly fine to hold it in a DDA account at Bank of America, Citi or Chase

The FDIC insurance of $250,000 is by the government in case the bank becomes insolvent. The FDIC can easily cover $650 MM in a single bank that has 3,000+ customers. Or really even fewer than that with multiple account types.

But even then, if you store $650 MM in a Bank of America account, that money is protected against being stolen by BOA's anti-fraud software, laws, the trillions of dollars of assets BOA has.

Depends on if the studio's bank account has security questions like "mother's maiden name", "first concert", etc type stuff and an employee with those answers that like to take quizzes on facebook. Otherwise, it could be quite simple to drain the account
It could, yet it doesn't.

For one thing, most business accounts do not hold 9 figures in cash.

Inflows and outflows are likely to be predictable, so you can set flags for certain thresholds.

A 9 figure transaction would absolutely be noticed, and possibly flagged before it was permitted to continue.

What do you mean not common? Bank account fraud is extremely common here in montreal, it even has a slang name "peter des guichets". It's probably much more common than crypto fraud here, and up until a couple of years ago it was so easy that your average person with no real technical knowledge could do it. Reversing an interac transfert here is just very very hard to do too
Just like SMS access to 'mfa' your bank account also provides an attack vector if they steal your number, stupid (aka all find-able) security questions don't help protect, they are another attack vector. I thought everyone puts fake answers and keeps them in a separate location. Then of course someone can come in an steal them too!

Since 16 year olds can hack into auth providers like okta and then hack into microsoft and steal source code, and this crypto stealing endless happens, there's just not good electronic security. But what is good is I can go to my bank in person and fix things. It would be so much harder for someone to get fake id. I actually have a personal relationship with my advisor at my 401k. Those things do give me some additional security, at least I think so.

At least with a checking account you may be able to have the transfer reversed.

The idea of buying game credits and trading them in game makes sense, but you would want the game publisher to have root on the ledger so that if there was a hack they could reverse it.

> but you would want the game publisher to have root on the ledger so that if there was a hack they could reverse it.

In other words, you'd want the game publisher to run their game on a centralized database, like MMOs have been doing for decades.

> Imagine how preposterous the idea of storing $650mm in USD in a random game studio's checking account would be.

But it's decentralized.

(Do the same hand movement as if saying "It's got electrolytes")

> Do the same hand movement as if saying "It's got electrolytes"

I'm stealing this.

Just in case you're not familiar with the reference, it's from the movie Idiocracy.
Apparently plants crave it though...
Mutilate your thirst
If you don't smoke Tarrlytons...f** you!
Mutilate your financial security.
Let's just call the bank and see if ...

* It's decentralized *

Oh, crap.

Customer support answers for most things crypto is of the "the fault is yours alone" variety.

Reminds me of the line in 30 Rock:

"Gentlemen, we have moved our customer support offices to a part of India that has no telephone service. We're now providing the same quality of service at zero the cost".

Someone actually made a gif of that scene with those words at that point, during the bitcoin scaling debate (where some wanted the block size to increase and decentralization was being ridiculed as a spurious defense of the small size).

I’ll see if I can find it.

Its got what the internet craves!
This seems to be literally true.
My favorite is the supposed "special properties" of copper. I once knew someone who swore by the healing properties of copper.
Giving $650mm in USD to a random company is still infinitely safer than doing so with crypto. If a regulated bank claims they got hacked and lost that amount, there are a slew of federal and state laws and agencies in place to investigate it. With crypto, it could very well be in the wallet of the CEO or IT guy and no one would know.
Cryptocurrency theft is illegal and the US government does investigate and prosecute it.

[0] https://www.theguardian.com/law/2022/feb/14/us-bitcoin-case-...

Yes, but it's an open question how successfully and how frequently they catch the bad guys.
It's only an open question to people who haven't actually looked into it. Yeah, criminals get caught trying to move around stolen cryptocurrencies all the time.
Out of, say, the last ten big DeFi hacks, in what fraction have the perpetrators been caught?

https://decrypt.co/93874/11-biggest-defi-hacks-heists

I looked up the first six (#11-#6) projects on this list and I didn't see that in any of those cases the perpetrators have been caught nor the funds returned. I could be missing something though.

That's all well and good when the thieves are in the US or a country that will extradite them. What happens when the thieves are operating out of a country without an extradition treaty?

In the regular financial world you can at least reverse the transaction. With crypto, is there anything you can do?

In principle if you had enough desire among world governments you could plausibly try and legally force a blockchain fork.
And do that every time a hack occurs? What would the threshold be for when that would be worth it?

Could I recover $100k that got stolen? What about $10k? $1k?

Sure, why not? You could even automate it, using a SWIFT-like messaging pipeline that all mining companies have to subscribe to. Blockchains are fundamentally a social construct, and governments have the ability to regulate the individuals who are creating the blockchain. If there was enough political will for it, you could absolutely bolt a "reversal" mechanism onto any existing blockchain. Unless you're doing your mining operation entirely on the black market, you're going to rely on the government for enforcement of your colo rent agreements, your electricity agreements, etc, so there's lots of incentive to comply.
What you have when you're done with the process you've described is a centralized banking system managed by world governments, which is what we already have. It's not perfect, but it works, and lots of people are actively working on improving it in ways that don't involve the contradiction inherent in centralized decentralization.
Yes? That's the point of my comment? I'm confused about what you're saying. I'm trying to answer your question "And do that every time a hack occurs?". The answer is yes, it's completely feasible and within the powers of a government or inter-government treaty organization to do this every time a hack occurs, because they already do. I'm not trying to say that such a system is good, just that it's possible. There is nothing "special" about blockchains that exempts them from normal government regulation.
Ah, I misunderstood what you were saying. I thought you were advocating that we should do that, and I was wondering why that would be better than the status quo.
(comment deleted)
(comment deleted)
Even if that is desired and wouldn't spark a philosophical debate about wether centralized entities should get involved at all, there is a much deeper problem.

Every transaction that is occurring now on the chain will be invalidated.

That means you can't even reverse a single transaction you will have to reverse one transaction and ALL other transactions that happened after the one you want to reverse.

If that happens too often why would I want to to transact on a chain that is under constant threat to be forked off?

You're thinking too narrowly about the types of "hard forks" that are possible and what the space of all possible regulations could be. For example, one possible idea (with a lot of downsides! this is just an example, not a proposal), is that the US government could just promulgate a "US super-key" that allowed it to sign any transaction and have it be considered valid, and require users running blockchain software in relation to financial applications to respect those transactions. This would be a bad proposal for a number of reasons, but it's possible, because blockchains and the code that enforce them are inherently a social construct, an agreement made between all participants.

