The math prodigy whose hack upended DeFi won’t return funds(bloomberg.com) |
The math prodigy whose hack upended DeFi won’t return funds(bloomberg.com) |
e: missed at the end of the article:
> (Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)
So perhaps this is reproduced under a legit syndication deal?
It looks like if you fall foul of big merchant banks and stock traders you can have the full force of the DOJ land on you, but crypto is not important enough.
He also thinks Tesla Wall Batteries will mine crypto soon and “broke into” a private event Elon was at and made a TikTok of it.
I want him to have a successful future is all.
If it weren't those, it would be whatever else existed to fixate on.
I have a friend or two like that and I know that if I could fix Bitcoin it would not clear up their life or make them safe.
This is a nasty position to take. You should never take joy at others losses.
I'm cheering to see the grift coming apart. Yes, some people are losing. But the early the grift falls apart, the fewer future people get destroyed by it.
I'd rather cheer seeing crypto fail, then stand by and watch it suck in vulnerable person after vulnerable person in perpetuity.
Also, I absolutely do cheer the losses of bad people. If a scammer or ethnonationalist loses their hard earned winnings.... Good.
If you really hate crypto projects so much, rather than complain all day long about the crypto-bros getting rich off of their tokens, just hack the smart contracts themselves and the project should offer a bounty if not beg for a negotiation for that and once the project creators fix the bug, you keep the rest.
Job done, until the regulators come.
People aren't that black and white (sorry).
If a despicable bigot is facing the death penalty for stealing a bag of chips, would it be ‘tone deaf’ to say that’s an unfair punishment?
A key factor in an offence is the location of the offence, which usually determines jurisdiction and the relevant laws.
In the classic example of hacking an American bank from Canada, the offence occurs on the American bank's servers in the United States. That's relatively clean and simple, legally.
With an Ethereum smart contract ... I'm not even sure where to begin. Where does the offence even occur, legally speaking? What aspect of fraud by a non-American, against an American resident by executing an adverse smart contract, occurs under the jurisdiction of the United States, if any?
Q: is the programming language these things are written in powerful enough and have sufficient data access for the developers to include sanity checks that would halt trading automatically if something is happening too far out of the norm such as an unusually high volume of attempted night discount sales? Or maybe that would just block extreme discount sales if there have been too many of those recently?
More to your point, you can always have more logging, slow things down to make them safer and allow communities to react in a timely manner, but it's far from trivial. The real problem is that any mistake can be fatal from the defender's point of view.
> It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.
> This way, it reduced the fees it paid for transactions on the Ethereum blockchain.
This cost-saving mechanism ultimately allowed the hack to take place.
i found the address and i take everything back and declare the opposite, that address is not random at all.
-- original post --
> The Ethereum address used for the attack included the number ... shorthand for ...
So Bloomberg thinks people choose the numbers in their wallet addresses and are responsible for any perceived numerological meaning. Are they for real?
Sure the guy could have sat there recreating addresses until one includes this number, but i consider it more likely this is the result of searching randomness for patterns they want to find.
Someone noticed the pattern in the randomness and Bloomberg includes it, as it makes the antagonist more evil and the story more interesting.
> The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he’d written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.
Here’s another:
> Medjedovic apparently flirted with extremist ideas: The classmate says he heard him speak favorably about White supremacy and eugenics.
He is clearly a white supremacist, how is this “searching randomness for patterns they want to find”? This is speculation, but it wouldn’t surprise me if this guy generated lots of addresses until he got one that did have 1488 in it.
With a flash loan, the funds must be returned by the end of the transaction, or the transaction fails. This makes the completion of the transaction the collateral, as if it fails at any point, all transactions (including the loan) get reverted.
What if someone wishes for full protection of the law and publicly asks for it beforehand, but then gets involved crypto/DeFi — would they then "deserve" the law's protections while others involved in crypto/DeFi do not?
The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he'd written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.
Completely counter to every experience I’ve had working with Waterloo people. My sample group always seemed smart, interesting, kind.
Jesus, this whole cryptocurrency racket is a joke.
When you deploy a smart contract on a permissionless blockchain, you don't own the smart contract or the funds that it controls.
