This is great: "stable" coin project relies on community governance, so a hacker borrows $1b, uses it to get a 67% voting stake, votes that the project should wire them $182m, then pays back the huge loan and exits -- all in the space of 13 seconds. The "stable" coin immediately crashes.
theverge.com/2022/4/18/2303075

Even better: The project had been warned about the possibility of flash loan attacks, but the founders had dismissed the concerns.
theverge.com/2022/4/22/2303732

@mathew@mastodon.social "takes out a billion-dollar loan and pays it back in 13 seconds" is an absolutely absurd thing for anyone to have done ever

@alexandra @mathew i just wanna know where one goes to borrow $1bn

i could Do Some Shit with that

@mathew @alexandra okay i don't think i could do the shit in question in a single blockchain transaction and, furthermore, i would not want to

@juliana @alexandra @mathew They had 1bn in imaginary money. You can have 2bn of my imaginary money, if you promise to pay it back! The transfer protocol is really simple: you just imagine you have them.

@mathew Nowhere in the rules does it say a dog can't play basketball.

I see no crime committed here

@mathew@mastodon.social the fact that "stable" is a top feature (whether true or not) for these is already such a red flag for the entire landscape

It's like putting "They always arrived at work on time" on an employee's evaluation (just that it most likely wouldn't even be true, as seen here)

Doesn't even look like anything illegal happened...

@RyunoKi @mathew not a "hacker" but a scammer. Please, let's not mix hackers into this.

@rysiek @RyunoKi To me this is classic hacker work: making use of unintended consequences of a software system.

I also don't really see it as a scam — the entire system worked exactly as it was designed to, and nobody was lied to.

@mathew @RyunoKi the question is: how the tools and skills were employed?

You wouldn't write "drivers robbed a bank", you would say "robbers" -- even if driving was a crucial skill in that particular robbery.

@rysiek @RyunoKi Yes, but this wasn't a robbery.

And often things which are actually robbery or theft get described in other terms. Police civil forfeiture, for example. Or wage theft.

@mathew @RyunoKi I am not saying it was a robbery. I am saying that just as you would not use the word "driver" to denote members of a gang robbing a bank, perhaps we can find a better word for someone who pulls that kind of a swindle in crypto.

There is zero reason to use the word "hacker" here.

@rysiek @RyunoKi As someone on Twitter just pointed out to me, this was really a leveraged hostile takeover followed by asset stripping — all of which is standard capitalism and perfectly legal when corporations do it.

@rysiek @RyunoKi The hacker aspect is seeing unintended consequences of some software and making use of them. It's a capitalism hack.

@mathew @RyunoKi I am not disputing it might be a "hack". What I am saying is using the word "hacker" every single time unintended consequences of some kind of computer system are (ab)used.

It is as if you were insisting to *exclusively* use the word "drivers" for people taking part in *any* bank heist that involved cars.

That's just silly.

The fact that computers were involved, or that unintended consequences were exploited, does not make it okay to slander a whole community of creative people.

@mathew @RyunoKi creative people, might I add, that often have nothing to do with or, in fact, actively avoid cryptocurrencies and all the bullshit around them.

By insisting to use the word "hacker" in such cases you effectively insist on painting that community with that particular brush.

Which is most unexcellent.

@rysiek @RyunoKi I didn't intend the term "hacker" to be negative. I think this is a most excellent hack, in fact. We could use more people creatively destroying crapto schemes.

@mathew @rysiek @RyunoKi I have to say i agree with @mathew here, it's a clever use of a system to make it do something its creators didn't intend, all without breaking anything. In this case, i think hacker is warranted, even if it's linked to something negative like theft. For hacker to have meaning, we can't either whitewash it.

@axx @mathew @RyunoKi it still feels both unnecessary and unspecific enough to me though. But I am not going to die on that particular hill.

@axx @rysiek @RyunoKi I disagree that it's theft. And I'm sorry that I was unclear enough in my original post that people thought I was suggesting it was a negative thing.

@mathew @axx @RyunoKi yeah, I think it was a question of framing, plus people constantly talking about "hacks" when they mean "NFT scams". That got me to overreact in this particular case.

Thank you for engaging with me on this!

@mathew >in the span of 13 seconds

a block executes atomically, it doesn't "take time" to execute a transaction so really it all happened instantly

the journalists are kinda crappy here since it's hard to articulate how transactions are included, but it's pointless to say "how long" it took to happen since any flash loan arbitrage like this always happens in the span of a single tx

"Flash Loans allow you to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction."

Wow, that's a pretty cool hack actually. And in hindsight predictably leads to exactly this.

docs.aave.com/faq/flash-loans

/via mastodon.social/@mathew/108183… @mathew

@mathew The best part is that's not even a complicated attack. Only basic financial and cryptocurrency knowledge required

@mathew There are going to be UNENDING shenanigans with consensus voting and so-called smart contracts.

It's like a whole generation of people have to learn the hard way why financial regulations exist and are so complicated.

These motherfuckers should learn to play D&D. Then they will figure out what rules lawyering, unintended consequences, min-maxing, and system loopholes are.

@gudenau @mathew AFAIK, this is a vulnerability particular to proof-of-stake currencies. They're meant to replace computation intensive proof-of-work schemes by giving verification powers to the largest stakeholders. That's how this transaction happened: The trader in question borrowed enough to become the largest single stakeholder in the system, which gave them unilateral powers to verify their own transaction. It's a known vulnerability that PoS schemes struggle to defend against.

It has nothing to do with PoS, it was a DAO governance issue.

PoS currencies are not structured around voting, they're more like having passive ownership in a fund and receiving dividends.

@mathew ngl I’m surprised they were able to turn a profit out of it, guess they found a trade where this one obscure currency was able to be sold out within a few seconds – what a mess lol

also I concur with @rysiek – nothing was hacked, all that was done is quickly buying votes and using them to transfer cash

@mathew Also, let’s be specific – this is a DAO governance issue where no mitigations were put in place, not inherently crypto or stablecoin. But it does show the role trust tends to have to mitigate all the weird, nitpicky situations and rules that are disregarded in daily life.
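An added illustration, not part of the thread and not any real protocol's code: a toy Python model of the atomic flash loan quoted from the Aave FAQ above and of the governance weakness discussed here. It assumes a 2/3 vote threshold and compares voting weight read from the live balance with weight read from a checkpoint taken when the previous block closed, a common mitigation that the thread does not name; all account names and amounts are constructed.

```python
# Toy model, constructed for illustration; not any real protocol's code.
import copy

class Revert(Exception):
    """Aborts the enclosing transaction; its state changes are rolled back."""

class Chain:
    def __init__(self, balances):
        self.block = 1
        self.balances = dict(balances)   # live token balances
        self.history = {}                # block number -> balances when it closed
        self.passed = []                 # proposals that were voted through

    def mine(self):
        """Close the current block and checkpoint every balance."""
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def vote(self, who, proposal, snapshot):
        """Pass the proposal if `who` holds at least 2/3 of supply.
        snapshot=False reads the live balance; True reads the last checkpoint."""
        source = self.history[self.block - 1] if snapshot else self.balances
        if source.get(who, 0) * 3 < sum(self.balances.values()) * 2:
            raise Revert("not enough voting weight")
        self.passed.append(proposal)

    def flash_tx(self, borrower, amount, action):
        """One atomic transaction: borrow from 'pool', act, repay, else revert."""
        saved = copy.deepcopy((self.balances, self.passed))
        try:
            self.transfer("pool", borrower, amount)
            action(self)
            self.transfer(borrower, "pool", amount)
            return True
        except Revert:
            self.balances, self.passed = saved
            return False

def run(snapshot):
    chain = Chain({"pool": 700, "holders": 300, "borrower": 0})
    chain.mine()  # borrower's checkpointed balance is 0
    ok = chain.flash_tx("borrower", 700,
                        lambda c: c.vote("borrower", "proposal-1", snapshot))
    return ok, chain.passed, chain.balances["pool"]
```

With live-balance weight the borrowed tokens carry the vote and the loan is still repaid in the same transaction; with checkpointed weight the vote reverts and the whole transaction is rolled back.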

@xerz @rysiek Taking out a flash loan, buying votes, using them to transfer cash, and returning the loan all in a few seconds using software *is the hack*.

@mathew
The raider borrowed $1Bn, paid it back 13 seconds later, and paid about $100M for the privilege. So that's 10% interest over 13 seconds, which works out to an annualized percentage rate of 24,275,077%.

They paid back in the same block, so the annual interest is unbounded.

@mathew
This is awesome 👍
Sounds like a similar clever hack as the original DAO. A bunch of script kiddies with no adversarial thinking skills set up some (dumb) system and someone who actually is smart, takes advantage of them.

I expect we'll see many more cases like this as the whole Ethereum/web3 world is full of these clueless people.

🍿