But the answer to "why would I want to to transact on a chain that is under constant threat to be forked off" is even simpler: It's because, in this hypothetical, the regulatory environment you operate in gives you no other choice. Unless you and everybody you transact with has the ability to boycott or subvert the regular financial system entirely (e.g. you're doing entirely black market transactions), then you'd have to fall in line if a government that was crucial to your operations or your downstream supplier's operations required it.

Anyone could start a cryptocurrency today with such a key and give it to the FBI, and if people thought that made them safer, they could buy that currency and use it.
You wouldn't have to reverse all the transactions. You could trivially create a fork (which has to be longer, and therefore have more transactions available) that includes every transaction but one from the blockchain. Well, that is you can create that fork as trivially as you can create any other fork.
Sure maybe. But that only really works if few (if not all) entities have control over the consensus mechanism.

On a regular PoW blockchain you will have to recalculate all the hashes according to the difficulty which will up to the miners.

But even if you could, it's an absolute technical nightmare.

To build an analogy that somehow fits. If you have git repo and you find out that a particular commit that you want to undo, what do you do?

- Rebase all changes to an earlier commit, remove the faulty commit and recalculate all commit hashes that follow it.

or?

- Create a new commit that reverts the old commit.

In reality you opt for option 2 99.99% of the time. The only reason you would ever want to remove a commit from history is if you accidentally exposed information to an audience that is not supposed to see it.

When you first responded to chippiewillie you talked about how forking would produce a reversal of all the transactions. That's not true, but it is what you identified as a "much deeper problem"
My apologies, I used “reverse” and “invalidate” synonymously.

Nevertheless on a public blockchain all transactions would be invalidated and that indeed is a problem.

Because everyone who received coins would have to wait again for n confirmations in order to be sure they got their money. In theory nobody should be able to add a double spend transaction to the pool but I wouldn’t bet on it.

That’s what I mean with technical nightmare.

You would have to make sure to properly identify all transactions. Possibly take down the system, exclude a single transaction. Make sure that the miner who will find the next block will include the right transactions. Make sure of that for the following block. I don’t see that happening with a large coordination effort, meaning: centralization.

And when you come to that conclusion you should probably take a step back and rethink “why are we doing all of thatch blockchain stuff when we need to rely on a central authority?”

> when you come to that conclusion you should probably take a step back and rethink “why are we doing all of thatch blockchain stuff when we need to rely on a central authority?”

I think blockchain is going to eventually die for that exact chain of reasoning.

Even if you could isolate output chains, that means many of subsequent transactions that are legit would get cancelled...

Or you would need to make more crypto cover those... Which then would destroy the whole deflationary idea with likes of bitcoin...

You'd have to be forking it once a week, because there is so much stealing going on. We'd probably end up with a weekly split. Imagine how crazy that is. And of course people would make false stealing claims. Maybe you are on vacation when they reverse something that takes your money, because you have a chance to weigh in.
You can't always reverse the transaction in regular financial world. It is typically possible if all parties involved act in good faith, and often possible in other cases too, if you act fast, or the bad faith actor is less than competent. However, this is not always the case.

Imagine the following scenario: bank A sends $100M to bank B, which then sends it to bank C. By "reversing" the A->B transaction, all you're doing is making bank B on the hook for the $100M. Bank B will obviously not be very happy about this, and if you try to force it through some legal means, this will effectively amount to stealing $100M from bank B and its customers.

Reversing erroneous transactions is a useful feature of regular financial system, and lack of it in blockchains often poses huge and avoidable practical problems. At the same time, this in no way should be seen as panacea for restoring stolen money, neither in real financial systems, nor in blockchain.

The shifting of the goalposts is incredible.

Yes, there are flaws in the real world financial system as well.

Yet, we’ve heard of more of these scams in years of crypto than in decades and centuries of banking.

And no one has still provided an explanation of why crypto is better than the established working system other than “it’s decentralized” except as we find repeatedly, it’s not decentralized.

I wouldn't go with "centuries" of banking on that one. Truth to tell the early days of banking, which is most of the 19th century for the US, were replete with exactly the kinds of frauds and cons that crypto is now replete with. Which is what has led to the regulation and supervision that crypto is in de facto rebellion against.

Of course, the best way to find out why something is not done a certain way, is to try doing it that way.

> Which is what has led to the regulation and supervision that crypto is in de facto rebellion against.

Who supervises the supervisors?

It's not really goalpost shifting - thieves in countries without extradition treaties and with justice systems that don't care are a serious ongoing problem with the existing banking system, and those transactions are not in general reversable. Hell, someone managed to steal a substantial sum of money from Bangladesh's central bank and almost none of it could be recovered. The only reason they didn't manage to rob all 1 billion dollars of the central bank's reserves was a random false positiver in some AML check.
> no one has still provided an explanation of why crypto is better than the established working system

because the govt cannot ban you from receiving payments if they dont like you.

They can’t with fiat currency either, if they could crime would be almost impossible.
Wikileaks were banned from receiving payments by the US govt.
And they found no workarounds to that whatsoever? (that didn't involve crypto)
Should a govt be able to ban your payments or take your cash if they dont like you?
Yes. How else do you police criminals? It's an absurd question anyway, they can and do, while there are methods people use to try and evade them. There's nothing about Crypto that changes that. It's just another system.

https://xkcd.com/538/

> How else do you police criminals?

Who is talking about criminals? Just because you expose the misdeeds of US govt does not make you a criminal.

> There's nothing about Crypto that changes that. It's just another system.

You can still receive payments in Crypto even though the govt forces the bank and credit card providers to close your account.

Its not just the US govt who wants to control your life, other govts want to do it to.

Payments might be a joke to you but there are many people whose life depends on it.

https://cointelegraph.com/news/how-are-afghans-using-crypto-...

I’m talking about criminals. I’m raising them as an example of why governments need these powers.

404 BTW

The link opens for me just fine, try using a VPN.

So your argument is that cash is also used by criminals so cash should be banned. Do you realise how ridiculous that sounds now apply the same logic to crypto.

Isn't the obvious solution to also reverse the transfer from Bank B to Bank C? If multi-hop transfers are treated as irreversible, then it creates an incentive for fraudulent sellers to collect all payments through multiple hops. If instead fraudulent transactions may be reversed at the first payment processor, the payment processor then has a financial incentive to make sure that they only pass through valid transactions.

In an analogous situation, suppose I go to a physical store and buy a TV, only to find that it doesn't turn on. I have the right to return it to the same store that I bought it from, and to receive a full refund. Nobody at that store manufactured or designed the TV, so why should they take the financial hit for a broken TV? Except that without that financial incentive, the store has little reason to bargain with their suppliers about defective merchandise, and the supplier has little incentive to fix a defective product.