These developers are hypocrites who don't believe in the basic premises of this technology. It is easy to preach the virtues of decentralization when it makes you money and run back in the arms of daddy government when things don't play out in your favor.
The judiciary could write the latter any time they got the right technical input. The question really is - what’s worth putting in the effort right now?
And those answers are coming soon.
But we shouldn’t conflate smart contracts with legal contracts in discussions.
They had to sue or they would be sued themselves (which they might regardless), but there is no law restricting you actually from inflating the market value of an item (or a security). Their advantage is that he doesn't have a lawyer (or claims to) -- which is a stupid move; and that they froze his gains (another stupid move). If a hack is actually involved under Canadian law we shall see but a civil lawsuit is not unlikely to dictate that.
He misled their market maker, not the holders. Of course without reading the case one can not say anything and has an incomplete view, but they are trying to shift blame here.
There is precedent of course, when Oil futures went negative and in the end brokers paid the difference -- as their software wouldn't allow people to trade non-negative ranges.
tl;dr: I think they are still on the hook for the lost funds back in the E.U./U.K.
I agree, but with the caveat that code is the letter of the law only. As it currently stands, there is no way to resolve a dispute, ambiguity, or unintended consequence with smart contracts in the same way that a court of law would handle such issues with a conventional contract. There is no room for interpretation and all smart contracts must be understood as such.
The only thing interesting about this case is how incompetent he was, while having his entire brand and identity be based on intellectual superiority. He should have used a virgin address and Tornado cash. He should have not needed to risk any funds for failure, as he should have tested the transaction in a localhost staging environment for free. Him getting doxxed is the only thing that allows this theory to be tested, whether he, or we, believe it was legal, it is now unnecessary liability. Instead, everyone knows who he is, that he's spiraling mentally, a judge in his hometown jurisdiction froze his addresses and the funds within it (which is a legal abstraction that does not freeze the funds but makes it illegal to move them until the order is lifted, in his favor or not). Just piling on the liability.
I think “code is law” is a decent crux of a more fleshed out defense, I think the Canadian attorney for the project founders is grasping but I’m not as familiar with the direction courts go there, I would prefer to see something similar play out in US federal appeals court (which is sadly after the drama of trials court and how opinions calcify throughout). It would be great and beneficial to see a transcript of how the “Sushi flooding” is argued the context of a broad computer access abuse law.
I'm astonished at how poor his OPSEC was. He could have taken any number of precautions to shield his identity -- did he really think that deleting the messages on Discord would be sufficient?
oh well, he slipped up and is now probably a fugitive since he keeps using his court "frozen" funds.
It’s from a place of spite. Don’t be spiteful, it makes you a bad person.
A 401k has regulations. My broker has a fiduciary duty to act in my best interest. The money invested into the markets helps power the economy.
And yes, I am spiteful towards grifters and conmen. Don't be tolerant of them, it makes you a bad person.
In real finance, there is an understanding that technical loopholes can exist, since not every outcome can be foreseen when writing laws, but the legal system can frequently prosecute against a series of actions which are, individually, legal, but which together are taken in order to achieve something illegal.
That is, modern finance and the law also attempt to deal with intent.
But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.
With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?
The problem with smart contracts isn't that there are bugs, but that buggy results are final with little to no recourse, by design, unless you get everyone to agree to hard fork the chain (rolling the "bad" transactions back and eplacing the buggy contract) and/or the implementation (if the bug was in the platform rather than the contract).
The legal system has a similar principle of not being liable for conduct that predates a ruling or law that forbids it, but it also has the principle of agreements being interpreted according to common sense understanding by a person with ordinary skill, and where skill differences exist between them the non-expert's interpretation is the one given precedence.
These meta rules don't have equivalents in smart contract systems, which makes them brittle. The only way smart contracts end up being used for non-trivial purposes is if they are made explicitly subordinate to the existing legal infrastructure in ways that will gum up the works, or if smart contracts are subject to mandatory formal verification possibly including game theoretic 2nd order effects.
