That’s less than 1/4 of the stolen funds. Is everyone getting a 1/4 haircut on their money? Or are they going to try to continue operating as if nothing has happened and hope that no more than 1/4 of users withdraw their money?
I wonder how much they had to give up to take that much investment money that wouldn’t even get them back to being whole.
> The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed.
It sounds like they're putting in a bunch of their own money as well to reimburse people. I guess we'll only find out when they actually do that though if they are doing a full reimbursement.
"The round combined with Sky Mavis balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed. "
Yes, a 'reimbursement' is a direction of a payment (in my understanding). A payment can be in full, or partial so yes you can have a partial reimbursement.
It's definitely written in a way that all users could be partially refunded, and still be truthful. It's quite likely that Sky Mavis doesn't manage to come up with the money to make all their users whole, and as such it would be risky to promise to fully reimburse all users.
>all users get some refund, or all users get all funds refunded? ambiguity like that doesn't come cheap or easy
No, it's unambiguous. "All of our users' lost funds" doesn't imply "But not all of the funds". Nor can it mean "But not all of the users".
The meaning of their statement is clear, unless they're going ridiculous and disputing definitions, such as: What are "funds", or Who is a "user"
But whether it's possible for them to honor that promise? Seems doubtful.
I find it very hard to believe that they can promptly conjure up over half a billion dollars to refund their users. Firstly because I'd ask: what were they doing with that excess capital before?
edit: Although "committed to" does not mean "anytime soon"! Perhaps they plan to issue a token of some kind, and pray they can keep going and gradually make the users whole?
As long as insiders control 75% of the coins over time, through their fees or through the control, they can reimburse users fully (minus fees paid to Sky Mavis).
Remember, if you scam or charge $700M from your casino game users, you can accept $625M lost to theft and still make a profit.
But the announcement says "if this isn't enough to stabilize the coin, we'll take a treasury vote" presumably either to raise more funds or to default on their (non-legal) obligations to users.
Code is law. Radical decentralization. Users should not expect to get any money back from Sky Mavis (or any other cryptocurrency system). That's what they signed up for.
> The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury.
It's not fraud if they got robbed, unless going forward they claim to be fully collateralize.
Obviously their legal creditors in the real financial system (not the suckers buying coins) would prefer repayment to default, so it's in their interest to negotiate a new collateralization agreement to extract more money from "game" players (speculators) before shutting down and writing off the loss.
> Sky Mavis will increase the validator group to 21 validators within the next three months, which will be a split between various stakeholders including partners, community members, and long-term allies.
The blockchain network nodes that assure a transaction by rolling the transactions into a block, transactions are an interaction the contract (code), which is executed by the validators.
Think of it like a "voter" in elections on any decision about the network. Once you control the majority of these validators you can do absolutely anything you want with the money the network controls.
Does anyone have an article on this that require a little less background knowledge? The more I dig up about what Axie Infinity is, this hack and the (apparently) ETH backed currency it uses the more questions I have.
Axie infinity is a pokemon-like game where you collect creatures and use them in turn based battles.
It is one of the most popular of these blockchain games, and like most of them it operates as sort of a pyramid/ponzi. Winning battles with your axies rewards blockchain tokens which can be used to breed more axies which may be sold for real money to new players who are joining the game. There is also a lending system where the rich axie holders can lease axies to people in developing countries that can't afford to buy them outright, in exchange for a cut of the rewards. As usual, the whole thing doesn't make a lot of economic sense, so don't try to look for some economic justification that isn't there.
As for the hack, originally all the transactions and axie trading happened directly on ETH blockchain but that was too expensive because each ETH transaction is dozens of dollars. So Sky Mavis created a side chain for the game. You can deposit your ETH in the Sky Mavis account / smart contract. Then you can trade axies with other players using this account balance. Later, redeem the account balance for real eth to cash out. What the hackers did was steal the private keys for the sky mavis account and ran away with all the funds. We don't know if it was an external hacker or an inside job. Basically it's similar to the various cryptocurrency exchange hacks such as MtGox, Bitfinex, etc.
Sounds like they were operating as a kind of central bank using a gold standard and somebody ran away with part of the gold? If so then I at least vaguely understand what happened.