(comment deleted)
> If instead fraudulent transactions may be reversed at the first payment processor, the payment processor then has a financial incentive to make sure that they only pass through valid transactions.

Yes, but it's only one of the incentives they're facing. Another one is to provide useful and convenient service to its customers.

Try to think more about the example I provided. The account in bank A is victim's, while accounts in banks B and C are owned by the fraudster. The transfer from A to B is fraudulent, but the transfer from B to C is perfectly legitimate as far as B bank knows: the name on the destination account in bank C might even be exactly the same as in bank B, so why would bank B have any suspicions? At best, it could reject incoming transfer from bank A if it had suspicions (which, by the way, why would it have?). Would you want to be a customer of a bank that can just reject incoming transfers, so that you have trouble getting paid?

Finally, consider that bank C might then allow the fraudster to withdraw the proceeds in cash. Bank C might be foreign, and B communicates with it through SWIFT, and might simply refuse reversing the transaction, or again might already have sent the funds to bank D in yet another country. The point is that you cannot treat regular financial transactions as reversible either. They might be reversible sometimes, especially if everyone involved acts in good faith, but there is no guarantee.

> In an analogous situation, suppose I go to a physical store and buy a TV, only to find that it doesn't turn on. I have the right to return it to the same store that I bought it from, and to receive a full refund.

That's not really an analogous situation. Here's what would be closer: imagine you order a specialty TV online from China. The retailer A orders a company B that manages it warehouse to pack it on a truck of company C that specializes in LTL, which then ships it to company D which coalesces LTL freight into packed containers, then puts on containers owned by a shipping company E, which ships them across the Pacific to port authority F, then we have a shipping company in G in states, another truck company H to ship it to train yard H that gets it to LTL company I's warehouse, which then is passed on to courier company J, an independent subcontractor K of which finally gets it to your front door. Then your TV doesn't work, and you want to return it.

Will you try to unravel the chain back the same way it arrived? Are you going to find the subcontractor K, and have him ship it back to courier company J, to send it back to the LTL company K etc? No, you'll go straight for the original retailer. Similarly, with financial fraud, you'd need to go straight for the fraudster.

> Isn't the obvious solution to also reverse the transfer from Bank B to Bank C? If multi-hop transfers are treated as irreversible, then it creates an incentive for fraudulent sellers to collect all payments through multiple hops.

Well ... some kinds of transferring wealth are legally harder to reverse after the first transfer.

In the United States, an old-fashioned way of moving money between people, the "check", has behavior specified in Uniform Commercial Code Article 3, Negotiable Instruments.

Article 3 is worth a read; it has filled in a lot of gaps for me about the bare-minimum legal requirements associated with activities like writing a check, post-dating a check, negotiating a check, stopping payment, etc. (In practice banks may do more than the minimum for customer service but it's interesting to understand the basics).

One of my favorite parts is the "holder in due course" rule ("§ 3-202. NEGOTIATION SUBJECT TO RESCISSION.")

If a check gets endorsed a couple of times and a new person takes it in good faith, then that new person is a holder in due course. Some remarkable things happen: even if the check has gotten a stop payment or has otherwise been dishonored, a holder in due course now has the right to the money promised by the check.

I wondered why the law would set up such a convoluted way of making certain payments irreversible. My dad explained:

"""[A] a widely accepted legal framework for negotiable instruments was critical to trade in the era before electronic payments. The problem is convenience - how can a buyer safely pay for goods or services without carrying around a lot of cash? The holder in due course rule basically lets the buyer's bank rely on the form of the negotiable instrument (including a genuine signature) without risking a claim for wrongful payment based on other facts about the sale it can't know."""

So -- can someone take advantage of this behavior to turn a dubiously valid check into an irreversibly one, and get the money?

Yeah! Totally! There's a guy named Robert Triffin who is, like, famous for buying dodgy checks at below their value, cashing them, and suing to get his money when the payor refuses to pay up. I don't have firsthand info about this, I just read news articles, but I think he gets a decent ROI. (See e.g. http://appellatelaw-nj.com/the-first-triffin-case-of-2011/

P.S. Some of my other favorite things about this instrument in the UCC:

* a signature is any mark you intend to be your signature (§ 3-401);

* a check can be written with almost any text and in almost any format on whatever you want (§ 3-104);

* checks can go stale six months after the datestamp but banks can choose to honor them anyway (§ 4-404);

* writing a future date on a check doesn't legally prevent it from being cashed unless you also tell your bank about the postdating in the same way you would make a stop payment order ( § 3-113, § 4-401 )

* If you have a dispute with someone about how much money they owe you for a service, and they give you a check, you can cash the check and write "without prejudice" to indicate that you aren't agreeing that this is the correct amount owed but you do want their money (§1-308). UNLESS the payor has written on the check "a conspicuous statement to the effect that the instrument was tendered as full satisfaction of the claim" (§ 3-311), in which case cashing that check discharges your claim. Which all frankly seems like a mess.

Reversing erroneous transactions is a useful feature of regular financial system.

Yes. A friend of mine is a branch manager for a major bank. She's one of the people who has to deal with unhappy customers victimized by scams. Recently, she had a customer who wanted to send a significant amount of money to a country in Southeast Asia. That's not unusual for a California bank. Then the customer showed up at the branch in tears. It turned out the customer was being victimized by a "relative in trouble" scam. Fortunately, the receiving bank had flagged the account at their end as suspicious, and hadn't yet let the recipient withdraw the funds. This allowed the transaction to be clawed back. It took phone calls, messages, management signoffs, and work by people in multiple banks to unwind the transaction, but the money was back in the customer's account in the US in a week.

Reversing a fraud transaction in the banking system is a rare event, and not easy, but it is often possible for a few days after the event.

I'd imagine "customer suddenly initiates an international wire transfer for a large amount, with no previous history of doing so" is a pretty reliable signal.

I've certainly had banks call me and explain the nature of wires, in an attempt to prevent me from financially foot-gunning.

In other words, the conventional financial system has footguns that you have to avoid too.
Nice, so it's just money with extra steps.
Sounds like a non-sequitur. Theft of cryptocurrency being illegal does not mean that it is safe, and doesn't offer any evidence at all against the parent's post that it is "safer" to use banking systems than to use blockchain.
Not to anywhere near the extent as they'd investigate and prosecute for $625M stolen from a normal bank.....
Do you have any sources to support that claim? You can see in the link above that a task force worked for years to catch that Bitcoin heist couple.
Sure. Google how many bank robbers got caught the past ten years. Do the same for BTC. Then look at what percent of BTC has been stolen. Look up what percent of USD has been stolen.

Conclusion? Far less effort spent on BTC cases and far less thefts resolved.

