> Recommendation: Validate that the input of the function is not empty
> The Nomad team responded that "We consider it to be effectively impossible to find the preimage of the empty leaf".
> We believe the Nomad team has misunderstood the issue. It is not related to finding the pre-image of the empty bytes. Instead, it is about being able to prove that empty bytes are included in the tree (empty bytes are the default nodes of a sparse Merkle tree). Therefore, anyone can call the function with an empty leaf and update the status to be proven.
It seems like it was (at least arguably) impossible to exploit until they introduced a second issue:
> It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message.
EDIT:
Reading and noodling, I'm 99% sure these are separate issues. The vulnerability talks about passing in an empty leaf to the prove function. But that's not what the exploit is.
The exploit is using an unproven message. So they are passing in an actual leaf to prove. The problem is that unproven messages have 0x00 as root and some jabroni set 0x00 as the trusted root. So every message was treated as proven by default when it should be the opposite.
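To make the failure mode in the comment above concrete, here is a small Python model, written for this thread and not Nomad's contract code. It assumes a replica that stores, per message hash, the root the message was proven against (an unset entry reads as the zero value, as storage does), and that processing a message checks that stored root against a trusted root. With the trusted root initialized to 0x00, an unproven message's default zero root matches and the message passes; the hardened variant reserves zero as "never proven" and refuses a zero trusted root at initialization. All names, roots and messages are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# The zero value: what an unset bytes32 storage slot reads as.
ZERO_ROOT = bytes(32)


def leaf_hash(message: bytes) -> bytes:
    """Stand-in for the message hash used as the mapping key (constructed)."""
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    """Toy replica (hypothetical, not Nomad's code) that processes messages
    only after they have been proven against a trusted root."""
    trusted_root: bytes
    reject_zero_root: bool = False  # True selects the hardened behaviour
    # message hash -> root it was proven against; missing entries read as zero
    proven_against: dict = field(default_factory=dict)

    def __post_init__(self):
        # Hardened: a zero trusted root would collide with the 'unproven' default.
        if self.reject_zero_root and self.trusted_root == ZERO_ROOT:
            raise ValueError("trusted root must not be the zero value")

    def acceptable_root(self, root: bytes) -> bool:
        # Hardened: zero means 'never proven', so it can never be 'trusted'.
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return root == self.trusted_root

    def prove(self, message: bytes, root: bytes) -> bool:
        """Stand-in for Merkle-proof verification: record the root the
        message was proven against (the real proof check is out of scope)."""
        if not self.acceptable_root(root):
            return False
        self.proven_against[leaf_hash(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        """The check the thread describes: the message's stored root must be
        acceptable. An unproven message reads back the zero default."""
        stored = self.proven_against.get(leaf_hash(message), ZERO_ROOT)
        return self.acceptable_root(stored)


def demo() -> dict:
    """Run the healthy, misconfigured and hardened cases on one constructed message."""
    msg = b"constructed: release 100 tokens to recipient"
    good_root = hashlib.sha256(b"constructed trusted root").digest()

    healthy = Replica(trusted_root=good_root)
    misconfigured = Replica(trusted_root=ZERO_ROOT)  # the upgrade mistake
    hardened = Replica(trusted_root=good_root, reject_zero_root=True)

    hardened_rejects_zero_init = False
    try:
        Replica(trusted_root=ZERO_ROOT, reject_zero_root=True)
    except ValueError:
        hardened_rejects_zero_init = True

    return {
        # never proven, so the zero default does not match a real root
        "healthy_unproven": healthy.process(msg),
        # proven against the trusted root, then processed
        "healthy_proven": healthy.prove(msg, good_root) and healthy.process(msg),
        # zero default == zero trusted root: auto-proven without any proof
        "misconfigured_unproven": misconfigured.process(msg),
        # hardened: zero stored root is explicitly 'unproven'
        "hardened_unproven": hardened.process(msg),
        # hardened: the misconfiguration is refused at initialization
        "hardened_rejects_zero_init": hardened_rejects_zero_init,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that "unset" and "trusted" must never share a representation: either the sentinel is checked explicitly everywhere the stored value is consumed, or the initializer refuses the sentinel as a legitimate value. Doing both is cheap, and either alone would have closed the path this model reproduces.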
Anyone who's studied NTSB reports knows this is almost always how they go; a single failure that is no problem becomes one because of some other issue that doesn't normally happen, or couldn't happen because normally a third thing is always done ...
And when it becomes organisationally normalised that one layer of safety isn't working and the remaining ones are relied upon, then that's more like the subject of Normal Accidents [1]
I'm not completely sure of the mechanics of this exploit, but I've recently adopted the personal guideline of "all enums and integer IDs start at 1", and 0 is simply an invalid value.
Not a hard and fast rule, and not something that will catch tons of problems, but now and again it does help me catch an uninitialized value.
then whoever takes over maintenance from you and wants to make improvements says "hey, we can add this new v2 feature through the 0x0 which is available for future enhancements"
Unlikely. The way it works is you define your enums like this:
    enum class Color {
        Invalid, // Not a valid value.
        Red,
        Orange,
        Yellow,
        Green,
    };
I think if someone's crazy enough to reclaim a 0 value in an enum or integer ID, then they're probably going to do a lot of damage to the code no matter what you do.
Yeah, pretty much every integer enum I write has `UNKNOWN` or `INVALID` as the zero value. It adds either a `case` or a `default` to every switch and a clause or a `_` to every `match`, but it saves my ass even in non-security-sensitive settings.
That wouldn’t work in situations like this unfortunately. In the ethereum ecosystem the 0x0 address has a special meaning because it is used as the origin of things on chain when they are newly created (they are transferred from 0x0) and often also the destination of things when you want to destroy them (you “burn” something by transferring it to 0x0).
Fun part is, as far as I understand, this is just a convention and there is nothing intrinsic to 0x0 that makes it different from any other destination address. If someone were to find the private key for which 0x0 is the public half they would have access to a vast amount of stuff that has been transferred there over time. Finding this key is computationally infeasible, however.
If this legacy enum value had been handled later in the code, there would not have been a vulnerability.
(This isn't to say that the developers were bad. The person who wrote the code was extremely knowledgeable. It's just really hard to be perfect every time. )
Even excellent devs make security mistakes. That's why good teams build out processes like auditing, fuzzing, heuristics checkers, and require internal peer review.
This "you must be perfect" mentality is detrimental to building a security culture, IMO — no one is perfect, and the most excellent dev will slip up. Seeing the people involved in that commit, I believe that's what happened here.
Hoping we learn more in the post-mortem, and they revise their practices to catch this mistake in the future.
Lmao, people make mistakes, dude. Because they're human. What is seen here is a failure of multiple people, an organisation.
I remember AWS S3 went down in 2017 or so and the key point I took away from their article about it was that they didn't blame the junior dev that caused it, because it shouldn't have been able to happen in the first place.
Ah here we are: https://aws.amazon.com/message/41926/
"We are making several changes as a result of this operational event..." basically boiling down to "the employee in question is not at fault because our tools should not have let him do that".
That's common misinformation. The issue discussed in the review has no connection to what happened, and the narrative that it is the same issue, but it became exploitable after the update, is incorrect too. It affects a different part of the smart-contract logic. Yes, it's pretty close at a glance—because you have a zero-by-default problem somewhere close to the Merkle tree.
> Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge - all one had to do was copy the first hacker's transaction and change the address, then hit send through Etherscan. In true crypto fashion - the first decentralized robbery.
There are advantages to centralization. One may reasonably ask if trad-fi centralization is at the optimal level. This is just one way to spend money to see if the optimal level is below that. Lobbying for regulation is a mechanism to spend money to see if the optimal level is above that.
How is one supposed to know who can and cannot take money from the smart contract, if not by consulting the contract? If my sign says "Apples $0.00" and you take an apple, can I sue you (or have you arrested) on the grounds that you should've known the sign was wrong and the apples weren't free?
Yes. Systems in the real world are supposed to have common sense. That's why we have judges to decide if it was clearly an error, and people taking advantage of $0.00 should have known this, and therefore acted with malice.
Only cryptocurrencies are trying to have it both ways. They boast that big bad governments can't touch their money scheme, until someone finds a loophole in the code-is-law. Then suddenly law is law again.
Yes but the argument would (perhaps) be that they didn't actually agree to the implementation (including bugs) but rather to the intended/advertised functionality
The old mantra of possession is 9/10ths of the law is and always has been false. If I have something, I own it. That is the one fundamental truth. Now someone can come and try and take it back from me by force (Person, Court System, Rebels, Corporations) if they can exert more violence on 'me' than I can exert on 'Them'.
The problem with crypto is the 'keys' are what crypto is. No nation-state can come and take that away from me. They can kill/imprison/fine me, but then neither of us will have it. You would have to hack/fork the chain for that to happen (which has happened) or find some social way around it (if I have it on a centralized exchange, if I have a hackable hard drive, found my keys on AWS, etc. etc.). Additionally, with things like Monero and Tornado, good luck trying to find them.
But it's not as simple as a robbery, like they forced their way in, or gained access to a key that its owner attempted to keep private.
If you offer a sheep for 100 lb of apples, and someone accepts and gives you the 100 lb of apples, you owe them a sheep, even if you later think that deal was a bad use of that sheep.
If you say "currency is to move and out of my bank/warehouse according to these rules, conducted by this robot", and someone finds a profitable way to transact with that robot according to those rules, you have arguably signed away those profits to that someone, and they are then entitled to keep what the rule-implementing robot gave them.
This doesn't mean "code is law" actually works as a defense in court -- there are all kinds of reasons why that promise might be unenforceable -- but you can't casually assert that this is a robbery without examining the specifics of how the transfer happened.
Even if you can prove ‘robbery’ in the courts, the courts have no ability to follow up on their threats like they would in the normal financial system. That’s my point.
People have been prosecuted for this sort of stuff over the past few years.
'Code is law' is just a reddit meme at this point, that has no basis in reality. 'Smart contracts' are just regular contracts, but with more opportunities for theft.
The International Obfuscated C Contest has taught me that programmers can make small mistakes on purpose and it's almost impossible to distinguish legit mistakes from malfeasance.
If we have a situation where:
* It's hard to tell, after the fact, whether 'a mistake' was a bad actor.
* The programmers are, by and large, anonymous.
* The benefit of making 'a mistake' could be hundreds of millions of dollars that are not easily traced.
This situation seems rife for abuse and bad actors. Not saying it happened in this case. . . but how would you know?
> In Solidity, the order of evaluation of sub-expressions is unspecified. This means that in f(g(), h()), g() might get evaluated before h() or h() might get evaluated before g(). Practically, this order is predictable, but Solidity code shouldn’t depend on that behavior between compiler versions. In most circumstances g() is evaluated before h() (left-to-right order), which is also the behavior that most languages specify in their standards. However, in the case of emitting an event with indexed arguments, the arguments are evaluated right-to-left.
I feel that order-of-evaluation dependence is a special case of the general conflict between expression-oriented (functional-style) programming, and impure operations requiring sequential reasoning. Another case of this conflict is temporary values (expressions) with side-effectful destructors (sequential reasoning), for example https://fasterthanli.me/articles/a-rust-match-made-in-hell#w....
At this point, is it good practice to avoid using side-effectful procedure calls as parameters to other expressions (especially those with multiple inputs), but instead first assign to a temporary value to make order of operations explicit?
I've always enjoyed the underhanded C contest, but I don't think it's active anymore. Thanks for this. The 2022 entry that I saw was very much in the same spirit.
I can totally get why a lot of folks are anti crypto, but from a dev perspective it is REALLY a fun place. It is possible to have fun and make money AND not be a piece of shit in crypto dev.
I don't like the industry and I believe that, in general, its existence currently is a net negative for humanity.
Currently, I believe that most 'web3' and 'crypto applications' exist to drive fear of missing out leading to monetary investments in crypto by people who don't understand the risks leading to the story here (150 million lost or stolen). I think of my grandmother or uncle investing in crypto and losing their retirement savings. I personally know family members who have lost low 5 digits. Why? Because they wanted to invest because it was the future, web 3, fomo.
I actually believe the world is a worse place because of crypto.
Can that change in the future? 100%
Does this mean that you and people who work in the industry are bad? Not at all. I've worked in industries when I was younger that - now - I think were a net negative for the world. I'd be a hypocrite to throw stones at people just trying to live...
Maybe governmental regulations of this will change my view.
I think the mistake here is seeing cryptocurrency as an investment. That's not what it's for. It's a currency used to pay for goods and services. The rise in its value comes directly with the freedom to use it to pay for goods and services that avoid government/corporate malfeasance and liberate commerce.
For example, I can get a drug that I have a legitimate RX for through the (regulatory) captured corrupt American healthcare system at 100x markup, or I can buy high quality generics on a darknet market for pennies per pill.
Another example: Monero is a privacy coin that is designed to be untraceable, and Mullvad (VPN) "Privacy is a universal right" offers a 10% discount for Monero, Bitcoin and Bitcoin cash. Fantastic utility for people looking to break out of oppressive government firewalls and spying.
I think cryptocurrency is a massive boon for humanity. And treating it like an investment is foolhardy. It's a currency. If you don't have a plan to spend it, why would you mine or buy it?
I saw all this coming when Bitcoin first came out and I remember thinking it was expensive at $6/BTC. If I'd kept half of what I bought back then I'd be a multimillionaire today, but if I'd kept it, it might not have become as valuable as it is today either. The value of a currency comes from using it, not hoarding it.
> Maybe governmental regulations of this will change my view.
Government regulations spurred on by the regulatory capture and oligarchy designed to squash the little guy are a huge problem.
"It's a currency used to pay for goods and services. "
No. They're magic trading cards.
Saying 'Crypto Is Currency' is saying 'Baseball Cards are Currency - just nobody uses them as currency, yet!'.
Crypto is neither a very good store of value nor a currency.
It possibly could be both (different variations) but likely not better than regular money in most cases.
"I think cryptocurrency is a massive boon for humanity"
Where are these 'boon' things?
Buying 'generics' on the Black market - basically evading the law is a good thing? What about 'hiring hit men'? Maybe it would be better to just have the laws changed. I don't see where Crypto provides the 'boon'.
"Government regulations spurred on by the regulatory capture and oligarchy designed to squash the little guy are a huge problem."
Yeah, not with currency though.
Like you say - currency and investment are different things.
If you don't like USDs, then just don't hold onto a lot of them.
It's a great currency, just not a very good store of value.
Crypto hasn't yet demonstrated its benefits, and a lot of the terrible things about Crypto are still ongoing.
Totally understand your POV. I am pro crypto because I think banks and VC and hedge funds and market makers and all of these shadow/mystery shits that go down in the real markets are scammy and evil. While it's possible to obfuscate things on a chain ledger, it's impossible to really hide. Blockchain tech puts everything in the open, which I think would prevent a lot of crime that exists today and goes completely unchecked.
I prob didn't say all that super well, but I hope you get the spirit of my argument. I totally respect your opinion here though because you are not wrong :)
Problem with arguments like these is you put all of crypto/web3 into one category.
Yes there are scams out there. Lot more than other fields. But just take 2 or 3 solid examples - Uniswap, DyDx, etc -> These are much more open and decentralized and transparent than their TradFi counterparts.
If you think Uniswap is a scam, you haven't looked into it yet. Yes, the tokens that get listed on it can be scams, but that's up to the buyer to assume the risk. As a tool, it's so much more transparent than anything that existed before it.
Yes, but the parent comment also put all banks and hedge funds into a single category.
> If you think Uniswap is a scam, you haven't looked into it yet. Yes the tokens that get listed on it can be scams but that's up to to the buyer to assume the risk.
I never said anything about Uniswap personally, but using a company that can list scams as an example about how non-scammy crypto can be is a little strange to me.
So you wish to change a system where tens of thousands of people regulate currencies, and a significant number of them are scammers or evil, for a system where tens of people regulate currencies and half of them were actually convicted for scams, sometimes multiple times, and who live in non-extradition offshores. Great idea, awesome.
PS: this is what I actually hate a lot about tokenbros - they say that there is a problem in the economy with unaccountability of the world elites (ok, true at least somewhat), and then want to supplant it with an even worse system, even more centralized, even more unequal, even more dangerous to common people, even less secure, and even less accountable for the elites in charge. The sheer audacity of their lies is mind boggling and induces literal rage.
This is actually my big issue with the Austrian school of economics.
Get rid of state extortion and then what? Get extorted by local oligarchs or warlords doing the same thing? If the world changed into their utopia, we would end up with some form of feudalism again and we would have to fight our way back to democracy.
It is easy to argue that X>0 extortion is unjust and hence this pillar of society ought to be demolished, but that is the fallacy of composition. That pillar might not be the best or prettiest but it certainly is important and without it a lot of things would go wrong. What is ignored is that the pillar protects you from Y extortion where Y > X.
When I wanted to learn Solidity, at the time, I was really into yield farming. I forked the sushiswap masterchef contract and just played around with tweaking it. You can do this for (basically) free on a chain like BSC or Arbitrum, or you can play around with forking a network using Ganache or hardhat (or Foundry if you are a Rust nerd).
Crypto Zombies is a very good interactive intro to Solidity, despite being REALLY outdated at this point (last I checked it was using Sol 0.5 or 0.4).
My best advice is find some popular crypto concept you vibe with and just start messing around. Vyper is also growing in popularity so that might be worth checking out too!
> hundreds of millions of dollars that are not easily traced
If they keep it in blockchains only, it's hard to connect to a real identity. But if they cross the line (which is everybody's goal eventually) to the real world, they can get caught as easy or even easier than in traditional financial system.
I don't know how anyone would commit anything more than pocket change to a scheme where an insider could deliberately introduce a weakness and then exploit that weakness to walk off with all the funds committed.
Slipping an exploit into an npm package doesn't let you easily run away with tens/hundreds of millions of dollars in the same way web3 projects do.
That said, I personally doubt this happens much if at all, because if you want to scam on web3 you can just do a good old-fashioned pump&dump and nobody seems to be receiving any legal/criminal consequences as of yet.
Somebody who directly invested the majority of their money in an experimental bridge protocol that raised its seed round 3 months ago is by definition not a normie.
The main point still stands. The crypto world sees "the code is the law" and non-repudiable/non-reversible transactions as a feature. The rest of the world (correctly in my view) sees it as a bug.
No wall street banker was running around telling everyone how awesome MBSes are.
However, morons spamming TikTok, Twitter, Facebook and every social network to find a sucker to invest in their super 20% profit moon monkey future currency can be found in a minute, reaching hundreds of thousands. Plenty of normies lose their money in this.
The 2008 financial crisis decimated many regular people's portfolios and was largely set in motion by ubiquitous MBS speculation.
My retort was half-baked because two wrongs don't make a right. But it is ironic to see that many normies here don't see how MBS caused massive wealth loss across all investors worldwide without them directly speculating in that asset class. While, so far, this hack hasn't caused a crash in crypto assets.
‘Normies’ didn’t lose all of their money selling credit default options and swaps on mortgage-backed bonds. They wouldn’t have access to the markets for those instruments or the capital to do so, and if they had access or capital, they weren’t a normie.
Bad analogy. This explanation has actually been done pretty reasonably by a few people. Further than that - after such explanations, it's clear even to normal people who's to blame, whereas software and cryptography are much more esoteric in that department.
Of course there is no justice in either case, but at least normal people can see who is most appropriate to behead in the case of the traditional financial catastrophes, in the purely theoretical revolution.
If you got burned by mortgage backed derivatives and lost your life savings, it's ultimately because you were (knowingly or not) speculating on the value of real estate assets and making an assumption about future values of said assets.
In the case of Nomad, it's that you put yourself at risk by using their service you could've lost everything you put in.
I'm sorry, but they were selling shitty sub-prime mortgages as AAA investments, my friend.
They claimed high-risk mortgages would turn AAA by the magic of financial and statistical shenanigans. That's not far from "zero initialized vector" shenanigans.
Investing in AAA securities is not speculation, by financial standards, by the way.
They're not. Just as "everyone" was saying that those particular real estate assets were incredibly risky, so too is "everyone" saying that all crypto assets are incredibly risky.
> Challenge: explain to a normie that their life savings is gone forever because of a zero initialization vector.
You mistook a currency for an investment opportunity, and gambled your life savings on one thing. Currencies have always and will always fluctuate against each other. Diversify your investments.
I don't think that helps. Saying "5% of your money is gone because a developer fucked up, and you have no recourse." isn't going to go down well with anyone.
I mean, saying "5% of your money is gone because a company in your index fund went bankrupt, and you have no recourse" is no different. And things happen like that all the time. It's why all normal financial investments come with very explicit upfront warnings that they're not guaranteed.
The issue is treating a currency as an investment is just...foolhardy from the get go. Just don't do that. It's silly. People saw the value of it go up - or start to have any in the first place really - and saw a "get rich quick scheme" where there wasn't one. It was the birth of a digital currency, nothing more.
If a currency crashes, not only does that 'really matter' for most regular people who will have some material savings in that currency, it also creates really terrible problems for everyone using the currency.
The value of a currency is in its integrity over time.
It doesn't have to maintain perfect pricing parity etc. however, it must not just vanish and fall apart.
We can see this with USD and seigniorage with the petrodollar.
People hold USDs not because they think 'it'll be worth more' but rather, they'll be valuable in the future, because USA won't crash and fall apart.
This crypto stuff is mostly stupidity with bad economics all the way down.
I'm confused about why anyone is comparing the security of a defi token swapping platform to that of a fiat savings account.
If you want an apples to apples comparison you should be comparing the security of a savings account to that of a cold wallet. Those are much more alike in their function.
I don't think we classify people who engage in cross network token swapping as "normies". That's like classifying algorithmic day traders as an "average joe investor".
They’re not. The vast majority of early liquidity in this and most DeFi protocols is raised from institutions, VCs, and trading firms.
This is especially the case for protocols like Nomad that don’t yet have a native token. They’ll get liquidity commitments through over-the-counter SAFT agreements that give the VCs a percent of the future tokens.
The reason this happened is that Nomad's contract was "upgradable". This is a pattern where the source code of a contract is able to be replaced by a privileged developer account. This was not how Ethereum was intended to work and it actually needs some pretty convoluted stuff to make it work (see the UpgradeBeacon related code here: https://etherscan.io/address/0x88a69b4e698a4b090df6cf5bd7b2d...)
The reason developers make their contracts "upgradable" is simple greed- they want to be able to launch more quickly than other projects without needing to ensure their code will stand the test of time. This may be OK for a social networking app MVP, but it's not OK for a smart contract which a user ideally should be able to audit and understand (or at least rely on the audit of someone else). "Upgradable" smart contracts can always be changed after the fact, as happened here, which means that any audit is meaningless.
Top tier projects still do use simple un-upgradable smart contracts. Uniswap first wrote v1, then improved it and launched v2, then v3. The Uniswap v1 and v2 contracts are still running and usable, and will be for as long as Ethereum is around. Their security properties will always be the same as they were the day they launched.
"Upgradable" contracts mean that you are trusting your money to some anonymous fat fingered (or at worst, criminal) dev, and it could disappear at any minute. They defeat the entire purpose of even using a blockchain.
Yes - but not having them upgradeable means that if your contract is dealing with a lot of money and a small bug was discovered, you are unable to patch it after the fact, even if people are actively abusing that bug
It’s not really about greed. Deploying a program and having it unchangeable forever comes with risks, and more often when dealing with very complex applications, those aren’t worth it
People should NEVER touch any upgradable contract. It is literally centralized, and defeats the whole purpose of DeFi.
Yes, writing perfect code is very hard. But smart contracts are an example of code that must be extremely thoroughly tested, formally verified and so on.
But that doesn't go well with being first to market, move fast break things, etc.
Are you kidding me? They lost 150 million dollars and the only penalty is to write up the bug on twitter? These children are playing with peoples lives. There’s a body count to losing that much money
This is a really severe heist, but the latter part of your comment seems rather dramatic. Crypto is still generally not a medium of exchange, and most users are still speculative investors. Most of these investors have a hedge (or are using crypto as their hedge), except for the foolish.
There is a monetary value you can attach to a human's life, as much as that seems to be taboo.
Depending on how you measure, that value is (in the US and Europe) typically in the order of 1 to 5 million USD.
So it's not outrageous to assume that losing 150m comes with a body count, even if the funds wouldn't have been used to directly save or improve lives otherwise.
But when someone wisely observes that crypto is useless for anything except scams, some cryptoenthusiast answers, but no, it is useful as a medium of exchange for people in third world countries with difficult foreign exchange restrictions.
People are often in a prisoner's dilemma, where they are relying on the developers/team to spearhead the investigation, including the judicial investigation against the perpetrators, with the chance of there being a financial remedy,
and so therefore nobody is trying to kill or impair the developers/team.
If you were referring to people committing suicide or being suicided by the people they borrowed money from, that's not everyone's problem, and people in those circumstances should re-evaluate to avoid that risk or accept that risk.
It is important that users come to better understand the different risk profiles between:
1. Owning ETH with a non-custodial wallet.
2. Owning ETH on a CEX.
3. Depositing ETH into a smart contract to receive a wrapped asset. This includes rollups and L2s.
The majority of major crypto hacks[1] are in the 3rd group, and almost all of these hacks are related to protocol updates and governance. Either: the developers update their code, and accidentally push a bug, or one address or a group of addresses are allow-listed some privileged actions in the contract and that can become a weak point.
Proxying and governance isn't the only way to design contracts. Two examples counter to this that are more robust are WETH ($6B) [2] and ETH2 Deposit ($20B) [3] which cannot be attacked in this way. If users wanted a new feature from the WETH contract, they would have to manually migrate over to the new address. Eventually we might see this kind of design be applied to bridges and rollups.
Anyone who unironically believes "code is law" or "code is the contract" should be taking a hard look at this and realizing how terrible those ideas are.
Really? Even with all the data showing how biased Human judges are?
At my day job, I automate everything because humans can't reliably perform basic tasks.
I'm not a believer in web3 or crypto but believe computers to be more impartial and would rather see them eventually take over certain aspects of legal work.
Judges are there to provide judgement. It's literally in the name. Judges are deliberately put in positions to make nuanced decisions. Yes, bias exists, but the solution isn't dogmatic and inflexible application of law.
Kids used to call the act of editing Facebook posts via the element inspector and taking a screenshot "hacking". Considering the triviality of most web3 exploits, I think the descriptor still applies.
With a bug that's trivial to exploit, you've got hundreds of people exploiting it; with a bug that's hard to exploit, you've got maybe only yourself or your agent exploiting it.
Which of the two do you think will more likely come back to haunt you? The one where any authorities investigating will need to dig up the backgrounds and connections of hundreds of blockchain addresses exploiting the transaction, or the one where only a single address exploits the transaction? Won't their attention be primarily on those idiots who try to withdraw the money in the US, say, vs that one transaction out of hundreds where someone in Barbados had their proceeds deposited into a bank and withdrawn as cash before closing the bank account (that they opened with a false identity, maybe?).
When there's a single account performing the exploit, all of the investigative resources will be applied immediately to that account, making it far more likely that the account in question will be tracked up to the point of withdrawal, and potentially flagged in time to prevent such a withdrawal. With hundreds of others distracting any authorities, it becomes hundreds of times harder to track down the original perp.
Think of those heist movies where someone throws a handful of cash up in the air to help avoid pursuit. Same idea.
Seems very unlikely. If it was a deliberate bug, the contract wouldn’t have been slowly drained over hours. The attacker would have known how to exploit well ahead of time, and had transactions/contracts/infra ready to grab the full $190 million inside one or two blocks.
As SomeCallMeTim says in another comment, the other withdrawals make great cover.
I have zero evidence for my "deliberate sabotage" theory. OTOH it seems entirely plausible and in line with the general scamminess of many cryptocurrency systems. OrangeMonkey's comment expounds better on the social and legal aspects that make deliberate fraud such an attractive possibility: https://news.ycombinator.com/item?id=32318939
The sabotage theory requires the saboteur to predict that they can get enough of the gains, and that competition doesn’t cause fees to rise (losing gains to fees).
There was another bug where someone tried to grab the coins without broadcasting the bug into the pool (by using a well designed double transaction), but they made a slight mistake, and other traders immediately took the coins instead by algorithmically detecting the bug (as soon as the example transaction was published on the blockchain) then algorithmically generating transactions.
Fundamentally, smart contracts as a technology are pretty doomed if their function requires the assumption of perfect code with no stop-gap when that assumption inevitably breaks.
We can't expect widespread public adoption of a system like that; even lay people are too familiar with how unreliable software is.
I’m not holistically recommending the currencies they were designed alongside, but I fully believe that there is a right way to build smart contract languages, and that they look a lot more like Pact or Plutus than an EVM compilable dialect.
Both are functional, which means easier to read, and Pact is non-Turing complete and strictly typed, making it even easier, so much so that formal verification tools can assess what a contract is capable of automatically - a much smaller search space than EVM bytecode.
When code is not permanent and backing millions of dollars or more of value, the trade-offs may favor more powerful or flexible languages, but the ability to read and understand code and what it can do is so wildly important for smart contracts that I don’t see a world where Pact isn’t moving in the right direction contrary to the EVM.
> If developers could make a small mistake that caused this, imagine what could happen when The Merge goes through.
I don't get your comment: Ethereum itself has worked without any issue since it came out, in 2015 (?) or so. Many smart contracts, not built by the core Ethereum devs, have been exploited, but from Ethereum's point of view everything worked flawlessly.
Why would the Ethereum devs, who have created a blockchain that has worked perfectly fine for seven years (including many upgrades), suddenly screw up the merge to PoS badly?
I mean: I don't doubt we'll see many more hacks (and I don't know why so many people are so keen on putting so much money in smart contracts) but the people in charge of Ethereum itself seem to be quite competent and have a track record of several years without any exploit to prove it.
ETH had the benefit of PoW working and proven for years prior to deployment.
Switching to an entirely new consensus model, that has never been done before, is complicated and a big reason why it has taken as long as it has.
Furthermore, there is a giant target (huge sum of money) on ETH's back now. If you had an exploit for PoS, why would you reveal it early?
As the person below also states... they could just fork and fix things, but this time, it will be a lot harder to do so without entirely destroying the value of ETH.
This is a massively risky venture that takes more than just hope and prayers. As we've seen in many many hacks over the last few years, even the most competent developers can miss something crucial.
Ethereum's PoS has been running since December 2020. Right now about 10% of all ETH is deposited on it. What's coming up is the "merge", where the rest of the chain starts looking at the PoS network for choosing blocks, instead of looking at mining difficulty.
> Right now about 10% of all ETH is deposited on it.
Nope. The ETH is just in a rather simple write only deposit contract on ETH1. [1] It is also not 'all' ETH, since there is no hard cap on the total amount of ETH in existence.
It is also a bit more complicated than just looking at the beacon chain. That beacon chain has zero value tied to it. So while it has been running just fine, there hasn't been a reason to attack it. It also hasn't been used to actually do anything really... and now there is a use. There is also a lot more communication going on between nodes that didn't exist before. All of these things become attack surfaces.
That's an...interesting view. Let's skip the semantics and stick to facts, which are these:
- 10% of the current supply of ETH is in the deposit contract, and can't be withdrawn from the deposit contract.
- Every address that deposited ETH into that contract got a corresponding balance of "ETH" on the beacon chain. (I'll call it "ETH" instead of just ETH to avoid arguing over whether it's really ETH.)
- The beacon chain is functioning as designed, and the "ETH" balances of various addresses are getting changed over time. The economic incentives appear to be working. People are keeping their nodes up and running to get rewards, and trying to avoid getting slashed.
- The plan is for stakers to be able to withdraw their balances to the main chain, from the beacon chain. When someone withdraws, an ETH balance will be incremented on the main chain, and the same address will get its "ETH" decremented on the beacon chain.
Right now, the contract is one way and there is no way to withdraw. The code hasn't been developed yet. The ETH or "ETH" or whatever, are secure because there literally cannot be insecurity without some code to break.
Heck, even "The Merge" doesn't enable withdrawal... it is scheduled for some time after (still to be decided and coded... more potential security issues) and is of course a slow trickle too (first people who can withdraw win the short market). That 10% is about as secure as you can possibly be in that it is effectively burned at this point and will require yet another hard fork to unburn it.
Let's go back to the premise of my original comment:
PoS is a lot more complicated than PoW and offers a much wider attack surface.
Any large mistake in the code that causes financial loss is going to go down a huge rabbit hole of how to manage consensus around fork choices and will likely have at least a short term devastating effect on the market.
I want to see PoS succeed, but as a 20+ year developer, I'm very skeptical it will go off without a hitch.
There are hundreds of blockchains that have been using Proof of Stake for years. Finally, if exploited, everyone will just agree to rollback again; there's no destruction of ETH.
You can't just generalize all PoS as being the same code and execution. ETH is quite different from the rest. Furthermore, none of the other blockchains have even close to the level of value (not just $ amount, but also fame) tied up in them.
As for rollback... that's what created ETC, but this time, it is different... with PoS, the 'stake' is tied up in the network. It isn't external, like it is with PoW and isn't as easy to just fork. You're effectively now forced to convince everyone to follow another canonical chain, but you don't have an external way to do so. Forking becomes a lot harder. It also becomes a lot more complicated and hasn't even been done before... how much 'testing' has that gotten?
How are exchanges going to agree to rollback after they have already exchanged those tokens with others? Someone has to burden the loss, so it might as well be the original blockchain that got exploited.
Yes! This is exactly the premise of Jeff's essay [1] that I mentioned in comments below.
This gets messy fast when there is an issue and even worse is that there isn't a published plan for how to deal with things when they do come up. Everyone is betting on it all executing perfectly and given the complexity and value at stake here, chances are that at some point now, or in the future, it won't go well.
Before 2018, Ethereum had a similar downtime to Solana
Ethereum is continuously developed to remove bugs.
For example: Until 2017, it was possible to send a specifically signed transaction (without the correct private key) that resulted in the msg.sender having a null sender address. This was fixed in EIP-86
What you are describing is a protocol-level bug, rather than a smart contract bug. The merge has already occurred successfully a number of times on test networks, so it seems unlikely at this point. But if a catastrophic failure were to occur on mainnet, clients would just revert or fork to a working state.
The reason you cannot just roll back a smart contract exploit like Nomad's is that it is very hard to build consensus across the entire protocol unless it is something that affects many users. The only time this happened was with the DAO which held something like 15% of all Ethers at the time, and so it affected the entire network. Compare this to Nomad which held something like 0.1% of Eth's total circulating supply.
> if a catastrophic failure were to occur on mainnet, clients would just revert or fork to a working state.
Except with PoS, it is different. People keep applying the PoW mentality of a fork to PoS and it just doesn't work that way. Jeff wrote a good blog post [1] on this a while back that took me a long time to come to terms with. It boils down to this paragraph:
Proof-of-stake is inherently self-referential. It is possible to have two perfectly consistent, equally valid chains - perhaps with different stakers. Since “stake” is defined within a blockchain, it cannot be used to pick between two blockchains. Under the right kind of stress, the real, unwritten meta-consensus protocol that determines "which blockchain do we pay attention to?" will be revealed. Exactly what that is will depend on the nature of the fork.
This is untested on ETH PoS and could result in a significant loss in value for ETH holders. Not only that, but it gets even more complicated with stablecoins that are on ETH. What makes all of this quite interesting is the exchanges who get to decide which USDC on ETH they sell to you. Likely a big reason why exchanges, like Coinbase, are some of the largest ETH stakers.
The article is not really presenting any strong arguments aside from literal hand waving the "<complexity>". The same hand waves could be made for PoW. See the last time it made discussion[1].
The article suggests that two chains can simultaneously exist but that would invalidate the protocol, which will always choose one using LMD GHOST. You can read more about it here[2].
Not really. PoW is orders of magnitude simpler than PoS and is vastly easier to reason about. I can explain the concepts around PoW in 5 minutes to someone who doesn't understand it. PoS is a lot closer to a Rube Goldberg contraption than PoW is. The proof in all of this is the years it has taken to even get to the point we are at today.
> Articles describing the complexity involved
The whole point of my original comment is that this is A LOT more complex than a bridge contract and therefore will be subject to a larger attack surface. Thanks for validating that point.
I agree with your point that PoS is more complex and has a wider attack net than PoW, but I don’t agree that users will not be able to coordinate on a new fork in case of a protocol failure. The worst that may happen is that another hard fork emerges, where the majority of the ecosystem follows a single chain with the bug reverted, and some group of outliers such as disgruntled BTC miners or people who profited immensely from the bug decide to try their luck with a smaller fork. And that is fine... users are free to decide what fork to follow, and they can run client software that chooses a different chain.
By “loss” do you mean that of the exploiters losing tokens because the community decided not to follow the hacked chain?
The goal of all the shadow forks and merge testnets is to find the different edge cases and failure states to answer those questions of “what is the failure plan?” If mainnet merge somehow does not succeed despite these tests and all clients fail to produce blocks, the merge can just be delayed until the bugs are resolved. If mainnet merge succeeds but later a bug emerges, users can coordinate a change to revert the lost funds.
Loss could come in many forms. We can't predict that future yet, but we can be wary of it.
> the merge can just be delayed until the bugs are resolved
This is one of the losses. Every time the merge is delayed, price drops. Price is currently trending higher right now because the merge looks like it is on track.
Delaying the merge also has a loss... for the miners who are currently securing the network. aka: the bomb. The bomb is an embarrassment because every time it gets pushed out, that is essentially the minimum amount of time before the merge can happen.
> users can coordinate a change to revert the lost funds.
How. I want a detailed plan. So far, I haven't seen it.
You are conflating "people losing tokens" with "people losing the USD value of their tokens." It is very likely that the market becomes unpredictable before and after the merge, value of ETH may plummet or skyrocket, and holders of ETH should be prepared for that.
> The bomb is an embarrassment because every time it gets pushed out, that is essentially the minimum amount of time before the merge can happen.
That is not how the bomb works. It is a soft deadline. If the developers feel the merge is ready, they can initiate it before the bomb occurs, and miners will immediately be forced to transition their hardware to other PoW networks. If the developers do not feel the merge is ready, and the bomb is fast approaching, they can delay the bomb by another month or even a year and it will not have an impact on the timing of when they actually decide to initiate the merge.
If the worst that can happen is "embarrassment" for having to delay the merge again to fix a critical bug, I think you are overblowing this. The developers will happily delay the merge until all the bugs are fixed, and the users are happy to have this happen as they would rather wait for a working merge than rush toward a broken one.
> How. I want a detailed plan. So far, I haven't seen it.
Every time the protocol rules change, developers are activating a fork by coming to consensus on the new rules - all client software must coordinate code updates to match the new rules. Eth core developers and client teams have been doing this regularly over the years, and especially during the approach to the merge. They can coordinate a revert or fork, just as they have coordinated the past several forks[1], to fix these issues.
It is fine to imagine a hypothetical failure case for the merge but this does not mean "it cannot be fixed." It might be messy, the value may drop, coordinating the fix may take some hours or days, and it is even possible the chain stops producing blocks for some short while if it is very catastrophic. Users still holding ETH going into the merge should be prepared for these situations; it is probably the most significant development in cryptocurrency and DLT since the Bitcoin genesis block.
If you want more details you can always read the Gasper paper[1], the spec[2], or client code.
It is complex to somebody not familiar with consensus and blockchain execution, but you might say that about any modern engineering. PoW is undoubtedly simpler but also exponentially more environmentally destructive.
I personally find the ESG argument to be a misnomer. You're trading security and a well defined execution layer, for a significant amount of complexity. If you want to moralize energy use, then you have to apply it at all levels, not just call PoW bad for the environment.
There must be thousands of people scanning contracts and defi protocols for any updates or changes and then trying to exploit it. A single exploit is equal to 1000s of years of income even at a regular tech job. This is happening every few weeks now it seems.
So how come there was 150 million in this? Haven't the people "investing" done their due diligence and reviewed the code? Shouldn't that be the expected behaviour like we all do with transitive dependencies?
Oftentimes the market doesn’t like upgradeable contracts for this reason; ironically the misunderstood idea of smart contracts not being upgradeable is paraded as a bug
All these Web3 companies have a seriously difficult problem to solve -- you want to hire the best and brightest engineers to really lock-down your systems, but how would you prevent a core dev from 'accidentally' enabling some obscure attack and then going home that night and exploiting it? Hackers here are going to clear tens of millions of dollars.. an A++ rockstar engineer maybe makes $1M/year in total comp? How would you ever prevent insider attacks? How can you or the police tell the difference between a coding mistake and an intentional exploit?
As does ours - but they manually review things to give them a 'sense check'. That doesn't scale at all to the crypto world where the concept is permissionless and instant transfers. Said differently, how would you implement multisig in a setup like Nomad and prevent this type of attack?
I've been harping on this part of DeFi for a long time... developers should be writing very good tests. Along with that, security reviews should be followed. This is the review in question [1] where developers ignored the possibility of an issue. This is the commit [2] that likely caused the issue, no tests added. Along with a large chunk of "never brag about your security" hubris [3].
Couldn’t you send this sort of message privately? The post gained a number of replies and the sentiment that “web3 is trash” is about as common today as “McKinsey is trash.” I would advocate HN send warnings in private as, respectfully, public warnings look like flamebait IMO.
It's vital that such messages be public. Their most important function is to signal to the community what sorts of comments are/aren't ok here, and indeed that the site is moderated at all.
> The post gained a number of replies and the sentiment that “web3 is trash” is about as common today as “McKinsey is trash.”
Those are both low-value, ad hominem attacks that don't substantively engage with content, and they are both comments that erode the quality of discussion in our community.
No! We need more "web3 nonsense" like this. This is the closest the internet has felt to the cyberpunk dreams of the 90s. Outlaw hackers exploiting bugs in automated smart contracts to hijack cryptocurrency is the future Gibson promised us.
True, but it's funny how all these hijinks seemed so cool in the books. Jacking in while in a grimy Tokyo nightclub as your friend, the assassin with razorblades, watches your back. But in reality, it's just all so pathetic. Sometimes I feel like a cyberpunk fan in 1988 found a monkey's paw. Made a wish that it would all come true. And it did, but in a much more banal & sad way than the fan would have thought possible.
Replace the Tokyo nightclub with an air-conditioned military intelligence office in Pyongyang, where crypto is flooding in via ransomware payments and web3 exploits. That's the reality and it would still be quite sensational... as a Tom Clancy novel.
I don't think this one was North Korea. And yes, most aren't.
North Korean cryptocurrency hacks are a bit distinctive. Rather than finding logical bugs in contracts, they tend to use traditional spearphishing / social engineering to get targeted people to run malware, which they then try to pivot to stealing keys / access credentials. Then after a hack, most crypto hackers try to obfuscate and store their stolen coins on chain somewhere. North Korea already has a large and practiced money laundering network, so after a hack the money immediately starts going to hundreds of different places in the real world, perhaps to mules or to faked accounts in Southeast Asia.
Where's the connection? Ransomware is the other side of the equation: using things like bitcoin to launder money. That's substantially different from exploiting cryptocurrencies.
I remember how disappointing the DDoS attack on Dyn was several years ago. Science fiction had finally come true, people's fridges and toasters had been turned into weapons. Become part of a botnet and, checks notes, took down some websites for a couple hours.
You do realize that much of the 'cyberpunk dream' science fiction of the 90's was actually harshly critical satire and dystopia of what the world would look like when technocrats and technology rule people, right? Like you realize William Gibson books and such aren't just cyberspace opera/Star Wars in VR... it's showing the real suffering that was possible when you blindly trust technology to rule society. Gibson is honestly a bit of a Luddite in his mistrust of technology.
I don't agree that cyberpunk was critical or satirical of technology, any more than film noir detective stories are critical satires of telephones, guns, and automobiles or the gritty parts of town; that's just a setting and some props, they're stories of human nature.
the real fun of "cyberpunk" is supposed to be open source hardware, modular phones, cyber decks, laptops with six folding displays, ipads with gpio pins and it's not a step closer to reality. sad. :( instead we get this web3 nonsense. hate it.
Is it really supposed to be open-source? A common cyberpunk trope is that mega corporate conglomerates own everything. Cyberdecks are modified and reverse-engineered, yes. But generally come from a mega corp.
> modular phones, cyber decks, laptops with six folding displays, ipads with gpio pins
We have all that, although most of it from smaller Chinese manufacturers. More than that we do have truly open source hardware, you can download schematics for almost anything, modify and design your own chips and circuits based on open designs, dream up your own hardware, and if you know the right people in Shenzhen you can email it all to them and they'll build it for you.
The reason so few people take advantage of any of this is that it didn't turn out to be that useful.
And this is why we live in a boring, most stupid dystopia with bullshit tech. People exchange the walk-on part in the war for a lead role in a cage, and it's rarely a lead role, too. I guess that's what you get if your paperclip optimizer is geared towards manufacturing consumption. It's just very sad to see all the potential just ... wasted.
While you're not entirely wrong, have you seen the stuff people are building with even simple off the shelf components like Arduinos and Raspberry Pis? Even FPGAs are within the price range of individuals, and small companies can easily go full ASIC for a few 100k$ if you want to get really custom. There is nothing stopping you diving head first into this world and designing and building (or having built) basically any hardware you want.
that, and also that this is all incredibly low level stuff. there are no hot-swappable modules, only base components. also it's very expensive and only makes sense in bulk to get them from China.
The numbers talked about in crypto exploits are in the hundreds of millions, if not billions. I would have thought the 'cyberpunks' chasing these would be completely outnumbered by state-backed information warfare groups.
You know, it'd be really funny if the CIA had figured out a way to hack crypto etc to make extra money to finance black ops and had successfully managed to blame it all on North Korea.
I don't remember Gibson but I wonder if we can get to the point that outlaw hackers limit damage to the wealthy and send "refunds" to the exploited. That would be worth celebrating.
Only read the Voyager letters, but those sums listed point towards people being very wealthy.
I could see the point if we were talking of hundreds, but we are talking of sums of over hundreds of thousands. Which to me is very wealthy on a global scale at least.
Like communism, that idealism fails on the part where the one stealing a lot of money (or appropriating it in communism for the greater good) has to actually give it back to somebody that is not himself
Interesting analogy. Is this exploit a Hindenburg or a steam train wreck?
It is probably both. The model of allowing governance updates from a contract owner on a bridge or rollup is not sustainable and will have to change to mitigate these kinds of risks. Whether that means crypto networks as a whole will inevitably be replaced by a central banking system is harder to agree with.
Crypto for banking is... mildly interesting. Not very many people have this mindset, more should.
It's being sold as revolutionary, literally, being able to overthrow $x in power or to the more susceptible as a way for everyone to get rich.
So people who believe in it think it's some grand revolution of freedom, and people against it just see it as scammers exploiting the foolish.
What it actually is going to be is boring. Regulated like the rest of finance, centralized like the rest of finance, but with a few new features which will end up not revolutionary but "oh I guess that's nice". It will also come with weaknesses that older centralized institutions don't have that will seem ridiculous at times.
It should be about as exciting as a new programming language for bankers. Like sure if you're a banking programmer you might think it's cool, but not the kind of thing that'll get superbowl ads or the topic of your uncle joe's podcast.
Snarky comparisons to the Hindenburg aside, I really think things like this disaster in the long line of disasters that won't end is just another blow to the excitement of crypto which won't disappear completely or dominate but become a mundane method for the exchange of value which to the end user is only slightly different than the old ways.
If you look beyond the most vocal proponents you will see a range of opinions.
I do think it will, over the next 10-20 years, completely revolutionize how we think about digital assets and digital currency. For the average user it might not be any different than paying with Apple Pay. But there will be other novel applications and companies that emerge from this space much like what occurred in the years after the dot com boom.
I really doubt crypto will have anything like the impact of the rise of the Internet in the 90s.
There hasn't yet been a killer application besides money laundering and speculation bubbles. It's been long enough and there has been nothing but toy applications outside of people specifically trying to evade laws in various jurisdictions.
The actual applications are just going to be boring.
Holding on to crypto personally for actually paying for things is awful, and worse than cash. Not only can someone take it from me with violence, they can also take it from me because of inevitable software bugs. If there's a centralized account with an institution, it isn't at all different than an account with a bank with dollars. And it becomes easier to see my entire spending history for anybody that sells me something unless I actively launder my money.
It may never meet the impact of the web but held to that standard, maybe no technology ever will.
The killer application is Ethereum and the ideas it has spawned, including new global financial instruments like stablecoins, decentralized exchanges, NFTs.. and cryptography like zk-STARKs and MPC.
With PoS and privacy enabled rollups this technology can certainly disrupt and compete with today’s popular payment processors in the next few years.
But yes, the most successful consumer applications will probably be boring, like PayPal or Apple or Stripe adding blockchain based mechanisms under the hood.
- stablecoins - this one is thousands of years old, because it's essentially IOUs. Nothing new or special, except of course Giancarlo's token printer :) .
- DEX - sure, new thing. We all see how it works out. This is what, 5th DEX exploit just this year? And I'm talking only about big exploits.
- NFT - literally useless junk built on lies and insane lies. I dare you to name even one area which NFT can improve.
- cryptography - maybe, I don't know. Though I suspect that those developments can be simply self serving for token industry and not really transferable to other industries.
- BigCorp adding blockchain - why though? What would they get by introducing a private, inefficient, slow and not user friendly (users = employees of those corps) data storage? Private BC completely defeats all its small promises about decentralisation or privacy etc.
- all these protocols are beta software, less than a few years old. Uniswap as one of the oldest is probably also the most secure.
- NFT: ability to hold custody over a digital record without relying on a single private company's servers to uphold that. But I expect you will move the goalposts...
- Cryptography: take a minute to look at developments in ZKP, MPC, new signature schemes. Many uses outside of pure blockchain[1].
- BigCorp: because they can extract value from it. If 5% of Shopify or PayPal users want to use crypto payments, the company can support that method and charge rent on it. Or they can ignore crypto, and let another company absorb the potential revenue. But because they like profit, this is why we see Shopify, Stripe, and PayPal all integrating crypto currency.
Accepting external cryptotokens like BTC or ETH is one thing, but it is totally not a "like PayPal or Apple or Stripe adding blockchain based mechanisms under the hood" end quote. Sure, assuming the external ecosystem is at least somehow working on its own, then payment processors can integrate with it. But using blockchain tech internally is dumb and pointless. (unless we are talking about Git, but tokenbros try to pretend that is not a blockchain anyway)
I don't see how digital IOUs are anything novel or invented by tokenbros. Paper or digital, it's the same thing essentially.
NFTs... How EXACTLY does an NFT "hold custody" of anything? Please describe what you mean by that.
If you are asking "how does NFT hold custody" of a digital record then I assume you have never looked at how NFTs work at a technical level. If you know code, you can look at the ERC721 spec yourself.
A practical example of an application on top of this is namespace aliases that are held non custodially by the users through an ERC721 contract - see ENS. The user's private key gives them access to a record within a smart contract, allowing them to update some state or transfer ownership of the data object.
Haha, you got me :) . DNS records is actually a valid case. I have no idea if it is also a "better" case, but lets assume so for the sake of argument.
I will clarify my question better now, hopefully. How EXACTLY does an NFT "hold custody" of anything not living fully on the blockchain already? So any physical object, or any digital object outside of cryptotokens and DNS records on the blockchain.
> How EXACTLY does an NFT "hold custody" of anything not living fully on the blockchain already?
I am not suggesting it does. I am suggesting it allows you to hold ownership of an asset on the blockchain. At this point it means ENS, art, collectibles, loans, stablecoin positions, user accounts, and other assets that can be defined digitally and on chain.
At some point in the future, property laws might change to recognize crypto tokens as their own asset class, which would make possible things like having some claim of ownership over a gold bar based on holding an NFT. Many investors today hold gold in their portfolio without it physically being transferred to them. Instead, ownership of the assets is recorded on some ledger, which could be a public ledger.
Mattereum is working in this space, trying to tokenize gold bullion, wine[1], and recently real estate[2] with legal warranty, but I would not put much stock in this idea until there is more clarity from lawmakers.
- loans - as in "loan your NFTs"? Technically yes, but since NFTs are worthless bullshit it is kinda pointless.
- stablecoins positions - please elaborate, never heard this idea before
- user accounts - no
- other on chain assets - yes
- other off chain assets - no
tl;dr - NFTs themselves lack any ability to provide proof of ownership, transfer IP rights, or hold custody simply because it is technically impossible. Any cadaver constructs which allows this are inevitably an additional centralised systems which do all the actual work and actually store digital data. NFTs are fifth leg in a horse - pointless and useless. (DNS records alone of course don't justify NFT existence)
What I don't get is how the people who want blockchain adoption can't see that their decentralised currency is no good if its in-gates are controlled by a few very centralised companies.
In the current electronic fiat system, a few companies control both the gates and the network. Crypto at the moment decentralizes the control of the network, which is already a step forward.
Crypto can also be used to decentralize control of the gates, such as allowing goods, services and taxes to be paid in USDC and DAI, so that there is less need to use a CEX. But there are regulatory and technical barriers that prevent this from happening right now. The people who want blockchain adoption ideally would like to see those barriers overcome.
Except what stops Apple and Google from building basically the same features and also having full control over them? And you bet that people would rather use Apple <whatever> than shady crypto scam <whatever> if they really want to. The takeaway is that crypto is going to change practically nothing and produces nothing of value anyway.
Nothing stops tech companies from building crypto wallets or services that hold custody over users' funds; a lot of them are already doing that. Building a new blockchain where they fully control the network and its features is harder.
Look at ATM cards. There are like 4 major players globally, controlling everything. I'm not talking about big tech building crypto wallets, I'm talking about them building features similar to what blockchains can do: fake DAOs, fake NFTs etc. The point I'm trying to make is that the end result of all these features doesn't inherently need a blockchain if a major player wants to build them.
Interesting. So, if someone doesn't like you, a robber goes into your home, threatening you and your family, and this person celebrates in your face, you'd be O.K. with it, right?
Edit: since you've actually been doing that a whole bunch recently, I've banned the account. Can you please not create accounts to break HN's rules with?
There is a reason technology that requires high levels of stability is mired in layers of approval, review, regulation, etc. It doesn't change much if at all once it works, because the probability of introducing a failure mode is so high with software.
There's a point where this level of negligence should rise to criminal liability, no different than if someone wrote code for a new Boeing that was so bad it moves beyond incompetence.
We are at this point, and crypto companies need to be held criminally liable for these hacks. If not, they should at least be required to carry insurance and pass stringent security audits, no different than other high-value systems. This is pathetic, and it's not the first time, second time, or third time it happens. I do hope crypto dies. It's been co-opted by grifters and thieves, and even when it's not, grifters and thieves end up stealing the money anyway through hacks like this. Things like this could be somewhat remedied by teaching people to refuse to deal with coins that do not post several independently verifiable third-party security audits, but alas people don't care anyway.
This is terrible obviously, but if code is law and someone writes bad code and exploits that is it “illegal”?
The entire basis of even having judges, courts, etc is an acknowledgment that the “code” is imperfect and certain circumstances require human intervention.
If regular law is the ultimate arbiter of the correct location of funds in this system, then we don't need this complex network of energy-hungry computers constantly double-checking each others' work to make a financial system. We can just use regular computers, like before.
Isn't it a consequence? If the entire foundation of your system is irreversibility and finality, then doesn't it effectively become true? (unless you are big enough to force a network-wide rollback...).
But that's exactly what the decentralized crowd is arguing. You encode transactions and no centralized authority (e.g. a country's judicial system backed by people with guns) can override it. A natural consequence is that no one can override a mistake either.
Legal contracts in the physical world can be poorly drafted as well. But courts don't usually allow ludicrous results arising from honest mistakes.
I have no sympathy for the end of a speculative trade engine that's been almost exclusively used to scam people. Watch the "Line Goes Up" video, it explains it very well. It's not perfect, but provides plenty of background on crypto in general. (Despite the title)
It's horrible technology, born from deeply misguided ideals that will hurt and is hurting a lot of people. I'm not going to celebrate its repeated, persistent failures, but I'm not going to deplore them either.
Was this actually theft? The smart contract basically said “ask and you shall receive”.
I’m trying to think of a banking analogy. Maybe their website has a page that says “enter your checking account number to get $1,000”, but the web service had the authorization code commented out. If someone discovers that and tells their friends, have they stolen from the bank?
Note that I’m thinking of “theft” and “stealing” from a legal point of view. The moral angle may be very different.
Yes, I imagine that would be counted as stealing, if it wasn't intended.
However, if the bank had spent large amounts of time absolutely promising irreversible transactions, and publicly opened itself to attackers, then - no, that's just an intended operation of the system.
This is akin to going to an ATM and finding a bug that lets you withdraw money out using the information from a receipt that someone threw out in the trash bin. It is definitely illegal.
I'm not sure if it's theft but they most certainly have to give the money back. It's just an honest mistake, an equivalent to accidentally dropping a wallet full of cash on the street.
But if you allow the courts to dictate which crypto transactions are legal/illegal and to undo illegal ones, what's the point of all the decentralisation? You can just use the existing systems.
Which country's laws apply? What if one country considers the Ethereum contract binding, but the other doesn't?
It feels like having your cake and eating it too. I met lots of crypto bros, they all talk about how they use it so they can be immune to government censorship/intervention etc. They gloat about using crypto to avoid taxes and laws.
Relying on the same institutions that you are trying to get away from to overcome flaws in your framework seems entirely hypocritical to me.
And therein do you see the almost inevitable doom of the dream of decentralised cryptocurrency, because it’s never going to be able to stand up against the power of governments once they decide they don’t like it and have no vested interest in it surviving. All of this stuff, even up to Bitcoin, is only still around at the sufferance of governments that have not yet decided to clearly make it illegal. Most are currently preferring to regulate it (which does tend to undermine the principles of full decentralisation, as you rightly observe), but a few decide to cut it out like a gangrenous parasite that’s enjoying mixing metaphors too much, and others may at almost any time. Already cryptocurrencies flout things like copyright and privacy law, for they have made it fundamentally impossible to comply with various plausible court orders. And “we have designed it so that it is not possible for us to comply” does not impress courts.
And in your musings about which countries’ laws—therein also do you see the perennial mutterings of discontent at international policy, and globalisation shambling towards collapse. It may be averted. It may not.
When the executives of cryptocurrency firms start getting jailed for contempt of court (when they fail to comply with a legitimate court order), the industry will collapse, which will take the value of cryptocurrency with it, which will return cryptocurrency to niche status, even if the governments in question don’t just decide to make it illegal.
This may not be the way things unfold, but it’s legally completely plausible.
Is it theft? If you go by the whole "code is law" (is that still a popular catch phrase? I don't keep up with crypto much anymore), then this is not theft. The contract let this happen, so it's legal.
Edit: heh, I see a lot of HN had the exact same thought process and we all commented at the same time. I'll leave this up anyway.
Oh cry me a river. This is criminals applying the codified "law" against each other for their temporary enrichment and the entertainment of the spectators.
Welcome to HN, where crypto is the devil and must be eradicated at all costs. Anyone who thinks otherwise here is either perceived to be an idiot or a grifter.
It should, perhaps, tell you something that a community with one of the most highly concentrated populations of technically literate people on the internet are so vehemently against a technology.
Crypto is just a paperclip maximizer for silicon and electrons that does what traditional companies have been doing for at least 60 years. Only 100000x less efficiently.
> This community is nowhere near consensus on this matter. A small minority of loud naysayers is
There's an information bubble. It's not the crypto skeptics. There's a reason when governments around the world have moved to ban crypto there's been little to no popular resistance beyond angry 4channers.
> more governments have invested time, money, and regulatory effort into the crypto ecosystem than have banned it
Lots of chatting. Looking at actual dollars and laws, we're weighing the elephants of China, India and increasingly the EU against...Singapore, El Salvador and Malta?
Outside young men, disproportionately minorities, crypto has a limited beachhead [1]. It was an easy-money phenomenon with historic comparison. We're now seeing the regulatory mood shifting decisively against it with limited competent pushback.
> a16z is a large investor in the space and proponent
They're notable for where they're prominent and where they're not. Aggressive fundraising followed by SoftBank/Tiger style deployment. Tweets and blog posts galore. Yet middling returns, even on an internal basis, and absolutely zero presence worth mentioning in D.C.
I'm no greybeard. But I've worked in finance long enough to see the game they're playing.
Yes, but you still need, say, one computer to run what Bitcoin does (without the PoW hashing - just checking and recording 5 transactions per second). BTC uses around 15 GW currently, a computer say 15 to 150 W, so we are talking a factor of 1e9 (Giga) to 1e10.
I'm starting to get the feeling that security by obscurity is a good thing. There's a reason why banks don't open source their infra, or why Google/Facebook/Twitter don't open source their algorithms. No matter how smart your engineers are, they are going to make mistakes, and if the incentive is high enough then people will find and exploit those mistakes. It's honestly amazing that L1 blockchains (like Bitcoin, Ethereum, Monero) have lasted this long at all.
The funniest part of all these stories is the part where they announce that they've "notified law enforcement". Yeah, this space is all, "woohoo, we're free from the Man! Code is law!", until an exploit is found and then they have to call on the State to enforce that "no, no, we need the people with guns to undo this transaction because it's not what we meant." It's like a living demonstration of why libertarianism fails.
There is an entertaining documentary series on HBO Max right now called The Anarchists which has the same types of scenarios. In fact in one scene a guy says, "we're anarchists, we can't call the cops!". It has some crossover with crypto as well.
This might be surprising, but not every crypto user is a pure libertarian, or believes that code is law. A significant amount of funds extracted from this exploit were from whitehat hackers who took the funds and plan to return them, to avoid them being taken by malicious actors.
How can Nomad afford to lose $150M and go on like nothing happened? Same for other exchanges which have lost hundreds of millions. It seems really weird. Any real-world company which would lose $150M would have a lot of pressure on it, investigations, dismissals, etc.
How does this much money get 'lost' without heads rolling?
I understand that some of the deposits are from retail 'investors' who are poorly organized and more interested in token appreciation or yield than the safety of their funds. But even getting to $150m would take forever if it came from individuals.
Surely there are large investors that provided the bulk of the capital. Shouldn't they intervene in some way? Or do these whales have so much to waste that they throw money into each of these projects knowing that they'll never see a cent back from 50% of them?
> tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
From this explainer:
> It’s [Nomad is] built to address security first. The Nomad team has been building secure bridges as a team for 4+ years and has studied the pitfalls of multi-sig and validator-based bridges.
Assuming this is true, and assuming the team is not incompetent or composed of the typical grifters, perhaps it's time to draw the inevitable conclusion. No amount of experience is sufficient to safeguard an Ethereum protocol of any interesting complexity.
It's a reasonable question to ask, WTF is Nomad for? After all, isn't Ethereum supposed to be the World Computer, Turing complete and ready for any task? Nope. Never was.
I think a good chunk of the answer can be found on the home page:
> Nomad reduces gas fees by a factor of 10x relative to traditional header relay systems, while remaining decentralized.
That world computer is choked to the gills with accumulated waste. The proliferation of chains is the response. Each one is less secure than its forebear. Gobbledygook like Nomad is the "connective tissue" to get the various organs of this science project talking to each other.
Dive deeply enough down and you find the root of it all: everybody wants to make the next Bitcoin, Ethereum, Cardano, Polkadot, and so on. With each turn of the crank a new crop of Barnums springs up to take the money of an unending supply of digital rubes.
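Since several comments in this thread argue over what the bridge actually checked, here is an added example (my own Python model, not Nomad's Replica contract) of the failure mode the tl;dr above describes: unproven messages map to the zero hash by default, and an upgrade marked the zero hash as an acceptable root. The names Replica, acceptable_root, confirm_at and messages follow the thread's vocabulary, but the shape of the state and checks is an assumption, and the Merkle-branch verification that a real prove() performs is left out. sha3_256 stands in for keccak256.

```python
"""Added example (not Nomad's code): a stripped-down model of a bridge
replica that tracks which Merkle roots are trusted and which messages
have been proven against them. Names follow the thread (acceptableRoot,
Replica, messages); the structure is an assumption."""
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value of an unset mapping entry


def message_hash(message: bytes) -> bytes:
    # sha3_256 stands in for keccak256; nothing here depends on which hash.
    return hashlib.sha3_256(message).digest()


class Replica:
    def __init__(self, committed_root: bytes, hardened: bool = False):
        if hardened and committed_root == ZERO_ROOT:
            # The check a reviewer would want at upgrade time: never trust the
            # zero hash, because it doubles as the "not proven" sentinel below.
            raise ValueError("zero hash cannot be the committed root")
        self.hardened = hardened
        self.confirm_at = {committed_root: 1}  # root -> time it becomes acceptable
        self.messages = {}                      # message hash -> root proven against
        self.processed = set()

    def acceptable_root(self, root: bytes, now: int) -> bool:
        confirm = self.confirm_at.get(root, 0)
        return confirm != 0 and now >= confirm

    def prove(self, message: bytes, root: bytes, now: int) -> bool:
        # A real prove() also verifies a Merkle branch for the message against
        # root; omitted here (assumption: the branch is valid).
        if not self.acceptable_root(root, now):
            return False
        self.messages[message_hash(message)] = root
        return True

    def process(self, message: bytes, now: int) -> bool:
        h = message_hash(message)
        if h in self.processed:
            return False
        # An unproven message reads back as ZERO_ROOT. If the zero hash has
        # been marked acceptable, every unproven message passes this check.
        root = self.messages.get(h, ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False  # belt and braces: "not proven" is never acceptable
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        return True


def scenario(committed_root: bytes, hardened: bool = False) -> dict:
    """One proven message, one never-proven forgery, and a copy with a new recipient."""
    r = Replica(committed_root, hardened=hardened)
    legit = b"constructed: transfer 1 WBTC to alice"
    forged = b"constructed: transfer 100 WBTC to attacker"       # never proven
    variant = b"constructed: transfer 100 WBTC to attacker2"     # copy/paste, new recipient
    r.prove(legit, committed_root, now=100)
    return {
        "zero_root_acceptable": r.acceptable_root(ZERO_ROOT, now=100),
        "legit_processed": r.process(legit, now=100),
        "forged_processed": r.process(forged, now=100),
        "replay_processed": r.process(forged, now=100),   # identical message again
        "forged_variant_processed": r.process(variant, now=100),
    }


REAL_ROOT = hashlib.sha3_256(b"constructed: some real root").digest()

if __name__ == "__main__":
    print("correct upgrade  :", scenario(REAL_ROOT))
    print("zero-root upgrade:", scenario(ZERO_ROOT))
```

With a real committed root only the proven message is processed. With the zero hash committed, the forged message and every copy of it with a different recipient go through, while an exact replay is still stopped by the processed set; that matches the "copy/paste transactions" pattern in the tl;dr. The hardened flag shows the two places a defensive check fits: refusing the zero hash at initialisation, and treating the unproven sentinel as never acceptable in process().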
Every time I see a story like this I wonder if the exploit was left intentionally for the founders and developers to exploit one way or another. Even if they themselves do not take the money, it would be trivial to sell the exploit for some form of delayed (and easier to launder) payment.
A lot of the exploit wallets are doxxed, e.g. they have an initial deposit into the wallet from a centralized crypto exchange like Coinbase or FTX that investigators can request info from. It's actually pretty hard to get a "clean" wallet, and even if you have one, mixing the crypto back out to fiat is tricky as well. What's worse, all transactions are permanently on the blockchain, so if they don't catch you now they can always catch you later.
I know next to nothing about crypto, but I do know this is not the first time I've heard of a huge crypto hack involving security flaws in something called a "bridge".
Apart from blockchain, NFT, crypto, web3 - is Solidity, the language, worth exploring - can it be used (for fun) outside its main purpose? Just curious...
Thanks - I took a brief look, but as soon as I saw certain crypto/eth-specific things I decided not to go further (at least for now). Personally I'm very skeptical of everything crypto, but with time it may get to some better goals. It's not the technology really that detracts me, but its use.
The failure of these undo steps is that what if transactions downstream have already happened. Possibly with physical goods or real money. Unroll those too? And on whose cost?
The areas being bridged to often do have an undo transaction, and that is a real threat to a heist, which is why people try to get funds across the bridge as fast as possible, or only exploit the other side of the bridge.
Or Moonbeam? Replica? WBTC? acceptableRoot()? I don’t get any of this. If I get it correctly, Web3 would use crypto technology to let you buy a digital costume that get to wear both while playing fortnite and on Facebook when chilling online with your real friends, that is unless fb switches to building a tiktok clone because it is easier money than the “metaverse”.
> QSP-19 Proving With An Empty Leaf
> Recommendation: Validate that the input of the function is not empty
> The Nomad team responded that "We consider it to be effectively impossible to find the preimage of the empty leaf".
> We believe the Nomad team has misunderstood the issue. It is not related to finding the pre-image of the empty bytes. Instead, it is about being able to prove that empty bytes are included in the tree (empty bytes are the default nodes of a sparse Merkle tree). Therefore, anyone can call the function with an empty leaf and update the status to be proven.
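To see what the audit finding is about, here is an added example (mine, not Nomad's or Quantstamp's code) of a sparse Merkle tree whose default node is the empty 32-byte leaf. The tree depth is 4 for readability rather than the 32 a production tree would use (assumption), and sha3_256 stands in for keccak256. It shows that the empty leaf has a valid inclusion proof at every unused index without anyone finding a preimage, and what the recommended "input is not empty" check changes.

```python
"""Added example (not Nomad's or Quantstamp's code): a sparse Merkle tree
whose default leaf is 32 zero bytes, with an inclusion-proof verifier and
the "validate that the input is not empty" check from the audit."""
import hashlib

DEPTH = 4                    # 16 leaves; production trees are deeper (assumption: 32)
EMPTY_LEAF = b"\x00" * 32    # default node of the sparse tree


def node(left: bytes, right: bytes) -> bytes:
    # sha3_256 stands in for keccak256; the argument does not depend on the hash.
    return hashlib.sha3_256(left + right).digest()


def build_levels(leaves: list) -> list:
    """Levels from the leaves up to the root, padding unused slots with EMPTY_LEAF."""
    level = list(leaves) + [EMPTY_LEAF] * (2 ** DEPTH - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves: list) -> bytes:
    return build_levels(leaves)[-1][0]


def branch(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf level up; valid for used and unused indexes alike."""
    siblings = []
    for level in build_levels(leaves)[:-1]:
        siblings.append(level[index ^ 1])
        index >>= 1
    return siblings


def verify(leaf: bytes, siblings: list, index: int, expected_root: bytes) -> bool:
    current = leaf
    for sibling in siblings:
        current = node(sibling, current) if index & 1 else node(current, sibling)
        index >>= 1
    return current == expected_root


def prove(leaf: bytes, siblings: list, index: int, trusted_root: bytes,
          reject_empty: bool) -> bool:
    """The audit's recommendation is the reject_empty branch."""
    if reject_empty and leaf == EMPTY_LEAF:
        return False
    return verify(leaf, siblings, index, trusted_root)


def empty_leaf_provable_at(leaves: list) -> list:
    """Every index at which the empty leaf verifies against the current root."""
    root = merkle_root(leaves)
    return [i for i in range(2 ** DEPTH)
            if verify(EMPTY_LEAF, branch(leaves, i), i, root)]


def demo() -> dict:
    # Constructed message leaves occupy indexes 0..2; indexes 3..15 are unused.
    leaves = [hashlib.sha3_256(m).digest() for m in (b"msg 0", b"msg 1", b"msg 2")]
    root = merkle_root(leaves)
    forged = hashlib.sha3_256(b"forged message").digest()
    return {
        "real_leaf": prove(leaves[1], branch(leaves, 1), 1, root, reject_empty=True),
        "empty_leaf_unchecked": prove(EMPTY_LEAF, branch(leaves, 5), 5, root, reject_empty=False),
        "empty_leaf_checked": prove(EMPTY_LEAF, branch(leaves, 5), 5, root, reject_empty=True),
        "forged_leaf": prove(forged, branch(leaves, 5), 5, root, reject_empty=True),
    }


if __name__ == "__main__":
    print(demo())
    print(empty_leaf_provable_at([hashlib.sha3_256(b"msg 0").digest()]))
```

A forged non-empty leaf fails at an unused index, but the empty leaf succeeds there, because the tree's unused slots really do contain it; the proof is honest, it is the "proven" status for an empty message that is the problem. That is why the recommended fix sits in front of the verifier rather than inside it.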