But it has to be crypto-woo that makes people think this is somehow a better thing to invest time and money in that just regular in-game money because as a way of investing money it makes 0 sense.
Guess it'll be a fun wakeup call for people that securities backed by goods are very different from the actual goods.
Most of their players are in the Philippines, and based on reading the subreddit and twitter replies are pretty technically unsophisticated. I think a lot of them just don't yet realize that they may not be able to cash out, since they're still playing.
> The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized
The investors are handing over cash to invest in the company. The currency will run without backing from now on. That means any big users trying to withdraw at the same time won't be able to. And if that happens, the investors money won't be used to fill the gap.
I don't get how they can openly operate like that. Won't this cause an instant "bank run" and stop any sane person from moving ETH in the opposite direction?
Nah, the plan is that users have been suckered in a game where they either accept their massive loss, or are forced to stay for years and slowly claw back their Eth while Sky Grifters and Griftance continue printing money
Now all those poor Filipinos they talk about "helping" will now keep playing-to-earn a currency they can't buy anything with, like they could before (with the requisite crypto hoop-jumping)
They wanted us to think that crypto represents a new financial system that fixes the mistakes of the current one and yet here they are asking for a bailout of helicopter money to cover for their own incompetence.
Is there a detailed technical description of this attack somewhere? The "official" page is very light on details (they got 5 validator private keys, no biggie, but something..something...rpc whitelist and oh wow now they got all the money).
Since 4 of the 5 compromised keys were under the control of one organization, it seems reasonable to wonder about an inside job.
Hmm...thanks, but reading those I don't see any more details. There is some good background information on side chains and bridges but I'm already familiar with the security risks in the typical trusted bridge design.
For clarity: I'm interested in answers to questions such as : how exactly did the attacker gain control of 5 validator private keys? The validators were running a vulnerable version of the Linux kernel, and the private keys were sitting in the filesystem, for example, could be an answer. And: what exactly is the mumble about RPC about? Did they build some sort of master key into the bridge contract, then left that key sitting on a machine with no root password?
Valid questions but they’re answers we will likely never know, because either the hack was an inside job and disclosure is bad for them or because they’re too incompetent to ever identify the real cause. Disclosure beyond “we were hacked” is not common in web3.
They're pretty important questions imho because if you can just compromise 2/3 the validators in a BFT network "like that" then the whole idea of BFT-based chains is broken.
>4 of the 5 compromised keys were under the control of one organization,
And it appears the final key was also under the control of the same organization temporarily.
I don't have more details because I don't think they've released any, but fundamentally, that appears to be the critical vulnerability which made this hack almost inevitable.
They began with a system that was extremely carefully designed to be decentralized (multiple signers) and then they centralized it.
Subsequently, the hacker only had to attack one organization, instead of five
- The bridge was controlled by a 5 of 9 validator set (ie. 5 of the 9 nodes needed to agree to withdrawals and deposits between Ethereum and Ronin)
- 4 of these nodes were run by Sky Mavis themselves (a bad idea), those were compromised because their internal infra was compromised in some traditional social engineering attack (ie. not blockchain related, just a normal cloud infra compromise)
- 1 of the nodes was run by the community-operated Axie DAO. However, that node had whitelisted Sky Mavis' cloud infrastructure a while back to allow them to run transactions through Axie DAO's node in order to use Axie DAO treasury funds to pay gas on user's behalf (to help with onboarding into Ronin).
This was discontinued, but they forgot to remove the whitelist (another critical mistake), so the hackers were able to use that Axie DAO node for the final 5th verification needed to steal bridge funds (because they had compromised the whitelisted Sky Mavis cloud infra).
TLDR: A traditional cloud infra compromise via unspecified social engineering attack, compounded by an insufficiently decentralized validator set allowing the bridge funds to be "withdrawn" to hacker's wallets by forging fake signatures. This is why decentralization is important in blockchain infra, and they learned the hardest way possible.
To honest I don't see how this can be anything other than an inside job. No reasonable person would expect someone to have setup the arrangement where a key controlling a kind of faucet would also be a validator key. That's insane and obviously a very bad idea. So whoever pulled off the attack must have known that a very unusual and very stupid arrangement had been created. Ergo they must have been an insider.