Sure but it doesn't mean I will get my "money" back like it would with a bank. There is no FDIC for crypto.
Plenty of crypto companies insure their deposits through third parties. Actually, Ronin users should have been able to insure their deposits with Nexus Mutual.
Unlike traditional banks with their burdensome regulations and gate-keepers, the permissionless, decentralized nature of the blockchain means that they can't get the money back.
The increased risk of total loss in the edge case is in exchange for a more efficient system with lower prices in the average case. Individual users should make an informed decision about the tradeoff.

See also http://go/hackernews/item?id=30838572 and https://en.wikipedia.org/wiki/Financial_crisis_of_2007%E2%80...

The whole thing exists because etherium is prohibitively expensive. And blockchain is far from efficient
This sounds like an argument for why companies should be allowed to sell unregulated drugs and use asbestos and lead paint.

Individual consumers, who we all know are extremely knowledgeable and informed on all topics interacting with their lives, should weigh the increased risk of total loss against generally lower prices. And then in the event they unluck into in the total loss case, they should just shrug their shoulders and accept that they were lucky.

Companies selling "unregulated drugs" could also mean people getting the covid vaccine in mid 2020 rather then waiting months and months for trials. People could have made that personal choice based on their own situation and risk factors. Also compare the regulation between "drugs" and "supplements" in the USA.

I find it hard to argue that "asbestos and lead paint" are the same kind of individual choice as a bank or unregulated drugs.

Yes, and it could have led to scammers selling fake vaccines that did nothing, or worse, killed people.
oh cmon, this comment (gowld's) should not be downvoted like that. It's a reasonable point to make even if you disagree with it
>> Imagine how preposterous the idea of storing $650mm in USD in a random game studio's checking account would be.

> Giving $650mm in USD to a random company is still infinitely safer than doing so with crypto.

Chris Roberts has a very interesting opportunity he'd like to propose to you...

Just as a side note, people give Starbuck literally billions every year. Not sure what would happend if starbucks get hacked and lost people money.
The difference is Starbucks have 6.5B in cash/cash equivalents, and there is no ways to convert SB gift card balances to cash. What is the hacker going to do with it, order 1B cups of coffee?
Well, he can delete all records about who has now many credits.
If that's all there is, it's easy to have a backup and bring back the balance into everyone's account.

This is a poor comparaison. This Starbuck money cannot be "stolen".

Here's another preposterous offering: 20% APY "risk free" from owning crypto.
They must just be loaning it out and slaying people endlessly on margin calls.
Congrats, you understand defi better than most degens now.
or muling for money laundering.
Everybody thinks they can time their exit before the Ponzi reveals itself.
If I recall correctly, so did most people in 1929 but when it came time to exit, the to rush to the exits overwhelmed the order sale system so people couldn't sell until it was too late.
I report each of these schemes that advertise on facebook as scams; they used to have a rule against crypto advertising but apparently that was lifted last December.
Cash app, Venmo, Wise, and hundreds of other payment apps are also this - perhaps a bit larger, more reputable, more regulated, but not fundamentally different (or am I missing something?)
What do you mean by 'real' fake money? ETH is money.
It is amazing to me that these bridges can't figure out a reliable auditing mechanism. I can't wait to learn about how this was accomplished. But with the amount of money at risk, it seems like there has to be a mechanism to secure these things and maybe have a backstop in the even something does go wrong.
Lots have bridges have figured out good auditing mechanisms, and have built in fail-safes, circuit breakers, daily limits, etc. Those aren't the ones in the news for getting hacked though.
In a system run by people, the transaction could be reversed, traced, and the culprits eventually brought to justice.

In a system run by algorithms, designed to avoid oversight by people (governments), there is no such powers. There's no reversal. There's no checking the name on the account the transfer was to. It's just gone.

I do not understand why people who have legal intentions would want to be part of the crypto economy. There's nothing but more risks with zero benefits.

Arguably it's the same risk as holding paper notes right? If I steal your life savings from under your mattress, there isn't necessarily anything to trace it back to me.

However, there is a physical limit, pretty damn hard to run off with half a billion worth of paper notes.

It isn't even just the limits of the notes themselves. Physical theft has to be done on location. You have to steal the money and get away as far as possible as quickly as possible. And there are local laws and police equipped to go after you.

How do you deal with it when the money could be in the pockets of an Eastern European teenager with one script run?

parent is talking about the financial system run by algorithms designed to evade sanctions and regulation, not being your own bank.

You absolutely can keep millions under your mattress and some do when they cannot launder it but it would be up to you to reverse the transaction in a forced wealth transfer vs the bank who can simply trace or even reverse a fraudulent transaction.

Why did you equally conflate the risks then immediately back peddle and say "physically stealing is harder i guess"?
I guess it comes across as me saying cash and crypto are equal. They're not. I was just trying to add nuance to the conversation.

I am wholeheartedly a supporter of centralized, fiat currencies.

You confuse legal with right. When the government is out for your money, crypto can be a life saver (as the recent russian example shows).

So maybe you shouldn't dismiss it so quickly just because it never happened to you.

Because it's cool money, and because it's a legal gray area.

I can't wait for the law to change.

At some point there will be a tax for receiving and sending dollars to a blockchain converter, or it will require some heavy regulations and control, and then maybe things will improve.

Unless people understand the Blockchain is used to launder money, nothing will change.

They think that government is tyranny, therefore lack of government is freedom. Yes, they are dumb as hell.
They forget, freedom to be screwed is also freedom
I don't think anyone actually forgot that. It's kind of the point.
What's so dumb about the idea of wanting to be responsible for your own outcomes? You make a stupid mistake, you suffer, nobody else does. If you don't want take responsibility for your own actions, feel free to stick to the mainstream financial system. Note however that as a result of that you'll be on the hook for bailing out other people's stupid mistakes when they fuck up, like how the taxpayer bailed out banks that made stupid loans during the GFC.
With that kind of attitude, how are you going to get more people to come in and provide you with exit liquidity?
More likely they think government monopoly over money is a form of tyranny, or that unchecked government power is tyranny.

See:

Civil forfeiture: https://en.wikipedia.org/wiki/Civil_forfeiture_in_the_United...

Executive order 6102: https://en.wikipedia.org/wiki/Executive_Order_6102

Greek austerity measures (which include the reduction of social welfare and benefits due to incompetence of government spending): https://en.wikipedia.org/wiki/Greek_austerity_packages

And the most important consequence, hyperinflation, often caused by central banks and governments: https://www.investopedia.com/terms/h/hyperinflation.asp

The illusion of security and stability is a very nice fantasy to live in. The price of everything you bought went up ~7.5% in the last year, the debt grows perpetually higher with no plan to ever pay it off, housing and stock market bubbles continue to grow, and this is totally normal and sustainable.

