by atlacatl_sv on 5/23/22, 1:31 PM with 397 comments
by neonate on 5/23/22, 7:14 PM
by SamBam on 5/23/22, 3:39 PM
In real finance, there is an understanding that technical loopholes can exist, since not every outcome can be foreseen when writing laws, but the legal system can frequently prosecute against a series of actions which are, individually, legal, but which together are taken in order to achieve something illegal.
That is, modern finance and the law also attempt to deal with intent.
But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.
With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?
by blakesterz on 5/23/22, 2:31 PM
“I did not steal anyone's private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.”
by vmception on 5/23/22, 2:51 PM
This is misleading, either intentionally or due to Medjedovic's incompetence.
You can fork the current head of the mainnet blockchain to localhost and try infinite permutations for free to see what the next state of the blockchain will be. And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet. (Nearly sure-fire bet, as in some cases someone could replace the mainnet transaction en route, but they wouldn't necessarily know what to look for or change if it's a distinct kind of transaction.)
Medjedovic either didn't know this, because his skills didn't translate as well as he thinks, or Medjedovic knows this and hasn't come up with a stronger argument to support his actions yet (of which there are plenty) and actually is relying on public sympathy to support his actions.
Either way, there is an opportunity for broader education on how these exploits can be cooked in something akin to a "hyperbolic time chamber" or quantum reality without anyone's knowledge, ready to hop back into our dimension fine-tuned and ready to cause maximum effect, all within the ~15 seconds between blocks if necessary, as the state changes per block.
by caymanjim on 5/23/22, 8:01 PM
This is how crypto operates. Buyer beware.
by motohagiography on 5/23/22, 4:00 PM
In a smart contract, I'd make a legal distinction between syntactic parsing and calculation, which has to do with the purity of functions and data. An arbitrage would be fair game if it levered an unanticipated calculation, whereas a recent example where the contract was only checking the last several bytes of a destination address key would be a parsing exploit. Medjedovic's arbitrage as described appears to be a pure calculation advantage, and not exploiting a parsing error, and so this is very reasonably fair game.
He used logic endogenous to the contracts, with no exogenous control of the systems running the contracts. When you exploit a buffer overflow, you are breaking through (sabotaging) a parser as a means to manipulate the raw memory and machine - whereas this arbitrage is closer to something that lies somewhere between clicking on a link someone provided but had some unspoken intention about you not using it, and a SQL injection or other evaluation error that yields an index. (Edit: Actually, it's more like saying something really funny and unexpected on a platform that hasn't banned that kind of humor yet, and they're just mad about the consequences. We could even see a future where the distinction between a hack and arbitrage will be the complexity class of the algorithm and whether it represented a scheme that was Turing complete.)
Unfortunately, in Canada they'll go after him just as a fugitive now, and there is no shortage of political actors who will want to make him the perfect example villain for their hysterical policy objectives. This is one of those increasingly classic situations where a really smart kid gets system-involved and can't comprehend how insane it is because the legal system and politics are not subject to mere reason. If he has the money, fleeing before charges were laid was probably even rational, as there is no reason to expect the legal system is equipped to deliver justice in something so new.
by shockeychap on 5/23/22, 4:05 PM
So much of this reminds me of Chesterton's Fence, where "innovative" solutions are deployed by people who never put forth the time and effort to fully understand how the existing system came to be the way that it was - and the problems that it had to deal with and solve along the way.
I'm not trying to sing the praises of finance and banking; there's much there that is broken. (I'm also not a fan of crypto or NFTs.) But I am saying that many of the "old" ways came about in response to a litany of problems that are neither obvious nor intuitive, and you need to understand why it works the way it does before putting out a new solution.
by omarhaneef on 5/23/22, 2:42 PM
To steal from Frank Zappa: Legal isn't the same as allowed, allowed isn't the same as fair, fair isn't the same as just, and just isn't music.
by jakear on 5/23/22, 2:41 PM
Hey! He’s just like me.
> But did Medjedovic do this, or did the algorithm? Barry Sookman, a lawyer in Toronto specializing in information technology, says it's a distinction without a difference: “Individuals are responsible for the activities of technologies they control.”
This of course goes both ways — aren’t the index fund creators responsible for their technologies too?
by Overtonwindow on 5/23/22, 3:22 PM
This sounds very much like the same thing, and since digital currency is not heavily regulated, some might say at all, I think the outcome, while unfortunate, is not illegal.
Sadly Day & Keller and others will likely haunt this poor kid with lawsuits and frivolous attacks, but in my book he did not break the law.
by JackFr on 5/23/22, 5:35 PM
Importantly, they had automated the creation/redemption mechanism poorly. Here's the operative passage:
By eliminating human managers, Indexed could forgo management fees like the 0.95% its bigger rival, Index Coop, charged for simply holding its most popular index token. (Indexed would charge a fee for burning tokens and swapping assets within a pool, but those only applied to a small fraction of users.)
It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.
This way, it reduced the fees it paid for transactions on the Ethereum blockchain. Kellar saw full passivity as a “natural extension of the way index funds already operate.”
Kellar was wrong.
In bringing down the costs, they eliminated the very thing that might have prevented the transactions that cost them all the money. The trades were legitimate, just unfortunate for the holders, and to ask the courts to reward the incompetence of the management of Indexed is to ask the courts too much.
by antishatter on 5/23/22, 2:32 PM
by giantg2 on 5/23/22, 9:59 PM
So now they want crypto to be treated as regulated securities, but let me guess, only when it benefits them...
by TameAntelope on 5/23/22, 4:01 PM
If that's what it takes to live the "code is law" dream, count me out.
by kristjansson on 5/23/22, 4:52 PM
by RcouF1uZ4gsC on 5/23/22, 4:16 PM
This is another example of make risks public and reward private. They are arbitraging the financial system and trying to have the freedom of cryptocurrency, but when things go bad, want law enforcement to come fix it.
by bobsmooth on 5/23/22, 7:42 PM
Opsec really isn't that difficult, you just have to give it some thought.
by jrm4 on 5/23/22, 9:51 PM
by pcj-github on 5/23/22, 11:20 PM
by yobananaboy on 5/23/22, 5:51 PM
Yes, getting a proper audit for a DeFi protocol is expensive (probably 8 person-weeks at $20-30k/week, or ~$200k), and every good audit firm has a 3-6 month waiting period. But when you've got 100x that to lose, it's a drop in the bucket.
by liminal on 5/23/22, 3:29 PM
by qgin on 5/23/22, 3:13 PM
by snickerbockers on 5/23/22, 10:32 PM
by jazzythom on 5/24/22, 3:23 AM
by vfclists on 5/23/22, 7:39 PM
It looks like if you fall foul of big merchant banks and stock traders you can have the full force of the DOJ land on you, but crypto is not important enough.
by turtledove on 5/23/22, 2:46 PM
by rvz on 5/23/22, 3:07 PM
If you really hate crypto projects so much, rather than complain all day long about the crypto-bros getting rich off of their tokens, just hack the smart contracts themselves, and the project should offer a bounty, if not beg for a negotiation for that; once the project creators fix the bug, you keep the rest.
Job done, until the regulators come.
by zecken on 5/23/22, 5:31 PM
by npollock on 5/23/22, 3:36 PM
by paulpauper on 5/23/22, 3:24 PM
by tzs on 5/23/22, 3:51 PM
Q: Is the programming language these things are written in powerful enough, and does it have sufficient data access, for the developers to include sanity checks that would halt trading automatically if something is happening too far out of the norm, such as an unusually high volume of attempted night discount sales? Or maybe that would just block extreme discount sales if there have been too many of those recently?
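A toy model of the two points raised in this thread: the article passage quoted by JackFr (pool value "extrapolated from the value and weight of the largest token within the pool") and tzs's question about whether a contract could carry a sanity check that halts when something is far out of the norm. This is an added example, not Indexed's code or the article's; the pool, its token names, balances, weights, prices, the `max_drift` threshold and the index-token supply are all constructed, and the benchmark formula is a hypothetical stand-in for whatever Indexed actually used. It shows that extrapolating from one benchmark token only agrees with a full valuation while the pool sits at its target weights, and that comparing the two valuations is one cheap check a contract could make before minting or redeeming.

```python
# Added example (not Indexed's code): toy index-pool valuation showing how
# extrapolating total pool value from one "benchmark" token diverges from a
# full valuation once the pool is off its target weights, plus a sanity check
# that refuses to proceed when the two disagree. All values are constructed.

from dataclasses import dataclass, replace


@dataclass
class Asset:
    symbol: str
    balance: float   # units of the token held by the pool
    weight: float    # target weight in the pool (fractions summing to 1)
    price: float     # reference price per unit, e.g. from an external exchange


# Constructed pool at its target weights: values 10000 / 6000 / 4000 = 50/30/20 %.
POOL = [
    Asset("AAA", balance=1_000.0, weight=0.50, price=10.0),
    Asset("BBB", balance=3_000.0, weight=0.30, price=2.0),
    Asset("CCC", balance=8_000.0, weight=0.20, price=0.5),
]

# Constructed off-balance pool: same benchmark token, but the two smaller
# assets have been mostly withdrawn, so the pool no longer sits at target weights.
SKEWED_POOL = [
    POOL[0],
    replace(POOL[1], balance=500.0),
    replace(POOL[2], balance=1_000.0),
]


def full_value(pool):
    """Sum balance x reference price over every asset (one price lookup per asset)."""
    return sum(a.balance * a.price for a in pool)


def benchmark_value(pool):
    """Hypothetical cheap estimate: take the largest-weight asset and scale its
    value up by its target weight. One price lookup, but it silently assumes
    the pool is actually at its target weights."""
    bench = max(pool, key=lambda a: a.weight)
    return bench.balance * bench.price / bench.weight


def valuation_drift(pool):
    """Relative gap between the cheap extrapolation and the full valuation."""
    full = full_value(pool)
    return abs(benchmark_value(pool) - full) / full


def check_valuation(pool, max_drift=0.05):
    """Sanity check a contract could run before mint/redeem: returns
    (ok, drift); ok is False when the two valuations disagree by more than
    max_drift, i.e. the state is too far out of the norm to trust the estimate."""
    drift = valuation_drift(pool)
    return drift <= max_drift, drift


def index_token_price(pool, supply, valuation=full_value):
    """Price of one index token under a given valuation function and token supply."""
    return valuation(pool) / supply


if __name__ == "__main__":
    supply = 1_000.0  # constructed index-token supply
    for name, pool in (("balanced", POOL), ("skewed", SKEWED_POOL)):
        ok, drift = check_valuation(pool)
        print(f"{name}: full={full_value(pool):.0f} benchmark={benchmark_value(pool):.0f} "
              f"drift={drift:.2%} halt={not ok} "
              f"token@full={index_token_price(pool, supply):.2f} "
              f"token@benchmark={index_token_price(pool, supply, benchmark_value):.2f}")
```

On the balanced pool both valuations agree and the check passes; on the skewed pool the benchmark estimate still reports the original total while the full valuation has fallen well below it, so an index token would be priced far above what the pool actually backs it with, and the check returns a halt. The cost of the check is one extra price lookup per asset, exactly the expense the quoted passage says was being avoided.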
by Jon_Lowtek on 5/23/22, 8:32 PM
I found the address and I take everything back and declare the opposite: that address is not random at all.
-- original post --
> The Ethereum address used for the attack included the number ... shorthand for ...
So Bloomberg thinks people choose the numbers in their wallet addresses and are responsible for any perceived numerological meaning. Are they for real?
Sure, the guy could have sat there recreating addresses until one includes this number, but I consider it more likely this is the result of searching randomness for patterns they want to find.
Someone noticed the pattern in the randomness and Bloomberg includes it, as it makes the antagonist more evil and the story more interesting.
by anonu on 5/23/22, 8:44 PM
by Imnimo on 5/23/22, 5:16 PM
by bix6 on 5/23/22, 5:22 PM
by dimator on 5/23/22, 4:54 PM
by QuantumGood on 5/24/22, 1:08 AM
What if someone wishes for full protection of the law and publicly asks for it beforehand, but then gets involved in crypto/DeFi — would they then "deserve" the law's protections while others involved in crypto/DeFi do not?
by WhitneyLand on 5/23/22, 5:13 PM
The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he'd written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.
Completely counter to every experience I’ve had working with Waterloo people. My sample group always seemed smart, interesting, kind.
by knorker on 5/23/22, 4:44 PM
Jesus, this whole cryptocurrency racket is a joke.
by SergeAx on 5/24/22, 5:33 AM
by trasz on 5/23/22, 3:06 PM
by darepublic on 5/23/22, 11:06 PM
by viksit on 5/23/22, 8:43 PM
The judiciary could write the latter any time they got the right technical input. The question really is - what’s worth putting in the effort right now?
And those answers are coming soon.
But we shouldn’t conflate smart contracts with legal contracts in discussions.
by eftychis on 5/23/22, 9:52 PM
They had to sue or they would be sued themselves (which they might regardless), but there is no law restricting you actually from inflating the market value of an item (or a security). Their advantage is that he doesn't have a lawyer (or claims to) -- which is a stupid move; and that they froze his gains (another stupid move). If a hack is actually involved under Canadian law we shall see but a civil lawsuit is not unlikely to dictate that.
He misled their market maker, not the holders. Of course, without reading the case one cannot say anything and has an incomplete view, but they are trying to shift blame here.
There is precedent of course, when oil futures went negative and in the end brokers paid the difference -- as their software wouldn't allow people to trade non-negative ranges.
tl;dr: I think they are still on the hook for the lost funds back in the E.U./U.K.
by __turbobrew__ on 5/23/22, 5:01 PM
by vfclists on 5/23/22, 7:34 PM
by henning on 5/23/22, 8:06 PM
by thawaya3113 on 5/23/22, 2:43 PM
by turtledove on 5/23/22, 2:45 PM
by kristjansson on 5/23/22, 4:18 PM
e: missed at the end of the article:
> (Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)
So perhaps this is reproduced under a legit syndication deal?