Something Interesting

The Golden Age of Theft and Fraud
www.somethinginteresting.news


What exploits in Coinbase, OpenSea, BitFinex and TheDAO have in common

KF
Feb 23

In this issue:

  • The Gold Rush happened in the Wild West

  • You (eventually) get what you pay for

  • The blockchain never forgets

  • Podcast: Bitcoin, NFTs and good money


The Gold Rush happened in the Wild West

There have been lots of stories about hacks, scams and exploits in the cryptocurrency news cycle recently (this particular post is no exception). While it is important to examine and learn from these failures, I also want to take a step back and remember that failures do not define the space.

The reason there is so much opportunity for scammers and thieves in crypto is because crypto creates opportunity for everyone. A thriving economy means there is lots of wealth available to exploit. The existence of bank robberies is a reminder that the world is full of thieves but it is also a reminder that the world is full of banks. You find the most predators where prey are flourishing.

Tascha (@TaschaLabs):
People ask why so many hacks in crypto. For an immature system that handles lots of money, what else do you expect? In the early 20th century bank robberies were common. Nowadays much less so as bank security improves. That's why no more Bonnie & Clyde movies. Web3 will see similar.

February 6th 2022

You (eventually) get what you pay for

On the Friday afternoon before the Super Bowl, whitehat hacker @Tree_of_Alpha posted an ominous message warning of a "market-nuking" vulnerability in Coinbase:

Tree of Alpha (@Tree_of_Alpha):
Anyone here can get me a direct line with someone at @coinbase, preferably management or dev team, possibly @brian_armstrong himself? I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking. DMs open.

February 11th 2022

Two hours later Coinbase had disabled their new Advanced Trading product. It turns out @Tree_of_Alpha had uncovered a way for users to sell arbitrary amounts of any trading pair that Coinbase supported. The full details of the exploit are here, but the basic idea was that you could take your balance in a cheap token (@Tree_of_Alpha used SHIB) and sell it as though it were a valuable token like BTC or ETH: the order was accepted because the account held a balance, without checking that the balance was in the asset the trading pair actually sells.
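As the post describes it, the Coinbase flaw is a missing consistency check between the account an order is funded from and the asset the trading pair sells. The following Python is an added illustration of that class of bug, not Coinbase's code and not taken from the linked disclosure; the Account, Product and Order classes, the user "alice" and her balances are constructed for the example, and the shape of the order API is an assumption. It shows the vulnerable validation beside the hardened one so the difference is visible in a single check.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of an exchange order API (assumption; not Coinbase's code).
# It reproduces the class of flaw described above: an order is funded from a
# caller-chosen account, and the server never checks that the account holds
# the asset the trading pair actually sells.


@dataclass
class Account:
    account_id: str
    owner: str
    currency: str
    balance: float


@dataclass
class Product:
    product_id: str      # e.g. "BTC-USD"
    base_currency: str   # the asset a SELL order delivers
    quote_currency: str  # the asset a SELL order receives


@dataclass
class Order:
    product_id: str
    side: str
    size: float
    funding_account: str


class OrderError(ValueError):
    """Raised when an order fails validation."""


class Exchange:
    def __init__(self, accounts: List[Account], products: List[Product]):
        self.accounts: Dict[str, Account] = {a.account_id: a for a in accounts}
        self.products: Dict[str, Product] = {p.product_id: p for p in products}
        self.book: List[Order] = []

    def _lookup(self, user: str, product_id: str, source_account_id: str):
        # Shared checks: the product exists and the caller owns the funding account.
        product = self.products.get(product_id)
        account = self.accounts.get(source_account_id)
        if product is None:
            raise OrderError(f"unknown product {product_id}")
        if account is None or account.owner != user:
            raise OrderError("source account not found or not owned by caller")
        return product, account

    def place_sell_unchecked(self, user: str, product_id: str, size: float,
                             source_account_id: str) -> Order:
        # VULNERABLE: verifies ownership and balance of the source account, but
        # never that its currency is the product's base currency, so a SHIB
        # balance can fund a "sell" on BTC-USD.
        product, account = self._lookup(user, product_id, source_account_id)
        if size <= 0 or account.balance < size:
            raise OrderError("insufficient balance")
        account.balance -= size
        order = Order(product.product_id, "sell", size, account.account_id)
        self.book.append(order)
        return order

    def place_sell(self, user: str, product_id: str, size: float,
                   source_account_id: str) -> Order:
        # HARDENED: the funding account must hold exactly the asset the pair sells.
        product, account = self._lookup(user, product_id, source_account_id)
        if account.currency != product.base_currency:
            raise OrderError(
                f"account {account.account_id} holds {account.currency}, "
                f"but {product.product_id} sells {product.base_currency}"
            )
        if size <= 0 or account.balance < size:
            raise OrderError("insufficient balance")
        account.balance -= size
        order = Order(product.product_id, "sell", size, account.account_id)
        self.book.append(order)
        return order


def build_sample_exchange() -> Exchange:
    # Constructed balances for one user: a large SHIB holding and a small BTC holding.
    return Exchange(
        accounts=[
            Account("acct-shib", "alice", "SHIB", 10_000.0),
            Account("acct-btc", "alice", "BTC", 1.5),
        ],
        products=[
            Product("BTC-USD", "BTC", "USD"),
            Product("SHIB-USD", "SHIB", "USD"),
        ],
    )


if __name__ == "__main__":
    ex = build_sample_exchange()
    o = ex.place_sell_unchecked("alice", "BTC-USD", 1000.0, "acct-shib")
    print("unchecked API accepted:", o)  # 1000 "BTC" sold, funded from a SHIB account
    try:
        build_sample_exchange().place_sell("alice", "BTC-USD", 1000.0, "acct-shib")
    except OrderError as e:
        print("hardened API rejected:", e)
```

The point of the hardened version is that the asset check sits on the server, next to the balance check, rather than being left to the client that built the request; any order-placement API that lets the caller name the funding account separately from the product needs the same cross-check.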

Fortunately (especially for Coinbase) @Tree_of_Alpha elected to report this vulnerability rather than exploit it. A less ethical hacker could have elected to take short positions in all the major currencies on non-Coinbase exchanges and then used their newfound powers to create infinite imaginary sell pressure on every token at once. Coinbase is the largest and most liquid exchange for most of the major tokens so it tends to lead the price — the market would likely have followed.

A sudden exogenous shock downwards would have had knock-on effects. Leverage traders would be liquidated, momentum traders would sell off their positions, DeFi vaults would be bankrupted, new investors would panic sell. Every token would be collapsing at once, meaning the only safe haven would be to exit crypto. All of this would be happening in the middle of Super Bowl weekend. @Tree_of_Alpha was absolutely right to describe the exploit as 'market-nuking.'

Coinbase awarded @Tree_of_Alpha $250k as a bug bounty for his efforts, which to be honest is a shockingly small amount relative to the size of the exploit. Earlier this month a DeFi dev was given a $2M bounty for discovering an exploit in Optimism (an L2 built on Ethereum). The OlympusDAO project (which runs OHM) has a bug bounty program ranging from $333k-$3.3M, meaning this award was actually less than their minimum bounty. Wormhole (victim of what is, for now, the largest ever DeFi exploit) has a bug bounty that goes up to $10M.

Darren Lau (@Darrenlautf):
@Tree_of_Alpha man saved an entire industry worth 2 trillion but only got 250k f

February 19th 2022

By comparison Coinbase spent ~$14M on the floating QR code Super Bowl ad and that only crashed their website, not the market.1 To be fair, this attack was probably not as devastating in practice as it appears from the outside. Coinbase’s disclosure post refers to "mitigating factors that would have limited the impact of this flaw had it been exploited at scale."

Still, I think this reward was drastically underpriced. The point of bug bounties is to convince people who discover exploits to sell them to Coinbase instead of to someone else — but that only works if Coinbase is paying a rate comparable to what the market would have paid. Underpaying people who responsibly disclose vulnerabilities is just leaving your security up to the charity of others.

Pay the man for his work, Coinbase. You can afford it.


Laura Shin (@laurashin):
EXCLUSIVE: With the publication of my book today, I can finally announce: in the course of writing my book, my sources and I believe we uncovered the identity of Ethereum's 2016 DAO hacker.

February 22nd 2022

The blockchain never forgets

In 2016 around 14% of all ETH was invested in one of the first DAOs (known unhelpfully as The DAO). Later that year The DAO was hacked and drained of all funds, kicking off a sequence of events that ultimately ended in Ethereum forking into Ethereum (ETH) and Ethereum Classic (ETC). The full story is interesting and controversial, and if you are interested I recommend checking out my 2-part history of the ICO, a brief history of greed and excess. The hacker responsible for the attack was never found.

On Tuesday morning cryptocurrency journalist Laura Shin announced that she had uncovered evidence of the identity of the 2016 DAO hacker.2 The hacker had taken their stolen currency and sold it for Bitcoin, which they then obscured by mixing the coins using a tool called Wasabi Wallet. At the time that tactic was enough to shut investigators down — but eventually a company named Chainalysis developed a technique to 'unmix' Wasabi transactions. They were able to follow the trail of Bitcoin through the mixer and on to the exchanges where the hacker eventually sold them.

It is still fairly common for people to suggest that Bitcoin is only good for crime, but actually in practice Bitcoin is terrible for crime. The same kind of blockchain analysis is what eventually took down the rapper/hacker duo responsible for the 2019 Bitfinex hack. Leaving evidence of a crime on a blockchain is like leaving DNA evidence at a crime scene — investigators might not understand it at first but once they do it is irrefutable proof of your guilt. The blockchain never forgets.


Dejno (@dejno):
We are back with our second season of the Techonomics podcast! 🎉 For our first episode this year, @knifefight joined Arun and I to discuss Bitcoin, NFTs, and what makes good money.
techonomics.news/20-bitcoin-nft… (#20 Bitcoin, NFTs & Good Money: For our first episode of the season, Tyler Odean (or Knifefight as his internet pseudonym goes) joined us to talk Bitcoin, NFTs, and what makes good money.)

February 22nd 2022

Podcast: Bitcoin, NFTs and good money

I joined Jake and Arun of the Techonomics podcast for a wide-ranging and very entertaining conversation about cryptocurrency, NFTs, ethics and political theory. Check it out if you are into podcasts or just curious what my voice sounds like. Also make sure you check out the first season of Techonomics! Lots of great content.


Other things happening right now:

  • A detailed implementation of a proposed new Bitcoin privacy/scaling technology known as CoinPool has just been released. CoinPool is similar to the payment channels of the Lightning Network but allows for many-to-many connections instead of only connecting two users at a time. The implementation relies on new opcodes that are not yet implemented in Bitcoin and would require a soft fork to add, so the practical impact of CoinPool is still years away — but now we know specifically how we could build CoinPool and what we would need to do it. Useful progress.

  • A very sophisticated attack on OpenSea users unfolded this week where the attacker tricked victims into signing an open-ended transaction that allowed the hacker to take every NFT the victim owned (details here). This was a phishing attack that tricked users, not an OpenSea exploit — but everyone is still cross with OpenSea about the old listings incident, so most people just blamed them anyway. The attacker was able to steal ~$1.7M worth of NFTs from ~17 users.3 They were also pretty quickly identified. Blockchains are terrible for crime!

  • We talked back in December of 2021 about Melania Trump’s NFT collection. If you were wondering who would bother to buy an official Melania Trump NFT, the answer appears to be Melania Trump. Personally, I would be embarrassed if I had just been caught faking wash-sales of my own art. Melania on the other hand launched another NFT collection the next day. Good for her! Grift like no one is watching.

Bloomberg Crypto (@crypto):
The source of funds for the winning bid in Melania Trump’s first NFT auction appears to be the creators of the project themselves

February 16th 2022

  • Presented without comment:

John W. Rich (Fake Tech Exec) (@Cokedupoptions):
Ukraine just needs to record ownership of the country on the Blockchain so that Putin can't steal it

February 21st 2022

1

On an unrelated but still amusing note, here is Coinbase CEO Brian Armstrong doing a victory lap about how 'no ad agency would have done this ad', and here is the CEO of an ad agency they worked with reminding him that an ad agency actually did:

Brian Armstrong (@brian_armstrong):
10/ I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad.

February 21st 2022

Kristen Cavallo (@Cavallokristen):
@brian_armstrong It was actually inspired by presentations our agency showed your team on 8/18 (pages 19-24) and 10/7 (pages 11-18) with ad concepts for the Super Bowl with floating QR codes on a blank screen.

February 21st 2022

2

I am going to hold off on actually naming her suspect here for now, although it is relatively easy to find them. The DAO hacker has many enemies and a great deal of wealth — accusing anyone of being that person is putting them in a great deal of danger whether or not it is true. I think it is better to share knowledge of a crime discreetly with law enforcement than to release a book about it.

3

One of the 17 affected users was an OpenSea engineer, which has to have been pretty embarrassing in the breakroom the next day.

© 2022 KF