I don't think it was an inside job, it's actually pretty hard to wash $600m+ of blockchain funds already (it's highly traceable). Doing it as an insider would be truly insane.
The whitelisting wasn't a secret. Axie DAO is an open community, so it's easy to have known the whitelist existed and was left in. It was a very bad idea, but what can I say, people get cocky and make mistakes. The only difference in crypto is that it has a built-in bug bounty of losing stored funds like this, so you have to take security incredibly seriously, and they didn't.
Why? The concerns (how to steal the money, how to launder/tumble it) seem orthogonal.
Random question: is there a statute of limitations on this type of theft? If so, insiders would be highly incented to steal 600M today and then wait X years before using that one-time, anonymous wallet.
Because any investigative firm would first look at the very small set of insiders first, and it's harder than one would think to truly hide their tracks, especially since this was a traditional infra attack and not just an on-chain smart contract hack.
The fact that the FBI was able to recover the Colonial Pipeline hack funds from the hacker Bitcoin wallet, something that should have been theoretically almost impossible, basically told me that if you steal enough money for the feds to get interested, you better be in a country where they can't get to you.
It's definitely possible it could have been an insider, but I think it probably wasn't this time. In this case, Occam's Razor suggests an outside job. Reasoning:
First, as carlosdp points out, insiders are the first suspect, everyone knows that now, and the FBI has advanced methods of finding them and recovering the funds. There's more deterence factor now.
Second, hacking cloud infrastructure for industrial secrets and the like is so common these days, there are tons of black hat hackers and groups around the world that specialize in that.
Third, the hack was simple once it was realized that the 5th of 9 signing keys was compromised by the whitelist. Combine that bit of information with #2 and it's essentially a guarantee that someone will make an attempt at it.
Fourth, due to war in Ukraine, the world is in an elevated state of cyber warfare now. On top of the usual criminal hackers just looking to steal money, Russian and their allied hackers are seeking ways of stealing money to break sanctions, and/or disrupt financial systems in the West.
All this just increases the odds the attack came from outside the org.
600+mil is a lot. But realistically how hard is it to bridge it over to Monero/Zcash/other privacy preserving coins, then slowly funnelling them back in to ethereum for an exchange?
Unless all swap contracts are updated to somehow keep track of any funds associated with the hackers original address, washing up those funds it's just a matter of time, no?
It's not hard to do, but it is unlikely to provide the privacy protection you want against any sophisticated chain analyzer, like Chainalysis.
Those ZK-pool based mechanisms all depend on the amounts being significantly smaller than the total pool in order to attain reasonable levels of anonymity. Unless you intend to take out incredibly small sums over time (at which point, why take 600m), statistical methods will flag you eventually.
I guess maybe if you wait long enough, in theory those pools could get big enough to allow you to more safely retrieve larger sums. But all the while you are trying to hide this from coworkers and not tell a single soul and live below your means. Easier ways to make a ton of money in crypto right now that don't put you in jeopardy of jail time if/when you screw up.
Just because that was the amount locked in contracts :)
If you have that much money you'll find ways to funnel them out while keeping anonymity. Heck, even selling tokens in real life at half their market value is an option if you're desperate.
>"We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction."
I'll have 6 grams of whatever they're smoking, please.
Paraphrasing something I read elsewhere but is so true: defi systems have a natural bug bounty program where the payout for a critical is the entirety of the funds under management.
Fwiw that's not a new concept, it applies to cryptocurrency in general, not just DeFi, and people have been saying it since the early days. And of course it's true - finality and no clawbacks in decentralized systems means once it's stolen, it's stolen for good.
I don't understand the entire premise of these "play to earn" games.
Where is the money supposed to be coming from? In the real world, jobs pay money because the work is valued by someone who's happy to pay for it (and presumably would earn more from that output than what they're paying for it). If there was a cheaper/free way to get that output, they'd use that or get taken over by someone else who does.
In a game, what's the valuable output/resource being produced? The only potential thing I can see is for it is advertising, but there's a reason these services that paid you to browse/install a toolbar that would constantly display ads died out. It's ripe for fraud and even besides the fraud, that kind of advertising rarely converts and is thus worth nothing or less than the overheads of running such a platform. If advertising was a viable way to fund games, we'd already have that instead of lootboxes & microtransactions - and no blockchain required.