What I was saying... the government doesn't have a monopoly over money. The whole crypto narrative seems thought out by people who don't have a clue about how things work and have zero real-life experience.
> the government doesn't have a monopoly over money

Who is determining our monetary policy then? Who is setting interest rates? Where does the money for a trillion dollar stimulus package come from?

> The whole crypto narrative seems thought out by people who don't have a clue about how things work and have zero real-life experience.

Right now I'm questioning how much you understand about what money is and how it works.

> Who is determining our monetary policy then? Who is setting interest rates? Where does the money for a trillion dollar stimulus package come from?

I don't know... does the answer to any of these questions suggest to you that the issuance of currency is a government monopoly? If that's the case, you should probably start here: https://en.wikipedia.org/wiki/Monopoly

Because there are people in the world who can wake up and have lost all money they had deposited in a bank. There are people who have to pay 20% transfer fees to move money overseas. There are people who don't have the ability to open a bank account. There are people who can lose all their banked money if their government doesn't like them.

The first world doesn't have these problems.

Crypto is a bigger play than 'get rich quick'

Where in the world is it common to lose all money deposited in a bank? And, why not just create better banks?
> Where in the world is it common to lose all money deposited in a bank?

The last round of deposit haircuts were in Europe [1]. OP may be talking about having a bank account frozen by a corrupt government. Though if crypto became widespread, those same governments wouldn’t have trouble coercing people into giving up their keys.

[1] https://en.wikipedia.org/wiki/Bank_failure

Entire world in late 1920s, Iceland in 2008,Russia currently.

Of course my examples are a bit tongue in cheek, much more nuanced and not as "Bank bad" as I paint them to be. But It's entirely possible for a bank run/economic downturn to wipe out a currency overnight.

Does that mean crypto is the solution? It sure doesn't seem to be given cases like this (NFT/ETH being rugpulled from/by videogame devs). But I think that creating "better banks" can only mean "more government oversight", which leads right back to the original problem IE; economic/political factors having too much control.

I of course keep all my money in the form of expired New Hampshire State Highway toll tokens.

Currency takes on the value in which people believe it holds. Bitcoin is no different, and would instantly crash in the scenario of a worldwide financial system collapse.

It’s juvenile to believe otherwise, and reaffirms the believe that Crypto is just a 21st century pyramid scheme.

> I think that creating "better banks" can only mean "more government oversight"

I mean, a bank is just a financial business. Why wouldn't it be possible to improve "banks" but it would be possible to improve cryptocurrency companies (also financial businesses). What is the quality that gives you optimism that these new entities will be able to avoid the problems that you are worried about?

Like, I get that the technology is decentralized and it's impractical to track down every node, but if the plan is to run an illegal business that's hard to shut down...you do not need blockchain to do that? And if the business can be legal that seems like it's about laws - not the tech.

I suppose the other commenter doesn't really leave out the argument that "better cryptocurrencies" can only mean "more government oversight."

I'm not really sure what a secure, generalized zero-trust system really looks like, from an algorithmic standpoint or a political standpoint. ETH is arguably the first large-scale attempt to answer that question, but so far it has unequivocally failed to do that.

> but if the plan is to run an illegal business that's hard to shut down...you do not need blockchain to do that?

It sure as hell makes it easier. Think about NFTs for a moment - they have the perfect recipe for money laundering:

1. Subjective market value (examples: paintings, pokemon cards)

2. High market value.

3. Relatively-unregulated bookkeeping system (examples: other cryptos, any transaction in a tax haven)

4. Trivial mechanisms for layering as a result of (3).

5. Easy (not necessarily cheap) liquidation (examples: casinos)

I personally keep all my money in Culver's Scoopie Tokens. They're basically just forward contracts written by Culver's on behalf of the dairy industry. Highly liquid, as well.
I'm not a supporter of cryptos.

But most really corrupt countries.

So about half the world, if not more. A large part of Africa, a large part of Asia, a good part of south America, some eastern European countries.

If you want to create better banks, you'd have to pay bribes, millions/billions of dollars of bribes. So you're back to square one because you can't operate without charging huge fees or doing dodgy things.

Venezuela, Greece, Russia, Argentina, Mexico. All of these had government bank withdrawal locks at some point to prevent "bank runs".

The general population who had their money in the corresponding currency got f*ed because they could not exchange from their local currency to something better.

In Argentina, in 2002, they took everyone's dollars denominated accounts at the Argentinian banks, converted them to Pesos and devalued the peso by 75%. Everyone in the country now had 1/3 of the money they previously had. The country is arguably still recovering from that theft.

Currently, people who left Ukraine are finding out that their Ukrainian credit cards no longer work. Some people who have bitcoin are still able to use that.

Okay, now think about what would happen if Argentinians used Bitcoin. The same government would use the same powers to make the same request. Any business which accepted or made transactions in unapproved currencies would be punished. Any person keeping their money in a local exchange - as almost all Bitcoin users do given how expensive it is to do it solo - would have the seizure done automatically. The blockchain would be monitored by the government to identify non-compliant users — better hope you have perfect opsec and everyone have or will use it with does too! – and anyone whose lifestyle is incompatible with their declared income is going to be at risk, too.

There just isn’t a technical fix for a political problem. If you live under the jurisdiction of a government there’s such a wide range of mechanisms available for enforcement.

Everyone who had overseas bank accounts in 2002 Argentina did just fine. Bitcoin on a foreign exchange or in a self-custody wallet would also be just fine. Getting a foreign bank account is too expensive for your average Argentinian because you have to show up in person to set it up, but a self-custody wallet can be had on any minimal smart phone.
People who wanted self-custody could also keep their money under the mattress. The reason why most cryptocurrency users do not do that is because there are many failure modes which result in your money being gone forever.

You also left out the other part of the overseas bank accounts: you have to be rich enough not to need to touch the money — otherwise you'll run into the various restrictions on transfers. The same would be true of Bitcoin for the vast majority of people because very few people receive a paycheck in Bitcoin or can use it to pay their bills. Those meatspace connections are not easy to bypass as long as the government in question is willing to make an effort.

You vastly overestimate the effectiveness of the Argentinian government in enforcing currency controls and so forth.

Keeping money under the mattress is done in Argentina, but is not that common for large amounts since getting your hands on physical dollar bills in quantity in Argentina is extremely difficult. It's also difficult to determine if the bills are counterfeit, but Bitcoin does not have this problem.

I have heard stories of people paying their living expenses in Bitcoin and the people who receive it love that because the Argentinian peso is constantly devaluing. The person they pay spends all their money on the person paying them bitcoin because the currency devalues like crazy anyway, so it's much better to pay Pesos and save in Bitcoin.