Smart contracts don't have to exist outside the judicial system. Smart contracts are simply a way to automate transactions in a way that's efficient, transparent, and credibly neutral. Yes, we may still have to invoke courts for the 0.01% of transactions that are clear exploits. But the other 99.99% of the time, it's a much more efficient system than using written contracts to handle normal, everyday outcomes.
Even without blockchains or smart contracts, we already have automated systems that execute transactions based on algorithmic rules. If you blatantly exploit a vulnerability in those systems, then courts will generally punish you. That doesn't mean that automated systems are pointless, because 99.9% of the transactions aren't exploits. That's still a huge win, because it means we don't have to have our lawyers email redlines back and forth every time we want to trade an S&P index futures contract. (Near) fully automated transactions are 1) orders of magnitude more efficient, 2) expose general purpose composability where one automated system can be predictably inter-connected with another.
When you put an automated transaction system on-chain, you drastically increase the advantages of both, because you're embedded in an open application network with credible neutrality. A smart contract exchange like Uniswap can process about the same amount of volume as a centralized exchange like Coinbase, but the difference is that Uniswap only needs about 50 employees, whereas Coinbase needs 5000. That's primarily because Coinbase runs inside a silo'd network. That entails replicating many functions like user account management, that aren't necessary for an application like Uniswap that piggybacks off the credible neutrality of a decentralized consensus layer like Ethereum.
Yes, but that's a wrong and unfair way to define and apply laws.
> humans are imperfect
Smart contracts and "code is the law" mantra don't contradict this. You're imperfect and you commit a mistake, you lose. You find a mistake in someone else's code, you win.
This is much better than the current legal system where we are all collectively forced to adapt to, or even pay for, someone else's mistakes.
In the world of smart contracts code is indeed law, but that doesn't change the fact that in the real world law is law, and the fact that you used a smart contract to commit a crime doesn't make it any less a crime.
Plenty of crypto hypers say the same. E.g. from a quick search of "Smart Contract advantages," the very first article, by a law firm:
> Guaranteed Outcomes: Potentially the most attractive feature, smart contracts could offer a way to substantially reduce or completely eliminate the need for litigation and courts. This is because when parties commit to using self-executing contracts, they bind themselves to the rules and determinations of the underlying code, rather than exposing themselves to interpretations med by parties outside of the contractual relationship.
I think some confusion arises because that "smart contracts" only make sense if code really is law, in the sense that any transaction executed by the contract -- even unexpected, surprising transactions -- is considered to be fully consented to by all parties interacting with the contract.
I agree that that's a terrible idea - bugs can always exist, and having no recourse when millions of dollars are lost due to a coding error is a huge and unreasonable risk.
But otherwise -- if, ultimately, courts can force "smart contract" transactions to be unwound if they are found to be exploitative, unintended or otherwise invalid -- then what's the point of having smart contracts in the first place? What's the value proposition? Why not just use regular contracts?
For example, robbery is when, with intent to commit theft, you take property by force.
Anything else is not robbery.
Theft by taking is: when a person unlawfully takes or, being in lawful possession thereof, unlawfully appropriates any property of another with the intention of depriving him of the property, regardless of the manner in which property is taken or appropriated.
(The above is georgia, robbery/theft/etc are state crimes so defintions vary a bit)
Again, it requires doing so unlawfully (or converting unlawfully).
If doing what this person did isn't unlawful in the real world, it's not theft, it's not robbery, it's not anything.
So you have to find a crime that actually matches what happened.
It's not wire fraud - that would require " false statement, promise, or misrepresentation in order obtain money or something of value from someone else."
etc
So what crime do you believe this actually is?
(So far i've only seen a civil lawsuit, and while there is a warrant for his arrest, that's for refusing to move the tokens to a neutral third party, or show up to court :P )
The "laws of physics" analogy doesn't match up. I feel like it would be more appropriate in an anarchist society (physics are the only laws, thus everything that obeys physics is game).
This feels more like discovering an exploit in a video game. It's up to the devs to patch it, or tournaments to outlaw, but if you find something out, you can use it. We agree to play by the rules, but if someone comes up with something last minute, they can win.
(Well, maybe you can still complain, IANAL, but it gets a lot murkier.)
If this smart contract is considered a legally binding contract, then, yes, this would likely be illegal despite the proverbial "letter" of the smart contract not being broken. If it isn't, then it may not necessarily be illegal (but possibly still could be).