So far all the "play to earn" things I've seen are Ponzi schemes - which actually applies to the majority of crypto and all of "web3".
You're eighteen years old and see a Twitch streamer talking about how he's making $4000 / day by earning $SCAM tokens on this game. It doesn't look like a very interesting game, but you're good at games, why shouldn't you do this too?
To start earning by playing, just one small step: you first need to buy a character. They cost about $500 but of course it's a great investment. The only way to buy the character is with the $SCAM tokens, so first you just need to convert your $500, credit cards accepted...
And that is the real-world cashflow that pays the Twitch streamer and the company and the VCs. The tokens you earn in the game are only worth something as long as there's a steady stream of hopeful players bringing real money into the system.
In addition to this the vast majority of the people 'farming' games like axie are in poor countries particularly in south east asia. Just like how WoW offshored gold farming to china. Axie and similar play to earn games basically allow relatively wealthy western players to offshore the grinding to people in poor countries.
One thing I’ve been wondering is why are humans involved. If code is , shouldn’t there be lots of Axie bots directly interacting with the contacts and the blockchain. Cut out the game from the middle and just earn directly?
"We are pleased to reveal that we have raised a $150 million USD funding round led by the world’s largest crypto exchange Binance, with participation from Animoca Brands, a16z, Dialectic, Paradigm and Accel. The round will be used to reimburse user funds affected by the Ronin Validator Hack."
This immediately paints an image of a massive bonfire of cash in my brain.
Maybe this is off topic to your comment but every time I see a16z mentioned anywhere near crypto I have to laugh because I remember how big of a deal the "It's Time To Build" essay was only 2 years ago. Instead of building anything of actual use, they pour money into Ponzi schemes.
I find that with a lot of posts recently. I consider myself a smart, switched-on person and yet I'll read an entire article and not understand a word of it.
92 comments
[ 2.8 ms ] story [ 147 ms ] threadI wonder how much they had to give up to take that much investment money that wouldn’t even get them back to being whole.
It sounds like they're putting in a bunch of their own money as well to reimburse people. I guess we'll only find out when they actually do that though if they are doing a full reimbursement.
"The round combined with Sky Mavis balance sheet funds, will be used to ensure that all users affected by the Ronin Validator Hack will be reimbursed. "
rē″ĭm-bûrs′
transitive verb
To repay (money spent); refund.
To pay back or compensate (another party) for money spent or losses incurred.
To replace in a treasury or purse, as an equivalent for what has been taken, lost, or expended; to refund; to pay back; to restore.
Its unclear if it does according to this definition. I could see it either way.
Maybe they turn around and don’t do it but that sounds like all.
No, it's unambiguous. "All of our users' lost funds" doesn't imply "But not all of the funds". Nor can it mean "But not all of the users".
The meaning of their statement is clear, unless they're going ridiculous and disputing definitions, such as: What are "funds", or Who is a "user"
But whether it's possible for them to honor that promise? Seems doubtful.
I find it very hard to believe that they can promptly conjure up over half a billion dollars to refund their users. Firstly because I'd ask: what were they doing with that excess capital before?
edit: Although "committed to" does not mean "anytime soon"! Perhaps they plan to issue a token of some kind, and pray they can keep going and gradually make the users whole?
Remember, if you scam or charge $700M from your casino game users, you can accept $625M lost to theft and still make a profit.
But the announcement says "if this isn't enough to stabilize the coin, we'll take a treasury vote" presumably either to raise more funds or to default on their (non-legal) obligations to users.
Code is law. Radical decentralization. Users should not expect to get any money back from Sky Mavis (or any other cryptocurrency system). That's what they signed up for.
This sounds like fraud.
Obviously their legal creditors in the real financial system (not the suckers buying coins) would prefer repayment to default, so it's in their interest to negotiate a new collateralization agreement to extract more money from "game" players (speculators) before shutting down and writing off the loss.
If they allow deposits of new ETH, that creates a very real scenario of new suckers losing money.
Not surprising, the whole Axie Infinity game is a house of cards. Not exactly a Ponzi, but something very close.
