Something Interesting


The Golden Age of Theft and Fraud

What exploits in Coinbase, OpenSea, BitFinex and TheDAO have in common

KF
Feb 23, 2022

In this issue:

  • The Gold Rush happened in the Wild West

  • You (eventually) get what you pay for

  • The blockchain never forgets

  • Podcast: Bitcoin, NFTs and good money


The Gold Rush happened in the Wild West

There have been lots of stories about hacks, scams and exploits in the cryptocurrency news cycle recently (this particular post is no exception). While it is important to examine and learn from these failures I want to also take a step back and remember that failures do not define the space.

The reason there is so much opportunity for scammers and thieves in crypto is because crypto creates opportunity for everyone. A thriving economy means there is lots of wealth available to exploit. The existence of bank robberies is a reminder that the world is full of thieves but it is also a reminder that the world is full of banks. You find the most predators where prey are flourishing.

Tascha (@TaschaLabs), 5:49 PM, Feb 6, 2022:
"People ask why so many hacks in crypto. For an immature system that handles lots of money, what else do you expect? In early 20th century bank robberies were common. Nowadays much less as bank securities improve. That's why no more Bonnie & Clyde movies. Web3 will see similar."

You (eventually) get what you pay for

On the Friday afternoon before the Super Bowl, whitehat hacker @Tree_of_Alpha posted an ominous message warning of a "market-nuking" vulnerability in Coinbase:

Tree of Alpha (@Tree_of_Alpha), 6:16 PM, Feb 11, 2022:
"Anyone here can get me a direct line with someone at @coinbase , preferably management or dev team, possibly @brian_armstrong himself? I'm submitting a hacker1 report but I'm afraid this can't wait. Can't say more either, this is potentially market-nuking. DMs open."

Two hours later Coinbase had disabled their new Advanced Trading product. It turns out @Tree_of_Alpha had uncovered a way for users to sell arbitrary amounts on any trading pair that Coinbase supported. The full details of the exploit are here, but the basic idea was that you could take your balance in a cheap token (@Tree_of_Alpha used SHIB) and sell it as though it were a valuable token like BTC or ETH.
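The server-side check this class of bug calls for, written as an added illustration rather than Coinbase's own code (the page gives no API or internal names, so the order fields, balances and pair table below are hypothetical): an order names a trading pair and the account that funds it, and the vulnerable validator only checks that the named account has enough balance, while the hardened one derives the funding currency from the pair itself and refuses anything that does not match.

```python
from dataclasses import dataclass

# Constructed sample state for the illustration: per-user balances keyed by currency.
BALANCES = {"alice": {"SHIB": 50_000_000.0, "BTC": 0.001}}

# Supported pairs mapped to (base, quote); a sell hands over the base currency.
PRODUCTS = {"BTC-USD": ("BTC", "USD"), "SHIB-USD": ("SHIB", "USD")}

@dataclass
class SellOrder:
    user: str
    product_id: str        # pair the order executes on
    source_currency: str   # account the client asks to fund the order
    size: float

class OrderRejected(ValueError):
    pass

def validate_sell_vulnerable(order: SellOrder) -> str:
    """Trusts the client-supplied funding account and checks only its balance,
    so a SHIB balance can fund a sell on BTC-USD (the flaw described above)."""
    if order.product_id not in PRODUCTS:
        raise OrderRejected("unknown product")
    if BALANCES[order.user].get(order.source_currency, 0.0) < order.size:
        raise OrderRejected("insufficient balance")
    return f"accepted sell of {order.size} on {order.product_id}"

def validate_sell_hardened(order: SellOrder) -> str:
    """Derives the funding currency from the product and refuses any order
    whose source account does not match it (and any non-positive size)."""
    if order.product_id not in PRODUCTS:
        raise OrderRejected("unknown product")
    base, _quote = PRODUCTS[order.product_id]
    if order.source_currency != base:
        raise OrderRejected(f"{order.source_currency} account cannot fund a {base} sell")
    if order.size <= 0:
        raise OrderRejected("size must be positive")
    if BALANCES[order.user].get(base, 0.0) < order.size:
        raise OrderRejected("insufficient balance")
    return f"accepted sell of {order.size} {base} on {order.product_id}"

def is_rejected(validator, order: SellOrder) -> bool:
    """True when the validator refuses the order; lets the two checks be compared."""
    try:
        validator(order)
        return False
    except OrderRejected:
        return True
```

The lesson is the general one: any parameter the client supplies that must agree with another parameter (here, funding account and pair) has to be checked for that agreement on the server, not just for its own validity.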

Fortunately (especially for Coinbase) @Tree_of_Alpha elected to report this vulnerability rather than exploit it. A less ethical hacker could have elected to take short positions in all the major currencies on non-Coinbase exchanges and then used their newfound powers to create infinite imaginary sell pressure on every token at once. Coinbase is the largest and most liquid exchange for most of the major tokens so it tends to lead the price — the market would likely have followed.

A sudden exogenous shock downwards would have had knock-on effects. Leverage traders would be liquidated, momentum traders would sell off their positions, DeFi vaults would be bankrupted, new investors would panic sell. Every token would be collapsing at once, meaning the only safe haven would be to exit crypto. All of this would be happening in the middle of Super Bowl weekend. @Tree_of_Alpha was absolutely right to describe the exploit as 'market-nuking.'

Coinbase awarded @Tree_of_Alpha $250k as a bug-bounty for his efforts, which to be honest is a shockingly small amount relative to the size of the exploit. Earlier this month a DeFi dev was given a $2M bounty for discovering an exploit in Optimism (an L2 built on Ethereum). The OlympusDAO project (which runs OHM) has a bug bounty program ranging from $333k-$3.3M, meaning this award was actually less than their minimum bounty. Wormhole (victim of the (for now) largest ever DeFi exploit) has a bug bounty that goes up to $10M.

Darren Lau (@Darrenlautf), 1:22 PM, Feb 19, 2022:
"@Tree_of_Alpha man saved an entire industry worth 2 trillion but only got 250k f"

By comparison Coinbase spent ~$14M on the floating QR code Super Bowl ad and that only crashed their website, not the market. [1]

To be fair, this attack was probably not as devastating in practice as it appears from the outside. Coinbase's disclosure post refers to "mitigating factors that would have limited the impact of this flaw had it been exploited at scale."

Still, I think this reward was drastically underpriced. The point of bug bounties is to convince people who discover exploits to sell them to Coinbase instead of to someone else — but that only works if Coinbase is paying a rate comparable to what the market would have paid. Underpaying people who responsibly disclose vulnerabilities is just leaving your security up to the charity of others.

Pay the man for his work, Coinbase. You can afford it.


Laura Shin (@laurashin), 11:39 AM, Feb 22, 2022:
"EXCLUSIVE: With the publication of my book today, I can finally announce: in the course of writing my book, my sources and I believe we uncovered the identity of the Ethereum's 2016 DAO hacker."

The blockchain never forgets

In 2016 roughly 14% of all ETH was invested in one of the first DAOs (known, unhelpfully, as The DAO). Later that year The DAO was hacked and drained of all its funds, kicking off a sequence of events that ultimately ended in Ethereum forking into Ethereum (ETH) and Ethereum Classic (ETC). The full story is interesting and controversial, and if you are interested I recommend checking out my 2-part history of the ICO, a brief history of greed and excess. The hacker responsible for the attack was never found.

On Tuesday morning cryptocurrency journalist Laura Shin announced that she had uncovered evidence of the identity of the 2016 DAO hacker. [2]

The hacker had taken their stolen currency and sold it for Bitcoin, which they then obscured by mixing the coins using a tool called Wasabi wallet. At the time that tactic was enough to shut investigators down — but eventually a company named Chainalysis developed a technique to 'unmix' Wasabi transactions. They were able to follow the trail of Bitcoin through the mixer and to the exchanges where the hacker eventually sold them.

It is still fairly common for people to suggest that Bitcoin is only good for crime, but actually in practice Bitcoin is terrible for crime. The same kind of blockchain analysis is what eventually took down the rapper/hacker duo responsible for the 2019 Bitfinex hack. Leaving evidence of a crime on a blockchain is like leaving DNA evidence at a crime scene — investigators might not understand it at first but once they do it is irrefutable proof of your guilt. The blockchain never forgets.


Dejno (@dejno), 4:18 PM, Feb 22, 2022:
"We are back with our second season of the Techonomics podcast! 🎉 For our first episode this year, @knifefight joined Arun and I to discuss Bitcoin, NFTs, and what makes good money. techonomics.news/20-bitcoin-nft…"

Podcast: Bitcoin, NFTs and good money

I joined Jake and Arun of the Techonomics podcast for a wide-ranging and very entertaining conversation about cryptocurrency, NFTs, ethics and political theory. Check it out if you are into podcasts or just curious what my voice sounds like. Also make sure you check out the first season of Techonomics! Lots of great content.


Other things happening right now:

  • A detailed implementation of a proposed new Bitcoin privacy/scaling technology known as CoinPool has just been released. CoinPool is similar to the payment channels of the Lightning Network but allows for many-to-many connections instead of only connecting two users at a time. The implementation relies on new opcodes that Bitcoin does not yet support and that would require a soft fork to add, so the practical impact of CoinPool is still years away — but now we know specifically how we could build CoinPool and what we would need to do it. Useful progress.

  • A very sophisticated attack on OpenSea users unfolded this week where the attacker tricked victims into signing an open-ended transaction that allowed the hacker to take every NFT the victim owned (details here). This was a phishing attack that tricked users, not an OpenSea exploit — but everyone is still cross with OpenSea about the old listings incident, so most people just blamed them anyway. The attacker was able to steal ~$1.7M worth of NFTs from ~17 users. [3] They were also pretty quickly identified. Blockchains are terrible for crime!

  • We talked back in December of 2021 about Melania Trump’s NFT collection. If you were wondering who would bother to buy an official Melania Trump NFT, the answer appears to be Melania Trump. Personally, I would be embarrassed if I had just been caught faking wash-sales of my own art. Melania on the other hand launched another NFT collection the next day. Good for her! Grift like no one is watching.

Bloomberg Crypto (@crypto), 7:32 PM, Feb 16, 2022:
"The source of funds for the winning bid in Melania Trump's first NFT auction appears to be the creators of the project themselves"

  • Presented without comment:

John W. Rich (Fake Tech Exec) (@Cokedupoptions), 11:52 PM, Feb 21, 2022:
"Ukraine just needs to record ownership of the country on the Blockchain so that Putin can't steal it"

[1] On an unrelated but still amusing note, here is Coinbase CEO Brian Armstrong doing a victory lap about how 'no ad agency would have done this ad', and here is the CEO of an ad agency they worked with reminding him that an ad agency actually did:

Brian Armstrong (@brian_armstrong), 5:49 AM, Feb 21, 2022:
"10/ I guess if there is a lesson here it is that constraints breed creativity, and that as founders you can empower your team to break the rules on marketing because you're not trying to impress your peers at AdWeek or wherever. No ad agency would have done this ad."

Kristen Cavallo (@Cavallokristen), 5:23 PM, Feb 21, 2022:
"@brian_armstrong It was actually inspired by presentations our agency showed your team on 8/18 (pages 19-24) and 10/7 (pages 11-18) with ad concepts for the Super Bowl with floating QR codes on a blank screen."

[2] I am going to hold off on actually naming her suspect here for now, although it is relatively easy to find them. The DAO hacker has many enemies and a great deal of wealth — accusing anyone of being that person is putting them in a great deal of danger whether or not it is true. I think it is better to share knowledge of a crime discreetly with law enforcement than to release a book about it.

[3] One of the 17 affected users was an OpenSea engineer, which has to have been pretty embarrassing in the breakroom the next day.

© 2023 KF