A smart contract is a piece of code running on a public permissionless blockchain. The developers who deployed that code do not own it. Medjedovic had as much the right to take money out of the smart contract using the contract's logic as Kellar and Day.
Being blockchain developers, Kellar and Day know these facts very well, but they persist in their hypocrisy because it is in their financial interest to do so. They are betting on a non-technical jury being convinced by a good lawyer that Medjedovic "hacked them" or "stole their funds" (which is not at all what happened here).
They don’t. They simply have to accept it as a bug bounty successfully collected and paid out, and treat it as a learning experience and evolutionary process. Do better next time, if there is a next time.
This is why things like "land registry on the blockchain" will never happen. When a court decides that a sale of a house was unlawful, then the blockchain is wrong and irrelevant.
Code isn't law. Law is system that ultimately sends people to your house and puts you in a locked house that you're not allowed to leave, and lets other people live in "your" house now.
Math can't enforce who lives in your house.
Edit: It would be great if there was more moral in finance, but I think that's wishful thinking and doesn't really distinguish traditional finance or Defi. The only nice thing about Defi is that everyone can see what's going on in contrast to what happens when you do something in traditional finance.
Do not see any 'unauthorised access' in that case i.e not the classic definition of 'computer hacking'. However if the case does end up progressing I do wonder what form a defense will take.
It's like the people who invented smart contracts never heard of the incompleteness theorem.
https://www.cnn.com/2021/02/16/business/citibank-revlon-laws...
And they're a gigantic bank, it's the original digital business, every banker knows a single arithmetic error is dangerous.
Just bankers being inept.
It does? Maybe for the poor, but certainly not for the rich/corporations.[1]
[1] - https://www.imf.org/external/pubs/ft/fandd/2019/09/tackling-...
but on your main point regarding “modern finance and law”:
2021: https://member.fintech.global/2022/01/05/the-top-five-compli...
https://www.kyckr.com/aml-fines-2021/
tldr fines amount to billions in total and sometimes criminal proceedings are brought forward.
Examples of code NOT being the law: Some defi protocols have made those affected by a hack/loophole whole again with their own funds. Some defi protocols explicitly exclude certain jurisdictions like the US from accessing their protocol. Surely if they all belived "code is law" they wouldn't give a fuck, right?
That's a terrible example. If the code really weren't law, they'd reverse the transaction, or force the hacker to give back the money, like a court could.
Since the code is law they're stuck, and so just hand the victim some money out of their own pockets, to try and eliminate bad press and keep people's trust.
“I did not steal anyone's private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.”
Yes, it's a little disingenuous to claim "code is law" until it doesn't suit you anymore.
This is misleading, either intentionally or due to Medjedovic's incompetence.
You can fork the current head of the mainnet blockchain to localhost and try infinite permutations for free to see what the next state of the blockchain will be. And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet. (nearly sure fire bet as in some cases, someone could replace the mainnet transaction in route, but they wouldn't necessarily know what to look for or change if its a distinct kind of transaction)
Medjedovic either didn't know this, because his skills didn't translate as well as he thinks, or Medjedovic knows this and hasn't come up with a stronger argument to support his actions yet (of which there are plenty) and actually is relying on public sympathy to support his actions.
Either way, there is an opportunity for broader education on how these exploits can be cooked in something akin to a "hyperbolic time chamber" or quantum reality without anyone's knowledge, ready to hop back into our dimension fine tuned and ready to cause maximum effect, all within the ~15 seconds between blocks if necessary, as the state changes per block.
This is how crypto operates. Buyer beware.
> This is how crypto operates. Buyer beware.
This statement rings very true for me, and perhaps is the bit we agree on. With crypto there is no "oversight" that blocks you from depositing your funds into unsafe contracts, etc. It's up to you as the user to do your own research before depositing funds.
There are many projects within crypto that ARE well built, and have been carefully tested, analyzed, slowly released to the public, etc. I like having the ability to make this choice myself instead of relying on some gatekeeper to decide what I can do with my money (cough "accredited investor rules").
We already do exactly that, e.g. Accredited Investor.