My issue with Axie is its not decentralized, you can't even use a Ronin wallet without connecting it to their website first.
https://www.companies.sg/business/201913227N/SKY-MAVIS-PTE-L...
One of the more popular sites: https://tuoitrenews.vn/search?q=axie
Past: https://cpj.org/2018/07/vietnam-suspends-local-news-website-...
What is a validator?
Typical use cases include scamming retail investors and evading taxes.
So instead of having a centralized db, Axie (and other blockchain tech) farms out this work and storage out to 9 computers?
It is one of the most popular of these blockchain games, and like most of them it operates as sort of a pyramid/ponzi. Winning battles with your axies rewards blockchain tokens which can be used to breed more axies which may be sold for real money to new players who are joining the game. There is also a lending system where the rich axie holders can lease axies to people in developing countries that can't afford to buy them outright, in exchange for a cut of the rewards. As usual, the whole thing doesn't make a lot of economic sense, so don't try to look for some economic justification that isn't there.
As for the hack, originally all the transactions and axie trading happened directly on ETH blockchain but that was too expensive because each ETH transaction is dozens of dollars. So Sky Mavis created a side chain for the game. You can deposit your ETH in the Sky Mavis account / smart contract. Then you can trade axies with other players using this account balance. Later, redeem the account balance for real eth to cash out. What the hackers did was steal the private keys for the sky mavis account and ran away with all the funds. We don't know if it was an external hacker or an inside job. Basically it's similar to the various cryptocurrency exchange hacks such as MtGox, Bitfinex, etc.
But it has to be crypto-woo that makes people think this is somehow a better thing to invest time and money in that just regular in-game money because as a way of investing money it makes 0 sense.
Guess it'll be a fun wakeup call for people that securities backed by goods are very different from the actual goods.
> The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized
The investors are handing over cash to invest in the company. The currency will run without backing from now on. That means any big users trying to withdraw at the same time won't be able to. And if that happens, the investors money won't be used to fill the gap.
Since 4 of the 5 compromised keys were under the control of one organization, it seems reasonable to wonder about an inside job.
There's good commentary on Axie Infinity (the Sky Mavis game which got hacked) and links to more detailed explanations here.
https://web3isgoinggreat.com/?id=2022-03-29-0
(particularly by Molly White the owner of the web3isgoinggreat https://blog.mollywhite.net/axie-hack/ )
For clarity: I'm interested in answers to questions such as : how exactly did the attacker gain control of 5 validator private keys? The validators were running a vulnerable version of the Linux kernel, and the private keys were sitting in the filesystem, for example, could be an answer. And: what exactly is the mumble about RPC about? Did they build some sort of master key into the bridge contract, then left that key sitting on a machine with no root password?
And it appears the final key was also under the control of the same organization temporarily.
I don't have more details because I don't think they've released any, but fundamentally, that appears to be the critical vulnerability which made this hack almost inevitable.
They began with a system that was extremely carefully designed to be decentralized (multiple signers) and then they centralized it.
Subsequently, the hacker only had to attack one organization, instead of five
Incompetence? Inside job? Or why not both?
- The bridge was controlled by a 5 of 9 validator set (ie. 5 of the 9 nodes needed to agree to withdrawals and deposits between Ethereum and Ronin)
- 4 of these nodes were run by Sky Mavis themselves (a bad idea), those were compromised because their internal infra was compromised in some traditional social engineering attack (ie. not blockchain related, just a normal cloud infra compromise)
- 1 of the nodes was run by the community-operated Axie DAO. However, that node had whitelisted Sky Mavis' cloud infrastructure a while back to allow them to run transactions through Axie DAO's node in order to use Axie DAO treasury funds to pay gas on user's behalf (to help with onboarding into Ronin).
This was discontinued, but they forgot to remove the whitelist (another critical mistake), so the hackers were able to use that Axie DAO node for the final 5th verification needed to steal bridge funds (because they had compromised the whitelisted Sky Mavis cloud infra).
TLDR: A traditional cloud infra compromise via unspecified social engineering attack, compounded by an insufficiently decentralized validator set allowing the bridge funds to be "withdrawn" to hacker's wallets by forging fake signatures. This is why decentralization is important in blockchain infra, and they learned the hardest way possible.
