[HN Gopher] $625M worth of ETH drained on Axie Infinity's Ronin ...
___________________________________________________________________
$625M worth of ETH drained on Axie Infinity's Ronin Network
Author : colesantiago
Score : 428 points
Date : 2022-03-29 16:05 UTC (6 hours ago)
(HTM) web link (roninblockchain.substack.com)
(TXT) w3m dump (roninblockchain.substack.com)
| atty wrote:
| > make sure all funds are recovered or reimbursed
|
| Does anyone know if they have the liquidity to actually reimburse
| over half a billion?
| newuser33441890 wrote:
| rvz wrote:
| So close to April (greater) fools day. Who on earth is going to
| fill that $600M black hole? (No one.)
|
| Or is someone going to reverse the Ethereum blockchain this time?
| (No one. Not even Vitalik this time.)
|
| So I don't think there is anything going to save them from this
| hack.
| kache_ wrote:
| Working as intended! God I love crypto, it's the fuckin wild west
| out there
|
| If you don't want the government in your business, you're going
| to have to dispense with all the advantages that big daddy
| affords you
| mistrial9 wrote:
| yes, a deal between the parties, with all the risk and reward
| that goes with it.. really eye-opening to see all the comments
| wishing for an all-powerful referee to check every outcome and
| action in private affairs
| JumpCrisscross wrote:
| > _eye-opening to see all the comments wishing for an all-
| powerful referee to check every outcome and action in private
| affairs_
|
| News flash: this is a part of why we have banking and
| securities regulations. Because when the people clamouring
| for an out lose money, 90% of them turn it into everyone
| else's problem. (This is true in traditional finance. It's
| true in crypto. It's true when the three-year old screams
| about not being allowed the hot sauce and then screams when
| they taste it.)
|
| $625mm from Axie Infinity is tolerable to the system. But
| when Tether busts, do you really think it won't become our
| elected governments' problem?
| mistrial9 wrote:
| I have St Louis Federal Reserve reports right here on my
| desk showing the ballooning USD money supply. "News Flash"
| means the person you are talking at, has never heard of
| this.. so News Flash elsewhere
|
| This article has nothing to do with "Tether" .. a soapbox
| somewhere is lonely
| kache_ wrote:
| I'm actually not wishing for a powerful referee - I'm _happy_
| this hack happened. It means that cryptocurrency as an
| experiment succeeded in completely removing centralized
| control, and we're now closer to my libertarian utopia
| enabled through technology
| AlexandrB wrote:
| Well, at least this is ideologically consistent. However my
| guess is crypto will eventually end up with the worst of
| both worlds: the technological inefficiency of a
| decentralized blockchain and the bureaucratic inefficiency
| of regulation. People don't like having half a billion
| stolen on the regular and will want someone to "do
| something".
| jazzyjackson wrote:
| it's true, I would choose modern civilization over the wild
| west
| outside1234 wrote:
| Including actually having the money in your wallet!
| kache_ wrote:
| not your keys, not your crypto :) your crypto won't get
| stolen if you have good opsec
| MrMan wrote:
| ha ha opsec sounds so cool
|
| but it's actually the opposite of civilization lol not your
| kek not your jejeje
| kache_ wrote:
| Usually I'm on /g/ threads pretending to be hacker news,
| but this time the script got flipped :D
| yunohn wrote:
| Well, in this particular case, the keys got stolen. Which
| is a massive crypto UX issue.
| imtringued wrote:
| If it's a UX issue then are you implying that wallets
| should have certain security levels that limit their
| maximum account balance? I mean mandatory multi sig for
| anything above $1 million.
|
| Because I don't see how else you are going to solve this
| problem other than by refusing to accept that much money.
| acdha wrote:
| There are other options too but, yes, if you want normal
| people to use cryptocurrency it needs to be as safe as
| the traditional banking system. Large transactions at a
| bank will get multiple identity verifications, time
| delays, trusted third parties handling multistage
| transactions where physical goods change hands or
| independent processes complete, etc. need to be tested
| and on by default because many people won't think about
| it until it's too late, as evidenced by all of the
| inadvertent 100M USD bug bounties by cryptocurrency
| companies.
| ceva wrote:
| Nothing new .. more pls
| mdoms wrote:
| > We are working with law enforcement officials, forensic
| cryptographers, and our investors to make sure all funds are
| recovered or reimbursed. All of the AXS, RON, and SLP on Ronin
| are safe right now.
|
| In which crypto bros once again discover that centralised
| authorities are not entirely redundant.
| 3np wrote:
| > The validator key scheme is set up to be decentralized so that
| it limits an attack vector such as this
|
| Even now, when it's obvious to everyone that only two parties
| needed to be compromised for this to happen (4/5 compromised
| nodes were effectively under one party it seems), they keep
| calling it "decentralized". Apart from the lack of gifs, memes
| and emojis in the post, I have a hard time coming up with a worse
| response.
| almalkemqq wrote:
| intrasight wrote:
| It's all "decentralized" except where it counts.
| outsb wrote:
| Over half a billion in assets and..
|
| > We discovered the attack this morning after a report from a
| user
|
| Fuck me.
| Barrin92 wrote:
| is there no point at which these companies become subject to
| securities or financial laws? How on earth can a random game
| studio just casually hold half a billion dollars worth of
| assets apparently without any idea what to do with it?
| tornato7 wrote:
| Many crypto companies are subject to RIA compliance laws or
| are considered "qualified custodians"
| [deleted]
| zaroth wrote:
| Seriously. That was really really hard to read.
|
| So basically $600mm in a hot wallet and no one even watching
| it. Just wow.
|
| They didn't even hack the smart contract, they just compromised
| 4 systems holding the private keys, and there was an RPC
| signing function giving free access to the 5th. Good god.
| matt_s wrote:
| Sounds like if they had a checking account with their bank
| credentials stored in ENV variables and someone got access to
| that server it would be the same outcome.
|
| The details of it being on a crypto-currency are interesting
| but when password/passphrase/private key security is poor it
| doesn't really matter the medium holding the money.
| openasocket wrote:
| Aren't there methods of rolling back transactions in the
| traditional banking system though? And additional
| validations on larger volume transactions?
| mplewis wrote:
| That's right. None of these protections exist in their
| sidechain.
| mrits wrote:
| It would be a much different outcome that would probably lead
| to recovering the money.
| gamblor956 wrote:
| Transferring $650 million out of a corporate bank account
| would usually require in-person approval by a C-level
| officer, or at the very least, prior notice to the bank of
| the transaction.
| mtoner23 wrote:
| Yeah, banks don't let you move this money without multiple
| levels of identity verification by both parties.
| arthurcolle wrote:
| Not always true:
| https://www.vice.com/en/article/ne8p9b/offshore-bank-
| targete...
| oefrha wrote:
| No, $625M transfer out of a single bank account would raise
| tons of eyebrows. No way it's authorized by some env vars.
| matt_s wrote:
| If the hackers are sophisticated, I would think they
| would start wiring in much smaller amounts and thru
| accounts so tracing is harder. Much like what they are
| going to have to do with the funds in that wallet.
|
| If they set up some plausible 3rd party company the game
| studio could use and started transfers of $10k a pop it
| might be some time before anyone catches it.
| manquer wrote:
| That is slow. Anything over 10,000 in bank transfers will be
| reviewed, and there will be a dedicated account manager
| for a 600m account.
|
| They are going to review and flag it. You might lose a few
| hundred thousand but not all 625m.
| no-dr-onboard wrote:
| Maybe, but 30d ago it would have been "No way someone
| would store $625M USD in a game dev bank account".
| henriquecm8 wrote:
| > they just compromised 4 systems holding the private keys,
| and there was an RPC signing function giving free access to
| the 5th.
|
| This seems like the plot of a 90's hacker movie.
| [deleted]
| bayesianbot wrote:
| Which was 6 days after the original transfers. Unbelievable.
| jandrese wrote:
| Wait, no, it's totally believable because this is the same
| story that happens over and over again with blockchains. It
| turns out that all of those pain in the ass compliance laws
| on traditional finance are there for a reason, and when you
| ignore the past you end up repeating it.
| tornato7 wrote:
| Most hacks are discovered within minutes or hours, not
| having the systems in place to know within seconds if your
| wallet is being drained is unbelievably bad for someone
| custodying half a billion.
| acdha wrote:
| > Most hacks are discovered within minutes or hours
|
| Really? The figures I've seen have typically put it in
| days to weeks unless you're talking only about the most
| obvious things like DoS attacks or defacing someone's
| homepage.
| RL_Quine wrote:
| No monitoring whatsoever over $600M of funds stored in your
| system is crazy negligent.
| UncleMeat wrote:
| It isn't like monitoring would have done anything. Once the
| transaction goes out it is gone. The core problem here is the
| massive private-key bounty being created by a ton of
| organizations that don't have world-class security teams.
| parkingrift wrote:
| True, but you would think they'd notice $650,000,000
| missing before a user reported an issue withdrawing $5,000
| (edit - 5k ETH). It's honestly so impossible to believe
| that I'd wager the real story is they knew and were
| actively trying to recover the funds.
| zkldi wrote:
| just a poke: it was 5K Eth ($16,924,050), not 5K USD, but
| i agree with your wager.
| parkingrift wrote:
| Ah right you are. Misread the article.
| mrep wrote:
| God damn, 17 million stolen forever from 1 person and
| there is nothing they can do about it.
| cowvin wrote:
| Even more shocking, is why someone would hand 17 million
| dollars worth of assets to a random company that has no
| security apparently.
| weare138 wrote:
| But the attacker used 2 transactions. The first one should
| have been flagged immediately. Plus the servers themselves
| were compromised. Four of them. The attacker was able to
| take control of 4 different servers without even being
| noticed. This is just one massive secops fail.
| hotpotamus wrote:
| Yeah, I'm just picturing a Grafana chart going from $625M
| to $0. And then admins sitting around like, OK, now what?
| tomatowurst wrote:
| Or malicious...similar to the DAO hack from 2017 suspected of
| being an inside job (with evidence pointing to the insider
| who lawyered up to refute it with _code-is-law_ argument),
| somebody was accountable for security and they deemed it not
| worth it to secure it.
|
| Axie Infinity was already struggling, and this happens a day
| or two away from scheduled distribution of rewards & update
| release.
|
| _Cui bono_? Who could've known they were carrying funds in
| a hot wallet other than the people directly involved with the
| project? Unless there was a way to discover this from the
| outside?
|
| Somebody at Axie Infinity could have been asking whether they
| want to get paid 0.025% of that hot wallet yearly or have it
| all up front, _today_. After all it isn't cash sitting at a
| bank they have to rob.
| jazzyjackson wrote:
| Agreed, the system was designed to say "oops, we lost all
| of your money, how could this have happened"
| [deleted]
| ozten wrote:
| "We are working with law enforcement officials..."
|
| If the promise of ETH contracts is that code is law and to
| eliminate needing trust, then how and why would law enforcement
| get involved?
|
| Did the attackers break down the door and steal the money? Or did
| they provide a widget that met the contract and which just
| happened to have the unfortunate side-effect of siphoning off
| tokens, a bug which will be fixed in the next revision of the
| contract...
|
| I 100% agree this behavior is immoral, but as web3 coders become
| essentially lawyers, is it illegal? The further we go from fiat
| currency, are we burdening a specific country's tax-funded
| investigation and enforcement?
|
| Fascinating stuff!
| renewiltord wrote:
| It's in the article. Keys were stolen.
| ozten wrote:
| Thank you, I missed that detail. I do think the larger
| question of DAOs replacing trust with code/law is worth
| further discussion.
| tcgv wrote:
| After following the DeFi space for over a year now I've
| come to the conclusion that "code is law" is a fallacy. If
| you come to the possession of funds that were not intended
| to be in your possession by exploiting bugs or
| vulnerabilities, and other parties are significantly harmed
| in this process, then you will be in a position to face
| criminal charges... Well that is unless one can maintain
| anonymity indefinitely. Once anonymity is lost law
| enforcement may come for you.
|
| The best thing you can do (and the moral thing to do) is to
| submit for a bug bounty in case you find a critical bug in
| a blockchain/protocol.
| jazzyjackson wrote:
| Funny that it's kind of the same paradox as robbing a
| bank the old fashioned way. Congrats, you have millions
| of dollars of cash, good luck spending it without anyone
| asking "hey where'd you get all this money" / bragging to
| a friend
| paulpauper wrote:
| the odds are not good for recovering the $. of all the dozens of
| hacks, there have been no arrests (except a kid in Canada) and
| no $ recovered.
| bigmattystyles wrote:
| I recently stumbled on this and it illustrates the situation
| perfectly. https://www.youtube.com/watch?v=DrbDWq64BNg
| manquer wrote:
| Under the code is law philosophy, if there was a bug in the
| contract someone exploited that should be fair play.
|
| However hacking into your systems and stealing your keys is
| still theft. Same as using a $5 wrench to get your private key.
| cechmaster wrote:
| People pay a lot of taxes for their crypto trades.
| dave84 wrote:
| I'm so far outside the cryptocurrency scene that this reads like
| science fiction to me.
| red_admiral wrote:
| Echoes of Mt Gox: when something meant to be a much smaller
| operation (such as a place to trade Magic:The Gathering cards)
| suddenly finds itself playing a much bigger game.
|
| It's like you agreed to temporarily store the Fort Knox gold
| reserves in your spare room, but still have the same ordinary
| lock on the front door.
| mhitza wrote:
| > Fort Knox gold reserves in your spare room
|
| What do you mean a wooden safe isn't good enough?!
|
| Joke aside. This is the reality we live in. Almost makes heist
| movies pale in comparison. The failed Die Hard heist was
| planned in order to steal $640M.
|
| I wonder how long until Hollywood will start making movies
| about these hacks.
| babyshake wrote:
| > I wonder how long until Hollywood will start making movies
| about these hacks.
|
| I'm guessing they would portray it as being in the
| "metaverse" so they get to actually show a physical heist
| happening. And yes, of course that's not even remotely how
| any of this works but that's never stopped Hollywood before.
| rchaud wrote:
| There is a whole genre of teen thriller movies that play out
| entirely in the medium of messages sent back and forth on
| phone screens. It's exactly as exciting as you can imagine.
| imtringued wrote:
| Probably about as exciting as stacking icons on ingame
| maps.
|
| https://youtu.be/W12zKDvHsQI
| rchaud wrote:
| There is a whole genre of teen thriller movies that play out
| entirely in the medium of messages sent back and forth on
| phone screens. It's exactly as exciting as it sounds.
| bombcar wrote:
| These hacks are _boring_, it's just code - the closest to
| making code look cool was perhaps the Matrix.
|
| Oceans 11 is interesting because what they're doing is
| explainable and interesting, running various commands in a
| console window isn't.
| sincerely wrote:
| Mt Gox was a place to buy MTGO cards, but had been closed for
| years before the owner reused the domain name to host the
| bitcoin exchange.
| ericjang wrote:
| Supposing the hacker gets away with stealing such large
| quantities of stolen ETH without getting caught and their ETH is
| now sitting in a brand new wallet that everyone knows about. Is
| the next move to convert it into a privacy-preserving coin like
| Monero, then back to "clean" ETH?
|
| source: https://ethereum.stackexchange.com/questions/2699/is-
| there-a...
| kache_ wrote:
| Or you just keep it in monero indefinitely :)
| arthurcolle wrote:
| tornado.cash
| anchpop wrote:
| what kind of volume does tornado.cash process? If it normally
| processes e.g. $1M/day, it'd take a while to use it as a
| mixer right?
| colinmhayes wrote:
| What's the rush?
| xur17 wrote:
| > Is the next move to convert it into a privacy-preserving coin
| like Monero, then back to "clean" ETH?
|
| I'm not sure there is enough liquidity in the Monero / ETH
| trading pairs to do something like that without being really
| obvious.
| newuser33441890 wrote:
| lordnacho wrote:
| So how did they get the private keys? Wouldn't you make some sort
| of airgap system if you were securing most of a billion bucks?
| sonnyblarney wrote:
| nipponese wrote:
| Is this attack still happening?? atm, I see a pending incoming
| transaction to the attacker's address.
|
| https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...
| qeternity wrote:
| > incoming transaction
|
| You answered your own question
| lykahb wrote:
| Aaand it's gone.
| danso wrote:
| I'm not well read up on how sidechains work, but they're
| effectively as public and transparent as the main blockchains
| themselves, right? So anyone, particularly Axie themselves,
| could/should have a live dashboard reporting out their holdings.
| And the fact that it took 6 days for this to be noticed (and even
| then, only by accident) means they didn't bother having this
| metric be readily visible?
|
| (nevermind not having triggers to go off when a lot of funds are
| suddenly withdrawn for any reason)
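
The kind of trigger the comment above describes, as an added example (not part of the thread and not Sky Mavis's code): a monitor over bridge withdrawal events that alerts on a single large withdrawal or on heavy outflow inside a rolling window. The event fields, thresholds and sample values are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List


@dataclass(frozen=True)
class Withdrawal:
    ts: int        # unix seconds of the withdrawal event
    tx: str        # constructed transaction label
    amount: float  # asset units leaving the bridge


@dataclass(frozen=True)
class Alert:
    ts: int
    tx: str
    rule: str      # "single" or "window"
    detail: str


class OutflowMonitor:
    """Tracks the bridge balance and flags abnormal outflow.

    single_frac: alert when one withdrawal takes at least this fraction
                 of the balance held just before it.
    window_frac: alert when withdrawals inside the rolling window add up
                 to at least this fraction of the balance held when the
                 window started (catches many small transfers).
    """

    def __init__(self, balance: float, single_frac: float = 0.05,
                 window_frac: float = 0.10, window_s: int = 3600):
        self.balance = balance
        self.single_frac = single_frac
        self.window_frac = window_frac
        self.window_s = window_s
        self.window: Deque[Withdrawal] = deque()

    def observe(self, w: Withdrawal) -> List[Alert]:
        alerts: List[Alert] = []
        before = self.balance

        # Rule 1: one withdrawal is a large share of current holdings.
        if before > 0 and w.amount >= self.single_frac * before:
            alerts.append(Alert(w.ts, w.tx, "single",
                                f"{w.amount} of {before} in one withdrawal"))

        # Drop events that have aged out of the rolling window.
        while self.window and self.window[0].ts <= w.ts - self.window_s:
            self.window.popleft()
        earlier_out = sum(e.amount for e in self.window)
        self.window.append(w)

        # Rule 2: cumulative outflow relative to the balance at window start.
        window_out = earlier_out + w.amount
        window_base = before + earlier_out
        if window_base > 0 and window_out >= self.window_frac * window_base:
            alerts.append(Alert(w.ts, w.tx, "window",
                                f"{window_out} of {window_base} within "
                                f"{self.window_s}s"))

        self.balance = before - w.amount
        return alerts


def run(events: Iterable[Withdrawal], balance: float) -> List[Alert]:
    """Feed events in timestamp order and collect every alert raised."""
    monitor = OutflowMonitor(balance)
    alerts: List[Alert] = []
    for event in sorted(events, key=lambda e: e.ts):
        alerts.extend(monitor.observe(event))
    return alerts


# Constructed sample: routine withdrawals, then two large ones a minute apart.
SAMPLE = [
    Withdrawal(1000, "tx-a", 2.0),
    Withdrawal(1600, "tx-b", 5.0),
    Withdrawal(9000, "tx-c", 1.5),
    Withdrawal(9060, "tx-d", 600.0),
    Withdrawal(9120, "tx-e", 350.0),
]

# Constructed sample: small withdrawals that stay under the single-event rule.
DRIP = [Withdrawal(100 * i, f"drip-{i}", 30.0) for i in range(1, 5)]

if __name__ == "__main__":
    for alert in run(SAMPLE, balance=1000.0) + run(DRIP, balance=1000.0):
        print(alert.ts, alert.tx, alert.rule, alert.detail)
```
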
| gen220 wrote:
| Question for the legal-minded folk here. Is this "theft" illegal
| in the criminal sense?
|
| It's exploiting an unintended hole in software, but it's
| technically following the smart contract faithfully, albeit
| against the better intentions of its author(s).
|
| Has a smart contract case like this been litigated before?
|
| It brings to mind comparable things that have happened in the
| financial services world, where one party insists on following a
| poorly-composed contract to the letter, to the detriment of their
| counter-party. Their actions were deemed unethical, but not
| criminally illegal.
| Miner49er wrote:
| This isn't a case where there was a flaw in a smart contract.
| This is a case where they straight up hacked servers and stole
| keys from them.
| babyshake wrote:
| Even exploiting a flaw in a smart contract is theft as long
| as it is clearly an exploit.
| Miner49er wrote:
| As far as I know, this hasn't been tested in court. Even if
| true, this goes completely against the idea of "the code is
| law."
| somebodythere wrote:
| It probably depends on the jurisdiction, and if they
| interpret the smart contract as a computer program, and
| have hacking laws they can apply, or as an actual
| autonomous contract that is legally valid. Both seem like
| plausible interpretations, but I think the former is more
| natural/likely for the typical judge.
| leifg wrote:
| If code is law this is perfectly legal.
|
| I suppose in the real world intent would matter a lot.
|
| That is exactly the reason why "code is law" is such an absurd
| concept. A piece of code alone will never be able to tell you
| what its initial intention was.
| chockchocschoir wrote:
| One could make the same argument of any computer system where
| the security wasn't as tight as one could hope.
|
| "But judge, they never patched their $software to the latest
| version, so technically the software allowed me to dump the
| contents of the IMAP server"
|
| Intents matter. If you commit a crime ("Stealing" is a crime),
| it doesn't matter if you did so via software, contracts, smart
| contracts, blockchain or else. A crime is a crime is a crime.
| paulpauper wrote:
| intent means a lot. the intent is clear: to deprive ownership
| of something.
| acdha wrote:
| Real world analogues can be useful for thinking about these
| situations: would the mob be able to steal your money and avoid
| charges because they got five of their guys hired by your bank
| to approve the deal? (Or redirected a phone line, faked
| letters, etc.?)
|
| The answer is no because there's a clear victim, and this
| wasn't taking advantage of a mistake like e.g. a casino game
| which didn't have the right formula but rather clearly
| subverting the safeguards built into the system. In the real
| world, no judge is going to look at that and say "well, that's
| what the code did. Nothing we can do about it even though
| everyone knows it's theft!" and a jury isn't going to believe
| you "accidentally" broke separate safeguards on multiple
| systems.
|
| That's just the basic stuff which would have been true a
| century ago. In this case you'd also want to think about the
| relevant laws wherever they are based -- for example, the U.S.
| CFAA bans use of a computer contrary to how the owner intends
| you to use it. Even if this wasn't so clear cut, I'd expect
| them to successfully argue that knowingly subverting an oracle
| would meet that threshold since you clearly knew how the system
| was intended to work.
| rafale wrote:
| In traditional courts? Yep, it's a crime because there is clear
| damage being done to the victims. As simple as that.
| shock-value wrote:
| I'm not a lawyer. It appears that part of this heist involved
| hacked keys. That aspect would be straightforwardly illegal I
| would imagine.
| phphphphp wrote:
| this wasn't a smart contract exploit, it was a stolen keys
| exploit. Very different, flat out theft rather than exploiting
| "code is law" (and almost certainly an inside job).
| manquer wrote:
| Legally CFAA criminalizes unauthorised access of systems _even
| if they were available and unauthenticated_.
|
| If you are not supposed to have access and you accessed it, it is a
| crime. This is why whitehat work is also dangerous legally
| unless you have been invited in.
|
| Here obviously the attackers accessed a private environment and
| stole the keys so yes it is a crime
| elif wrote:
| The attacker gained control of 5 validator nodes. This is as
| clearcut as hacking and theft charges can get.
| Jabbles wrote:
| I don't believe this has been tested in the courts.
|
| But I don't see much difficulty in convincing a court that this
| fits the definition of theft in some jurisdictions.
|
| In the UK: "Theft is defined by section 1 of the 1968 Act as
| dishonestly appropriating property belonging to another with
| the intention of permanently depriving the other of it."
|
| A brief explanation of each of those terms is given, and I
| don't see any particular problems related to this being
| cryptocurrency. The point that "smart contracts allow what the
| code says and nothing else matters" does not fit with the
| dishonesty interpretation that "The owner would agree to their
| taking it if they knew about it".
|
| https://www.cps.gov.uk/legal-guidance/theft-act-offences
| hinkley wrote:
| Something tells me that if indeed cryptocurrency sticks around
| it's going to sprout rules and regulations that are a mix of
| banking and securities regulations, and that will suck most of
| the "fun" out of it.
|
| We pause the stock market on a 5% drop and stop it on 10%.
| Moving that much crypto in a day is probably never on purpose.
|
| Though in a distributed consensus system I don't know how you'd
| enforce such a thing.
| babyshake wrote:
| > We pause the stock market on a 5% drop and stop it on 10%.
|
| Crypto: Hold my cascading liquidity.
| munificent wrote:
| Anyone who knows anything about human systems knows that that's
| the end point: We'll be right back to banking as it is today,
| except with less efficiency and a ton of wasted time and
| technology that could have been spent making the current
| systems better.
| babyshake wrote:
| There's an analogy to be made with the internet and WWW. In
| some ways everything did revert from the early wild west days
| of the web to a small number of curated and censored walled
| gardens (Facebook, etc.) but it's not accurate at all to say
| that things reverted to a pre-internet status quo.
| [deleted]
| rafale wrote:
| If I were the hacker, I would be waiting for an offer to return
| the money. Which Sky Mavis haven't done. I think 1% is
| reasonable.
| manquer wrote:
| Why won't they directly ask themselves? All these ransomware
| hackers do.
| Stevvo wrote:
| A 51% attack on a blockchain with a grand total of 9 nodes... why
| would people trust such an obviously insecure chain with such
| large value?
| peterweyand0 wrote:
| So, if someone could explain this to me, I don't understand all
| the particulars.
|
| From the article -
|
| The attacker used hacked private keys in order to forge fake
| withdrawals.
|
| The validator key scheme is set up to be decentralized so that it
| limits an attack vector, similar to this one, but the attacker
| found a backdoor through our gas-free RPC node, which they abused
| to get the signature for the Axie DAO validator.
|
| Can someone explain what happened here? How were they storing the
| keys in such a way that they were accessible from the internet?
| Namely, is this a problem with how crypto is designed itself, did
| they mishandle their architecture (so presumably if they
| organized their containers in another way then a hacker wouldn't
| have access), or did they just put the keys in a file that said
| KEYS.pem with open access?
|
| Does this have implications for blockchain as a whole or was this
| company just dumb? Ideally, you shouldn't hold 650 million in one
| wallet, but if the promise of crypto is supposed to be secure
| then it shouldn't matter.
|
| PS:
|
| If anyone would loan me 650 million dollars I promise not to lose
| it and would take only a small percentage of the total to pay
| rent and continue to exist.
| Sargos wrote:
| >Does this have implications for blockchain as a whole or was
| this company just dumb?
|
| They were just dumb. The Ronin bridge where this money was
| stolen from wasn't decentralized at all and wouldn't even be
| recognized as a blockchain by even a moderately experienced user.
| It was just a 5 of 9 multi-sig where the security was very poor
| and susceptible to social engineering. This was akin to a
| company keeping 100 gold bars in the closet by the bathroom and
| doesn't say anything about technology or things like DeFi or
| smart contracts.
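
An added example (not part of the thread, not the project's code) for the point made above and in the earlier comment about "4/5 compromised nodes" being under one party: an audit that computes how many distinct parties must be compromised before a k-of-n validator set can be made to sign. The validator layouts, party names and the `delegates` field are constructed assumptions, not a reconstruction of Ronin's deployment.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str                             # party that holds the signing key
    delegates: FrozenSet[str] = frozenset()   # other parties able to obtain its signature

    def reachable_by(self) -> FrozenSet[str]:
        """Every party whose compromise yields this validator's signature."""
        return self.delegates | {self.operator}


def signatures_obtainable(validators: List[Validator],
                          compromised: FrozenSet[str]) -> int:
    """Count validators whose signature a set of compromised parties can get."""
    return sum(1 for v in validators if v.reachable_by() & compromised)


def min_parties_to_reach(validators: List[Validator],
                         threshold: int) -> Optional[Tuple[str, ...]]:
    """Smallest set of parties that reaches the signing threshold.

    Exhaustive search by increasing set size; fine for validator sets of
    this scale. Returns None when the threshold cannot be reached at all.
    """
    parties = sorted({p for v in validators for p in v.reachable_by()})
    for size in range(1, len(parties) + 1):
        for combo in combinations(parties, size):
            if signatures_obtainable(validators, frozenset(combo)) >= threshold:
                return combo
    return None


def independent() -> List[Validator]:
    """Nominal design: nine keys, nine unrelated operators."""
    return [Validator(f"v{i}", f"op{i}") for i in range(1, 10)]


def concentrated() -> List[Validator]:
    """Four of the nine keys sit with one operator (constructed layout)."""
    shared = [Validator(f"v{i}", "op-A") for i in range(1, 5)]
    others = [Validator(f"v{i}", f"op-{c}")
              for i, c in zip(range(5, 10), "BCDEF")]
    return shared + others


def concentrated_with_delegation() -> List[Validator]:
    """Same layout, plus a signing path from op-A's systems to a fifth key."""
    layout = concentrated()
    layout[4] = Validator("v5", "op-B", frozenset({"op-A"}))
    return layout


if __name__ == "__main__":
    for label, layout in [("independent", independent()),
                          ("concentrated", concentrated()),
                          ("with delegation", concentrated_with_delegation())]:
        needed = min_parties_to_reach(layout, threshold=5)
        print(f"{label}: 5-of-9 falls to {len(needed)} parties {needed}")
```

The nominal threshold only equals the number of parties an attacker must breach when every key, and every path to a signature, belongs to a separate administrative domain.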
| paxys wrote:
| > How were they storing the keys in such a way that they were
| accessible from the internet
|
| It's almost always either phishing or insider help.
| modeless wrote:
| And they didn't notice for 6 days!
| [deleted]
| JaimeThompson wrote:
| If only they had used a Web3 based solution this wouldn't have
| happened.
| mdanger007 wrote:
| "Maybe We Were Wrong About Be Wrong About Web3"
| Dig1t wrote:
| So they now have this giant sum of money sitting in their wallet
|
| https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...
|
| what do they do next? How do criminals even use this money to do
| anything?
| rafale wrote:
| They could use it to pump the price on Uniswap of a low cap
| ERC20 crypto that they own a lot of. That's the safest way to
| launder that money imo.
| quantified wrote:
| It's not money, it's ether.
| leifg wrote:
| I had multiple arguments around situations like this.
|
| There are essentially two camps. The one side says:
|
| - You can sell for cash, use mixers, NFT sales,
| $other_sophisticated_technology and get away with it
|
| The other side argues:
|
| - You won't be able to ever cash out this sum and law
| enforcement will use sophisticated data mining on the
| blockchain and will eventually bust you
|
| I think in reality it is like any illicit asset worth $650 Mio.
| It's gonna be extremely hard to launder but not impossible.
| manquer wrote:
| The $5b bitcoin recovery recently had the same problem.
|
| Even if you converted 650m to cash it will be hard to move
| that around as well. At large numbers it is easy to flag for
| LEO in the economy crypto or traditional.
|
| This kind of theft requires a mindshift change to be really
| successful, instead of thinking as 650m the hacker should
| think as few hundred thousands in annual income forever.
|
| The amount you can safely move will increase as the market
| volume increases.
| colinmhayes wrote:
| Others have talked about how you can use DeFi swappers, which
| absolutely will allow the hacker to convert a couple million
| per year into clean crypto if done meticulously, but the big
| problem is that they can't explain where the crypto came from.
| I don't think that's a death sentence, as you can still pay
| taxes and what not even if you can't explain where the coins
| came from, but if law enforcement catches onto you you'll have
| a problem. This is where NFTs come in. Since they're non
| fungible it's easy enough to buy a bunch for $1,000 and sell
| them to yourself for $100,000. This has the added bonus of
| pumping the artist you've invested in, so you'll be making
| money off the NFTs you legitimately sell on the market too.
| manquer wrote:
| Traditionally real world art market was a vehicle for illicit
| wealth transfer too. A good chunk of the art today is valued
| so high because of the illegal money that supports it.
| lalaland1125 wrote:
| Generally, they can wash the currency, either through mixers or
| by routing through a privacy focused coin like Monero.
|
| Properly done, there is no direct connection between the new
| washed currency and the stolen assets.
| zaroth wrote:
| They could just burn it - it makes everyone else's ETH more
| valuable.
|
| Or move it through decentralized tumblers. Which is why more
| and more these tokens are becoming non-fungible as addresses
| are blacklisted.
|
| Non-fungible is another way of saying centralized, by the way.
| The whole system is a house of cards. The final straw will be
| when quantum blows it wide open.
| jonathan-adly wrote:
| https://tornado.cash/
|
| Probably can get $3-5m or so a year slowly. (which would take
| ~25 years or so).
| jandrese wrote:
| Which is what that horrible cringe rapper lady was doing when
| she and her boyfriend were busted.
| jonathan-adly wrote:
| No - they had Bitcoin, completely different beast. (due to
| lack of smart contracts, Bitcoin is a lot
| simpler/transparent/harder to hide stuff there).
| ndury wrote:
| > harder to hide stuff there.
|
| AFAIK, there are coinjoin implementations which cannot be
| traced to date.
|
| Do note that exchanges are not too keen on accepting
| coinjoined bitcoin.
| jandrese wrote:
| She was converting her Bitcoin into Monero first before
| laundering it. The weak point is converting the resulting
| crypto coins into fiat money.
| adamhp wrote:
| Transfer to a bunch of USDC?
| https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...
| adtac wrote:
| This probably sounds like an insanely dumb idea to crypto people,
| but is it absolutely infeasible to reverse transactions when
| there's consensus that it's a hack? The TX fees need not be
| reversed (consider it to be a small price to pay for being
| hacked).
|
| A little bit of centralisation could make the whole network
| safer. Who is that centralised authority to decide what's a hack,
| I hear you ask. I don't know, but the authority could be elected
| and impeachable to make it more democratic.
| paxys wrote:
| Well you can do _anything_ with the ledger if there's
| consensus. That's how the entire thing works. How are you going
| to convince >50% of the mining pool to agree though?
| qq66 wrote:
| Keep working at it and eventually you will rebuild "tradfi."
| RL_Quine wrote:
| What is your threshold? Who decided what is "not legitimate"
| activity? Clearly in this case the money was spent using the
| keys that were allocated to be able to control the money, what
| process overrides that?
| arcticbull wrote:
| I mean we have an answer to that, it's called the law, and
| it's worked since 1750BC. [edit] This guy, Hammurabi - king of
| the First Babylonian Dynasty - faced a similar quandary, so
| there's some prior art.
|
| Disputes under the law are resolved in court.
| xur17 wrote:
| Disputes can still be resolved like that in crypto, it's
| just up to the legal system to track down the key holders
| to revert the transaction. Essentially - solve it at the
| legal layer, don't complicate the protocol.
| quantified wrote:
| Courts and the legal system are centralized authority, not
| sure they are compatible with the crypto vision.
| [deleted]
| SketchySeaBeast wrote:
| Isn't that anathema to the new world order the crypto
| people are espousing?
| fossuser wrote:
| There are lots of us that recognize the new capability
| crypto provides (improved self-custody over assets,
| currency scarcity not controlled by governments) while
| also not claiming a new world order.
|
| Like most things it's not all or nothing and there are
| pros and cons.
| the_gastropod wrote:
| Hitting yourself in the head with a hammer might offer
| some benefits:
|
| - The cool metal might cool your head on a hot summer day
|
| - Might knock yourself unconscious to avoid boredom
| (could be real handy during long flights!)
|
| But these nice features are inseparable from the fact
| that you're hitting yourself in the head with a hammer,
| which has _many_ serious downsides, too.
|
| The "improved self-custody" crypto offers is one side of
| the ledger. The other side is: you lose regulatory
| protection, and can be swindled with virtually zero
| repercussions. Crypto's entire reason for existing is to
| circumvent government control--it's pretty "new world
| order" all the way to the core.
| fossuser wrote:
| This is a comparison dumb enough to basically be in bad
| faith.
|
| Ignoring that and focusing on the substance:
|
| > "The "improved self-custody" crypto offers is one side
| of the ledger. The other side is: you lose regulatory
| protection, and can be swindled with virtually zero
| repercussions."
|
| Yeah I don't disagree with this - the risks are real.
| Some of this can improve with better tools, but some is
| just higher risk that exists with self-custody. You don't
| need to move 100% of your wealth into crypto (and I'd
| argue you shouldn't in nearly all cases).
|
| Crypto provides a new capability to take control in a way
| that other options don't or don't support as well. There
| is value in this capability even though it has associated
| risks.
|
| > "Crypto's entire reason for existing is to circumvent
| government control--it's pretty "new world order" all the
| way to the core."
|
| Not all governments are good and even good governments
| can implement bad policy. Self-custody is a lever against
| the kind of top down CCP like control of entire economies
| and a totally controlled cashless future. It's also a
| hedge against stupid actions from your government (like
| what we're seeing in Russia currently).
|
| New world order suggests replacing the entirety of the
| existing thing. I'm not suggesting that, I'm focusing on
| the fact that it offers a new/improved capability that
| gives individuals more power. I think this is a good
| thing, but good/bad subjectivity aside it's just a true
| feature of crypto.
|
| https://www.lesswrong.com/posts/PeSzc9JTBxhaYRp9b/policy-
| deb...
| the_gastropod wrote:
| > Not all governments are good and even good governments
| can implement bad policy.
|
| Indeed! Many governments are truly awful. And it's a
| deeply complex problem to solve. The strategy of "screw
| it, let's just bypass the laws when I feel like it" is
| deeply troubling. And I think you needn't look further
| than the fact that so many despots have wholly embraced
| Bitcoin: Bukele, Putin, Kim Jong-un, Erdogan, Maduro,
| Assad, etc. Why do you suspect that is? Are they just
| clueless dummies who're getting fleeced by the Bitcoin
| pumper geniuses?
|
| The problems with corrupt governments is the lack of
| accountability via regulation and legal redress. The
| solution is _increasing_ accountability--often a
| difficult problem, no doubt. But advocating for crypto as
| the solution, is advocating for the harms done to people
| to be anonymized, and ultimately made unaccountable.
| That's a Very Bad Idea(tm).
| fossuser wrote:
| You're arguing a strawman.
| horsawlarway wrote:
| Generally yes.
|
| As someone who has actually purchased real goods with
| bitcoin (silkroad) and has dealt with the blowback of the
| MtGox scandal (still receiving court details to this
| day...)
|
| Those crypto people are snake oil salesmen. Full fucking
| stop. They aren't interested in making anything usable,
| they're interested in wild speculation, gambling, and
| outright scams.
| horsawlarway wrote:
| No one in crypto typically wants to acknowledge this, but
| this is the clear and robust answer.
|
| Your keys your coins is obviously a situation rife for
| unreconcilable fraud, and is not a functional solution for
| anyone who might - ya know, want to spend these things as a
| currency.
| xur17 wrote:
| I disagree. It's definitely a trade-off, and there are
| downsides to it (this security breach being a good
| example), but there are also advantages.
|
| With normal ACH and credit card transactions, the payment
| never really settles, and can be reverted due to fraud
| for months. That means I have to slurp up lots of data
| (privacy?) about my users in order to increase my
| confidence that they won't try to scam me. And even with
| that, I end up losing significant amounts of money due to
| payments with stolen card numbers, etc.
|
| With crypto, I know that any payment I receive is final,
| and I don't have to build privacy violating systems to
| avoid losing $$$.
|
| Not saying this is necessarily "better", but there are
| advantages to it. As a user, I'd be happy to pay with
| crypto if the merchant passed some of the savings on to
| me.
| horsawlarway wrote:
| What savings?
|
| The savings associated with transactions fees (reasonable
| for very large spends - utterly ridiculous for small
| amounts, even today after the major drops, at more than
| 1.7 USD/tx)?
|
| The savings associated with double spend fraud that
| occurs if you don't delay the transaction for 3 to 6
| blocks even though you say it's final (hint - that's not
| true, and waiting is a large downside for prompt
| processing at a point of sale)
|
| The savings associated with being literally dragged into
| court because it turns out that fraud is still a thing,
| and the legal system still matters, and despite you
| saying that the transaction has settled - the courts can
| and WILL disagree?
|
| I just don't see it. I see a very nice way to send money
| to folks who are working dark markets and understand
| escrow (which re-introduces the risk that your
| transaction isn't actually settled), and a really shitty
| transaction method for basically everything else.
| xur17 wrote:
| > The savings associated with transactions fees
| (reasonable for very large spends - utterly ridiculous
| for small amounts, even today after the major drops, at
| more than 1.7 USD/tx)?
|
| On mainnet ETH, sure, but that arguably shouldn't be used
| for small payments like you are discussing. There are
| second layer networks that can do this for pennies on the
| dollar and make a lot more sense.
|
| And arguably $1.7 USD / tx would compete quite well with
| credit card transactions. 0.17% vs credit card's 2-3%.
|
| > The savings associated with double spend fraud that
| occurs if you don't delay the transaction for 3 to 6
| blocks even though you say it's final (hint - that's not
| true, and waiting is a large downside for prompt
| processing at a point of sale)
|
| Again second layer networks, but even on ETH itself,
| you're talking 10 - 20 seconds for 1-2 blocks, which is
| PLENTY. It's not going to be worth carrying out a double
| spend attack for a few thousand dollar transaction.
|
| I do get that you don't "get" it, but I'll just say - I
| happily send and receive both BTC and ETH, and it is a
| night and day difference from sending using traditional
| bank accounts. I actually feel like I own the money, I
| can send it to anyone I want at any time, and the
| transaction settles in seconds. Last time I sent money
| via ACH, it took a solid 4 days (since I initiated on a
| Friday). I can deposit money into my crypto backed debit
| card in under a minute in the middle of a weekend.
| arcticbull wrote:
| > I do get that you don't "get" it, but I'll just say - I
| happily send and receive both BTC and ETH, and it is a
| night and day difference from sending using traditional
| bank accounts. I actually feel like I own the money, I
| can send it to anyone I want at any time, and the
| transaction settles in seconds. Last time I sent money
| via ACH, it took a solid 4 days (since I initiated on a
| Friday).
|
| This is just a criticism of US banking, not 'TradFi' as a
| whole. Most countries have let you do the exact same
| thing for free or at a low cost out of your existing bank
| account, no overhaul required, for years. The EU has
| SEPA, the UK has FPS, Canada has Interac e-Transfers,
| Australia has NPP. I suspect you'd have a hard time
| finding a country other than America which _doesn't_
| support this.
|
| ... and the US has RTP for about half the population, and
| is getting FedNow for everyone next year. Not to mention
| Cash App and Venmo and so on.
|
| This is a solved problem.
|
| If you can even call it a problem. The thing is, if it
| were actually a meaningful source of friction instead of
| a talking point, it would have been resolved years ago.
|
| I get it, _moving money_ is boring unless the money is
| also a scratch-off lotto ticket.
|
| > I can deposit money into my crypto backed debit card in
| under a minute in the middle of a weekend.
|
| This is also how Cash App and Venmo support instant
| transfers/deposits to a dollar-denominated bank account
| 24/7. You can do this via unlinked refund or whatever the
| new mechanism is. That's not crypto related, it wasn't
| developed for crypto but rather coopted (not just by
| crypto, but by Venmo and Cash App). That's just how debit
| rails work.
| xur17 wrote:
| > This is just a criticism of US banking, not 'TradFi' as
| a whole. Most countries have let you do the exact same
| thing for free or at a low cost out of your existing bank
| account, no overhaul required, for years. The EU has
| SEPA, the UK has FPS, Canada has Interac e-Transfers,
| Australia has NPP. I suspect you'd have a hard time
| finding a country other than America which doesn't
| support this.
|
| But what these services offer is still fundamentally
| different from what crypto offers. The money shows up in
| your account instantly, but it doesn't actually settle
| for weeks afterwards [0]:
|
| > Unlike cards, SEPA does not have an additional
| authentication layer, such as a CVC check or 3D Secure.
| Consequently it is important to have good risk management
| tools in place to offset the threat of fraud.
|
| > A shopper can perform a chargeback online eight weeks
| after the purchase, with no questions asked.
|
| [0] https://docs.adyen.com/risk-management/chargeback-
| guidelines...
| arcticbull wrote:
| You're conflating two separate things: bank-to-bank
| person-to-person transfers and Adyen, which is a merchant
| acquirer. Merchant acquirers and credit networks operate
| under different terms. Chargebacks exist because there is
| a demand for them. They exist because customers want them
| - and yes, even businesses want them. It gives folks the
| confidence to buy without having to worry about trusting
| the merchant (because they trust the network to resolve a
| dispute). It increases average ticket sizes and payment
| volume. This is a good thing that crypto lacks. Finality
| isn't actually what you want in most cases.
|
| However it's irrelevant to this conversation because it
| also doesn't apply to any of the networks I listed. Adyen
| != FedNow. The systems I listed actually do provide
| instant settlements - as the money hits your account it's
| yours to spend.
|
| If for the bank, settlement isn't instant (and that's an
| _if_ because again for the services I listed I don't
| believe it to be the case) they can just do what everyone
| else does and borrow against it for basically no cost
| while it settles.
|
| Again, this is a solved problem and broadly not an issue.
|
| [edit] Just as I suspected, FedNow settles instantly. [1]
| I know, I know, how could they achieve this feat without
| the magic of the blockchain? And all for the low, low
| price of $0.045 per payment, and $0.01 per invoice!
|
| > Unlike cards, SEPA does not have an additional
| authentication layer, such as a CVC check or 3D Secure.
| Consequently it is important to have good risk management
| tools in place to offset the threat of fraud.
|
| And this? Literally describes crypto. Because they both
| offer instant settlements.
|
| [1] https://www.moderntreasury.com/learn/what-is-fednow
| gitfan86 wrote:
| Same thing as "code is law". If a restaurant puts their
| ordering process on a smart contract and someone orders
| -1 packets of hot sauce and that rolls over to 2 billion
| packets that means the restaurant has to provide 2
| billion packets of hot sauce to the customer?
|
| Why does that sound like a good situation to anyone?
| zaroth wrote:
| The only way to apply the court's judgement (in the case of
| ETH) is to hard fork, because there is no governance
| contract in place.
|
| A blockchain can in theory support such things, which would
| allow a majority vote to approve the court's judgement, but
| not ETH as it currently stands.
|
| Alternatively if you could get enough miners to just
| collectively agree to replay the blocks without that
| transaction you could let the owners move the funds, but
| it's monumentally difficult as time goes on and the number
| of blocks to rewrite increases.
|
| If it was detected in seconds, an emergency protocol does
| exist between certain large mining pools for this sort of
| thing.
|
| Specifically, if you have contracts holding that kind of
| balance, if a transaction appears on the network which
| touches a percentage of the funds, you get blistering
| alarms ringing and someone can "break glass / pull lever"
| to lock the contract balance into an emergency cold vault.
| It freezes the DEX but better that than lose the funds. You
| partner with mining pools to pre-clear that TX and ensure
| your transaction gets priority in the next block, before
| the attacker's transaction goes thru (making theirs the
| double-spend).
|
| But they weren't even watching. They didn't even know until
| the next DAY.
| jacques_chester wrote:
| > _The only way to apply the court's judgement (in the
| case of ETH) is to hard fork, because there is no
| governance contract in place._
|
| Courts can and do issue orders against any kind of asset
| in order to enforce justice and unlike smart contracts,
| their orders are backed by men and women with dogs and
| guns.
|
| Put another way: a court will not say "gee, gosh, if only
| ETH had a mechanism I could give orders for! I guess I'm
| beaten". They will instead say "you owe $X and I will
| seize all assets you have today, or will ever possess in
| future, in order to pay that debt". And when it turns out
| that people thought they were clever by evading the court
| order by keeping everything in a coin, they will then
| learn that ethereum can't buy top bunk at the federal
| penitentiary if you don't have access to a computer.
| colinmhayes wrote:
| > you owe $X and I will seize all assets you have today
|
| Who owes?
| zaroth wrote:
| We are talking about two different things. I'm talking
| about a decentralized algorithm which runs on your own
| machine and can reach a conclusion about a transaction
| being invalid even though it may have a valid signature.
|
| For example, imagine the thief just burns the ETH. $600mm
| notional value is destroyed in a few bytes of crypto.
| Whether someone goes to jail or not is besides the point.
|
| Can the funds be recovered, and what is the algorithmic
| mechanism to provide for that recovery?
| the_gastropod wrote:
| No no no. Crypto enthusiasts reject the idea of the law,
| and the tyrannical governments that enforce them. Code is
| Law! Therefore, this is perfectly legal.
|
| Conceding that this situation sounds absurd destroys the
| entire raison d'etre of crypto.
| koonsolo wrote:
| Code is not law, consensus is law. Big difference!
|
| And it's not even law, it's consensus has value.
| noasaservice wrote:
| Hammurabi's laws only work when they have a monopoly on
| violence to enforce said laws.
|
| Shitcoins (all of them) remove the potential of violence as
| a means of corrective action. Instead, you have crazy hard
| math stopping you. Can't do the math? Then you're not
| forcing your decision.
| acdha wrote:
| Think about this a bit more: I steal your cryptocurrency.
| When the police show up at my door and I say "you'd have
| to solve an impossible math problem to get it back!" do
| they a) threaten to beat me and/or my family (Russia, China,
| etc.), b) shoot my dog and put me in jail where they look
| the other way while other inmates beat me (U.S. version),
| or c) toss me in jail (best-case Scandinavian version)
| until I tell them the key? There isn't any case where
| they say "math is hard, guess you get away with it!"
| arcticbull wrote:
| > Shitcoins (all of them) remove the potential of
| violence as a means of corrective action. Instead, you
| have crazy hard math stopping you. Can't do the math?
| Then you're not forcing your decision.
|
| Oh no they don't. You can still go to prison, and they
| can still smack you around. To pretend otherwise is to
| play emu.
| px43 wrote:
| If you think that's actually a good idea, then do it. Make a
| fork where people can have their money back, and see who
| follows you. There's no need to ask permission. The entire
| crypto-ecosystem thrives on crypto-darwinism. Projects
| experimenting with various forms of governance to see what
| survives, and what sticks.
|
| Axie's Ronin network _was_ a centralized side-chain experiment.
| Unfortunately what got exploited was the bridge back to the
| more decentralized ETH Mainnet. They failed to have proper fail
| safes on the bridge, and they got looted. Maybe their project
| survives this, maybe it doesn't.
| shakezula wrote:
| You're describing a hard fork - exactly what created Ethereum
| and Ethereum Classic after the DAO hack. Even now it's still
| considered a controversial move.
| hotpotamus wrote:
| So if they fork the chain again, does Ethereum Classic become
| Ethereum Classic Classic?
| fossuser wrote:
| I think the majority sided with the move (which is why
| Ethereum soldiers on and EC is basically useless).
|
| It's a good final social check on bad behavior. I think
| Vitalik has written about this (I'm pretty sure I read about
| it in one of his long form posts).
| stickfigure wrote:
| > I think the majority sided with the move (which is why
| Ethereum soldiers on and EC is basically useless).
|
| This should really be phrased "which is why the fork is
| called Ethereum and the original chain is called Ethereum
| Classic". And the majority (of what?) really had only
| indirect input - the exchanges decided which chain would
| get which ticker, and if they'd kept ETH=the original
| chain, it would still have the name Ethereum.
| Obi_Juan_Kenobi wrote:
| Forking is absolutely central to cryptocurrency. In the
| end, these are just rule schemes for interacting and
| communicating about value. If no one chooses to participate
| in it, it has no value. If a sufficient majority would like
| the rules to change, then they can simply do so.
|
| People focus on the algorithmic aspect of cryptocurrencies,
| but this is simply the weedy details that enable certain
| properties of interaction. Nothing terribly interesting has
| happened here since the initial idea of using proof of work
| to regulate authorship of a blockchain. It is the social
| aspect that has been interesting to follow. Alt coins,
| forks, and the enduring primacy of Bitcoin.
| trompetenaccoun wrote:
| He's also written this, basically warning about something
| like the very situation now happening 2 months ago:
| reddit.com/r/ethereum/comments/rwojtk/ama_we_are_the_efs_research_team_pt_7_07_january/hrngyk8
|
| The DAO "hack" was a bit different from this, around 14% of
| all Ether were in that contract. There isn't going to be
| another rollback, especially not for something like the
| here discussed attack. Trusting third parties is risky.
| It's like taking your money out of your bank account and
| sending it to a bank in Nigeria. Things can go wrong, the
| chain can't be rolled back every time someone loses money.
| People have to be more careful.
| fossuser wrote:
| Yeah, this is my take of things too at least as I
| understand it.
|
| There is increased risk moving stuff off chain to third
| parties.
| ohgodplsno wrote:
| >I think the majority sided with the move (which is why
| Ethereum soldiers on and EC is basically useless).
|
| Hahaha, no, the wealthy sided with the move. Of the
| 82,054,716 ETH in existence, only 4,542,416 voted, for a
| total voter turn out of 5.5% of the total supply on 16 July
| 2016; 3,964,516 ETH (87%) voted in favor, 1/4 of which came
| from a single address, and 577,899 ETH (13%) opposed the
| DAO fork.
|
| Vitalik and his friends stood to lose a lot of money, and
| being the biggest players in town with their premined
| shitcoin, voted against them losing money.
| fossuser wrote:
| The vote is only one part of it.
|
| What people continue to use and build on is the other.
| TheDudeMan wrote:
| Or maybe don't lend a valuable asset to a game studio.
| dheera wrote:
| Maybe someone could invent the "FDIC" of crypto in smart
| contract form where everyone pays a periodic premium but if a
| hack occurs and there is consensus they get a payout.
|
| Only problem is everyone would have to use their own wallets
| for it to work, and for most people it's safer to store large
| amounts of crypto on an exchange instead of a wallet for
| personal security reasons.
| itintheory wrote:
| > and for most people it's safer to store large amounts of
| crypto on an exchange instead of a wallet for personal
| security reasons.
|
| This is the opposite of what is usually recommended.
| dheera wrote:
| Yep, I realize that, but having your own wallet means:
|
| - Everyone can track your transactions and personal wealth
| on EtherScan or similar tools, whereas in an exchange it is
| significantly obfuscated by the exchange's own collection
| of wallets and databases.
|
| - You could be robbed at gunpoint for your hardware wallet.
|
| - You could lose your wallet in a fire or other natural
| disaster.
|
| - While you can back up your wallet keys online, most
| people cannot remember the long passphrases, and end up
| writing them down on paper which isn't secure if someone
| were to break into your residence or office.
|
| For _most_ users the combination of these risks far exceed
| the risks of keeping money in an exchange.
|
| But yeah, if you're a billionaire with a 24/7 personal
| security team and personal firefighter team, then yeah, by
| all means, keep your own wallets.
| woodruffw wrote:
| I'm not a cryptocurrency person, but my understanding is that
| that's happened before: ETH effectively rolled back the DAO
| hack[1] in 2016. The end result was the "Ethereum Classic"
| split, which continues to this day. There are all kinds of
| financial ramifications to this kind of split, nearly all of
| which (to the best of my knowledge) remain unsolved.
|
| The problem that you've correctly observed gets to the very
| root of why cryptocurrencies are a farce: if participants need
| the confidence of an ultimate human democratic process, you
| might as well kick the immutable public ledger to the curb,
| skip the tire burning, and use the financial system we already
| have.
|
| [1]: https://en.wikipedia.org/wiki/The_DAO_(organization)
| misiti3780 wrote:
| they hard-forked the DAO, the old fork is still traded as ETH
| Classic no?
| woodruffw wrote:
| Yes, Ethereum Classic is still traded (although I have no
| idea how thinly). That's exactly why it's a problem: every
| account pre-fork now exists on two blockchains, and it's
| not clear what the tax, contractual, legal, etc.
| ramifications are of essentially doubling everybody's
| money. The nature of the blockchain also means that forks
| are destructive against innocent transactions: users doing
| "business as normal" who have the misfortune of being
| included in or after the rollback block have to re-
| coordinate all of their work.
| deweller wrote:
| It was the centralized nature of this bridge (5 private keys
| required) that allowed this hack to happen in the first place.
| holoduke wrote:
| I think behind 95% of all crypto related products. Coins,
| Blockchain products etc is someone or something with only one
| goal. Collecting money and run away. To me the trust level is at
| the lowest ever.
| coolspot wrote:
| Shoutout to A16Z for investment into Axie Infinity.
| [deleted]
| vmception wrote:
| Noticed 6 days later lol
| rottencupcakes wrote:
| tl;dr: in what is supposed to be a decentralized system, 9
| validator machines had the power to approve or deny transactions.
| 4 of these are owned by the same person and shared credentials,
| and 1 of these had its credentials stored on the aforementioned 4
| because user load was bad once, so they just decided to use the
| other machine's resources.
|
| In other words, hacking one validator gave a user full access to
| the system, because that gave them access to 5/9 validators which
| is a majority.
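
The custody failure summarized in the comment above, as an added example that is not part of the original thread or of any project's code: a small audit that takes a map of where each validator's signing key is reachable and computes how many independent compromises actually reach the signing threshold. The operator names, validator ids and the three layouts are constructed for illustration.

```python
from itertools import combinations


def effective_threshold(custody, threshold):
    """Smallest number of custody domains whose compromise yields enough keys.

    custody maps a domain (an operator, host or credential set that falls as
    one unit) to the set of validator ids whose signing key is reachable from
    it. Returns (k, domains), or (None, ()) if the threshold is unreachable.
    Brute force is fine here: validator sets of this kind are tiny.
    """
    domains = sorted(custody)
    for k in range(1, len(domains) + 1):
        for combo in combinations(domains, k):
            reachable = set().union(*(custody[d] for d in combo))
            if len(reachable) >= threshold:
                return k, combo
    return None, ()


def keys_in_multiple_domains(custody):
    """Validator keys reachable from more than one domain (delegated or copied)."""
    seen = {}
    for domain, keys in custody.items():
        for key in keys:
            seen.setdefault(key, set()).add(domain)
    return sorted(key for key, doms in seen.items() if len(doms) > 1)


def audit(custody, threshold):
    """Compare the nominal m-of-n threshold with the effective one."""
    k, combo = effective_threshold(custody, threshold)
    return {
        "nominal_threshold": threshold,
        "effective_threshold": k,
        "smallest_compromise": combo,
        "shared_keys": keys_in_multiple_domains(custody),
        "collapsed": k is not None and k < threshold,
    }


# Constructed layout matching the comment: one operator controls four
# validators and also holds a fifth validator's credentials.
AS_DESCRIBED = {
    "operator-A": {"v1", "v2", "v3", "v4", "v5"},
    "operator-B": {"v5"},
    "operator-C": {"v6"},
    "operator-D": {"v7"},
    "operator-E": {"v8"},
    "operator-F": {"v9"},
}

# Same layout with the delegated fifth key removed from operator-A.
DELEGATION_REVOKED = dict(AS_DESCRIBED, **{"operator-A": {"v1", "v2", "v3", "v4"}})

# Every validator key held in its own domain: nominal equals effective.
INDEPENDENT = {f"operator-{i}": {f"v{i}"} for i in range(1, 10)}


if __name__ == "__main__":
    for name, layout in [
        ("as described", AS_DESCRIBED),
        ("delegation revoked", DELEGATION_REVOKED),
        ("independent", INDEPENDENT),
    ]:
        print(name, audit(layout, threshold=5))
```

Revoking the delegated key only raises the effective threshold from one compromise to two; it reaches the nominal five only when no domain holds more than one key.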
| Animats wrote:
| Suspect an inside job. Axie Infinity is a Ponzi scheme in the
| collapse stage. Looks like they found an exit strategy so they
| can blame someone else.
| oblib wrote:
| I have not dug into the details of how this stuff works because
| every time I've looked for them what I found looked like
| bullshit. They all imply this stuff is so secure no one knows
| whose "money" it really is, and that's supposed to be a feature.
|
| I'm still not regretting not buying into this stuff.
| Loughla wrote:
| >I'm still not regretting not buying into this stuff.
|
| I mean, I am 100% regretting spending 15 bitcoin in college on.
| Um. stuff instead of just sitting on it as a speculative tool.
|
| Other than that, I have had family approach me asking about
| crypto in general and BTC specifically in the last year.
|
| I always tell them - it's like gambling, except on top of maybe
| losing your money, somebody is going to try to steal it from
| you at some point as well, and there's no cops you can call.
| xiphias2 wrote:
| ,, Originally, Sky Mavis chose the five out of nine threshold as
| some nodes didn't catch up with the chain, or were stuck in
| syncing state''
|
| Sounds like a great plan for storing half billion dollars. I'm
| not blaming the developers, as they are incentivized to move fast
| and break things, I'm just sorry for all the people who trust new
| protocols so easily without any knowledge in safe software
| security practices.
|
| Personally I'm a Bitcoin only person, because I respect the
| amount of work that the software authors do to minimize the
| attack surface, but at the end the free market will select the
| winners and losers.
| Slartie wrote:
| "Our software has some sort of race condition, it gets stuck
| every few hours, should we debug it? Could be difficult to
| find."
|
| "No, just write a cron job to restart it every few hours, and
| we'll increase the error tolerances. Nobody wastes time
| debugging stability issues anymore!"
| thegeomaster wrote:
| I _am_ blaming the developers.
|
| Perhaps this is not a popular view, but this "blameless"
| culture is fine and good when it's a random service going down
| for 15 minutes and you're trying to collaborate and prevent it
| from happening again.
|
| There must be limits though. If you're handling that amount of
| money in a bank and you fuck it up like this, your ass is on
| the line, together with the ones who incentivized you to move
| fast and break things. This should be no different.
| xiphias2 wrote:
| I have been to a few crypto meetups and seen people just talk
| about buying and selling tokens/cryptocurrencies without
| knowing more than the name of the currencies.
|
| They are betting on software in alpha phase without knowing
| anything about it, or any detail about the cryptography,
| consensus mechanism or coding practices they use.
|
| There are valid concerns with any asset where people want to
| store their wealth (which is at the same time a basic human
| need), but it's hard to reason with people who are not
| interested in discussing those concerns.
| WesleyHale wrote:
| I'm not surprised since a large percentage of crypto buyers
| are millennials that grew up during the great meme boom of
| the 2000's.
| manquer wrote:
| Even developers who work on smart contracts don't
| understand the intricacies of the consensus algorithms and
| cryptography.
|
| These are hard subjects your average developers rarely work
| on, and is usually smart enough to know not to roll their
| own.
|
| Everyone in the market just is gambling on what other
| people think. Like playing poker only by guessing what
| everyone else does, knowing the rules.
|
| Stock market is no different the subset who read annual
| reports and make projections or trust people who do are
| limited
| function_seven wrote:
| This is like the contractors working on the Death Star when
| it was blown up.[1] They knew what they were working on. They
| knew the dangers. Can't cry for them when they're blown to
| smithereens.
|
| I've been asked on two separate occasions to work on some
| crypto startup idea. Aside from my skepticism that they were
| even worthwhile projects, I declined because _hell no I'm
| not writing code that touches other people's money_.
|
| [1] https://youtu.be/iQdDRrcAOjA
| manquer wrote:
| In the real world a lot of army is conscription. Typically
| it not freelance mercenaries it can also be prisoners or
| threatened/coerced labour. Star wars actually highlights
| this in Rogue one.
|
| Also in many economies this is literally only job
| available, same reason why syrian fighters are ready to go
| to Ukraine.
|
| While death star attack wasn't a war crime, they weren't
| civies after all, it wasn't a simple as they knew the
| dangers
| jrm4 wrote:
| "I'm not blaming the developers.."
|
| I mean, I think it's time to put that on the table...
| 58x14 wrote:
| If I was betting, I'd put my money on VC pressure.
| cobrabyte wrote:
| > All of the AXS, RON, and SLP on Ronin are safe right now.
|
| Of course they are. They're worthless.
| Animats wrote:
| Surprisingly, AXS and SLP are only down about 6% on Coinbase.
| So, sell now before it's too late. They've both been going down
| for months, anyway.
| manquer wrote:
| There may not be buyers. Who would buy now?
| paulsutter wrote:
| Crypto has the biggest bug bounties
| gzer0 wrote:
| The blind leading the blind here in the wild, wild west of
| crypto.
| smoyer wrote:
| With each of these breaches, we're approaching a point where all
| coins will be considered tainted. When that happens do we jump
| into a different crypto-currency?
|
| It's also interesting that stolen coins are really hard to spend
| - more analysis seems possible as law enforcement learns how
| these systems work. What if a criminal shorted a coin, breached
| the system causing a giant loss and then profited from the short
| sell (and never touched the stolen coins?)
| paxys wrote:
| There are 25 comments on that blog post and half of them are
| links to crypto scams
| dpiers wrote:
| I'm out of the loop and trying to understand - people lent over
| half a billion dollars of their 'real' fake money (ETH) to a game
| studio so they could transact on the studio's sidechain because
| gas fees are prohibitively expensive on ETH, and then the game
| studio got hacked and lost it all?
|
| How was this ever going to end any other way? Imagine how
| preposterous the idea of storing $650mm in USD in a random game
| studio's checking account would be.
| motoboi wrote:
| Yes. People worked hard for electronic dollars to be
| transferred to their electronic wallets.
|
| They tried to use some of that digital money (in another
| electronic format) in a digital game, but the game got hacked
| and now those dollars are someone's else dollars.
|
| The hacker may have some difficulty transforming digital money
| into paper bills, because KYC, but he can launder it like old
| school people used to and have some.
| profmonocle wrote:
| > but he can launder it like old school people used to and
| have some.
|
| Crypto provides exciting new ways to do that, too. First send
| it through a mixer service. Then, invest in some new NFT
| project. Six months later, oh nice, someone bought your NFT
| for 10x what you paid for it. What a great investment.
| gowld wrote:
| Selling NFT for over >$1000 should trigger an investigation
| into provenance of the funds.
| joering2 wrote:
| when it comes to banking, random checking accounts are hacked
| into very rarely. to the point that in USA the FDIC is
| protecting your account up to $250,000. I don't recall last
| time seeing news on someone's bank account being hacked and
| drained, if anything it's mostly family fraud.
|
| also there are all sorts of checks when you try to wire or
| withdraw more than $10,000, not to mention wire hundreds of
| millions. Such transaction will manually cross a desk of at
| least 2 different bank managers.
| [deleted]
| cecilpl2 wrote:
| Story time: I also once had my bank account hacked - in a
| manner of speaking.
|
| I tell you this story in the hopes that it helps you
| recognize if you have similar flaws in your own security.
|
| I used to run a VNC server on my home PC (flaw 1). Chinese
| hackers discovered it and spent three weeks brute-forcing the
| password (flaw 2). Once in, they installed TeamViewer to
| allow themselves future access. Then, they logged in at 3am
| and used my browser-saved PayPal credentials (flaw 3) to
| paypal themselves $5k from my linked chequing account (flaw
| 4).
|
| I discovered this several days afterwards when I saw the
| withdrawals hit my bank account. I then found a few further
| pending Paypal transactions, and pieced the rest together
| from VNC and router logs.
|
| Thankfully my credit union believed me that I didn't
| authorize the transactions and reversed them, making me whole
| again.
|
| But damn, it's a scary feeling having someone break into your
| computer, not knowing what they might have looked at or
| accessed. Very similar to having your home broken into.
| rootusrootus wrote:
| > I don't recall last time seeing news on someone's bank
| account being hacked and drained, if anything it's mostly
| family fraud.
|
| Anecdote time. My wife and I have a shared checking account
| that got hacked and drained. First her debit card got
| skimmed. Then the perp called USAA a half dozen times
| claiming to be her and asking for account credentials.
| Finally they got a helpful account rep to reset the password,
| disable MFA, and tell them the username. Yep. You heard that
| right. Social engineering works even on bank tellers who
| should know better.
|
| Fortunately it's just a daily use account and I'm paranoid,
| so there was only 5K they could access there. USAA owned up
| to the whole thing and restored the funds, but now they
| punish my wife with a 10-minute interrogation to prove her
| identity if she ever has to get them on the phone for a
| legitimate reason.
| nradov wrote:
| This is one reason to keep at least some accounts with a
| large national bank or credit union. If you need to prove
| your identity or deal with a lost card while traveling you
| can at least walk into a physical branch and talk to a
| manager.
| jnwatson wrote:
| This incident reinforces the rule never to use your debit
| card for credit card transactions.
| nkozyra wrote:
| Absolutely do not use your debit card ... well, anywhere
| if you can help it.
|
| (Apologies, saw the wrong parent comment) How many
| utilities, credit card companies require a checking
| account for autopay? How many times have you thrown out
| an old checkbook that contains routing and account
| numbers on a carbon copy pages?
|
| Bank accounts are not especially secure, we mostly hope
| to limit the risk/reward calculation for hacking them and
| basic security controls.
| rootusrootus wrote:
| > How many utilities, credit card companies require a
| checking account for autopay?
|
| In my experience, this is getting better! I now have all
| but one of my bills being paid by my credit card. Used to
| be that the utility companies made you pay extra and use
| a third party service if you wanted to use your credit
| card.
|
| Not all, though. Verizon, for example, will let you pay
| with a credit card, but they give a substantial discount
| if you use a debit card instead. For obvious reasons. I
| hope that does not become normal. I'm used to Verizon
| being scummy, I hope it doesn't become the default
| behavior for the other utilities I pay for.
| Symbiote wrote:
| The US needs an automatic bill payment system with strong
| guarantees.
|
| In Britain, most people[1] pay bills (electricity, water,
| phone, internet, insurance, car loan, credit card etc) by
| "Direct Debit"[2]. (Most European countries have a similar
| system with similar guarantees, but this one is described
| in English.)
|
| If anything should go wrong, the bank must fix it.
| There's a list of direct debits in the bank's interface,
| and they can be cancelled/suspended with one click (or by
| phoning or going to the bank).
|
| It isn't perfect (see [3] from two weeks ago) but that sort
| of problem is rare enough that it was reported in
| newspapers.
|
| [1] "Direct Debits are used by nine in ten UK consumers to
| pay some or all of their regular bills".
|
| [2] https://www.directdebit.co.uk/DirectDebitExplained/Page
| s/Dir...
|
| [3] https://www.moneysavingexpert.com/news/2022/03/tsb-
| customers...
| Loughla wrote:
| Ever, never, never use your debit card where credit card
| can be used in its place.
|
| The mechanisms for restoring the charge on your credit
| card are much stronger than on your debit card. And a
| credit card is a FUTURE charge, so you have time to fix
| the problem. Whereas a debit card is your CURRENT money,
| so it's just gone unless you get it back.
|
| I do not understand why people use debit cards linked to
| their actual bank account out in the world. Paying bills
| securely through the utility is the only thing we use
| that for.
| stouset wrote:
| 100%. The account linked to my debit card is empty unless
| I want to make an immediate withdrawal at an ATM. This
| being 2022, I can transfer whatever funds are necessary
| into the account in a minute or two using an app on my
| phone. I also have a separate checking account for
| linking to external services like Cash App, Venmo, or
| third-party bill pay systems. Again, the account remains
| permanently empty except for the brief window where I'm
| moving money between these services or paying a bill.
|
| Given how quick and painless it is to transfer money
| between accounts, leaving substantial amounts of money in
| accounts linked with mechanisms that can remove that
| money is insane to me.
| KptMarchewa wrote:
| >I do not understand why people use debit cards linked to
| their actual bank account out in the world.
|
| Because this advice is USA only. All of my credit cards
| (well... two) are linked to the bank account and I don't
| even think there's a way to get a credit card without
| bank connection.
| Ekaros wrote:
| There is, but often it cost extra and we at least don't
| have the whole cashback system to cover those. Though the
| fees for merchants are lower so the prices should be too.
| rootusrootus wrote:
| Agreed. I almost never use my debit card. And now, my
| wife doesn't either. Though her card got skimmed at an
| ATM, not during a debit card transaction, so this advice
| doesn't work. Now she just doesn't ever use ATMs. For
| better or worse, we now keep a few grand in the safe at
| home and pull from that for the occasional cash need.
| When I need to replenish that, I walk into the bank and
| take it out the old fashioned way.
|
| It's not paranoia when they really are out to get you...
| Hackbraten wrote:
| I have stopped using credit cards for two reasons:
|
| 1. My debit cards allow me to directly import
| transactions into my personal accounting software while
| my credit cards don't; and
|
| 2. when I shop online, my debit cards allow me to use
| them as a 2nd factor (using a USB card reader) while my
| credit cards require either an iOS or Android device for
| 2FA.
|
| You're right in that a credit card is a future charge and
| debit isn't. But are debit cards really so much more
| insecure? What threat model do you have in mind?
| Guest19023892 wrote:
| Credit card transactions are much easier to reverse. For
| example, I went to a restaurant and a few days later I
| noticed they double charged the bill. I called the
| restaurant, they wouldn't fix the issue, so I called the
| credit card company and it was quickly reversed. That
| doesn't happen with a debit card.
|
| Credit cards also come with all sorts of benefits. You
| can easily get 1-2% off all purchases through cash-back
| or gift card rewards. You can get free insurance with car
| rentals. Many cards also offer an extra one year warranty
| on most purchases, so if you paid for your laptop or
| phone with your credit card and it dies just outside of
| the manufacturer warranty, you might still be covered.
| Nextgrid wrote:
| > That doesn't happen with a debit card.
|
| Citation needed.
|
| The scenario you described will absolutely fall under
| most card networks' transaction dispute rules. In day-to-
| day spending a debit card is just as safe as a credit
| card when it comes to fraud or malicious merchants.
|
| The only time a credit card will be better is grey areas
| where a card network dispute doesn't succeed, in which
| case the law in most countries forces the credit card
| provider to eat the loss. In some of those cases, the
| reason why a credit card chargeback succeeds is not
| necessarily because you are right (if you were, the
| dispute process would've succeeded anyway) but because
| the amount is too low for the issuer to care so they just
| eat it to not have to investigate and/or litigate the
| issue.
| TylerE wrote:
| If your credit card is compromised, you make a phone call
| and maybe can't use it for a few days.
|
| If your debit card gets compromised, your rent check
| bounces.
|
| Plus, frankly, banks are generally more protective of
| THEIR money than YOUR money.
| Hackbraten wrote:
| > If your debit card gets compromised, your rent check
| bounces.
|
| I guess that depends on the bank and the country you live
| in.
| slg wrote:
| I just want to point out that this comment is exactly why
| social engineering is a problem. You have been a victim of
| what happens when a company doesn't put in enough effort to
| verify the identity of the person they have on the phone.
| Yet when that company starts putting in that effort, you
| object and call it a "punishment".
|
| Convenience and security are often in direct competition
| with each other. Almost all of us would expect convenience
| in this situation. You should know better more than most
| the cost of choosing convenience and even you want that
| convenience. Is there any wonder why businesses select
| convenience over security?
| [deleted]
| rootusrootus wrote:
| I call it a punishment because it's over the top. It was
| a lot of money for an individual, not a lot of money for
| the bank. So the security should be proportional. Instead
| of putting in a 10-ton vault door in front of every
| customer interaction, I'd prefer they only escalated to
| that level when someone calls in saying things like "I
| lost my wallet and I'm stuck away from home, give me
| access to 'my' money, and oh by the way I don't even know
| my own login name."
| slg wrote:
| This type of escalating validation is also ripe for
| social engineering. You said this person called 10 times.
| They don't need to do everything in one call. Instead the
| goal for earlier calls can be to gather information. You
| gave the example of the person trying to take over the
| account without knowing the login name. What information
| would someone need to supply to get the account name?
| Does that require escalation? If not, what is the value
| of requiring that as part of the identity validation
| process?
|
| If the company is going to provide some level of support
| to people they haven't verified, that support will be
| abused as a means of passing the verification.
| rootusrootus wrote:
| At the risk of being a software developer that always
| sees everything as a software problem, I feel like this
| could largely be mitigated with very simple improvements
| to the customer service application.
|
| Back when this happened, that was my first question to
| USAA and one for which the security guy didn't have a
| ready answer, though probably it boils down to some
| version of "we are heavily regulated and continue to rely
| on software built for mainframes."
|
| There are so many possible ways to mitigate the risk
| which should be triggered well before a half dozen
| attempts finally gets to a teller credulous enough to
| believe their excuses for ignorance.
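One way the mitigation discussed in the comments above could look, as an added example that is not part of the thread and not any bank's actual system: failed identity checks are counted per account rather than per call, so repeated attempts stop reaching frontline agents. The thresholds, action names, account IDs and log format are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical action names: changes a frontline agent should never make
# on the strength of basic verification alone once an account is under probing.
SENSITIVE = {"reset_password", "disable_mfa", "disclose_username"}

FAIL_THRESHOLD = 2          # assumption: failed checks before the account is locked
WINDOW = timedelta(days=7)  # assumption: how long a failed check stays relevant

# Constructed sample data: "<timestamp> <account> <pass|fail> <requested action>"
SAMPLE_CALLS = """\
2022-03-01T09:00:00 A-1001 fail disclose_username
2022-03-01T09:20:00 A-1001 fail reset_password
2022-03-02T14:05:00 A-1001 fail reset_password
2022-03-03T10:30:00 A-1001 pass disable_mfa
2022-03-03T11:00:00 A-2002 pass reset_password
2022-03-04T08:00:00 A-3003 fail disclose_username
2022-03-06T08:00:00 A-3003 pass reset_password
2022-03-20T08:00:00 A-3003 pass reset_password
"""


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of failed checks
    security_only: bool = False                   # sticky until security clears it


class CallGate:
    """Tracks verification failures per account, across calls and agents."""

    def __init__(self):
        self.accounts = {}

    def handle(self, ts, account, verified, action):
        st = self.accounts.setdefault(account, AccountState())
        # Forget failed checks that have aged out of the look-back window.
        st.failures = [t for t in st.failures if ts - t <= WINDOW]

        if not verified:
            st.failures.append(ts)
            if len(st.failures) >= FAIL_THRESHOLD:
                st.security_only = True

        # Once locked, even a caller who now passes the basic questions is
        # handed to the security team: earlier calls may have been used to
        # collect the answers.
        if st.security_only:
            return "ROUTE_TO_SECURITY"
        # Unverified callers get no account-specific help at all.
        if not verified:
            return "DENY"
        # A recent failed check on record: require out-of-band confirmation
        # (for example a callback to the number on file) before acting.
        if action in SENSITIVE and st.failures:
            return "STEP_UP"
        return "ALLOW"


def replay(log_text):
    """Run a call log through a fresh gate and return one decision per call."""
    gate = CallGate()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, account, outcome, action = line.split()
        decisions.append(
            gate.handle(datetime.fromisoformat(ts), account,
                        outcome == "pass", action)
        )
    return decisions


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_CALLS.strip().splitlines(),
                              replay(SAMPLE_CALLS)):
        print(f"{decision:18} {line}")
```

The fourth call is the case from the anecdote: the caller finally passes the basic questions, but the account-level lock set by the earlier failures still sends the request to security.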
| joering2 wrote:
| > but now they punish my wife with a 10-minute
| interrogation to prove her identity if she ever has to get
| them on the phone for a legitimate reason.
|
| How is that punishment? If USAA knows you or your wife were
| a target of somewhat sophisticated attack that ultimately
| broke their security barriers, wouldn't you yourself
| actually want some extra protection? If anything, this is a
| positive sign for USAA, I doubt with my Bank of America
| anyone would care with any sort of extra layers of security
| if my account would ever get hacked in a sophisticated way.
| rootusrootus wrote:
| I call it punishment because I don't think the attack was
| really sophisticated, I think USAA's internal training
| and software was wholly inadequate to defend against a
| persistent unsophisticated attacker. Why were they still
| routing his calls to regular bank tellers after the first
| couple attempts? Why wasn't the security department
| involved at that point as the only allowable contact
| point? Why did they actually _hand out the login name and
| password_ for an account without doing the 10 minute
| deep-dive identity verification they now make my wife do?
| bsagdiyev wrote:
| Weird, USAA froze my cards and funds immediately the only
| time I've had suspicious transactions. I guess the social
| portion is where we diverge though, they definitely tried
| harder to get in to yours. Ours was just a guy in Vancouver
| trying to order Thai food through a delivery app.
| rootusrootus wrote:
| They froze the card, but only after six consecutive
| withdrawals from an ATM in Miami. I was getting
| notifications on my phone about the withdrawals (did I
| mention I'm paranoid) but since I was driving, I didn't
| see them for about half an hour when I arrived at my
| destination. Called USAA immediately and they had already
| frozen the card. But the money had already been
| withdrawn.
|
| I can't explain why it took many consecutive withdrawals
| in a short time, in a city that I've never visited, 3000
| miles away from the most recent use of the card, to
| trigger USAA's protection algorithms.
|
| USAA did finally take care of it. My biggest beefs with
| them are 1) they dragged their feet a couple days on the
| investigation until I called them myself (I'm the
| veteran, my wife is not, and they were _much_ more
| responsive to me), and 2) they really do punish my wife
| for something not her fault. You know those questions you
| get which are sourced from your credit file? What street
| did you live on, what's your mortgage payment, things
| like that? That's what they ask every time, after asking
| for a secret password and PIN code to be used for phone
| calls.
|
| I'll give them credit though, for actually sharing the
| gory details with me once they were done tracking down
| everything, and admitting that one of their own employees
| had broken their rules and handed over the credentials to
| my wife's account.
| Consultant32452 wrote:
| Wire fraud results in billions of dollars in losses per year
| from checking accounts. Here's one article from 2019:
|
| https://www.cnbc.com/2019/09/11/email-wire-fraud-
| cost-26-bil...
|
| We talk about eth/btc as if they're _just_ covering the
| function of the checking account, but it's also covering the
| function of the checks, wire transfers, ACH transfers, etc.
| So for a real comparison you'd have to count up all the
| related fraud from legacy checking accounts and their various
| mechanisms to move money between them.
| thirdwhrldPzz wrote:
| clpm4j wrote:
| This article is about people being fooled into wiring money
| to fraudulent actors, not about hacking.
| the_svd_doctor wrote:
| FDIC protects against bank failures (like the bank goes
| bankrupt and loses all the deposited money). It has nothing
| to do with unauthorized transactions as far as I know.
| treis wrote:
| Depends on the transaction type. Checks and debit cards are
| pretty well protected. Wire transfers aren't protected at
| all.
| radicaldreamer wrote:
| The chance of $650 million being drained from a game studio's
| bank account is significantly less than it being drained from
| their ETH wallets, at least as of now.
| dylan604 wrote:
| Depends on if the studio's bank account has security
| questions like "mother's maiden name", "first concert", etc
| type stuff and an employee with those answers that likes to
| take quizzes on facebook. Otherwise, it could be quite simple
| to drain the account
| rchaud wrote:
| It could, yet it doesn't.
|
| For one thing, most business accounts do not hold 9 figures
| in cash.
|
| Inflows and outflows are likely to be predictable, so you
| can set flags for certain thresholds.
|
| A 9 figure transaction would absolutely be noticed, and
| possibly flagged before it was permitted to continue.
| mardifoufs wrote:
| What do you mean not common? Bank account fraud is
| extremely common here in Montreal, it even has a slang
| name "peter des guichets". It's probably much more common
| than crypto fraud here, and up until a couple of years
| ago it was so easy that your average person with no real
| technical knowledge could do it. Reversing an Interac
| transfer here is just very very hard to do too
| rnk wrote:
| Just like SMS access to 'mfa' your bank account also
| provides an attack vector if they steal your number, stupid
| (aka all find-able) security questions don't help protect,
| they are another attack vector. I thought everyone puts
| fake answers and keeps them in a separate location. Then of
| course someone can come in and steal them too!
|
| Since 16 year olds can hack into auth providers like okta
| and then hack into microsoft and steal source code, and
| this crypto stealing endlessly happens, there's just not good
| electronic security. But what is good is I can go to my
| bank in person and fix things. It would be so much harder
| for someone to get fake id. I actually have a personal
| relationship with my advisor at my 401k. Those things do
| give me some additional security, at least I think so.
| granzymes wrote:
| And if it was drained from a bank account, you have recourses
| to get it back.
| ddkwool wrote:
| Not true in the EU, we got scammed into making a bank
| transfer from Germany to Belgium for a bicycle that never
| arrived. We contacted the police and bank with all the
| details, and had to pay our bank about 40 euros to ask the
| scammer if they would refund the money, they said no and
| that was it. EU banking laws protected them. On the plus
| side the website appears to be gone now.
| gowld wrote:
| That's because you didn't use an escrow service between
| your account and the seller. If you did, the escrow
| service would provide some measure of legally-supported
| reversibility.
| reaperducer wrote:
| EUR40 is not the same thing. If you got scammed out of
| EUR650 million, you would have gotten better attention.
| That's the point being made here.
| basisword wrote:
| Voluntarily transferring money is very different from
| having it stolen. The bank should protect your money
| while holding it from theft. They can't protect you from
| your own decisions on how to use your money.
| MereInterest wrote:
| They voluntarily accepted a contract wherein they would
| transfer money in exchange for receiving a bicycle. No
| bicycle was received, so this voluntary decision does not
| mean that the money transfer was voluntary. They did not
| accept a contract wherein they would transfer money in
| exchange for nothing. Since they did not accept this
| contract, this does not make the money transfer be
| voluntary.
|
| Being a victim of fraud is not "voluntary" in any
| meaningful way.
| basisword wrote:
| That's got absolutely nothing to do with the bank. It's
| between you and the 'merchant'.
| JumpCrisscross wrote:
| > _this voluntary decision does not mean that the money
| transfer was voluntary_
|
| Voluntary or not is a red herring. The word this
| discussion is looking for is authorized.
|
| The transfer was authorized by the account holder. They
| were defrauded. But when they made the transfer, they
| intended to do so. (The situation is murkier with credit
| card transactions, at least in America, because they
| chose to accept a role in dispute resolution.)
|
| The $625mm drained out of Axie's account wasn't
| authorized by Sky Mavis. That's a different type of fraud
| than being ripped off.
| brazzy wrote:
| Banks won't reverse transfers deliberately initiated by
| the account holder. You would have had to go through the
| legal system to get your money back.
|
| But that's a different case than money being "drained"
| from an account by someone else.
| Symbiote wrote:
| They sometimes do reverse these transactions, but the
| amount of money involved here (1 bicycle worth) is
| probably easy for the scammer to put out-of-reach of the
| bank very quickly -- withdrawing cash, buying gift cards
| etc.
| Ekaros wrote:
| Yeah, just like they won't reverse cash transaction. Pay
| someone on street for something, they take the money and
| don't give you what you wanted. Go to police, and they
| won't get your original cash back...
| tormock wrote:
| You aren't insured for $650M in a bank account
| HWR_14 wrote:
| The FDIC insurance of $250,000 is by the government in
| case the bank becomes insolvent. The FDIC can easily
| cover $650 MM in a single bank that has 3,000+ customers.
| Or really even fewer than that with multiple account
| types.
|
| But even then, if you store $650 MM in a Bank of America
| account, that money is protected against being stolen by
| BOA's anti-fraud software, laws, the trillions of dollars
| of assets BOA has.
| Thrymr wrote:
| This isn't a single user, FDIC insurance is for $250k per
| user per bank. The point is that for regulated banks that
| number is clear and if you exceed it you will be aware of
| it, and if you haven't exceeded it you have a federal
| guarantee to recover your money. What assurance does
| anyone have in this case?
| granzymes wrote:
| You have a legal system available, and banks that have to
| rigorously comply with that system.
| icelancer wrote:
| This is true about cryptocurrency as well.
| ChrisLomont wrote:
| What percent of BTC has been stolen? What percent of USD
| has been stolen?
|
| And that shows the difference in how each is protected.
| rossjudson wrote:
| Interesting thought. Bitcoin circulates, and you have to
| wonder how much of it has passed through a fraudulent
| transaction -- at any time in the past. Someday when it
| becomes straightforward to walk the entire life of
| bitcoin backwards, there may be people who want their
| bitcoin back...because it's stolen property.
|
| If A has a TV, B steals the TV and sells it to C, who
| sells it to D...then the TV is still returned to A, and D
| is out of luck.
| sfe22 wrote:
| But bitcoin can be mixed, how do you decide which of the
| next transactions contain your part of stolen bitcoins?
| gowld wrote:
| Where will Federal Marshals deliver the summons to the
| owner of wallet address 0x8723aa67f823dbe785dc923 ?
| gitfan86 wrote:
| At least with a checking account you may be able to have the
| transfer reversed.
|
| The idea of buying game credits and trading them in game makes
| sense, but you would want the game publisher to have root on
| the ledger so that if there was a hack they could reverse it.
| CartyBoston wrote:
| that sounds like a bank
| lolinder wrote:
| > but you would want the game publisher to have root on the
| ledger so that if there was a hack they could reverse it.
|
| In other words, you'd want the game publisher to run their
| game on a centralized database, like MMOs have been doing for
| decades.
| sonnyblarney wrote:
| rinze wrote:
| > Imagine how preposterous the idea of storing $650mm in USD in
| a random game studio's checking account would be.
|
| But it's decentralized.
|
| (Do the same hand movement as if saying "It's got
| electrolytes")
| moralestapia wrote:
| Let's just call the bank and see if ...
|
| * It's decentralized *
|
| Oh, crap.
| rchaud wrote:
| Customer support answers for most things crypto is of the
| "the fault is yours alone" variety.
|
| Reminds me of the line in 30 Rock:
|
| "Gentlemen, we have moved our customer support offices to a
| part of India that has no telephone service. We're now
| providing the same quality of service at zero the cost".
| Melatonic wrote:
| It's got what the internet craves!
| anm89 wrote:
| This seems to be literally true.
| unmole wrote:
| > Do the same hand movement as if saying "It's got
| electrolytes"
|
| I'm stealing this.
| glitcher wrote:
| Just in case you're not familiar with the reference, it's
| from the movie Idiocracy.
| bastardoperator wrote:
| Apparently plants crave it though...
| wpasc wrote:
| Mutilate your thirst
| anm89 wrote:
| Mutilate your financial security.
| bytelines wrote:
| If you don't smoke Tarrlytons...f** you!
| SilasX wrote:
| Someone actually made a gif of that scene with those words at
| that point, during the bitcoin scaling debate (where some
| wanted the block size to increase and decentralization was
| being ridiculed as a spurious defense of the small size).
|
| I'll see if I can find it.
| rinze wrote:
| Made one myself, because I think it'll be handy in the
| future: https://imgur.com/gallery/32t4yRc
| SilasX wrote:
| Right but the one I have in mind is that whole scene,
| translated into the scaling debate.
| ComradePhil wrote:
| For context: https://www.youtube.com/watch?v=kAqIJZeeXEc
| mypalmike wrote:
| It's got Decentralytes!
| timemct wrote:
| Decentralytes is perfect, thank you.
| [deleted]
| mwattsun wrote:
| My favorite is the supposed "special properties" of copper. I
| once knew someone who swore by the healing properties of
| copper.
| nradov wrote:
| Copper is legitimately effective as an antimicrobial.
| (Obviously it doesn't have any magic healing properties.)
|
| https://www.smithsonianmag.com/science-nature/copper-
| virus-k...
| paxys wrote:
| Giving $650mm in USD to a random company is still infinitely
| safer than doing so with crypto. If a regulated bank claims
| they got hacked and lost that amount, there are a slew of
| federal and state laws and agencies in place to investigate it.
| With crypto, it could very well be in the wallet of the CEO or
| IT guy and no one would know.
| whatshisface wrote:
| Cryptocurrency theft is illegal and the US government does
| investigate and prosecute it.
|
| [0] https://www.theguardian.com/law/2022/feb/14/us-bitcoin-
| case-...
| MereInterest wrote:
| Sounds like a non-sequitur. Theft of cryptocurrency being
| illegal does not mean that it is safe, and doesn't offer
| any evidence at all against the parent's post that it is
| "safer" to use banking systems than to use blockchain.
| ChrisLomont wrote:
| Not to anywhere near the extent as they'd investigate and
| prosecute for $625M stolen from a normal bank.....
| tornato7 wrote:
| Do you have any sources to support that claim? You can
| see in the link above that a task force worked for years
| to catch that Bitcoin heist couple.
| d3nj4l wrote:
| Nice, so it's just money with extra steps.
| asdfasgasdgasdg wrote:
| Yes, but it's an open question how successfully and how
| frequently they catch the bad guys.
| px43 wrote:
| It's only an open question to people who haven't actually
| looked into it. Yeah, criminals get caught trying to move
| around stolen cryptocurrencies all the time.
| asdfasgasdgasdg wrote:
| Out of, say, the last ten big DeFi hacks, in what
| fraction have the perpetrators been caught?
|
| https://decrypt.co/93874/11-biggest-defi-hacks-heists
|
| I looked up the first six (#11-#6) projects on this list
| and I didn't see that in any of those cases the
| perpetrators have been caught nor the funds returned. I
| could be missing something though.
| colinmhayes wrote:
| And how many don't get caught?
| lolinder wrote:
| That's all well and good when the thieves are in the US or
| a country that will extradite them. What happens when the
| thieves are operating out of a country without an
| extradition treaty?
|
| In the regular financial world you can at least reverse the
| transaction. With crypto, is there _anything_ you can do?
| xyzzyz wrote:
| You can't always reverse the transaction in regular
| financial world. It is typically possible if all parties
| involved act in good faith, and often possible in other
| cases too, if you act fast, or the bad faith actor is
| less than competent. However, this is not always the
| case.
|
| Imagine the following scenario: bank A sends $100M to
| bank B, which then sends it to bank C. By "reversing" the
| A->B transaction, all you're doing is making bank B on
| the hook for the $100M. Bank B will obviously not be very
| happy about this, and if you try to force it through some
| legal means, this will effectively amount to stealing
| $100M from bank B and its customers.
|
| Reversing erroneous transactions is a useful feature of
| regular financial system, and lack of it in blockchains
| often poses huge and avoidable practical problems. At the
| same time, this in no way should be seen as panacea for
| restoring stolen money, neither in real financial
| systems, nor in blockchain.
| Animats wrote:
| _Reversing erroneous transactions is a useful feature of
| regular financial system._
|
| Yes. A friend of mine is a branch manager for a major
| bank. She's one of the people who has to deal with
| unhappy customers victimized by scams. Recently, she had
| a customer who wanted to send a significant amount of
| money to a country in Southeast Asia. That's not unusual
| for a California bank. Then the customer showed up at the
| branch in tears. It turned out the customer was being
| victimized by a "relative in trouble" scam. Fortunately,
| the receiving bank had flagged the account at their end
| as suspicious, and hadn't yet let the recipient withdraw
| the funds. This allowed the transaction to be clawed
| back. It took phone calls, messages, management signoffs,
| and work by people in multiple banks to unwind the
| transaction, but the money was back in the customer's
| account in the US in a week.
|
| Reversing a fraud transaction in the banking system is a
| rare event, and not easy, but it is often possible for a
| few days after the event.
| ethbr0 wrote:
| I'd imagine "customer suddenly initiates an international
| wire transfer for a large amount, with no previous
| history of doing so" is a pretty reliable signal.
|
| I've certainly had banks call me and explain the nature
| of wires, in an attempt to prevent me from financially
| foot-gunning.
| thawaya3113 wrote:
| The shifting of the goalposts is incredible.
|
| Yes, there are flaws in the real world financial system
| as well.
|
| Yet, we've heard of more of these scams in years of
| crypto than in decades and centuries of banking.
|
| And no one has still provided an explanation of why
| crypto is better than the established working system
| other than "it's decentralized" except as we find
| repeatedly, it's not decentralized.
| neffy wrote:
| I wouldn't go with "centuries" of banking on that one.
| Truth to tell the early days of banking, which is most of
| the 19th century for the US, were replete with exactly
| the kinds of frauds and cons that crypto is now replete
| with. Which is what has led to the regulation and
| supervision that crypto is in de facto rebellion against.
|
| Of course, the best way to find out why something is not
| done a certain way, is to try doing it that way.
| makomk wrote:
| It's not really goalpost shifting - thieves in countries
| without extradition treaties and with justice systems
| that don't care are a serious ongoing problem with the
| existing banking system, and those transactions are not
| in general reversible. Hell, someone managed to steal a
| substantial sum of money from Bangladesh's central bank
| and almost none of it could be recovered. The only reason
| they didn't manage to rob all 1 billion dollars of the
| central bank's reserves was a random false positive in
| some AML check.
| pchristensen wrote:
| Patio11's recent article dives into this more -
| https://bam.kalzumeus.com/archive/no-payments-are-final/
| MereInterest wrote:
| Isn't the obvious solution to also reverse the transfer
| from Bank B to Bank C? If multi-hop transfers are treated
| as irreversible, then it creates an incentive for
| fraudulent sellers to collect all payments through
| multiple hops. If instead fraudulent transactions may be
| reversed at the first payment processor, the payment
| processor then has a financial incentive to make sure
| that they only pass through valid transactions.
|
| In an analogous situation, suppose I go to a physical
| store and buy a TV, only to find that it doesn't turn on.
| I have the right to return it to the same store that I
| bought it from, and to receive a full refund. Nobody at
| that store manufactured or designed the TV, so why should
| they take the financial hit for a broken TV? Except that
| without that financial incentive, the store has little
| reason to bargain with their suppliers about defective
| merchandise, and the supplier has little incentive to fix
| a defective product.
| xyzzyz wrote:
| > If instead fraudulent transactions may be reversed at
| the first payment processor, the payment processor then
| has a financial incentive to make sure that they only
| pass through valid transactions.
|
| Yes, but it's only one of the incentives they're facing.
| Another one is to provide useful and convenient service
| to its customers.
|
| Try to think more about the example I provided. The
| account in bank A is victim's, while accounts in banks B
| and C are owned by the fraudster. The transfer from A to
| B is fraudulent, but the transfer from B to C is
| perfectly legitimate as far as B bank knows: the name on
| the destination account in bank C might even be exactly
| the same as in bank B, so why would bank B have any
| suspicions? At best, it could reject incoming transfer
| from bank A if it had suspicions (which, by the way, why
| would it have?). Would you want to be a customer of a
| bank that can just reject incoming transfers, so that you
| have trouble getting paid?
|
| Finally, consider that bank C might then allow the
| fraudster to withdraw the proceeds in cash. Bank C might
| be foreign, and B communicates with it through SWIFT, and
| might simply refuse reversing the transaction, or again
| might already have sent the funds to bank D in yet
| another country. The point is that you cannot treat
| regular financial transactions as reversible either. They
| _might_ be reversible sometimes, especially if everyone
| involved acts in good faith, but there is no guarantee.
|
| > In an analogous situation, suppose I go to a physical
| store and buy a TV, only to find that it doesn't turn on.
| I have the right to return it to the same store that I
| bought it from, and to receive a full refund.
|
| That's not really an analogous situation. Here's what
| would be closer: imagine you order a specialty TV online
| from China. The retailer A orders a company B that
| manages its warehouse to pack it on a truck of company C
| that specializes in LTL, which then ships it to company D
| which coalesces LTL freight into packed containers, then
| puts on containers owned by a shipping company E, which
| ships them across the Pacific to port authority F, then
| we have a shipping company in G in states, another truck
| company H to ship it to train yard H that gets it to LTL
| company I's warehouse, which then is passed on to courier
| company J, an independent subcontractor K of which
| finally gets it to your front door. Then your TV doesn't
| work, and you want to return it.
|
| Will you try to unravel the chain back the same way it
| arrived? Are you going to find the subcontractor K, and
| have him ship it back to courier company J, to send it
| back to the LTL company K etc? No, you'll go straight for
| the original retailer. Similarly, with financial fraud,
| you'd need to go straight for the fraudster.
| chippiewill wrote:
| In principle if you had enough desire among world
| governments you could plausibly try and legally force a
| blockchain fork.
| lolinder wrote:
| And do that every time a hack occurs? What would the
| threshold be for when that would be worth it?
|
| Could I recover $100k that got stolen? What about $10k?
| $1k?
| nightpool wrote:
| Sure, why not? You could even automate it, using a SWIFT-
| like messaging pipeline that all mining companies have to
| subscribe to. Blockchains are fundamentally a social
| construct, and governments have the ability to regulate
| the individuals who are creating the blockchain. If there
| was enough political will for it, you could absolutely
| bolt a "reversal" mechanism onto any existing blockchain.
| Unless you're doing your mining operation entirely on the
| black market, you're going to rely on the government for
| enforcement of your colo rent agreements, your
| electricity agreements, etc, so there's lots of incentive
| to comply.
| lolinder wrote:
| What you have when you're done with the process you've
| described is a centralized banking system managed by
| world governments, which is what we _already_ have. It's
| not perfect, but it works, and lots of people are
| actively working on improving it in ways that _don't_
| involve the contradiction inherent in centralized
| decentralization.
| nightpool wrote:
| Yes? That's the point of my comment? I'm confused about
| what you're saying. I'm trying to answer your question
| "And do that every time a hack occurs?". The answer is
| yes, it's completely feasible and within the powers of a
| government or inter-government treaty organization to do
| this every time a hack occurs, because they _already do_.
| I'm not trying to say that such a system is _good_,
| just that it's _possible_. There is nothing "special"
| about blockchains that exempts them from normal
| government regulation.
| lolinder wrote:
| Ah, I misunderstood what you were saying. I thought you
| were advocating that we _should_ do that, and I was
| wondering why that would be better than the status quo.
| leifg wrote:
| Even if that is desired and wouldn't spark a
| philosophical debate about whether centralized entities
| should get involved at all, there is a much deeper
| problem.
|
| Every transaction that is occurring now on the chain will
| be invalidated.
|
| That means you can't even reverse a single transaction;
| you will have to reverse one transaction and ALL other
| transactions that happened after the one you want to
| reverse.
|
| If that happens too often why would I want to transact
| on a chain that is under constant threat to be forked
| off?
| nightpool wrote:
| You're thinking too narrowly about the types of "hard
| forks" that are possible and what the space of all
| possible regulations could be. For example, one possible
| idea (with a lot of downsides! this is just an example,
| not a proposal), is that the US government could just
| promulgate a "US super-key" that allowed it to sign any
| transaction and have it be considered valid, and require
| users running blockchain software in relation to
| financial applications to respect those transactions.
| This would be a bad proposal for a number of reasons, but
| it's _possible_, because blockchains and the code that
| enforce them are inherently a social construct, an
| agreement made between all participants.
|
| But the answer to "why would I want to transact on a
| chain that is under constant threat to be forked off" is
| even simpler: It's because, in this hypothetical, the
| regulatory environment you operate in gives you no other
| choice. Unless you and _everybody you transact with_ has
| the ability to boycott or subvert the regular financial
| system entirely (e.g. you're doing entirely black market
| transactions), then you'd have to fall in line if a
| government that was crucial to your operations or your
| downstream supplier's operations required it.
| whatshisface wrote:
| Anyone could start a cryptocurrency today with such a key
| and give it to the FBI, and if people thought that made
| them safer, they could buy that currency and use it.
| Ekaros wrote:
| Even if you could isolate output chains, that means many
| of subsequent transactions that are legit would get
| cancelled...
|
| Or you would need to make more crypto cover those...
| Which then would destroy the whole deflationary idea with
| likes of bitcoin...
| HWR_14 wrote:
| You wouldn't have to reverse all the transactions. You
| could trivially create a fork (which has to be longer,
| and therefore have more transactions available) that
| includes every transaction but one from the blockchain.
| Well, that is you can create that fork as trivially as
| you can create any other fork.
| leifg wrote:
| Sure maybe. But that only really works if few (if not
| all) entities have control over the consensus mechanism.
|
| On a regular PoW blockchain you will have to recalculate
| all the hashes according to the difficulty which will be up
| to the miners.
|
| But even if you could, it's an absolute technical
| nightmare.
|
| To build an analogy that somehow fits: if you have a git
| repo and you find a particular commit that you
| want to undo, what do you do?
|
| - Rebase all changes to an earlier commit, remove the
| faulty commit and recalculate all commit hashes that
| follow it.
|
| or?
|
| - Create a new commit that reverts the old commit.
|
| In reality you opt for option 2 99.99% of the time. The
| only reason you would ever want to remove a commit from
| history is if you accidentally exposed information to an
| audience that is not supposed to see it.
| HWR_14 wrote:
| When you first responded to chippiewillie you talked
| about how forking would produce a reversal of all the
| transactions. That's not true, but it is what you
| identified as a "much deeper problem"
| leifg wrote:
| My apologies, I used "reverse" and "invalidate"
| synonymously.
|
| Nevertheless on a public blockchain all transactions
| would be invalidated and that indeed is a problem.
|
| Because everyone who received coins would have to wait
| again for n confirmations in order to be sure they got
| their money. In theory nobody should be able to add a
| double spend transaction to the pool but I wouldn't bet
| on it.
|
| That's what I mean with technical nightmare.
|
| You would have to make sure to properly identify all
| transactions. Possibly take down the system, exclude a
| single transaction. Make sure that the miner who will
| find the next block will include the right transactions.
| Make sure of that for the following block. I don't see
| that happening with a large coordination effort, meaning:
| centralization.
|
| And when you come to that conclusion you should probably
| take a step back and rethink "why are we doing all of
| that blockchain stuff when we need to rely on a central
| authority?"
| HWR_14 wrote:
| > when you come to that conclusion you should probably
| take a step back and rethink "why are we doing all of
| that blockchain stuff when we need to rely on a central
| authority?"
|
| I think blockchain is going to eventually die for that
| exact chain of reasoning.
| rnk wrote:
| You'd have to be forking it once a week, because there is
| so much stealing going on. We'd probably end up with a
| weekly split. Imagine how crazy that is. And of course
| people would make false stealing claims. Maybe you are on
| vacation when they reverse something that takes your
| money, because you have a chance to weigh in.
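The fork mechanics argued over in this sub-thread, as an added example that is not part of any commenter's post: a toy hash chain (no proof of work, no signatures) is rebuilt without one transaction, showing which block hashes change, which transactions survive the replay, and which are dropped because they spend from the removed one. The transaction ids, the single `spends` link per transaction and all function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64


def block_hash(prev_hash, txs):
    """Hash a block over its parent hash and its transaction list."""
    payload = json.dumps({"prev": prev_hash, "txs": txs}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(blocks_txs):
    """Link blocks so each hash commits to everything before it."""
    chain, prev = [], GENESIS
    for txs in blocks_txs:
        h = block_hash(prev, txs)
        chain.append({"prev": prev, "txs": txs, "hash": h})
        prev = h
    return chain


def fork_without(blocks_txs, bad_txid):
    """Replay history minus bad_txid and everything that spends from it.

    A transaction whose input comes (directly or transitively) from the
    removed transaction has nothing left to spend, so it cannot be replayed.
    """
    tainted = {bad_txid}
    kept_blocks, dropped = [], []
    for txs in blocks_txs:
        kept = []
        for tx in txs:
            if tx["id"] in tainted or tx["spends"] in tainted:
                tainted.add(tx["id"])
                dropped.append(tx["id"])
            else:
                kept.append(tx)
        kept_blocks.append(kept)
    return build_chain(kept_blocks), dropped


def replay_report(blocks_txs, bad_txid):
    """Compare the original chain with the fork that omits bad_txid."""
    old = build_chain(blocks_txs)
    new, dropped = fork_without(blocks_txs, bad_txid)
    changed = [i for i, (a, b) in enumerate(zip(old, new))
               if a["hash"] != b["hash"]]
    survivors = [tx["id"] for blk in new for tx in blk["txs"]]
    return {"changed_blocks": changed, "dropped": dropped,
            "survivors": survivors}


# Constructed history: four blocks, "theft" sits in block 1.
HISTORY = [
    [{"id": "t1", "spends": None}, {"id": "t2", "spends": None}],
    [{"id": "theft", "spends": None}, {"id": "t3", "spends": "t1"}],
    [{"id": "t4", "spends": "theft"}, {"id": "t5", "spends": "t2"}],
    [{"id": "t6", "spends": "t4"}, {"id": "t7", "spends": "t3"}],
]

if __name__ == "__main__":
    report = replay_report(HISTORY, "theft")
    # Every block from the edited one onward gets a new hash, so all
    # confirmations counted on the old blocks have to be earned again.
    print("blocks with new hashes:", report["changed_blocks"])
    # Unrelated transactions can be replayed into the new blocks.
    print("replayed transactions: ", report["survivors"])
    # Transactions downstream of the removed one are lost with it.
    print("dropped transactions:  ", report["dropped"])
```

On a real proof-of-work chain each of the changed blocks would also have to be re-mined, which this sketch leaves out.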
| stjohnswarts wrote:
| Sure but it doesn't mean I will get my "money" back like it
| would with a bank. There is no FDIC for crypto.
| tornato7 wrote:
| Plenty of crypto companies insure their deposits through
| third parties. Actually, Ronin users should have been
| able to insure their deposits with Nexus Mutual.
| motoboi wrote:
| Just as a side note, people give Starbucks literally billions
| every year. Not sure what would happen if Starbucks got
| hacked and lost people's money.
| lmkg wrote:
| Unlike traditional banks with their burdensome regulations
| and gate-keepers, the permissionless, decentralized nature of
| the blockchain means that they can't get the money back.
| gowld wrote:
| The increased risk of total loss in the edge case is in
| exchange for a more efficient system with lower prices in
| the average case. Individual users should make an informed
| decision about the tradeoff.
|
| See also http://go/hackernews/item?id=30838572 and
| https://en.wikipedia.org/wiki/Financial_crisis_of_2007%E2%80...
| cecilpl2 wrote:
| This sounds like an argument for why companies should be
| allowed to sell unregulated drugs and use asbestos and
| lead paint.
|
| Individual consumers, who we all know are extremely
| knowledgeable and informed on all topics interacting with
| their lives, should weigh the increased risk of total
| loss against generally lower prices. And then in the
| event they unluck into the total loss case, they
| should just shrug their shoulders and accept that they
| were lucky.
| throw_nbvc1234 wrote:
| Companies selling "unregulated drugs" could also mean
| people getting the covid vaccine in mid 2020 rather than
| waiting months and months for trials. People could have
| made that personal choice based on their own situation
| and risk factors. Also compare the regulation between
| "drugs" and "supplements" in the USA.
|
| I find it hard to argue that "asbestos and lead paint"
| are the same kind of individual choice as a bank or
| unregulated drugs.
| cuteboy19 wrote:
| The whole thing exists because Ethereum is prohibitively
| expensive. And blockchain is far from efficient
| ethbr0 wrote:
| >> _Imagine how preposterous the idea of storing $650mm in
| USD in a random game studio's checking account would be._
|
| > _Giving $650mm in USD to a random company is still
| infinitely safer than doing so with crypto._
|
| Chris Roberts has a very interesting opportunity he'd like to
| propose to you...
| tomatowurst wrote:
| Here's another preposterous offering: 20% APY "risk free" from
| owning crypto.
| rchaud wrote:
| Everybody thinks they can time their exit before the Ponzi
| reveals itself.
| MattGaiser wrote:
| They must just be loaning it out and slaying people endlessly
| on margin calls.
| abxytg wrote:
| Congrats, you understand defi better than most degens now.
| gowld wrote:
| or muling for money laundering.
| jazzyjackson wrote:
| I report each of these schemes that advertise on facebook as
| scams; they used to have a rule against crypto advertising
| but apparently that was lifted last December.
| outside1234 wrote:
| Are we going to regulate this insanity yet?
| apeace wrote:
| Can someone attempt to explain or speculate at what the attacker
| is doing with their wallet right now?
|
| https://etherscan.io/txs?a=0x098b716b8aaf21512996dc57eb0615e...
|
| As I write this at about 17:00 UTC, they seem to be doing lots of
| small transactions (about $1 USD), and they are coming "From"
| many different places, but only showing "To" the "Ronin Bridge
| Exploiter".
|
| I don't understand this stuff well enough to see what it is
| they're doing, but I'm curious. I'd imagine they're working
| diligently to secure their rather large fortune...
| buzzert wrote:
| I think it's random people just trying to get their name to
| show up on a currently very popular etherscan address.
| apeace wrote:
| Ah, thanks. Didn't think of that!
| apeace wrote:
| As some other commenters pointed out, those small transactions
| are all spam.
|
| So I decided to go back in the transaction history and look at
| what the attacker has done with the funds. So far, it has all
| been funneled (through about 2 hops), to something called
| "Huobi 35", e.g. this transaction[0]. Some of these have taken
| place in just the last few minutes (17:15 UTC or so).
|
| I'm assuming "Huobi 35" is the Huobi exchange?[1] And maybe
| "Huobi 35" refers to this 35% APY thing they offer?[2]
|
| If that's accurate, why would the attacker take this approach?
| Won't authorities be storming Huobi's offices and taking the
| ETH? Is it possible that through Huobi the attacker is able to
| exchange for other coins very quickly?
|
| If you look at all the transactions leading to Huobi so far it
| is only a small percentage of the amount stolen, but it's still
| many millions of dollars...
|
| Also, why'd they wait so long to move into Huobi?
|
| [0]
| https://etherscan.io/tx/0x075df6c4b44733a0e76aa4947b56b4c0c0...
|
| [1] https://www.huobi.com/
|
| [2] https://www.huobi.com/support/en-us/detail/74899843012340
| babyshake wrote:
| Huobi is Chinese I believe. One potential side effect of
| countries like China "banning" cryptocurrency is that they
| may not be motivated to help in these situations.
| omarfarooq wrote:
| The 35 refers to this being the 35th address for the Huobi
| Exchange that Etherscan was able to identify.
| bombcar wrote:
| There are no authorities who understand this enough to
| operate that quickly. By the time any authorities care, it'll
| be long gone from Huobi.
| giarc wrote:
| Bingo. Read all the technical language in this single forum
| post. Now go to your local police office, ask to speak to
| someone and you'll get the fresh recruit who knows a lot
| about traffic laws. You might as well be speaking latin to
| them.
| m3nu wrote:
| You can read the messages in those transactions by choosing
| "view input as...". Pretty funny actually:
|
| > Hi. Please donate to innocent Russians population who are
| being punished! Help Innocent People ($HIP). We are supporting
| orphans and Ukrainian refugees.
|
| https://etherscan.io/tx/0x25d6e35669f2143ab2efaba96aacd54314...
| Jerrrry wrote:
| It will be laundered in millions of $1 transactions, with
| others that are doing the same.
|
| Then it will be sold at a discount for Monero or a shitcoin,
| and then they'll get a couple thousand dollars in cash in the
| mail for the rest of their life.
|
| I'm jealous at this point.
| vmception wrote:
| No they'll add some liquidity to Tornado cash
|
| And then a bunch of other large hacks will notice that
| Tornado cash is big enough to handle _their_ large amounts
| too, adding more liquidity to Tornado cash
|
| And then some FAANG engineer is going to take their clean
| $50k paycheck and buy into a new launched token on Uniswap
|
| And that token is going to rally 100x because the tornado
| cash withdrawals keep buying that token
|
| And then that engineer is going to sell the tokens into the
| Uniswap liquidity pool, transfer the Ether to dollars, and
| report capital gains as just another lucky crypto trader
|
| You're welcome
| easrng wrote:
| The thing is, they didn't. If you check the tx history most
| of it went to Huobi and some to FTX and Crypto.com
| vmception wrote:
| That's pretty funny, good luck with that big attack
| vector on them
| Jerrrry wrote:
| vmception wrote:
| Here is one of many styles of telegram channels that
| promote newly launched tokens on Uniswap solely for the
| gamble and fun
|
| https://t.me/goobygambles
| Jerrrry wrote:
| the premise is, though, to lure in others via 1000% fomo
| -- that is only inflated because of the user buying the
| questionable tokens, then use their capital for exit
| liquidity?
|
| seems pretty simple
| vmception wrote:
| Well no, in the way I described it's primarily inflated
| because of your tornado cash notes being withdrawn (by
| you to virgin addresses) and you directing those
| addresses to buy the token
|
| While you simultaneously get to _pretend_ to be one of
| the fomo users who _also_ bought the token, from
| different addresses that are linked to your identity and
| exchange account
|
| The way Uniswap works is that prior buyers are the exit
| liquidity (look at how liquidity pools work, it's
| different than posted order exchanges so you don't have to
| wait for people to show up with an order to sell into),
| and the majority of the prior buyers (because you are
| those prior buyers) would be the capital withdrawn from
| tornado cash (the dirty money from the big hack), the
| other fomo users can sell at a premium too depending on
| the price they buy
|
| So your only goal here is for you and your clean money to
| blend in with the rest of the clean money crowd by having
| it promoted on these "degen gambles" channels, just
| because you don't want a future wiser investigator to
| suspect this token was created solely for you to cash out
| your tornado cash money.
|
| (Also, don't use someone else's node over clearnet to do
| this. Connect to infura over a tor OS (not just the
| browser) or run your own node.)
| mring33621 wrote:
| While I'm usually quick to judge crypto hacks/losses as "play
| stupid games, win stupid prizes," I am impressed, based on a
| quick reading, with the tone and content of this "Community
| Alert". They sound professional in what's no doubt a very
| stressful situation. Good Luck, Ronin!
| onebot wrote:
| It is amazing to me that these bridges can't figure out a
| reliable auditing mechanism. I can't wait to learn about how this
| was accomplished. But with the amount of money at risk, it seems
| like there has to be a mechanism to secure these things and maybe
| have a backstop in the event something does go wrong.
| px43 wrote:
| Lots of bridges have figured out good auditing mechanisms,
| and have built in fail-safes, circuit breakers, daily limits,
| etc. Those aren't the ones in the news for getting hacked
| though.
| bogota wrote:
| IE6 wrote:
| Anecdotally, I see this response to criticism of crypto pretty
| often: that we just don't understand. If you wanted to help a
| non-believer understand where would you point them? Not
| interested in being red-pilled into s**-coins but rather
| understand the benefits better. All of the sources I frequent
| are quite critical of the actual benefits (if any) of crypto.
| quantum-crt wrote:
| What if they transfer the funds to the address of a random
| person. Imagine being that guy.
| woah wrote:
| As usual on HN there are a lot of useless comments in this thread
| that are ill-informed dunks on cryptocurrency, but the real story
| of what happened is actually about the hazards of _not_ using a
| blockchain.
|
| The system that was compromised was a "proof of authority" chain.
| These are different from proof of work or proof of stake chains
| that have hundreds or thousands of distinct validators. In a
| "proof of authority" chain, a usually small number of nodes,
| often run by closely associated entities have control over the
| chain. This is not a trustless system, and it does not have the
| same security and decentralization aspects that people usually
| associate with a blockchain. I would argue that it is not
| different than a trusted third party custodying the money.
|
| In this case, the system was especially egregiously abused in
| that 4 of the "validators" were actually controlled by the same
| entity. This then required the hacker to compromise only two
| systems to steal the money.
|
| The hacker is guilty of theft, but Axie Infinity, in my opinion,
| is guilty of falsely advertising their system as a blockchain.
| sk55 wrote:
| 100% this.
| iskander wrote:
| The security practice here is even worse than what you're
| describing, the company servers had been authorized to sign on
| behalf of the DAO, so only one compromise was required to get
| 5/9 validators.
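The threshold arithmetic woah and iskander describe above, as an added example (not part of the thread and not Ronin's code): it finds the smallest set of independent systems whose compromise yields enough validator keys to meet a signing threshold, once shared operators and signing delegations are counted. The validator labels `v1`..`v9`, the operator labels `op6`..`op9` for the remaining validators, and the function names are constructed for illustration.

```python
from itertools import combinations


def usable_keys(compromised, holds, delegations):
    """Validator keys an intruder can sign with after taking these systems.

    holds:       system -> validator keys stored on that system
    delegations: system -> validators that system may sign on behalf of
    """
    keys = set()
    for system in compromised:
        keys |= holds.get(system, set())
        keys |= delegations.get(system, set())
    return keys


def min_compromises(holds, delegations, threshold):
    """Smallest number of systems that together reach the threshold."""
    systems = sorted(set(holds) | set(delegations))
    for k in range(1, len(systems) + 1):
        for combo in combinations(systems, k):
            if len(usable_keys(combo, holds, delegations)) >= threshold:
                return k, combo
    return None, ()


THRESHOLD = 5  # 5 of 9 signatures, as stated in the thread

# What "5 of 9" suggests on paper: nine keys on nine unrelated systems.
INDEPENDENT = {f"op{i}": {f"v{i}"} for i in range(1, 10)}

# woah's description: four validators run by one entity, one by the DAO.
# op6..op9 are constructed placeholders for the other four operators.
SHARED = {
    "company": {"v1", "v2", "v3", "v4"},
    "dao": {"v5"},
    "op6": {"v6"}, "op7": {"v7"}, "op8": {"v8"}, "op9": {"v9"},
}

# iskander's description: company servers may also sign for the DAO key.
DELEGATED = {"company": {"v5"}}


def audit():
    """Effective number of systems protecting the bridge in each layout."""
    return {
        "independent": min_compromises(INDEPENDENT, {}, THRESHOLD),
        "shared_operator": min_compromises(SHARED, {}, THRESHOLD),
        "shared_plus_delegation": min_compromises(SHARED, DELEGATED, THRESHOLD),
    }


if __name__ == "__main__":
    for layout, (count, systems) in audit().items():
        print(f"{layout:24s} nominal 5-of-9, effective {count}: {systems}")
```

Running the same check against a real validator set, with every standing delegation or allowlist entry listed, gives the number that matters for review: how many separately administered systems stand between an intruder and a valid withdrawal signature.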
| vmception wrote:
| The consensus model of the database isn't relevant when the
| bridge contract itself was what signed off right?
|
| Isn't the issue that the keys were just for signing that
| transaction for that contract?
|
| Or did they really compromise 5 of 9 nodes for the entire
| blockchain? If it was this, it still doesn't suggest that was
| really necessary and only coincidence. It is just as fine to
| compromise funds on a centralized blockchain as long as you can
| get the funds over the bridge before the validators pay
| attention to block it, that's pretty common too. A flight to
| security.
| woah wrote:
| It sounds like the component that was compromised was a
| bridge controlled by the same validators. I'm glossing over
| the different components of the system for simplicity.
| schemescape wrote:
| Does "gas-free RPC" mean just a regular non-blockchain endpoint?
| michaelmarkell wrote:
| No, in Ronin for a while there was no ether (they wanted free
| transactions) so they had a special rpc endpoint that could
| accept "free" transactions with gas priced at 0. They still
| process 4/9 of the transactions on ronin even though they
| introduced a paid gas now -- RON
| paulpauper wrote:
| This is possibly bullish because it takes this ETH out of
| circulation. Very hard for hackers to sell so much hot eth.
| Likely it will sit dormant in wallets for a long time, maybe
| forever. It may never hit an exchange.
| toyg wrote:
| _> The attacker used hacked private keys_
|
| Why do people write "hacked" instead of "stolen"? To make it look
| like robbing them is harder than it actually is?
| MichaelGlass wrote:
| If you have a legal system, then breaking my lock is unlawful
| intrusion, and if you take something from behind my locked
| door, it's theft.
|
| Without a legal system, e.g. crypto, if you solve my puzzle,
| then you deserve the reward. It's just math!
| ganzuul wrote:
| teknopaul wrote:
| I don't think any math was done. They sneaked a copy of the
| answer.
|
| Of course, if someone does work out the math (as they did
| with MD5 and sha1) it's going to be popcorn time.
| monocasa wrote:
| > Without a legal system, e.g. crypto, if you solve my
| puzzle, then you deserve the reward. It's just math!
|
| My fear keeping me from getting into the... offensive crypto
| space has been that the original owners of the wallets won't
| see it that way, and an imperfect opsec will leave me as one
| of the 70% of murders that don't get solved in the US.
|
| Someone with millions to billions in crypto has a decent
| chance of being diversified, and used to backfilling the lack
| of access to the state's monopoly on violence with some of
| their own.
| toyg wrote:
| Steal, copy, exfiltrate, obtain - that's not the point.
|
| The point is that hacking, when transitive, involves
| manipulating an object. It is _not_ a synonym for "copy".
| When people use it like that, it's typically to hide the fact
| that their (human or technical) systems were so bad that
| somebody managed to copy data they should not have. "They
| hacked keys!!11!" - No, something or somebody gave them keys,
| but you want us to believe that it required incredible
| skills.
| cesaref wrote:
| Stolen has a very specific meaning, it involves taking
| something from someone else, denying them the ability to use
| it. If the person still has the thing, you've not stolen it.
|
| I think 'copied' is the right word here. They hacked the
| system, and copied the keys.
| ttoinou wrote:
| Stolen implies a concept of property. Which doesn't exist
| here....
| CydeWeys wrote:
| What meaningful distinction is drawn by using one of these
| words over the other? "Hacked" typically implies it happened
| over the net, whereas "stolen" typically implies it physically
| happened in person. The former is more appropriate here, no?
| jsmith99 wrote:
| I like to distinguish attacks where money was stolen using
| stolen credentials from those that occurred simply by
| manipulating smart contracts. Some crypto enthusiasts would
| consider the second type of attack to be legitimate activity
| rather than theft, so long as the attacker stayed within the
| letter of the 'law' as expressed on chain.
| fsckboy wrote:
| hacking a system and stealing a key (copying) is a lot less
| interesting than hacking a key by exploiting some
| cryptographic weakness
| bruce511 wrote:
| I'm not sure I agree. I mean secrets can be stolen.
| Apparently pirating music or movies is theft and so on.
|
| We've often seen the narrative of Big company stealing ideas
| etc from smaller companies.
|
| So stealing can extend beyond simple physical property, and
| could acceptably encompass IP as well.
| cesaref wrote:
| It's a smart move by the entertainment industry to try to
| rebrand piracy as theft, as the public at large understand
| theft as a bad thing. Legally though I think it's
| 'copyright infringement' which sounds a lot less sexy.
| teknopaul wrote:
| Certainly in the UK theft is "taking possession with
| intent to permanently deny the owner of it". Copyright
| infringement is not theft by that definition.
|
| Saw this great stand-up skit by someone who was asked to
| compare copyright infringement to stealing a car...
|
| It's like stealing a car but you just stick your finger out,
| touch the car, and it's your car!
|
| And the owner still has the car!
|
| And literally all my friends do it!
| toyg wrote:
| I guess I'm old, but "hacked" to me typically involves
| trickery in manipulating _the object itself_ , not just
| exfiltrating it. You hack a system to copy data, you don't
| "hack data". If you say you hacked keys, I expect you
| manipulated those keys with some crypto wizardry, but in this
| case it just means somebody somehow obtained them somehow.
| skybrian wrote:
| "Hacked" makes it sound like they had security measures against
| theft.
|
| I wonder how good their security was? (Also, could an insider
| have done it.)
| mabbo wrote:
| In a system run by people, the transaction could be reversed,
| traced, and the culprits eventually brought to justice.
|
| In a system run by algorithms, designed to avoid oversight by
| people (governments), there are no such powers. There's no
| reversal. There's no checking the name on the account the
| transfer was to. It's just gone.
|
| I do not understand why people who have legal intentions would
| want to be part of the crypto economy. There's nothing but more
| risks with zero benefits.
| lfkdev wrote:
| Why are you acting like there's no corrupt government? Your
| country is not the whole world
| FanaHOVA wrote:
| > I do not understand why people who have legal intentions
| would want to be part of the crypto economy. There's nothing
| but more risks with zero benefits.
|
| I agree 100% on the risk, and my main problem with it is the
| avg person getting caught up in it. But at the same time, you
| see all the "PayPal froze my funds" posts, etc, so obviously
| the current system is flawed in its own way.
|
| You could imagine a future in which PayPal is a layer on top of
| Ethereum (or any other L1 chain) and provides reversibility,
| etc, for a fee, but at the same time the user also has the
| freedom to eject out of it and take all the funds with them.
| The maxi "everything must be 100% decentralized" take is a bit
| naive, so hopefully these accidents help us move in the right
| direction.
|
| I think long term we might have a lot of the same guard rails
| we have today, but they'll just be re-built from scratch in a
| digital-first way, rather than what we currently have.
| tornato7 wrote:
| I agree. The crypto industry has made a lot of progress
| toward securing private keys, with another 5-10 years of
| cryptography I think it will be a somewhat 'solved problem',
| thereby allowing companies like PayPal to offer their own
| custodial / layer 2 services with minimal risk.
|
| Institutional-quality digital asset custody and signing was
| basically non-existent until Fireblocks launched just over
| two years ago, and there is still a lot of progress to be
| made on cryptography primitives and infrastructure best
| practices.
| lottin wrote:
| They think that government is tyranny, therefore lack of
| government is freedom. Yes, they are dumb as hell.
| logicchains wrote:
| What's so dumb about the idea of wanting to be responsible
| for your own outcomes? You make a stupid mistake, you suffer,
| nobody else does. If you don't want to take responsibility for
| your own actions, feel free to stick to the mainstream
| financial system. Note however that as a result of that
| you'll be on the hook for bailing out other people's stupid
| mistakes when they fuck up, like how the taxpayer bailed out
| banks that made stupid loans during the GFC.
| mfringel wrote:
| With that kind of attitude, how are you going to get more
| people to come in and provide you with exit liquidity?
| frostwarrior wrote:
| They forget, freedom to be screwed is also freedom
| px43 wrote:
| I don't think anyone actually forgot that. It's kind of the
| point.
| scottiebarnes wrote:
| More likely they think government monopoly over money is a
| form of tyranny, or that unchecked government power is
| tyranny.
|
| See:
|
| Civil forfeiture:
| https://en.wikipedia.org/wiki/Civil_forfeiture_in_the_United...
|
| Executive order 6102:
| https://en.wikipedia.org/wiki/Executive_Order_6102
|
| Greek austerity measures (which include the reduction of
| social welfare and benefits due to incompetence of government
| spending):
| https://en.wikipedia.org/wiki/Greek_austerity_packages
|
| And the most important consequence, hyperinflation, often
| caused by central banks and governments:
| https://www.investopedia.com/terms/h/hyperinflation.asp
|
| The illusion of security and stability is a very nice fantasy
| to live in. The price of everything you bought went up ~7.5%
| in the last year, the debt grows perpetually higher with no
| plan to ever pay it off, housing and stock market bubbles
| continue to grow, and this is totally normal and sustainable.
| lottin wrote:
| What I was saying... the government doesn't have a monopoly
| over money. The whole crypto narrative seems thought out by
| people who don't have a clue about how things work and have
| zero real-life experience.
| scottiebarnes wrote:
| > the government doesn't have a monopoly over money
|
| Who is determining our monetary policy then? Who is
| setting interest rates? Where does the money for a
| trillion dollar stimulus package come from?
|
| > The whole crypto narrative seems thought out by people
| who don't have a clue about how things work and have zero
| real-life experience.
|
| Right now I'm questioning how much you understand about
| what money is and how it works.
| lottin wrote:
| > Who is determining our monetary policy then? Who is
| setting interest rates? Where does the money for a
| trillion dollar stimulus package come from?
|
| I don't know... does the answer to any of these questions
| suggest to you that the issuance of currency is a
| government monopoly? If that's the case, you should
| probably start here:
| https://en.wikipedia.org/wiki/Monopoly
| scottiebarnes wrote:
| Yes, controlling the world's reserve currency and forcing
| others to adopt it fits the definition of monopolizing
| money.
|
| You should probably start here:
|
| https://en.wikipedia.org/wiki/Bretton_Woods_system
|
| https://www.thebalance.com/what-is-a-petrodollar-3306358
|
| https://www.investopedia.com/terms/r/reservecurrency.asp
| lottin wrote:
| Q.E.D.
| Stevvo wrote:
| > There's nothing but more risks with zero benefits.
|
| Risk has upside. That is the benefit.
| koonsolo wrote:
| The ethereum network has been rolled back before, so what you
| say is not correct.
|
| Hence Ethereum Classic, which didn't roll back.
| tommiegannert wrote:
| I think this is where insurance companies generally pop up as a
| solution. I.e. the same solution as with regular bank accounts.
| Layering humans on top of algorithms makes sense.
|
| We already have SWIFT and networks layered under humans in the
| fiat system, so now we're just pushing more complex algorithms.
| In the case of block chains, I'd say the concept of asymmetric
| cryptography is an improvement over mutual trust in secure
| backoffice communication channels.
|
| I'm not into crypto (still thinking it's a solution waiting for
| a problem), but arguing that banks can do reversals isn't fair.
| Someone moving fiat quickly between banks will make it hard to
| reverse as well. I can't imagine a bank is going to just say "I
| guess they stole it from you, transferred it to us, but then
| withdrew from us. Let me go ahead and reimburse you anyway."
| That smells like an insurance case, no matter the underlying
| algorithms.
| godot wrote:
| I'll actually try to add and defend crypto a little bit here:
|
| > I think this is where insurance companies generally pop up
| as a solution.
|
| Real legitimate DeFi protocols are now often supported by
| DeFi insurance as well. I know nothing about Axie Infinity
| and have no idea if this applies for them at all.
|
| > (still thinking it's a solution waiting for a problem)
|
| IMO, although this has been said many times the past few
| years, I think we're starting to get past this. In a very
| simplified view, DeFi protocols that do lending (e.g. loans
| based on collaterals), can do this fully automated, and it's
| because "the money is programmable" thanks to smart contracts
| and value stored. This type of lending took human work to do
| in TradFi and has overhead, in both costs and speed. I feel
| like this is the start of what real solutions/applications
| look like; it's something that wasn't possible before.
| bufferoverflow wrote:
| Not zero benefits. In your system run by people your money can
| be frozen or taken away without your consent. Recent example:
| peaceful protesters in Canada. There are also tons of examples,
| when scammers would reverse a good transaction after receiving
| the goods.
|
| Another benefit of some blockchains: incredibly low transaction
| fees.
|
| Another benefit: smart contracts.
|
| I don't understand why you need to straight up lie.
| AlexandrB wrote:
| > Another benefit of some blockchains: incredibly low
| transaction fees.
|
| Indeed. This was the benefit of Ronin.
| px43 wrote:
| > In a system run by people, the transaction could be reversed,
| traced, and the culprits eventually brought to justice.
|
| The answer to your question is encoded in the very first block
| of the very first blockchain.
|
| > The Times 03/Jan/2009 Chancellor on brink of second bailout
| for banks
|
| https://en.bitcoin.it/wiki/Genesis_block
|
| Some people feel like they weren't being represented by the
| "justice" you're talking about, so they built their own thing
| where all the rules are publicly viewable, and consensus is run
| by the community. It seemed like a weird idea at the time, but
| the idea got popular, and people who like this new system have
| moved about two trillion dollars of global wealth into it.
|
| If you like the old way money was managed, by big institutions
| doing everything they could to extract wealth from the general
| public with no legal repercussions, then the good news is that
| the old system still exists. There are just some other options
| now too.
|
| Also, the idea that all cryptocurrencies are some laissez-faire
| Randian wet dream is simply not true. An extremely diverse
| array of crypto governance mechanisms are being experimented
| with. Many run by humans, all with their own interpretations of
| "justice", which you can read up on and participate in at will.
| Governance proposals reclaim funds judged to be unfairly
| allocated all the time. I doubt that will happen here, because
| Ethereum governance is generally very harsh on people who suck
| at testing code, but every person who lost money here knew
| exactly what they were getting in to when they chose to
| participate.
| jonshariat wrote:
| I don't think any of that is changed. If anything this allows
| that injustice to be amplified by those in power.
| ecf wrote:
| Genesis block does absolutely nothing to explain what its
| actual purpose is. Just another hand-wavey answer by a crypto
| pyramid scheme peddler in response to genuine criticism.
| calrain wrote:
| Because there are people in the world who can wake up and have
| lost all money they had deposited in a bank. There are people
| who have to pay 20% transfer fees to move money overseas. There
| are people who don't have the ability to open a bank account.
| There are people who can lose all their banked money if their
| government doesn't like them.
|
| The first world doesn't have these problems.
|
| Crypto is a bigger play than 'get rich quick'
| acdha wrote:
| > The first world doesn't have these problems.
|
| ... but a lot of first-world guys are trying to get rich by
| selling systems which cost too much even for first-world
| users and don't solve those problems. If you live somewhere
| where your government will seize your assets, cryptocurrency
| won't help your physical assets and will only help anything
| else to the extent that you aren't worried about jail or
| worse for you or your family. You can't fix that class of
| problems with technology and it seems rather heartless to use
| those people's plight as a marketing tactic for a system
| primarily used by affluent people for speculation & money
| laundering.
| car_analogy wrote:
| > The first world doesn't have these problems.
|
| Yes it does:
|
| https://en.wikipedia.org/wiki/WikiLeaks#Financial_blockade_o...
|
| https://en.wikipedia.org/wiki/Operation_Choke_Point
|
| https://www.eff.org/issues/financial-censorship
| afpx wrote:
| Where in the world is it common to lose all money deposited
| in a bank? And, why not just create better banks?
| JumpCrisscross wrote:
| > _Where in the world is it common to lose all money
| deposited in a bank?_
|
| The last round of deposit haircuts were in Europe [1]. OP
| may be talking about having a bank account frozen by a
| corrupt government. Though if crypto became widespread,
| those same governments wouldn't have trouble coercing
| people into giving up their keys.
|
| [1] https://en.wikipedia.org/wiki/Bank_failure
| Reubachi wrote:
| Entire world in late 1920s, Iceland in 2008, Russia
| currently.
|
| Of course my examples are a bit tongue in cheek, much more
| nuanced and not as "Bank bad" as I paint them to be. But
| it's entirely possible for a bank run/economic downturn to
| wipe out a currency overnight.
|
| Does that mean crypto is the solution? It sure doesn't seem
| to be given cases like this (NFT/ETH being rugpulled
| from/by videogame devs). But I think that creating "better
| banks" can only mean "more government oversight", which
| leads right back to the original problem IE;
| economic/political factors having too much control.
|
| I of course keep all my money in the form of expired New
| Hampshire State Highway toll tokens.
| ecf wrote:
| Currency takes on the value in which people believe it
| holds. Bitcoin is no different, and would instantly crash
| in the scenario of a worldwide financial system collapse.
|
| It's juvenile to believe otherwise, and reaffirms the
| belief that Crypto is just a 21st century pyramid
| scheme.
| aeturnum wrote:
| > _I think that creating "better banks" can only mean
| "more government oversight"_
|
| I mean, a bank is just a financial business. Why wouldn't
| it be possible to improve "banks" but it would be
| possible to improve cryptocurrency companies (also
| financial businesses). What is the quality that gives you
| optimism that these new entities will be able to avoid
| the problems that you are worried about?
|
| Like, I get that the technology is decentralized and it's
| impractical to track down every node, but if the plan is
| to run an illegal business that's hard to shut down...you
| do not need blockchain to do that? And if the business
| can be legal that seems like it's about laws - not the
| tech.
| cesarb wrote:
| We had something like that in the early 90s: in an attempt
| to combat hyperinflation, the government froze all the
| money above a certain small threshold on everyone's bank
| accounts (known as the "confisco da poupanca", see the
| first bullet at
| https://pt.wikipedia.org/w/index.php?title=Plano_Collor&oldi...
| for a bit more detail). Even today,
| rumors of something like that happening again are enough to
| make old people take money from the banks, even though the
| country's constitution was later patched to specifically
| forbid that kind of measure (constitutional amendment 32
| which changed/added article 62 paragraph 1 item II, see
| http://www.planalto.gov.br/ccivil_03/constituicao/emendas/em...
| for the full text).
| xtracto wrote:
| Venezuela, Greece, Russia, Argentina, Mexico. All of these
| had government bank withdrawal locks at some point to
| prevent "bank runs".
|
| The general population who had their money in the
| corresponding currency got f*ed because they could not
| exchange from their local currency to something better.
| FrenchDevRemote wrote:
| I'm not a supporter of cryptos.
|
| But most really corrupt countries.
|
| So about half the world, if not more. A large part of
| Africa, a large part of Asia, a good part of south America,
| some eastern European countries.
|
| If you want to create better banks, you'd have to pay
| bribes, millions/billions of dollars of bribes. So you're
| back to square one because you can't operate without
| charging huge fees or doing dodgy things.
| narrator wrote:
| In Argentina, in 2002, they took everyone's dollars
| denominated accounts at the Argentinian banks, converted
| them to Pesos and devalued the peso by 75%. Everyone in the
| country now had 1/3 of the money they previously had. The
| country is arguably still recovering from that theft.
|
| Currently, people who left Ukraine are finding out that
| their Ukrainian credit cards no longer work. Some people
| who have bitcoin are still able to use that.
| acdha wrote:
| Okay, now think about what would happen if Argentinians
| used Bitcoin. The same government would use the same
| powers to make the same request. Any business which
| accepted or made transactions in unapproved currencies
| would be punished. Any person keeping their money in a
| local exchange - as almost all Bitcoin users do given how
| expensive it is to do it solo - would have the seizure
| done automatically. The blockchain would be monitored by
| the government to identify non-compliant users -- better
| hope you have perfect opsec and everyone you have or will use
| it with does too! - and anyone whose lifestyle is
| incompatible with their declared income is going to be at
| risk, too.
|
| There just isn't a technical fix for a political problem.
| If you live under the jurisdiction of a government
| there's such a wide range of mechanisms available for
| enforcement.
| narrator wrote:
| Everyone who had overseas bank accounts in 2002 Argentina
| did just fine. Bitcoin on a foreign exchange or in a
| self-custody wallet would also be just fine. Getting a
| foreign bank account is too expensive for your average
| Argentinian because you have to show up in person to set
| it up, but a self-custody wallet can be had on any
| minimal smart phone.
| mplewis wrote:
| What are Ukrainians using Bitcoin for, specifically, right
| now?
| [deleted]
| gorwell wrote:
| Consider yourself lucky. You don't live in places like Russia,
| China or Canada, where your credit cards and bank account can
| be frozen or even confiscated without due process. For some
| living under these regimes, crypto is the only wealth they've
| been able to retain.
| AlexandrB wrote:
| > or Canada
|
| Come on now. You may not like the due process that was
| followed, but it was still due process (as-in following the
| letter of existing law). By this logic the US should also be
| included on your list because of civil asset forfeiture.
| s1artibartfast wrote:
| Same with Russia and China, or Ukraine - they have a
| process as well.
|
| In the case of Canada, the process was the PM tells the
| banks to freeze the funds.
| merely-unlikely wrote:
| Yes, yes it should.
| gorwell wrote:
| They invoked the Emergencies Act to bypass due process.
|
| `When Prime Minister Justin Trudeau decided a week ago to
| invoke his country's Emergencies Act for the first time in
| Canadian history to quell the unrest, it gave the police
| sweeping new powers to go after the finances of the
| protesters.`
|
| https://www.nytimes.com/2022/02/22/world/americas/canada-pro...
|
| As for the US, I agree they belong on the list because of
| civil asset forfeiture.
| rmbyrro wrote:
| Sure, like this, right? [1]
|
| [1] https://www.fresnobee.com/news/local/article259205608.html
| game_the0ry wrote:
| > There's no checking the name on the account the transfer was
| to. It's just gone.
|
| This has happened with humans too. [1]
|
| [1] https://www.washingtonpost.com/world/2021/10/07/ghani-afghan...
| malfist wrote:
| Arguably it's the same risk as holding paper notes right? If I
| steal your life savings from under your mattress, there isn't
| necessarily anything to trace it back to me.
|
| However, there is a physical limit, pretty damn hard to run off
| with half a billion worth of paper notes.
| mnumber wrote:
| Why did you equally conflate the risks then immediately
| backpedal and say "physically stealing is harder I guess"?
| malfist wrote:
| I guess it comes across as me saying cash and crypto are
| equal. They're not. I was just trying to add nuance to the
| conversation.
|
| I am wholeheartedly a supporter of centralized, fiat
| currencies.
| paxys wrote:
| It isn't even just the limits of the notes themselves.
| Physical theft has to be done on location. You have to steal
| the money and get away as far as possible as quickly as
| possible. And there are local laws and police equipped to go
| after you.
|
| How do you deal with it when the money could be in the
| pockets of an Eastern European teenager with one script run?
| tomatowurst wrote:
| parent is talking about the financial system run by
| algorithms designed to evade sanctions and regulation, not
| being your own bank.
|
| You absolutely can keep millions under your mattress and some
| do when they cannot launder it but it would be up to you to
| reverse the transaction in a forced wealth transfer vs the
| bank who can simply trace or even reverse a fraudulent
| transaction.
| logicchains wrote:
| >I do not understand why people who have legal intentions would
| want to be part of the crypto economy. There's nothing but more
| risks with zero benefits.
|
| You don't get bailed out if you fuck up, but also you aren't on
| the hook for bailing out other people when they fuck up. If you
| hold BTC, nobody's going to suddenly take a bunch of it to bail
| out banks that made shitty loans like during the GFC.
|
| It's like the saying live by the sword, die by the sword.
| kurisufag wrote:
| because it facilitates person to person interactions without
| oversight. if you want to raise funds for an entity or cause
| that is controversial, it is useful to have an option that is
| nigh-impossible to subvert when done correctly.
| [deleted]
| blueprint wrote:
| because there are benefits for specific use cases to not
| requiring a human to be involved, mainly things like censorship
| .. in other words not something most people would need but
| something few can find zero other solutions for
| rkagerer wrote:
| You raise legit concerns. Though the practical degree to which
| recourse is available and the effectiveness and fairness of
| those reversals really vary depending on where you live and/or
| transact.
|
| In a headline-grabbing caper like this the advantage seems
| obvious. But from the less sensational, day-to-day perspective
| of a small seller, reversals can be a nightmare ripe with fraud
| (google "chargeback fraud" for anecdotes) infeasible to pursue.
|
| It does put onus back on the buyer / investor to do some
| diligence on who they buy from or send their money to, and
| increases the importance of reputation in the space. (I
| personally feel there's an opportunity right now for a
| reputation mechanism to complement the crypto economy and
| believe when that catches up it will help incentivize good
| seller behavior).
|
| Kind of like when coins were primarily used as a medium of
| exchange. Coin payments didn't have reversibility, and
| adjudication stayed within the purview of other institutions, i.e.
| courts, instead of being diluted and delegated to e.g. VISA. A
| more efficient dispute resolution system - some kind of
| analogue of the legal system civilization has built up over
| centuries - is another opportunity I feel is ripe for
| innovation in connection to the crypto space.
|
| I do think the missing gaps of reputation and justice will be
| filled eventually and adopted by users, which would go a long
| way toward addressing your criticisms. In the meantime existing
| options of criminal / civil litigation remain available and
| people sending large sums of money would do well to make sure
| they know who they're sending it to so they can pursue if
| things go sideways.
| gear54rus wrote:
| You confuse legal with right. When the government is out for
| your money, crypto can be a life saver (as the recent Russian
| example shows).
|
| So maybe you shouldn't dismiss it so quickly just because it
| never happened to you.
| jokoon wrote:
| Because it's cool money, and because it's a legal gray area.
|
| I can't wait for the law to change.
|
| At some point there will be a tax for receiving and sending
| dollars to a blockchain converter, or it will require some
| heavy regulations and control, and then maybe things will
| improve.
|
| Unless people understand the Blockchain is used to launder
| money, nothing will change.
| vivegi wrote:
| 5 of 9 validator nodes?
|
| "The Byzantine Generals Problem", Leslie Lamport, Robert Shostak,
| and Marshall Pease (1982). ACM Transactions on Programming
| Languages and Systems, Vol. 4, No. 3, July 1982, Pages 382-401.
| https://lamport.azurewebsites.net/pubs/byz.pdf
|
| From the abstract: ... It is shown that, using only oral
| messages, this problem is solvable if and only if more than two-
| thirds of the generals are loyal; so a single traitor can
| confound two loyal generals. With unforgeable written messages,
| the problem is solvable for any number of generals and possible
| traitors. ...
|
| Clearly this hack (and other prior crypto hacks) demonstrates
| that the 'Unforgeability' condition is practically impossible due
| to security implementation weaknesses. One can never rule that
| out entirely. That leaves no less than 2/3rds of the network as
| the bare minimum for reasonable consensus.
|
| Lamport's paper is from 40 years ago and blockchains/systems that
| ignore these theoretical foundations are doomed to repeat the
| same flaws again and again!
| demux wrote:
| I was thinking how secure DApps built on Cosmos [0] would be.
| But I guess no matter the theoretical soundness, your DApp's
| security is as good as your L2 code. And messing around with
| L1s with no proper security foundation is a recipe for
| disaster. Re cosmos, if you guys aren't aware it's based on
| Tendermint [1] which is an advance in the field of consensus.
|
| [0] https://cosmos.network/
|
| [1] https://tendermint.com/
| bob2222 wrote:
| HAHAHAHA. Good. Blockchain is for clowns
| tlb wrote:
| oof-size:large.gif
|
| To pick up one thread: how would increasing the consensus
| threshold from 5/9 to 8/9 help? It seems like the nodes were
| compromised with the same hack, so at most it's adding a little
| extra busywork for the attackers. But maybe there's a detail I
| don't understand.
| cjg wrote:
| And then when two of the nodes die at the same time...?
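
Added example, not part of any comment in this thread: the trade-off vivegi, tlb and cjg discuss above, modelled for a k-of-n validator set. It counts how many independent key-custody domains must be compromised to forge an approval and how many outages halt the bridge. The custody maps and function names are constructed assumptions, not data from the Ronin post-mortem.

```python
"""Safety vs. liveness for a k-of-n validator set (added illustration)."""


def threshold_tradeoff(n: int, k: int) -> dict:
    """Raw key counts for a k-of-n approval rule."""
    if not 1 <= k <= n:
        raise ValueError("threshold must satisfy 1 <= k <= n")
    return {
        "keys_to_forge": k,             # signatures an attacker must control
        "failures_to_halt": n - k + 1,  # offline validators that block every approval
    }


def min_domains_to_reach(custody: dict, needed: int):
    """Fewest custody domains whose keys add up to `needed`.

    `custody` maps a domain (one operator, one network, one admin team)
    to the number of validator keys reachable by compromising it.
    Taking the largest domains first is optimal because only the number
    of domains matters. Returns None if the target cannot be reached.
    """
    total = 0
    for count, keys in enumerate(sorted(custody.values(), reverse=True), start=1):
        total += keys
        if total >= needed:
            return count
    return None


def compare(custody: dict) -> list:
    """Rows of (k, domains_to_forge, failures_to_halt, domains_to_halt)
    for every majority threshold k of the validator set."""
    n = sum(custody.values())
    rows = []
    for k in range(n // 2 + 1, n + 1):
        t = threshold_tradeoff(n, k)
        rows.append((
            k,
            min_domains_to_reach(custody, t["keys_to_forge"]),
            t["failures_to_halt"],
            min_domains_to_reach(custody, t["failures_to_halt"]),
        ))
    return rows


# Constructed scenario 1: nine validators, each key held in its own domain.
INDEPENDENT = {f"operator_{i}": 1 for i in range(1, 10)}

# Constructed scenario 2: one domain can reach five of the nine keys
# (for example through shared infrastructure or a signing delegation
# that was never revoked); the other four keys are held separately.
CORRELATED = {"shared_domain": 5, "op_b": 1, "op_c": 1, "op_d": 1, "op_e": 1}


if __name__ == "__main__":
    for name, custody in (("independent", INDEPENDENT), ("correlated", CORRELATED)):
        print(f"\n{name} custody")
        print(" k  domains_to_forge  failures_to_halt  domains_to_halt")
        for k, forge, halt, halt_domains in compare(custody):
            print(f"{k:2d}  {forge:16d}  {halt:16d}  {halt_domains:15d}")
```

With correlated custody a 5-of-9 rule falls to a single compromised domain, raising the threshold to 8-of-9 only requires three more domains, and at 8-of-9 an outage of that one domain is enough to halt approvals.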
| ricardobeat wrote:
| > The Axie DAO allowlisted Sky Mavis to sign various transactions
| on its behalf. This was discontinued in December 2021, but the
| allowlist access was not revoked.
|
| Repeat with me: "decentralized"
| erdos4d wrote:
| How does one get hold of $625 million in ETH in the first place?
| The sums that usually accompany these hacks are astounding.
| colesantiago wrote:
| This wallet contains the $625M funds in what appears to be the
| largest crypto defi hack in history.
|
| https://etherscan.io/address/0x098b716b8aaf21512996dc57eb061...
| Apocryphon wrote:
| For now. Cryptocurrency hacks are like EVE Online news, where
| there would be a story every few months about a massive heist
| totaling tens to hundreds of thousands of dollars of real-world
| currency, or yet another bigger battle that destroyed enough
| vessels equivalent to that amount. Just people outdoing
| themselves every time.
| swarnie wrote:
| Wasn't there another one in the billions a few weeks ago? The
| guy with the cringe rapper wife?
| CydeWeys wrote:
| It ended up being worth billions, but at the time of the hack
| years ago, Bitcoin was much less valuable than it is now.
| lalaland1125 wrote:
| That wasn't defi. That was a more traditional exchange hack.
| swarnie wrote:
| I'm not sure I understand the difference between various
| cryptoscams.
|
| Is that the one where people launder money by buying jpegs?
| salt-thrower wrote:
| The amount that was stolen in that case is worth billions
| now, but at the time of the theft it was only a couple
| million. It has since increased in value which led to the
| "billions" headlines.
| jonathan-adly wrote:
| I just finished reading The Cryptopians by Laura Shin. I am 100%
| convinced that this will be the rule of smart contracts (where a
| certain percentage will always be "hacked").
|
| Structurally, smart contracts are very complex vehicles - and the
| financial reward to hack them is always higher than being a good
| player.
| erdeszt wrote:
| > We are working directly with various government agencies to
| ensure the criminals get brought to justice.
|
| It's amusing to see these kind of statements from the
| decentralized no government/no authorities crowd. To quote RKL:
|
| Well it's anarchy, fuck the cops Of course, how else, through
| peace. But when the looters come to kick your ass I bet you cry
| "Police!"
| vmception wrote:
| > It's amusing to see these kind of statements from the
| decentralized no government/no authorities crowd
|
| I see this meme and I don't get it
|
| Why do you think this studio was a no government no authorities
| crowd?
|
| I haven't seen anything from Axie or its founders that suggested
| that, my assumption is that you see one word or one piece of
| technology that overlaps with the aspirations of completely
| different people that are anarchists, what's your assumption?
| erdeszt wrote:
| > Why do you think this studio was a no government no
| authorities crowd?
|
| I meant the general web3/cryptobro crowd
| vmception wrote:
| Then maybe just ignore those people and let the people
| running businesses just do what they need to do, like issue
| empty PR damage control statements like any hacked
| organization will do
|
| Let's make fun of them just like we were making fun of
| Okta's response over Lapsus
|
| No need to project your own cognitive dissonance
| erdeszt wrote:
| > No need to project your own cognitive dissonance
|
| Not sure why you felt the need to insult me but that
| won't lead to useful discussions...
| vmception wrote:
| Okay what word would you prefer to call "two competing
| and conflicting beliefs" and what are your actual
| thoughts on the rest of what I wrote?
| erdeszt wrote:
| What do you mean by "two competing and conflicting
| beliefs"?
| vmception wrote:
| A company that uses blockchain technology for their game
| contacting authorities
|
| A group of people that aspire for blockchain technology
| to fulfill an ideological goal
|
| You conflated both of those people as the same
| erdeszt wrote:
| Isn't that company also trying to fulfill the same
| ideological goal? Their twitter even says "Freedom for
| gamers". Looks exactly the same type of bs to me.
| vmception wrote:
| No, they're not.
|
| Many organizations use blockchain technology to offload
| the need to develop the account model, user state
| management, and accounting, lowers overhead costs for
| some kinds of ventures as well as being trendy which is
| able to get an audience very quickly. This inherently
| comes with some aspects of less-centralization (in case
| you or someone passing by is allergic to the word
| "decentralization"), there isn't any ideology to adopt
| with that, it's just a matter of reality. In Axie's case,
| gamers are able to resell assets they've acquired without
| the Axie platform or opinion of company. It fulfills a
| market interest and that's it. Many people are also
| making enough money to support themselves by
| playing/grinding/joining guilds, this is also an
| aspiration form of freedom.
| Miner49er wrote:
| What other value is there in cryptocurrency over traditional
| money?
| Jxl180 wrote:
| Traditional money as in cash? Mailing cash to someone on
| the other side of the world is not ideal. Trusting PayPal
| or Stripe to not arbitrarily freeze your account because
| they think you're making too much money too quickly is not
| ideal. Having to show ID to send or receive a money order
| is not ideal.
|
| That doesn't mean I don't condone the government
| prosecuting thieves who steal crypto.
| Miner49er wrote:
| > Trusting PayPal or Stripe to not arbitrarily freeze
| your account because they think you're making too much
| money too quickly is not ideal. Having to show ID to send
| or receive a money order is not ideal.
|
| These are all benefits from lack of authority.
| vmception wrote:
| > What other value is there in cryptocurrency over
| traditional money?
|
| Collecting a bunch of it and using it like traditional
| money including earning more of it as well as converting it
| to traditional money simply because this market sector is
| hot and you can make a lot of money
|
| Focus on what you can control, there is zero need to adopt
| ideology to use it, and there is zero need to project your
| thoughts on it to rationalize sticking with less lucrative
| things
| shafyy wrote:
| I love how crypto brodudes are all like "fuck the government, we
| want anonymity and no regulations", and the second their dumb
| system stops working and they lose all their gambling money, they
| come running back to the government. Fucking pathetic.
| munificent wrote:
| Privatize the profits and socialize the losses. Classic.
| Barrera wrote:
| This is the kind of pain that comes from trusting scammers and
| nincompoops about unworkable blockchain "scalability" fixes.
|
| Here's the sequence. Those dumb enough to ignore it are doomed to
| repeat the pattern. I'm probably getting some details wrong in
| this Rube Goldberg scheme, so feel free to correct.
|
| 1. Citing "Ethereum network congestion," Axie Infinity announces
| an ethereum side chain, Ronin.[1]
|
| 2. Ronin was a centralized server (therefore fast and cheap)
| authorized to make Ethereum Mainnet transactions. The server was
| a hot wallet in other words.
|
| 3. The Ronin team tried to make it look like they were
| "decentralized" by splitting signing authority among 9 "validator
| nodes." (the article)
|
| 4. An attacker obtained 5 of 9 keys, which is the signing
| threshold.
|
| 5. With the required threshold of keys, the attacker signed the
| transitions moving assets off the Ronin servers.
|
| None of this is new. The Bitcoin "block size war" was fought over
| this very point. Unworkable scaling schemes are going to end in
| disaster with no fallback, and no recourse for those who lose
| money. You end up with nothing, and will be sad.
|
| And it's sad that the same lessons keep getting replayed over and
| over. It's really simple. Can your "blockchain" be validated with
| regular hardware? Does it use a secure consensus algorithm? Is
| there a secure side channel through which low-value transactions
| can flow? If not, you're going to have a bad time when the
| shenanigans start happening.
|
| Now, is that side channel effectively a single server? Handling
| hundreds of millions of dollars of value? Have they rolled their
| own crypto? If yes to any of these, get out and stay out.
|
| [1] https://medium.com/axie-infinity/introducing-ronin-axie-
| infi...
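Added example (not part of the comment above, and not Ronin's code): a sketch of the 5-of-9 threshold check the comment describes, paired with a custody audit that reports how few parties have to be compromised to reach that threshold. HMAC-SHA256 stands in for validator signatures, and the keys, validator names and custody maps are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

THRESHOLD = 5    # signing threshold stated in the comment
VALIDATORS = 9   # validator count stated in the comment

# Constructed keys. HMAC-SHA256 is a stand-in for validator signatures.
KEYS = {
    f"v{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
    for i in range(1, VALIDATORS + 1)
}


def sign(validator, message):
    """Produce the stand-in signature of `validator` over `message`."""
    return hmac.new(KEYS[validator], message, hashlib.sha256).digest()


def approve_withdrawal(message, signatures, threshold=THRESHOLD):
    """True when `threshold` distinct known validators signed `message`.

    `signatures` is a list of (validator, signature) pairs. Unknown
    validators, bad signatures and repeated signers do not count.
    """
    signers = set()
    for validator, signature in signatures:
        if validator not in KEYS:
            continue
        if hmac.compare_digest(sign(validator, message), signature):
            signers.add(validator)
    return len(signers) >= threshold


def min_custodians_to_threshold(custody, threshold=THRESHOLD):
    """Fewest custodians whose keys together reach `threshold`.

    `custody` maps validator -> the party that actually holds its key.
    Each key has one custodian, so taking the largest holders first is
    optimal. Returns None if all keys together are below the threshold.
    """
    held = sorted(Counter(custody.values()).values(), reverse=True)
    total = 0
    for count, keys in enumerate(held, start=1):
        total += keys
        if total >= threshold:
            return count
    return None


# Constructed custody maps for illustration only.
INDEPENDENT = {v: f"operator-{v}" for v in KEYS}
CONCENTRATED = {
    **INDEPENDENT,
    **{v: "operator-a" for v in ("v1", "v2", "v3", "v4")},
}

if __name__ == "__main__":
    msg = b"constructed withdrawal request"
    five = [(v, sign(v, msg)) for v in ("v1", "v2", "v3", "v4", "v5")]
    print("5 valid signatures approved:", approve_withdrawal(msg, five))
    print("independent custody:", min_custodians_to_threshold(INDEPENDENT))
    print("concentrated custody:", min_custodians_to_threshold(CONCENTRATED))
```

The threshold check only counts keys, so the audit figure, not the 5-of-9 ratio, is what tells a reviewer how many separate parties stand between an intruder and a signed withdrawal.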
| spicymaki wrote:
| This is exactly why crypto is such a disaster. Every week there
| is yet another scam where people are losing their money. The
| feedback from crypto enthusiasts is well look at those idiots
| for putting their money into some scheme <insert unintelligible
| jargon filled insanity statement here> or you are not smart
| enough to use this thing. Look "nobody" understands what you are
| talking about. These financial systems are inscrutable and the
| problem is getting worse. You are building systems that are
| ruining people's lives and making things worse for everyone.
| Please think about what you are doing and create a system of
| value and meaning which improves humankind.
| saboot wrote:
| You are neglecting to mention the great upsides in crypto
| currency.
|
| * Giving criminals and scammers the ability to exchange goods
| and services anonymously.
|
| * Providing a source of funding North Korea's nuclear weapons
| program
|
| * Allowing nation states to engage in global commerce despite
| sanctions because they won't stop killing innocent people
|
| * Convincing older and gullible people to give their money to
| someone they don't know and a technology they can't explain
|
| * It's the future!!
|
| EDIT: Couple more
|
| * Transactions are so energy intensive that the currency
| eclipses the carbon footprint of many countries
|
| * Those transactions are also incredibly slow!
|
| * Matt Damon!
|
| I think there is a use for blockchain, but as a technology
| for everything from buying groceries to countries using it as
| a currency, no.
| Nextgrid wrote:
| > Giving criminals and scammers the ability to exchange
| goods and services anonymously.
|
| Plenty of scams happen right there in the open. With all
| the traceability that fiat currencies provide, gift card,
| advance-fee and other scams are still plentiful and the
| victims are very unlikely to ever see their money back. In
| the UK, even when reported by the financial institution to
| the National Crime Agency, they often do nothing and the
| institution is forced to return the money even in cases
| where it's very obvious it is part of a scam. A lot of
| people I know are still getting constant scam calls trying
| to get them to send _fiat_ money to them under various
| excuses so clearly these people are able to launder that
| money and evade the law just fine, and I doubt they're
| using crypto for that.
|
| > criminals
|
| The other problem with considering every "criminal" as bad
| is that the definition of "crime" depends on who's
| currently in power. Beyond the obvious violent crimes that
| the majority of people will agree are bad and should be
| prevented/punished, there's also a huge "grey area" -
| Russians who disagree with the war (or even call it a war
| instead of a "special military operation" as is the
| official party line) are now considered "criminals" by
| their government. Do you agree with their assessment that
| those people are bad and should be punished?
|
| > Providing a source of funding North Korea's nuclear
| weapons program
|
| The fact that there are people working (or rather, being
| exploited) _on the ground_ in Poland and Russia:
| https://www.youtube.com/watch?v=SPjKs8NuY4s and
| https://www.youtube.com/watch?v=awQDLoOnkdI suggests that
| moving money is not the issue when they seem to be able to
| transport _people_ just fine.
|
| > Allowing nation states to engage in global commerce
| despite sanctions because they won't stop killing innocent
| people
|
| I disagree with punishing average people and making their
| life hell because their _government_, over which they have
| no power, is doing something stupid. The vast majority
| of these people don't intend to hurt anyone and were just
| unlucky to be born at the wrong time and in the wrong
| place. If your solution to stupid governments is to make
| the life of their citizens impossible, may as well just
| nuke said country and be done with it?
|
| I'm no crypto fanatic. I don't believe in Web3 and call BS
| on whatever new crypto project comes out (and so far I have
| been right the vast majority of the time - every time as
| far as I know, but leaving the benefit of the doubt). I
| don't want crypto to take over the world because it's
| inefficient compared to competing solutions. But
| cryptocurrencies are a useful tool in certain situations
| just like end-to-end-encrypted messaging or anonymity tools
| such as Tor, and their benefits outweigh the cons even if
| they can be used to facilitate "bad" things.
| abriosi wrote:
| Having access to basic finance and the ability of storing
| money safely, should be a right.
|
| There are places in the world where these things don't exist
| because society doesn't get along.
|
| Should decentralized and anonymous communication, like TOR
| tries to be, exist? Should a decentralized currency exist?
| Should an open, free and decentralized internet exist?
|
| For some of us the answer is clear but complex. Between
| black and white there are many shades of grey
| f38zf5vdt wrote:
| Here we go again. While these things have been enabled by
| cryptocurrency, especially ransomware, all these human
| activities predate it. For those of us old enough to
| remember the drama of the crypto wars, it all sounds eerily
| familiar.
|
| > In fact, it's the proponents of widespread unbreakable
| encryption who want to create a brave new world, one in
| which all of us - crooks included - have a guarantee that
| the government can't tap our phones. Yet these proponents
| have done nothing to show us that the new world they seek
| will really be a better one.
|
| > In fact, even a civil libertarian might prefer a world
| where wiretaps are possible. If we want to catch and
| convict the leaders of criminal organizations, there are
| usually only two good ways to do it. We can "turn" a gang
| member - get him to testify against his leaders. Or we can
| wiretap the leaders as they plan the crime.
|
| > ...
|
| > If unescrowed encryption becomes ubiquitous, there will
| be many more stories like this. We can't afford as a
| society to protect pedophiles and criminals today just to
| keep alive the far-fetched notion that some future tyrant
| will be brought down by guerrillas wearing bandoleers and
| pocket protectors and sending PGP-encrypted messages to
| each other across cyberspace.
|
| > ...
|
| > As encryption technology gets cheaper and more common,
| though, we face the real prospect that the federal
| government's own research, its own standards, its own
| purchases will help create the future I described earlier -
| one in which criminals use ubiquitous encryption to hide
| their activities. How can anyone expect the standard-
| setting arms of government to use their power to destroy
| the capabilities of law enforcement - especially at a time
| when the threat of crime and terror seems to be rising
| dramatically?
|
| https://www.wired.com/1994/06/nsa-clipper/
|
| My take on it as an outsider is that these are bridging
| technologies that will probably die off once the rest of
| the world moves to a secure private digital currency system
| analogous to cash, since we will no longer need these
| "wildcat cryptocurrencies" any longer. Like how modern
| banking progressively evolved from distributed roots.
| mrmuagi wrote:
| >* Giving criminals and scammers the ability to exchange
| goods and services anonymously.
|
| I don't see how this is any different than the bog standard
| "encryption lets criminals and scammers the ability to
| exchange goods and services anonymously.". Should
| money/txns be fundamentally track-able/examinable/un-
| encrypted but your private data/messages not?
|
| Surely this contention is something you also consider --
| care to expand?
|
| >* Convincing older and gullible people to give their money
| to someone they don't know and a technology they can't
| explain
|
| I am surprised. My initial viewpoint was why would scammers
| bother to fish for bitcoin when bank transfers/gift cards
| are a lower barrier -- but seems you are right [1], the cat
| and mouse chase continues...
|
| [1] https://www.youtube.com/results?search_query=kitboga+bitcoin
| allturtles wrote:
| > I don't see how this is any different than the bog
| standard "encryption lets criminals and scammers the
| ability to exchange goods and services anonymously."
|
| The obvious difference is that encryption has many, many
| actually useful and productive applications.
| sk55 wrote:
| Crypto has tons of awesome use cases. Here's a list of 77
| use cases.
|
| https://blog.chain.link/44-ways-to-enhance-your-smart-
| contra...
| Sargos wrote:
| >encryption has many, many actually useful and productive
| applications
|
| So does crypto but likewise opponents of encryption
| disregard the positives and focus on the negatives to
| align with their preformed ideas. The only way out of
| this trap is to have an open mind and internalize the
| fact that all technologies can be used for good and evil
| and thus are relatively neutral overall. Humanity must
| take the good and bad and see where the path goes in
| order to advance as a species.
| virtualritz wrote:
| >> encryption has many, many actually useful and
| productive applications
|
| > So does crypto [...]
|
| I'd wager that this is a lie. Please name one.
|
| These systems are self referential. Great if all to do is
| speculate with value changes inside the system.
|
| Other use cases? In short: no one has come up with any
| solution to the oracle problem.
|
| As soon as you want to exchange anything crypto with
| anything but crypto (e.g. USD or a physical asset like a
| loaf of bread) you need trust.[1]
|
| [1] https://youtu.be/MiLnDe_bX6Y
| sterlind wrote:
| I don't have much invested in crypto, and I find PoW
| hideous. I think crypto is most useful for illegal things
| and tradecraft, but illegal doesn't mean immoral, and
| useful to criminals is still useful.
|
| * Buying VPN relays anonymously, for connecting to
| through Tor, VPSes etc.
|
| * Buying drugs.
|
| * Donating to causes sanctioned by your country.
|
| * Paying informants.
|
| * Allowing you to prove you're the author of something,
| or knew a secret, later on.
|
| * "Dead hand" schemes which release information if your
| wallet activity stops for more than a couple weeks. This
| keeps people from killing you to keep something from
| getting out.
|
| * Online gambling.
|
| * Evading financial controls to send money to your family
| abroad.
|
| Some of this doesn't require any trust (e.g. proving you
| knew something before some date), most of the rest
| requires trust, but what makes crypto useful for these
| cases isn't lack of trust but auditability, anonymity
| and/or lack of control by authorities.
| dmitriid wrote:
| > So does crypto
|
| It doesn't. Everyone who claims otherwise can't come up
| with a single credible example.
| ipaddr wrote:
| Buying a subscription to gay.com from Syria. You're on the
| clock..
| xvector wrote:
| - not having a central payment processor know everything
| about you
|
| - buying drugs/porn/VPNs/etc in a country that has a
| backwards stance on them
|
| - anonymous donations
|
| - purchasing services (eg commissioned art) without
| revealing your identity
|
| - sending money to friends and family during
| hyperinflation/freedom from government (mis)management of
| currencies
|
| Freedom of speech (eg cryptography) is not worth much
| without the ability to actually use said freedom to drive
| a change (e.g. requiring work, thus requiring money.)
| MBCook wrote:
| So...
|
| - Not having anyone watch out for you
|
| - Buying slaves/child porn/weapons in countries with a
| "backwards stance" on them
|
| - You don't need crypto for that. A lawyer could do it
| for you.
|
| - See above
|
| - Use any other currency that's not undergoing hyper
| inflation
| at-fates-hands wrote:
| > * Giving criminals and scammers the ability to exchange
| goods and services anonymously.
|
| Doesn't cash do the same thing?
| KarlKemp wrote:
| Cash doesn't scale, doesn't work remotely and, in any
| case, cash is actually useful for legitimate purposes,
| like snorting cocaine.
| 2muchcoffeeman wrote:
| Pretty sure the original post is a joke, but I think
| crypto is a bit like a VPN in this way. Sure your bank
| can see the initial spend. But after that it's harder to
| see where the money goes. And you have some of the
| benefits of normal banking systems. Much harder to buy
| things from far away with cash.
| osrec wrote:
| Almost every criticism above could be applied to the current
| mainstream financial system too.
| cinntaile wrote:
| > You are building systems that are ruining people's lives and
| making things worse for everyone.
|
| Don't invest more than you can afford to lose, it's the basis
| of any investment strategy. If someone puts enough money into
| highly risky, speculative assets such as these that it would
| ruin their life, then they only have themselves to blame if
| you ask me... People have to take responsibility for their
| own choices.
|
| Edit: -4 that's a new record for me, thanks guys!
| ejb999 wrote:
| It's not really supposed to be an 'investment' - anymore
| than the dollar is an investment?
|
| If crypto wants to replace dollars, they are going to have
| to do better than this.
|
| Would you tell someone whose dollars are stolen 'don't have
| more dollars than you can afford to lose'?
| cinntaile wrote:
| I think Axie Infinity is some sort of NFT game? How is
| that going to replace the dollar?
| kemotep wrote:
| The article covers that it was Ethereum that was stolen.
| On the surface it appears none of the Axie Infinity based
| tokens were touched.
| headmelted wrote:
| Your response assumes the only victims are the people
| holding the bags, but its key feature is that it
| facilitates organised crime more effectively than anything
| in history.
|
| Now with that said, someone may respond to mention that
| its key feature is actually [a store of
| value/decentralised digital money/new gold etc] and that
| person will be wrong.
| thinkmassive wrote:
| > The majority of cryptocurrency is not used for criminal
| activity. According to an excerpt from Chainalysis' 2021
| report, in 2019, criminal activity represented 2.1% of
| all cryptocurrency transaction volume (roughly $21.4
| billion worth of transfers). In 2020, the criminal share
| of all cryptocurrency activity fell to just 0.34% ($10.0
| billion in transaction volume).
|
| https://www.forbes.com/sites/haileylennon/2021/01/19/the-
| fal...
| warent wrote:
| Hideous victim blaming mentality here.
| mrmuagi wrote:
| I am torn. If someone is holding a "ruining people's
| lives" chunk in their portfolio, it's not a diversified
| one -- and it leads to a good life lesson. And if one's
| all in the stock market and it crashes -- surely you
| should not victim blame, because there is a road to
| redemption (just weather the storm), and it's really not
| their fault. Nobody can predict whether the number goes up
| or down reliably in the short term, yada yada. However
| given the nature of crypto landscape wrt. scams, attacks,
| takeovers, thefts, I can't help but say "buyer beware"
| and "it's a wild wild west out here".
|
| I mean, you must agree it is good advice in hindsight to
| not hold all your eggs in one basket in this case. I do.
| cinntaile wrote:
| I'm not blaming someone for getting scammed, that's on
| the scammer. But I am blaming someone for ruining their
| own life if they put more money into a speculative,
| highly risky asset than they can lose. This isn't
| confined to crypto, it can also be regular stocks or
| other investments. I mean this in a general sense. I
| don't mean people taking advantage of people that aren't
| in the right state of mind (for whatever reason) to be
| clear, of course I don't put the blame on those people.
| mrmuagi wrote:
| Not sure why you got such a negative reaction. This is
| basic 101 holding an investment portfolio (I hope I have
| it right [1]), the more all in the upper right (higher
| std dev) of this graph, the higher risk, the more bananas
| you'll lose in your basket if things go, proverbially,
| tits up. Diversifying is a tool/shield against this by
| minimizing risk against reward.
|
| [1] https://youtu.be/8TJQhQ2GZ0Y?t=1640
| cinntaile wrote:
| Crypto is a touchy subject here, so if I am a bit harsh
| on the people that ruined their lives by putting all
| their eggs in one crypto basket... I was prepared for it
| not to go well. Although I think some misunderstood my
| comment as blaming the victim, which was not what I
| meant. But that's ok, I'll try to phrase it better next
| time.
| Uehreka wrote:
| When we raise concerns about crypto's riskiness, people
| like you show up and say "investment involves risk" and
| frame crypto as a speculative investment. Then when
| you're gone someone else will show up hyping
| Bitcoin/Ethereum as a currency that will change the
| world, which implies that it is or will be stable enough
| to use to pay for goods and services (as opposed to being
| a vehicle for speculation).
|
| Our frustration stems from our inability to get both of
| you in the same room to duke it out once and for all.
| cinntaile wrote:
| > Our frustration stems from our inability to get both of
| you in the same room to duke it out once and for all.
|
| If only the world were such a simple place where there is
| only one right and one wrong answer.
| Uehreka wrote:
| If folks are making the argument that risky speculative
| investments can be used as currency for day-to-day
| purchases, that's an argument I'd hear out, but I feel
| like it would be a difficult argument to make.
|
| And for the record, the argument I'm perceiving from you
| ("crypto is a speculative investment, invest carefully,
| enjoy it if you win") is the closest to reality of all of
| these arguments IMO. But I do also believe that highly
| speculative things like this make for bad day-to-day
| currencies, and have not yet been convinced otherwise.
| 3np wrote:
| I mean, you could replace "crypto" with "internet",
| "computers" or "collectible sidechain NFTs" depending on how
| big the tribe you want to attack is. Or for example
|
| > This is exactly why the cloud is such a disaster. Every
| week there is yet another scam where people are losing their
| money. The feedback from cloud hosting enthusiasts is well
| look at those idiots for putting their money into some scheme
| <insert unintelligible jargon filled insanity statement here>
| or you are not smart enough to use this thing. Look "nobody"
| understands what you are talking about. These technical
| systems are inscrutable and the problem is getting worse. You
| are building systems that are ruining people's lives and
| making things worse for everyone. Please think about what you
| are doing and create a system of value and meaning which
| improves humankind.
|
| ----
|
| This line of reasoning is what may very well lead to a ban on
| end-to-end encryption and public access to non-backdoored
| general computing.
| viksit wrote:
| curious - "can your blockchain be validated with regular
| hardware" - why is this a point you call out?
|
| is it that specialized equipment is not easily accessible and
| thus not truly decentralized?
| Vadoff wrote:
| Yes. Bitcoin can be validated with regular hardware,
| thus full nodes are cheap and ubiquitous and results in a
| system that's highly decentralized. Even if a 51% were to
| hypothetically happen with miners, the full nodes will stop
| it.
|
| Ethereum and many others with massive blocks cannot be
| validated with regular hardware as there's too much
| computational power/storage involved. The majority of
| Ethereum nodes are by 3rd party services which use cloud
| services such as AWS. Additionally, essential services such
| as Infura which the majority of apps rely on are basically
| entirely centralized.
| thinkmassive wrote:
| Exactly. If validating the ledger requires millions of
| dollars worth of hardware, only a few people will know what
| it actually says, and they can collude to impose whatever
| rules they want (basically like what happened in the
| article).
| gruez wrote:
| >None of this is new. The Bitcoin "block size war" was fought
| over this very point. Unworkable scaling schemes are going to
| end in disaster with no fallback, and no recourse for those who
| lose money. You end up with nothing, and will be sad.
|
| I don't see the parallel to 'the Bitcoin "block size war"',
| though? The solution on either side (bigger blocks, lightning
| network) doesn't require trusting some party to handle
| transactions.
| tenuousemphasis wrote:
| I think their point is that at some block size, it's no
| longer feasible for most people to run their own node to
| verify the blockchain, and you start relying on a client-
| server model instead of a peer to peer model.
| tornato7 wrote:
| Yes, interestingly with Ethereum it's not the individual
| block size that's holding it back (they're around 80kb),
| it's the protected size of all blocks for people running
| validator nodes. You don't want to require node operators
| to have 100TB in SSD storage because your blocks all pile
| up too quickly (this is one of the main concerns about
| Avalanche scaling).
| thinkmassive wrote:
| Part of it IS the individual block size though.
| Individual blocks might seem small, but there's a lot
| more of them. Ethereum dApps store a LOT of state
| directly on the base chain. The other scalability
| disaster is making every node validate every instruction
| of a Turing-complete scripting language, which results in
| insane "gas fees" (or loss of fees when you didn't supply
| quite enough for the script to fully execute).
| jazzyjackson wrote:
| > (or loss of fees when you didn't supply quite enough
| for the script to fully execute).
|
| Are they planning to address this in any of the updates
| on their timeline? This turned me off from ETH
| completely, just feels like a house-always-wins situation
| skimming money from users.
| 3np wrote:
| Since it's deterministic, you can get a good estimate (in
| fact exact as long as you are not front-run) by
| simulating the execution locally before submitting it.
| All major wallets do this.
| thinkmassive wrote:
| No idea, Ethereum was an intriguing experiment for the
| first few years, but it's seemed like a dead end for a
| while now
| EVa5I7bHFq9mnYK wrote:
| That's exactly the situation in Bitcoin second layer now. There
| are a few centralized servers (lnbig etc) handling almost all
| transactions. Get out and stay out.
| tenuousemphasis wrote:
| It's not at all. The worst thing a centralized server can do
| in Lightning is refuse to route your transactions. Their
| peers have the keys and the pre-signed transactions necessary
| to unilaterally withdraw their funds from the channel.
| uncletammy wrote:
| > The worst thing a centralized server can do in Lightning
| is refuse to route your transactions.
|
| This is called censorship, the very thing Bitcoin was
| created to circumvent.
|
| It's an especially big problem given the fact that the vast
| majority of lightning payments are routed through lightning
| nodes operated by centralized cryptocurrency exchanges.
| Most of the remaining nodes on the lightning network are
| unreliable due to shortcomings in the lightning protocol
| surrounding state management, node connectivity, and
| inbound/outbound liquidity. That's not even getting into
| the abysmal incentive structure node operators face.
| tenuousemphasis wrote:
| >It's an especially big problem given the fact that the
| vast majority of lightning payments are routed through
| lightning nodes operated by centralized cryptocurrency
| exchanges.
|
| I'd love to know how you came to believe this. Due to
| Lightning's design, there is no way to know how payments
| are routed, so it seems clear that you're either
| misinformed or lying.
|
| > That's not even getting into the abysmal incentive
| structure node operators face.
|
| Such as... getting paid for your capital by routing
| payments? Oh no, so abysmal!
| _1tan wrote:
| It is certainly not a general instance of censorship if
| certain node operators or miners choose to exclude
| transactions meeting certain criteria.
|
| This isn't comparable to e.g. a hard coded blacklist.
| risho wrote:
| they can't censor you. this is incorrect. all they can do
| is inconvenience you. ultimately you can close the
| channel with them at any time if you conclude they are a
| bad actor.
| thinkmassive wrote:
| Beyond that, LN transactions use onion routing, which
| means you define the exact route for your payment to take
| through the network. You can actively avoid ever routing
| through a particular node if that's your desire.
| AlexandrB wrote:
| Bitcoin second layer as-in the "Lightning" network? That's
| worrying. I thought Lightning was supposed to solve Bitcoin's
| scaling issues.
| tenuousemphasis wrote:
| No, that person doesn't know what they're talking about,
| see my response to them.
| anchpop wrote:
| Right now they're immature, but I'm hopeful that advancements
| in ZK-tech will allow practical ZK-rollups. ZKSync already has
| a zk-evm testnet running (which I believe is based on zk-llvm),
| so we're close. Currently all the big rollups have master keys
| which can be used to steal all the money deposited by them, but
| there's no reason in principle they have to have this. Polygon
| has permissionless rollups, so I'm quite hopeful that they'll
| be a viable trustless permissionless scaling solution soon.
| ethbr0 wrote:
| For those who don't follow blockchain tech, like me, here's a
| primer on ZK-rollups: https://learn.bybit.com/blockchain/zk-
| rollups-eth-scalabilit...
| DennisP wrote:
| The nice thing about zkrollups is that users have a
| cryptographic guarantee of being able to withdraw their
| money. The rolled-up transactions are posted on chain in
| compressed form, and a contract on chain verifies a concise
| proof that all the rules were followed, including that all
| transactions had valid signatures.
|
| So if this is done correctly, any master keys shouldn't be
| able to steal user funds. The key holders would be the ones
| authorized to post the data, but the worst they could do is
| censor transactions.
| anchpop wrote:
| Right. It's possible to conceive of a rollup, particularly
| a zk-rollup, without anything like a master key. But
| current rollups do have those keys. ZK-sync for example has
| two, one mostly used for upgrading the smart contract
| that has a 14-day withdrawal delay (or something like that)
| and one for use in case of emergency that has no withdrawal
| delay. If the second were compromised, it would lead to all
| the money stored in the rollup being stolen. But there's no
| reason in principle that either of these are necessary.
|
| ZK-rollups are awesome because they don't introduce any
| trust assumptions (except for the master key issue, which
| is just an implementation detail). The only risk in current
| zk-rollup designs is that they could censor certain
| transactions by never including them in a "batch" (the
| rollup equivalent of a block), but with unpermissioned
| rollups like the one I think Polygon has even this issue is
| mitigated
| estro0182 wrote:
| >done correctly
|
| This has been the difficult bit for the ecosystem, and I
| think grasps at what GP is saying. For every competent
| dev/cryptographer in the space, there are 10(0) who are not
| because there's so much money floating around. Those 10(0)
| may implement zk-class protocols incorrectly and end up in
| the same situation we see today. There is promise in but a
| ton of validation/maturation to do for zkrollups in the
| wild.
| joosters wrote:
| The crypto(graphy) is rarely the weakness in these
| situations, so declaring faith in _(insert new tech buzzword
| here)_ is almost certainly not going to be the answer. It
| comes down to operational and human factors, like poorly
| written code. _(new tech buzzword)_ will involve lots of new
| code, and why do people think _this time_ the new code will
| be error-free?
| anchpop wrote:
| In this case, the weakness was that the keys that
| controlled the bridge were somehow stored insecurely. When
| attackers gained access to the keys, they were able to
| steal from the bridge. In a properly-implemented rollup,
| there are no keys to secure, so this attack vector is ruled
| out.
|
| But more broadly, there is really nothing else with the
| same security properties as a smart-contract-enabled
| cryptocurrency. Paypal will delete your account any time
| they want, Visa and Mastercard will blacklist whatever
| industries they feel like blacklisting, etc. If you want a
| system that's decentralized and where these attacks aren't
| possible, you have no alternative. The problem is that
| current blockchain-based systems can only handle a certain
| number of operations/second while remaining decentralized.
| The appeal of scaling solutions like ZK-rollups is that
| they give us the same security properties as the main chain
| without any security compromises (relative to the main
| chain). That's all conditional on their code being correct,
| but given that there's such a large payout to hacking e.g.
| bitcoin or ethereum or zksync and it still hasn't happened,
| we can guess that the coders have done their jobs well and
| such problems are at least very difficult to find.
| easrng wrote:
| You are misinformed. With most cryptocurrencies (except
| Monero) it is very easy to blacklist wallets, and since
| tx history is public you can't just move your coins to a
| new address to get around it either. You don't actually
| even need decentralized systems for private transactions,
| digicash with blind signatures would be private and
| vastly more efficient.
| nwiswell wrote:
| I think "very easy" is relative. How do you get the whole
| world to agree to participate in the blacklist (or even
| to be aware of it)? If you don't, then obviously it will
| remain possible to tumble/launder the coins.
|
| By comparison, if PayPal decides to freeze your account,
| that's it, the end, those funds are frozen unless and
| until you successfully run the corporate supplication
| gauntlet.
| dorgo wrote:
| I think what gp means is to tell all the exchanges (and
| maybe merchants) to blacklist your wallet. Not as simple
| and bullet proof as PayPal freezing your account but
| similar.
| easrng wrote:
| You don't need the whole world, just the exchanges. And
| some ERC20 tokens can have addresses frozen by a
| central authority (ex. USDC and Circle, USDT and Tether,
| etc) which is why the attacker immediately sold the USDC
| for ETH on 1inch and Uniswap.
| nwiswell wrote:
| > You don't need the whole world, just the exchanges.
|
| Then you just tumble the coins and head to an exchange.
| 3np wrote:
| What you are saying applies equally to "the internet" and
| "computers".
| jonny_eh wrote:
| > 4. An attacker obtained 5 of 9 keys, which is the signing
| threshold.
|
| How?
| onebot wrote:
| Exactly. Sounded like they obtained four keys and then used an
| open backdoor RPC call to obtain the fifth.
| tshaddox wrote:
| > The attacker used hacked private keys in order to forge
| fake withdrawals.
|
| > The attacker managed to get control over Sky Mavis's four
| Ronin Validators and a third-party validator run by Axie DAO.
|
| Easiest explanation: at least one Sky Mavis employee and one
| Axie Infinity employee who have access to those private keys
| got together and took all the funds. Perhaps it was only one
| employee; it's not clear to me what the difference between
| Axie Infinity and Sky Mavis is (there isn't actually an Axie
| DAO, there's just a web page where they say they plan to be a
| DAO in 2023).
| ejanus wrote:
| I was thinking that Sky Mavis owns Axie Infinity. Is that
| wrong?
| JumpCrisscross wrote:
| > _Easiest explanation: at least one Sky Mavis employee and
| one Axie Infinity employee who have access to those private
| keys got together and took all the funds_
|
| Easier explanation: they were all in a Dropbox or something
| stupid like that.
| tmp_anon_22 wrote:
| Is there a chance they were all loaded into application
| memory?
| anchpop wrote:
| They shouldn't even all be on the same computer. Ideally
| they would be engraved in titanium and inside people's
| safe deposit boxes
| [deleted]
| rmbyrro wrote:
| Most likely that
| Mondialisation wrote:
| Is bitcoin's lightning network any different? Just curious
| thinkmassive wrote:
| Yes, LN is different. The Lightning Network consists of
| channels with funds held in a 2-of-2 multisig, so the only
| way one participant can have a quorum of signatures is if
| they already own both ends of the channel. There are Bitcoin
| sidechains that have a similar federation of validators, such
| as Liquid.
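
An added example, not part of any comment above and not Ronin's or Lightning's own code: a custody audit for the quorum schemes discussed in this subthread (the 5-of-9 validator threshold and a 2-of-2 channel), computing the fewest parties whose compromise yields a quorum. The custody maps are constructed; the unnamed operators, Alice and Bob are placeholders, and the delegated variant models the signing path one commenter describes.

```python
from itertools import combinations

def min_parties_for_quorum(signers, threshold):
    """Smallest set of parties whose compromise yields `threshold` signatures.

    signers maps each key to the set of parties able to produce its signature.
    Returns (count, parties), or (None, ()) if the threshold is unreachable.
    """
    parties = sorted(set().union(*signers.values()))
    # Try ever-larger groups of parties; the first hit is a minimum.
    for size in range(1, len(parties) + 1):
        for combo in combinations(parties, size):
            chosen = set(combo)
            reachable = sum(1 for who in signers.values() if who & chosen)
            if reachable >= threshold:
                return size, combo
    return None, ()

# Constructed 9-key validator set: four keys under one operator, one run by a
# third party (as quoted in the thread), four under placeholder operators.
SEPARATE = {f"sky-mavis-{i}": {"Sky Mavis"} for i in range(1, 5)}
SEPARATE["axie-dao"] = {"Axie DAO"}
SEPARATE.update({f"validator-{c}": {f"operator-{c}"} for c in "ABCD"})

# Assumption: the first operator can also obtain the third party's signature.
DELEGATED = {key: set(who) for key, who in SEPARATE.items()}
DELEGATED["axie-dao"].add("Sky Mavis")

# Constructed 2-of-2 channel: each participant holds exactly one key.
CHANNEL = {"key-alice": {"Alice"}, "key-bob": {"Bob"}}

if __name__ == "__main__":
    cases = [("5-of-9, separate custody", SEPARATE, 5),
             ("5-of-9, delegated signing", DELEGATED, 5),
             ("2-of-2 channel", CHANNEL, 2)]
    for label, signers, threshold in cases:
        count, who = min_parties_for_quorum(signers, threshold)
        print(f"{label}: {count} party(ies) suffice: {', '.join(who)}")
```

A result of 1 means a single custody domain is a quorum on its own, whatever the nominal m-of-n says.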
| jonathan-adly wrote:
| 1. Can your "blockchain" be validated with regular hardware?
|
| 2. Does it use a secure consensus algorithm?
|
| 3. Is there a secure side channel through which low-value
| transactions can flow?
|
| The only blockchain with 3 yes is Bitcoin lol.
| lvs wrote:
| once_inc wrote:
| Indeed. This is why Bitcoin maximalists tend to be set aside
| as "religious zealots" while their conviction is a direct
| result of these three answers.
| freddiecoleman wrote:
| Actually it's Chia.
|
| Bitcoin requires custom hardware. Chia does not - you can use
| an ordinary hard drive and run a full node on a Raspberry Pi.
| risho wrote:
| the only reason chia doesn't have specialized hardware that
| crowds out all commodity hardware is because no one cares
| about chia. the reason that bitcoin has highly specialized
| asics is because it is the progenitor and center of the
| entire cryptocurrency ecosystem and has been for over a
| decade. also proof of space is no better than proof of work
| at scale. it will ultimately have very similar
| consequences.
| freddiecoleman wrote:
| There is no such thing as specialized hardware for Chia
| farming. If you manage to pull that off then
| congratulations, you have created a bigger hard drive.
| risho wrote:
| the history of cryptocurrency is a history of projects
| making that exact claim and being proven wrong over and
| over again, but surely this time is different.
| 3np wrote:
| I have in fact not heard that specific claim much. There
| was the whole "ASIC-resistance" trend and the projects
| that did care about it (like Monero) tend to be right in
| their claims. Ethereum is still to a large extent mined
| on consumer-grade GPUs.
|
| There is not even any consensus on if this is desirable
| for PoW chains.
| thinkmassive wrote:
| Bitcoin MINING is only feasible with special purpose
| hardware, but that's not what was stated:
|
| > 1. Can your "blockchain" be validated with regular
| hardware?
|
| Bitcoin can be VALIDATED on practically any low end
| consumer computer, including an early Raspberry Pi.
___________________________________________________________________
(page generated 2022-03-29 23:01 UTC)