My point is simply that usually when Bitcoin is highly successful at avoiding controls it's because usage has been too small-scale for the authorities to put effort into it. If it becomes large enough scale to be significant, I'd expect that to look a lot more like what we've seen so far in other countries where monitoring or even outright bans very quickly become effective.
We had something like that in the early 90s: in an attempt to combat hyperinflation, the government froze all the money above a certain small threshold on everyone's bank accounts (known as the "confisco da poupança", see the first bullet at https://pt.wikipedia.org/w/index.php?title=Plano_Collor&oldi... for a bit more detail). Even today, rumors of something like that happening again are enough to make old people take money from the banks, even though the country's constitution was later patched to specifically forbid that kind of measure (constitutional amendment 32 which changed/added article 62 paragraph 1 item II, see http://www.planalto.gov.br/ccivil_03/constituicao/emendas/em... for the full text).
Brazil circa 92 when president Collor froze everyone's account in an attempt to stop inflation.
> And, why not just create better banks?

If someone is in a position to “create a better bank,” they aren’t one of those who needs it.

> The first world doesn't have these problems.

… but a lot of first-world guys are trying to get rich by selling systems which costs too much even for first-world users and doesn't solve those problems. If you live somewhere where your government will seize your assets, cryptocurrency won't help your physical assets and will only help anything else to the extent that you aren't worried about jail or worse for you or your family. You can't fix that class of problems with technology and it seems rather heartless to use those people's plight as a marketing tactic for a system primarily used by affluent people for speculation & money laundering.

> There's nothing but more risks with zero benefits.

Risk has upside. That is the benefit.

I think this is where insurance companies generally pop up as a solution. I.e. the same solution as with regular bank accounts. Layering humans on top of algorithms makes sense.

We already have SWIFT and networks layered under humans in the fiat system, so now we're just pushing more complex algorithms. In the case of block chains, I'd say the concept of asymmetric cryptography is an improvement over mutual trust in secure backoffice communication channels.

I'm not into crypto (still thinking it's a solution waiting for a problem), but arguing that banks can do reversals isn't fair. Someone moving fiat quickly between banks will make it hard to reverse as well. I can't imagine a bank is going to just say "I guess they stole it from you, transferred it to us, but then withdrew from us. Let me go ahead and reimburse you anyway." That smells like a insurance case, no matter the underlying algorithms.

I'll actually try to add and defend crypto a little bit here:

> I think this is where insurance companies generally pop up as a solution.

Real legitimate DeFi protocols are now often supported by DeFi insurance as well. I know nothing about Axie Infinity and have no idea if this applies for them at all.

> (still thinking it's a solution waiting for a problem)

IMO, although this has been said many times the past few years, I think we're starting to get past this. In a very simplified view, DeFi protocols that do lending (e.g. loans based on collaterals), can do this fully automated, and it's because "the money is programmable" thanks to smart contracts and value stored. This type of lending took human work to do in TradFi and has overhead, in both costs and speed. I feel like this is the start of what real solutions/applications look like; it's something that wasn't possible before.

> In a system run by people, the transaction could be reversed, traced, and the culprits eventually brought to justice.

The answer to your question is encoded in the very first block of the very first blockchain.

> The Times 03/Jan/2009 Chancellor on brink of second bailout for banks

https://en.bitcoin.it/wiki/Genesis_block

Some people feel like they weren't being represented by the "justice" you're talking about, so they built their own thing where all the rules are publicly viewable, and consensus is run by the community. It seemed like a weird idea at the time, but the idea got popular, and people who like this new system have moved about two trillion dollars of global wealth into it.

If you like the old way money was managed, by big institutions doing everything they could to extract wealth from the general public with no legal repercussions, then the good news is that the old system still exists. There are just some other options now too.

Also, the idea that all cryptocurrencies are some laissez-faire Randian wet dream is simply not true. An extremely diverse array of crypto governance mechanisms are being experimented with. Many run by humans, all with their own interpretations of "justice", which you can read up on and participate in at will. Governance proposals reclaim funds judged to be unfairly allocated all the time. I doubt that will happen here, because Ethereum governance is generally very harsh on people who suck at testing code, but every person who lost money here knew exactly what they were getting in to when they chose to participate.

Genesis block does absolutely nothing to explain what it’s actual purpose is. Just another hand-wavey answer by a crypto pyramid scheme peddler in response to genuine criticism.
I don't think any of that is changed. If anything this allows that injustice to be amplified by those in power.
>I do not understand why people who have legal intentions would want to be part of the crypto economy. There's nothing but more risks with zero benefits.

You don't get bailed out if you fuck up, but also you aren't on the hook for bailing out other people when they fuck up. If you hold BTC, nobody's going to suddenly take a bunch of it to bail out banks that made shitty loans like during the GFC.

It's like the saying live by the sword, die by the sword.

because it facilitates person to person interactions without oversight. if you want to raise funds for an entity or cause that is controversial, it is useful to have an option that is nigh-impossible to subvert when done correctly.
(comment deleted)
> I do not understand why people who have legal intentions would want to be part of the crypto economy. There's nothing but more risks with zero benefits.

I agree 100% on the risk, and my main problem with it is the avg person getting caught up in it. But at the same time, you see all the "PayPal froze my funds" posts, etc, so obviously the current system is flawed in its own way.

You could imagine a future in which PayPal is a layer on top of Ethereum (or any other L1 chain) and provides reversibility, etc, for a fee, but at the same time the user also has the freedom to eject out of it and take all the funds with them. The maxi "everything must be 100% decentralized" take is a bit naive, so hopefully these accidents help us move in the right direction.

I think long term we might have a lot of the same guard rails we have today, but they'll just be re-built from scratch in a digital-first way, rather than what we currently have.

I agree. The crypto industry has made a lot of progress toward securing private keys, with another 5-10 years of cryptography I think it will be a somewhat 'solved problem', thereby allowing companies like PayPal to offer their own custodial / layer 2 services with minimal risk.

Institutional-quality digital asset custody and signing was basically non-existent until Fireblocks launched just over two years ago, and there is still a lot of progress to be made on cryptography primitives and infrastructure best practices.

You raise legit concerns. Though the practical degree to which recourse is available and the effectiveness and fairness of those reversals really vary depending on where you live and/or transact.

In a headline-grabbing caper like this the advantage seems obvious. But from the less sensational, day-to-day perspective of a small seller, reversals can be a nightmare ripe with fraud (google "chargeback fraud" for anecdotes) infeasible to pursue.

It does put onus back on the buyer / investor to do some diligence on who they buy from or send their money to, and increases the importance of reputation in the space. (I personally feel there's an opportunity right now for a reputation mechanism to complement the crypto economy and believe when that catches up it will help incentivize good seller behavior).