Hope that helps!
The whitelisting wasn't a secret. Axie DAO is an open community, so it's easy to have known the whitelist existed and was left in. It was a very bad idea, but what can I say, people get cocky and make mistakes. The only difference in crypto is that it has a built-in bug bounty of losing stored funds like this, so you have to take security incredibly seriously, and they didn't.
Why? The concerns (how to steal the money, how to launder/tumble it) seem orthogonal.
Random question: is there a statute of limitations on this type of theft? If so, insiders would be highly incented to steal 600M today and then wait X years before using that one-time, anonymous wallet.
The fact that the FBI was able to recover the Colonial Pipeline hack funds from the hacker Bitcoin wallet, something that should have been theoretically almost impossible, basically told me that if you steal enough money for the feds to get interested, you better be in a country where they can't get to you.
First, as carlosdp points out, insiders are the first suspect, everyone knows that now, and the FBI has advanced methods of finding them and recovering the funds. There's more deterence factor now.
Second, hacking cloud infrastructure for industrial secrets and the like is so common these days, there are tons of black hat hackers and groups around the world that specialize in that.
Third, the hack was simple once it was realized that the 5th of 9 signing keys was compromised by the whitelist. Combine that bit of information with #2 and it's essentially a guarantee that someone will make an attempt at it.
Fourth, due to war in Ukraine, the world is in an elevated state of cyber warfare now. On top of the usual criminal hackers just looking to steal money, Russian and their allied hackers are seeking ways of stealing money to break sanctions, and/or disrupt financial systems in the West.
All this just increases the odds the attack came from outside the org.
Unless all swap contracts are updated to somehow keep track of any funds associated with the hackers original address, washing up those funds it's just a matter of time, no?
Those ZK-pool based mechanisms all depend on the amounts being significantly smaller than the total pool in order to attain reasonable levels of anonymity. Unless you intend to take out incredibly small sums over time (at which point, why take 600m), statistical methods will flag you eventually.
I guess maybe if you wait long enough, in theory those pools could get big enough to allow you to more safely retrieve larger sums. But all the while you are trying to hide this from coworkers and not tell a single soul and live below your means. Easier ways to make a ton of money in crypto right now that don't put you in jeopardy of jail time if/when you screw up.
Just because that was the amount locked in contracts :)
If you have that much money you'll find ways to funnel them out while keeping anonymity. Heck, even selling tokens in real life at half their market value is an option if you're desperate.
I'll have 6 grams of whatever they're smoking, please.
Single serving.
Except when there are, like the Ethereum fork to recover the DAO hack.
Where is the money supposed to be coming from? In the real world, jobs pay money because the work is valued by someone who's happy to pay for it (and presumably would earn more from that output than what they're paying for it). If there was a cheaper/free way to get that output, they'd use that or get taken over by someone else who does.
In a game, what's the valuable output/resource being produced? The only potential thing I can see is for it is advertising, but there's a reason these services that paid you to browse/install a toolbar that would constantly display ads died out. It's ripe for fraud and even besides the fraud, that kind of advertising rarely converts and is thus worth nothing or less than the overheads of running such a platform. If advertising was a viable way to fund games, we'd already have that instead of lootboxes & microtransactions - and no blockchain required.
So far all the "play to earn" things I've seen are Ponzi schemes - which actually applies to the majority of crypto and all of "web3".
You're eighteen years old and see a Twitch streamer talking about how he's making $4000 / day by earning $SCAM tokens on this game. It doesn't look like a very interesting game, but you're good at games, why shouldn't you do this too?
To start earning by playing, just one small step: you first need to buy a character. They cost about $500 but of course it's a great investment. The only way to buy the character is with the $SCAM tokens, so first you just need to convert your $500, credit cards accepted...
And that is the real-world cashflow that pays the Twitch streamer and the company and the VCs. The tokens you earn in the game are only worth something as long as there's a steady stream of hopeful players bringing real money into the system.
This immediately paints an image of a massive bonfire of cash in my brain.
It's also not as if there is one A16Z fund...they have many many funds.
The story of Renee L'Esperance, the model who was chosen to portray Mavis, is interesting:
https://sea.mashable.com/social-good/17831/she-taught-a-gene...