
Springtime in Nakamoto’s Wonderous Kingdom

As my hoard of Ethereum loses half its value in a week (the story of that hoard is for another), we read of catastrophic bugs and daylight robbery.  What a wonderful world Nakamoto has created!

We are used to hackers stealing passwords or exploiting bugs to make off with millions in a few seconds.  But this month we have seen a blatant fraud make off with millions, with a sneering insult for good measure.

As Kevin Reynolds reports, “People Behind Crypto Protocol DeFi100 May Have Absconded With $32M in Investor Funds” [2].   If I read this right, basically “some guys” on the Internet booted up yet another Decentralized Finance platform, and got people to buy their tokens and otherwise give them money.  Then they skipped town with the cash, leaving behind an insulting note.

This scam is daring, but it certainly isn’t innovative. 

Nakamotoan philosophers tout the blockchain as “trustless”, solving the problem of having to trust your government regulated bank.  Somehow trusting “some guys on the Internet” is supposed to be better than trusting your own government and institutions.

Right.


On the Ethereum front, the Ethereum Foundation (EF) has reported that they finally fixed a bug that is said to have been a “clear and present danger” to the whole system [3].

I don’t totally grok the details, but I gather that there was a bug that let hackers force the innards of the system to spin, chewing up time and work, disastrously slowing down transactions.   In the case of Ethereum, you are also burning “gas”, and potentially losing work as transactions time out.  Basically, some serious sand in the gears.

After several years, this bug has been fixed.  Why did this take so long?  For one thing, crypto protocols are getting insanely complicated, and Ethereum’s executable contracts are even more complex.  There are many features, and everything happens in a decentralized environment with lots of players and economic forces as well.  So it’s hard to know exactly how things are going to work.  The bug in question was a wrinkle in the code, but the damage was due to the economic ramifications of certain ways the code could be made to work.

Even when a bug is identified, Ethereum’s engineering makes it difficult to respond.  Ethereum follows the general Nakamotoan philosophy adopted from the open source software community:  changes are proposed, implemented as a “fork”, and then voted on by the users. If the fork is adopted by most users, the change is accepted.  Otherwise, the change is rejected.

Ethereum is a benevolent dictatorship, so changes can be forced through without waiting for overwhelming consensus.  Indeed, Ethereum 2.0 is edging nearer to reality after many years of development, even though most users really don’t care enough to support the work.  But First Citizen Buterin insists, and it is happening, so it is happening.

The result of this bass-ackwards engineering process was that developers worked for three years to develop patches to address the bug.  These fixes were included in a recent update, code-named ‘Berlin’.  Only after the fork was executed was the bug disclosed officially [3].

“With this blog post, the intention is to officially disclose a severe threat against the Ethereum platform, which was a clear and present danger up until the Berlin hardfork.”

From [3]

OK, this kind of security by obscurity is not ideal.  But it’s also hardly unusual.  Developers often prefer to keep problems quiet until a fix is available and in place, for obvious reasons. It’s a risk, but often the best of bad options.

This particular incident actually keeps my confidence in the Ethereum folks.  This was a difficult situation, and the fix was non-trivial.  And they appear to have acted in the interests of everyone, as best they could.  (As usual, President-For-Life Buterin was personally involved, too.)

But it does once again show that these cryptocurrencies are no more bulletproof than any other software heavy enterprise.  It also shows, once again, the difficulty of engineering this stuff, once it is in the field with millions of dollars riding on it. How long can these projects keep dodging bullets?


  1. Kevin Reynolds (2021) Ethereum Foundation Says Berlin Hard Fork Addressed ‘Clear and Present’ Threat. Coindesk,  https://www.coindesk.com/ethereum-foundation-says-berlin-hardfork-addressed-clear-and-present-threat
  2. Kevin Reynolds (2021) People Behind Crypto Protocol DeFi100 May Have Absconded With $32M in Investor Funds. Coindesk,  https://www.coindesk.com/people-behind-crypto-protocol-defi100-may-have-absconded-with-32m-in-investor-funds
  3. Martin Holst Swende and Peter Szilagyi (2021) Dodging a bullet: Ethereum State Problems. Ethereum Foundation Blog, May 18, 2021,  https://blog.ethereum.org/2021/05/18/eth_state_problems/

Cryptocurrency Thursday