Kind of like when coins were primarily used as a medium of exchange. Coin payments didn't have reversibility, and adjudication stayed within the purview other institutions, i.e. courts, instead of being diluted and delegated to e.g. VISA. A more efficient dispute resolution system - some kind of analogue of the legal system civilization has built up over centuries - is another opportunity I feel is ripe for innovation in connection to the crypto space.

I do think the missing gaps of reputation and justice will be filled eventually and adopted by users, which would go a long way toward addressing your criticisms. In the meantime existing options of criminal / civil litigation remain available and people sending large sums of money would do well to make sure they know who they're sending it to so they can pursue if things go sideways.

Why are you actitng like theres no corrupt goverment? Your country is not the whole world
Not zero benefits. In your system run by people your money can be frozen or taken away without your consent. Recent example: peaceful protesters in Canada. There are also tons of examples, when scammers would reverse a good transaction after receiving the goods.

Another benefit of some blockchains: incredibly low transaction fees.

Another benefit: smart contracts.

I don't understand why you need to straight up lie.

> Another benefit of some blockchains: incredibly low transaction fees.

Indeed. This was the benefit of Ronin.

> Recent example: peaceful protesters in Canada

As a Canadian, and a former Ottawa resident, I can assure you those were not "peaceful protestors". I had friends and family who had to leave the city to escape the unending noise, the harrassment by the 'protestors'. There were arson attempts, assaults, threats, and general disregard for the law.

I've literally been a peaceful protestor in Ottawa (I was a student there after all). There's a serious difference between a daytime march for a cause and what those people did.

They're criminals, and were treated as such. I'm fully in favor of the government being able to seize the financial assets of criminals.

> Another benefit: smart contracts.

What benefit do such contracts hold over actual legal contracts? The biggest difference is that when legal costs have bugs, courts can resolve them.

BLM/antifa protestors burned hundreds of buildings, murdered at least 26 people, including children, harassed people in the middle of the night, tried to declare their own autonomous zone where they robbed business owners. And many people call them peaceful protesters.

Canadian protesters limited their noise to 10pm, didn't burn anything, didn kill anyone. Noise is what I saw from hours of footage. I didn't see harassment, maybe it happened, but it must have been an exceptionally rare thing.

How do you reconcile this?

because there are benefits for specific use cases to not requiring a human to be involved, mainly things like censorship .. in other words not something most people would need but something few can find zero other solutions for
The ethereum network has been rolled back before, so what you say is not correct.

Hence Ethereum Cassic, which didn't roll back.

Consider yourself lucky. You don't live in places like Russia, China or Canada, where your credit cards and bank account can be frozen or even confiscated without due process. For some living under these regimes, crypto is the only wealth they've been able to retain.
> or Canada

Come on now. You may not like the due process that was followed, but it was still due process (as-in following the letter of existing law). By this logic the US should also be included on your list because of civil asset forfeiture.

They invoked the Emergencies Act to bypass due process.

`When Prime Minister Justin Trudeau decided a week ago to invoke his country’s Emergencies Act for the first time in Canadian history to quell the unrest, it gave the police sweeping new powers to go after the finances of the protesters.`

https://www.nytimes.com/2022/02/22/world/americas/canada-pro...

As for the US, I agree they belong on the list because of civil asset forfeiture.

Same with Russia and China, or Ukraine - they have a process as well.

In the case of Canada, the process was the PM tells the banks to freeze the funds.

> It's just gone.

Funny, that's exactly what happened to nearly everyone in my country some decades ago. Government screws up the economy like always. Runaway inflation destroys the value of currency and our purchasing power. Then president gets desperate or something and just freezes everybody's accounts. Everyone's money at the bank, just gone. Because people trusted the banks and the government, just like you're advising.

Algorithms can be improved until they approach something close to perfectly secure..

People cannot be made to become perfectly incorruptible. Look at what happened in Canada, with the federal government envoking emergency powers to shut down bank accounts without due process. Look at the "haircuts" during financial crises, where states have seized citizens' funds held in bank accounts, to bail out troubled banks.

Look at Hong Kong after the protests, where some of those involved in the protests were prevented from opening bank accounts.

HAHAHAHA. Good. Blockchain is for clowns
I just finished reading The Cryptopians by Laura Shin. I am 100% convinced that this will be the rule of smart contracts (where a certain percentage will always be "hacked").

Structurally, smart contracts are very complex vehicles - and the financial reward to hack them is always higher than being a good player.

I love how crypto brodudes are all like "fuck the government, we want anonymity and no regulations", and the second their dumb system stops working and they lose all their gambling money, they come running back to the government. Fucking pathetic.
Privatize the profits and socialize the losses. Classic.
It's all "decentralized" except where it counts.
I'm so far outside the cryptocurrency scene that this reads like science fiction to me.
Echoes of Mt Gox: when something meant to be a much smaller operation (such as a place to trade Magic:The Gathering cards) suddenly finds itself playing a much bigger game.

It's like you agreed to temporarily store the Fort Knox gold reserves in your spare room, but still have the same ordinary lock on the front door.

> Fort Knox gold reserves in your spare room

What do you mean a wooden safe isn't good enough?!

Joke aside. This is the reality we live in. Almost makes heist movies pale in comparison. The failed Die Hard heist was planned in order to steal $640M.

I wonder how long until Hollywood will start making movies about these hacks.

> I wonder how long until Hollywood will start making movies about these hacks.

I'm guessing they would portray it as being in the "metaverse" so they get to actually show a physical heist happening. And yes, of course that's not even remotely how any of this works but that's never stopped Hollywood before.

These hacks are boring, it's just code - the closest to making code look cool was perhaps the Matrix.

Oceans 11 is interesting because what they're doing is explainable and interesting, running various commands in a console window isn't.

There is a whole genre of teen thriller movies that play out entirely in the medium of messages sent back and forth on phone screens. It's exactly as exciting as you can imagine.
There is a whole genre of teen thriller movies that play out entirely in the medium of messages sent back and forth on phone screens. It's exactly as exciting as it sounds.
Mt Gox was a place to buy MTGO cards, but had been closed for years before the owner reused the domain name to host the bitcoin exchange.
Supposing the hacker gets away with stealing such large quantities of stolen ETH without getting caught and their ETH is now sitting in a brand new wallet that everyone knows about. Is the next move to convert it into a privacy-preserving coin like Monero, then back to "clean" ETH?

source: https://ethereum.stackexchange.com/questions/2699/is-there-a...

Or you just keep it in monero indefinitely :)
> Is the next move to convert it into a privacy-preserving coin like Monero, then back to "clean" ETH?

I'm not sure there is enough liquidity in the Monero / ETH trading pairs to do something like that without being really obvious.

