The Golden Age of Theft and Fraud
What exploits in Coinbase, OpenSea, BitFinex and TheDAO have in common
In this issue:
The Gold Rush happened in the Wild West
You (eventually) get what you pay for
The blockchain never forgets
Podcast: Bitcoin, NFTs and good money
The Gold Rush happened in the Wild West
There have been lots of stories about hacks, scams and exploits in the cryptocurrency news cycle recently (this particular post is no exception). While it is important to examine and learn from these failures, I also want to take a step back and remember that failures do not define the space.
The reason there is so much opportunity for scammers and thieves in crypto is that crypto creates opportunity for everyone. A thriving economy means there is lots of wealth available to exploit. The existence of bank robberies is a reminder that the world is full of thieves, but it is also a reminder that the world is full of banks. You find the most predators where prey are flourishing.
You (eventually) get what you pay for
On the Friday afternoon before the Super Bowl, whitehat hacker @Tree_of_Alpha posted an ominous message warning of a "market-nuking" vulnerability in Coinbase:
Two hours later Coinbase had disabled their new Advanced Trading product. It turns out @Tree_of_Alpha had uncovered a way for users to sell arbitrary amounts of any trading pair that Coinbase supported. The full details of the exploit are here, but the basic idea was that you could take your balance in a cheap token (@Tree_of_Alpha used SHIB) and sell it as though it were a valuable token like BTC or ETH.
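To make the shape of that bug concrete, here is an added example (constructed for this post, not Coinbase's code or anything from the disclosure): a sell order that names a trading pair and a funding account separately, where the vulnerable handler never checks that the account actually holds the pair's base asset, beside a hardened handler that does. The prices, account ids and function names are all assumptions.

```python
# Constructed model of the bug class described above. Not Coinbase's code:
# the prices, account ids and function names are all made up for illustration.
from dataclasses import dataclass, field
PRICES = {"BTC": 40_000.0, "ETH": 2_800.0, "SHIB": 0.00003}  # constructed USD prices

@dataclass
class Account:
    currency: str   # asset this account actually holds
    balance: float

@dataclass
class User:
    accounts: dict = field(default_factory=dict)  # account_id -> Account

def base_asset(product_id: str) -> str:
    """'BTC-USD' -> 'BTC': the asset a sell order on this pair gives up."""
    return product_id.split("-")[0]

def sell_vulnerable(user: User, product_id: str, account_id: str, size: float) -> float:
    """Debits `size` from whichever account the client names, priced as the pair's base asset."""
    acct = user.accounts[account_id]
    if acct.balance < size:
        raise ValueError("insufficient funds")
    acct.balance -= size
    return size * PRICES[base_asset(product_id)]

def sell_hardened(user: User, product_id: str, account_id: str, size: float) -> float:
    """Same order shape, but the server derives the asset from the product and
    refuses a funding account that does not hold exactly that asset."""
    acct = user.accounts[account_id]
    asset = base_asset(product_id)
    if acct.currency != asset:
        raise ValueError(f"account holds {acct.currency} but {product_id} sells {asset}")
    if acct.balance < size:
        raise ValueError("insufficient funds")
    acct.balance -= size
    return size * PRICES[asset]

def compare(size: float = 1_000_000.0) -> tuple:
    """Same mismatched order (SHIB balance, BTC-USD pair) through both handlers -> (vulnerable USD proceeds, hardened rejected?)."""
    u1 = User({"shib": Account("SHIB", size)})
    u2 = User({"shib": Account("SHIB", size)})
    usd = sell_vulnerable(u1, "BTC-USD", "shib", size)
    try:
        sell_hardened(u2, "BTC-USD", "shib", size)
        rejected = False
    except ValueError:
        rejected = True
    return usd, rejected
```

The fix is the one-line consistency check: the asset being sold comes from the product, and the funding account must hold that asset, so no client-chosen pairing of account and pair can price one token as another.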
Fortunately (especially for Coinbase) @Tree_of_Alpha elected to report this vulnerability rather than exploit it. A less ethical hacker could have elected to take short positions in all the major currencies on non-Coinbase exchanges and then used their newfound powers to create infinite imaginary sell pressure on every token at once. Coinbase is the largest and most liquid exchange for most of the major tokens so it tends to lead the price — the market would likely have followed.
A sudden exogenous shock downwards would have had knock-on effects. Leverage traders would be liquidated, momentum traders would sell off their positions, DeFi vaults would be bankrupted, new investors would panic sell. Every token would be collapsing at once, meaning the only safe haven would be to exit crypto. All of this would be happening in the middle of Super Bowl weekend. @Tree_of_Alpha was absolutely right to describe the exploit as 'market-nuking.'
Coinbase awarded @Tree_of_Alpha $250k as a bug bounty for his efforts, which to be honest is a shockingly small amount relative to the size of the exploit. Earlier this month a DeFi dev was given a $2M bounty for discovering an exploit in Optimism (an L2 built on Ethereum). The OlympusDAO project (which runs OHM) has a bug bounty program ranging from $333k to $3.3M, meaning this award was actually less than their minimum bounty. Wormhole (victim of what is, for now, the largest ever DeFi exploit) has a bug bounty that goes up to $10M.
By comparison Coinbase spent ~$14M on the floating QR code Super Bowl ad, and that only crashed their website, not the market.[1] To be fair, this attack was probably not as devastating in practice as it appears from the outside. Coinbase’s disclosure post refers to "mitigating factors that would have limited the impact of this flaw had it been exploited at scale."
Still, I think this reward was drastically underpriced. The point of bug bounties is to convince people who discover exploits to sell them to Coinbase instead of to someone else — but that only works if Coinbase is paying a rate comparable to what the market would have paid. Underpaying people who responsibly disclose vulnerabilities is just leaving your security up to the charity of others.
Pay the man for his work, Coinbase. You can afford it.
The blockchain never forgets
In 2016 around 14% of all Ether was invested in one of the first DAOs (known, unhelpfully, as The DAO). Later that year The DAO was hacked and drained of all funds, kicking off a sequence of events that ultimately ended in Ethereum forking into Ethereum (ETH) and Ethereum Classic (ETC). The full story is interesting and controversial, and if you are interested I recommend checking out my 2-part history of the ICO, a brief history of greed and excess. The hacker responsible for the attack was never found.
On Tuesday morning cryptocurrency journalist Laura Shin announced that she had uncovered evidence of the identity of the 2016 DAO hacker.[2] The hacker had taken their stolen currency and sold it for Bitcoin, which they then obscured by mixing the coins using a tool called Wasabi wallet. At the time that tactic was enough to shut investigators down — but eventually a company named Chainalysis developed a technique to 'unmix' Wasabi transactions. They were able to follow the trail of Bitcoin through the mixer and on to the exchanges where the hacker eventually sold them.
It is still fairly common for people to suggest that Bitcoin is only good for crime, but actually in practice Bitcoin is terrible for crime. The same kind of blockchain analysis is what eventually took down the rapper/hacker duo responsible for the 2019 Bitfinex hack. Leaving evidence of a crime on a blockchain is like leaving DNA evidence at a crime scene — investigators might not understand it at first but once they do it is irrefutable proof of your guilt. The blockchain never forgets.
Podcast: Bitcoin, NFTs and good money
I joined Jake and Arun of the Techonomics podcast for a wide-ranging and very entertaining conversation about cryptocurrency, NFTs, ethics and political theory. Check it out if you are into podcasts or just curious what my voice sounds like. Also make sure you check out the first season of Techonomics! Lots of great content.
Other things happening right now:
A detailed implementation of a proposed new Bitcoin privacy/scaling technology known as CoinPool has just been released. CoinPool is similar to the payment channels of the Lightning Network but allows for many-to-many connections instead of only connecting two users at a time. The implementation relies on new OP codes that are not yet implemented in Bitcoin and would require a soft-fork to add, so the practical impact of CoinPool is still years away — but now we know specifically how we could build CoinPool and what we would need to do it. Useful progress.
A very sophisticated attack on OpenSea users unfolded this week in which the attacker tricked victims into signing an open-ended transaction that allowed the hacker to take every NFT the victim owned (details here). This was a phishing attack that tricked users, not an OpenSea exploit — but everyone is still cross with OpenSea about the old listings incident, so most people just blamed them anyway. The attacker was able to steal ~$1.7M worth of NFTs from ~17 users.[3] They were also pretty quickly identified. Blockchains are terrible for crime!
We talked back in December of 2021 about Melania Trump’s NFT collection. If you were wondering who would bother to buy an official Melania Trump NFT, the answer appears to be Melania Trump. Personally, I would be embarrassed if I had just been caught faking wash-sales of my own art. Melania on the other hand launched another NFT collection the next day. Good for her! Grift like no one is watching.
Presented without comment:
[1] On an unrelated but still amusing note, here is Coinbase CEO Brian Armstrong doing a victory lap about how 'no ad agency would have done this ad', and here is the CEO of an ad agency they worked with reminding him that an ad agency actually did:
[2] I am going to hold off on actually naming her suspect here for now, although it is relatively easy to find them. The DAO hacker has many enemies and a great deal of wealth — accusing anyone of being that person is putting them in a great deal of danger whether or not it is true. I think it is better to share knowledge of a crime discreetly with law enforcement than to release a book about it.
[3] One of the 17 affected users was an OpenSea engineer, which has to have been pretty embarrassing in the breakroom the next day.