So how did they get the private keys? Wouldn't you make some sort of airgap system if you were securing most of a billion bucks?
Question for the legal-minded folk here. Is this "theft" illegal in the criminal sense?

It's exploiting an unintended hole in software, but it's technically following the smart contract faithfully, albeit against the better intentions of its author(s).

Has a smart contract case like this been litigated before?

It brings to mind comparable things that have happened in the financial services world, where one party insists on following a poorly-composed contract to the letter, to the detriment of their counter-party. Their actions were deemed unethical, but not criminally illegal.

In traditional courts? Yep, it's a crime because there is clear damage being done to the victims. As simple as that.
I'm not a lawyer. It appears that part of this heist involved hacked keys. That aspect would be straightforwardly illegal I would imagine.
this wasn’t a smart contract exploit, it was a stolen keys exploit. Very different, flat out theft rather than exploiting “code is law” (and almost certainly an inside job).
The attacker gained control of 5 validator nodes. This is as clearcut as hacking and theft charges can get.
I don't believe this has been tested in the courts.

But I don't see much difficulty in convincing a court that this fits the definition of theft in some jurisdictions.

In the UK: "Theft is defined by section 1 of the 1968 Act as dishonestly appropriating property belonging to another with the intention of permanently depriving the other of it."

A brief explanation of each of those terms is given, and I don't see any particular problems related to this being cryptocurrency. The point that "smart contracts allow what the code says and nothing else matters" does not fit with the dishonesty interpretation that "The owner would agree to their taking it if they knew about it".

https://www.cps.gov.uk/legal-guidance/theft-act-offences

If code is law this is perfectly legal.

I suppose in the real world intent would matter a lot.

That is exactly the reason why "code is law" is such an absurd concept. A piece of code alone will never be able to tell you what its initial intention was.

One could make the same argument of any computer system where the security wasn't as tight as one could hope.

"But judge, they never patched their $software to the latest version, so technically the software allowed me to dump the contents of the IMAP server"

Intents matter. If you commit a crime ("Stealing" is a crime), it doesn't matter if you did so via software, contracts, smart contracts, blockchain or else. A crime is a crime is a crime.

This isn't a case where there was a flaw in a smart contract. This is a case where they straight up hacked servers and stole keys from them.
Even exploiting a flaw in a smart contract is theft as long as it is clearly an exploit.
As far as I know, this hasn't been tested in court. Even if true, this goes completely against the idea of "the code is law."
It probably depends on the jurisdiction, and if they interpret the smart contract as a computer program, and have hacking laws they can apply, or as an actual autonomous contract that is legally valid. Both seem like plausible interpretations, but I think the former is more natural/likely for the typical judge.
intent means a lot. the intent is clear: to deprive ownership of something.
Legally CFAA criminalizes unauthorised access of systems even if they were available and unauthenticated.

If you are not supposed to have access and you accessed it is a crime. This is why whitehat work is also dangerous legally unless you have been invited in.

Here obviously the attackers accessed a private environment and stole the keys so yes it is a crime

Real world analogues can be useful for thinking about these situations: would the mob be able to steal your money and avoid charges because they got five of their guys hired by your bank to approve the deal? (Or redirected a phone line, faked letters, etc.?)

The answer is no because there’s a clear victim, and this wasn’t taking advantage of a mistake like e.g. a casino game which didn’t have the right formula but rather clearly subverting the safeguards built into the system. In the real world, no judge is going to look at that and say “well, that’s what the code did. Nothing we can do about it even though everyone knows it’s theft!” and a jury isn’t going to believe you “accidentally” broke separate safeguards on multiple systems.

That’s just the basic stuff which would have been true a century ago. In this case you’d also want to think about the relevant laws wherever they are based — for example, the U.S. CFAA bans use of a computer contrary to how the owner intends you to use it. Even if this wasn’t so clear cut, I’d expect them to successfully argue that knowingly subverting an oracle would meet that threshold since you clearly knew how the system was intended to work.

Something tells me that if indeed cryptocurrency sticks around it’s going to sprout rules and regulations that are a mix of banking and securities regulations, and that will suck most of the “fun” out of it.

We pause the stock market on a 5% drop and stoop it on 10%. Moving that much crypto in a day is probably never on purpose.

Though in a distributed consensus system I don’t know how you’d enforce such a thing.

Anyone who knows anything about human systems knows that that's the end point: We'll be right back to banking as it is today, except with less efficiency and a ton of wasted time and technology that could have been spent making the current systems better.
There's an analogy to be made with the internet and WWW. In some ways everything did revert from the early wild west days of the web to a small number of curated and censored walled gardens (Facebook, etc.) but it's not accurate at all to say that things reverted to a pre-internet status quo.
I think you can understand a lot about a technology or system by who is hyped about it and when.

Very early in the bitcoin days, cryptocurrencies were pretty interesting because it was nerds playing with a new kind of distributed systems computational tool. "Hey, here's a way to create widely available data without trust! Neat, what can we do with that?"

But for the past several years, it's clear to me that the majority of people in crypto are excited about getting rich. They generally strike me as the exact same kind of people that would be prospecting in the Yukon in the 1800s. They don't care about geology in itself, they care about what they can sell the gold for.

Ultimately, those kinds of people are exploiters and extractors. They may generate wealth and some of it may flow outwards to others, but I personally find that they do produce little that has any real meaning. The wealth they produce might coincidentally get used for something meaningful, but even that's a crapshoot. No one remembers the name of the dude who found the biggest gold ingot and that's likely for good reason.

I don't think the early days of the web were similar. Yes, it was initially nerds and then there was a huge rush of people trying to get rich. But at least the ones trying to get rich were trying to get rich by making something useful to others. It felt less like a gold rush and more like the westward expansion. More farmers than miners. The web was a place to make new things and not simply a direct means to play financial games.

The crypto bros—despite spinning up lots of businesses and coins and pretty websites with fancy logos—ultimately aren't out to make anything that touches anyone's lives. Imagine if one day all of the money disappeared from crypto and all promise of any future money evaporated. You could still do all the same crypto stuff, there was just no hope of making a dime. The whole system would collapse overnight.

That's not true with the web. Sure, a lot of businesses wouldn't be able to afford to keep running, but many of the people making stuff on the web would do their best to keep making their stuff on the web, because it was more about the stuff itself than the money.

Only if the math allows for this to happen. I am not convinced that the CAP theorem tradeoffs in cryptocurrency allow this, since consensus is statistical and nature, not based on any communication to determine authority to make changes.

Pausing or revising history requires a central authority that can be listened to. So either that won't happen, or it will happen when someone defects and creates something that uses the tools of cryptocurrency but with a more authoritarian philosophy.

> We pause the stock market on a 5% drop and stoop it on 10%.

Crypto: Hold my cascading liquidity.