In a smart contract, I'd make a legal distinction between syntactic parsing and calculation, which has to do with the purity of functions and data. An arbitrage would be fair game if it levered an unanticipated calculation, whereas a recent example where the contract was only checking the last several bytes of a destination address key would be a parsing exploit. Medjedovic's arbitrage as described appears to be a pure calculation advantage, and not exploiting a parsing error, and so this is very reasonably fair game.
He used logic endogenous to the contracts, with no exogenous control of the systems running the contracts. When you exploit a buffer overflow, you are breaking through (sabotaging) a parser as a means to manipulate the raw memory and machine - whereas this arbitrage is closer to something that lies somewhere between clicking on a link someone provided but had some unspoken intention about you not using it, and a SQL injection or other evaluation error that yields an index. (edit: Actually, it's more like saying something really funny and unexpected on a platform that hasn't banned that kind of humor yet, and they're just mad about the consequences. we could even see a future where the distinction between a hack and arbitrage will be the complexity class of the algorithm and whether it represented a scheme that was Turing complete)
Unfortunately, in Canada they'll go after him just as a fugitive now, and there is no shortage of political actors who will want to make him the perfect example villain for their hysterical policy objectives. This is one of those increasingly classic situations where a really smart kid gets system-involved and can't comprehend how insane it is because the legal system and politics are not subject to mere reason. If he has the money, fleeing before charges were laid was probably even rational, as there is no reason to expect the legal system is equipped to deliver justice in something so new.
So much of this reminds me of Chesterton's Fence, where "innovative" solutions are deployed by people who never put forth the time and effort to fully understand how the existing system came to be the way that it was - and the problems that it had to deal with and solve along the way.
I'm not trying to sing the praises of finance and banking; there's much there that is broken. (I'm also not a fan of crypto or NFTs.) But I am saying that many of the "old" ways came about in response to a litany of problems that are neither obvious nor intuitive, and you need to understand why it works the way it does before putting out a new solution.
To steal from Frank Zappa: Legal isn't the same as allowed, allowed isn't the same as fair, fair isn't the same as just, and just isn't music.
Hey! He’s just like me.
> But did Medjedovic do this, or did the algorithm? Barry Sookman, a lawyer in Toronto specializing in information technology, says it's a distinction without a difference: “Individuals are responsible for the activities of technologies they control.”
This of course goes both ways — aren’t the index fund creators responsible for their technologies too?
So the question becomes "Who's law?"
This sounds very much like the same thing, and since digital currency is not heavily regulated, some might say at all, I think the outcome, while unfortunate, is not illegal.
Sadly Day & Keller and others will likely haunt this poor kid with lawsuits and frivolous attacks, but in my book he did not break the law.
Importantly they had automated the creation/redemption mechanism poorly. Here's the operative passage:
By eliminating human managers, Indexed could forgo management fees like the 0.95% its bigger rival, Index Coop, charged for simply holding its most popular index token. (Indexed would charge a fee for burning tokens and swapping assets within a pool, but those only applied to a small fraction of users.)
It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.
This way, it reduced the fees it paid for transactions on the Ethereum blockchain. Kellar saw full passivity as a “natural extension of the way index funds already operate.”
Kellar was wrong.
In bringing down the costs, they eliminated the very thing that might have prevented the transactions that cost them all the money. The trades were legitimate, just unfortunate for the holders and to ask the courts to reward the incompetence of the management of indexed is to ask the courts too much.
So now they want crypto to be treated as regulated securities, but let me guess, only when it benefits them...
If that's what it takes to live the "code is law" dream, count me out.
This is another example of make risks public and reward private. They are arbitraging the financial system and trying to have the freedom of cryptocurrency, but when things go bad, want law enforcement to come fix it.
Opsec really isn't that difficult, you just have to give it some thought.
Yes, getting a proper audit for a Defi Protocol is expensive (probably 8 person weeks at $20-30k/week or ~$200k), and every good audit firm has a 3-6 month waiting period. But when you’ve got 100x that to lose, it’s a drop in the bucket.
My brokerage sends me plenty of prospectuses and other documentation that I don't read that describes exactly that. I depend on the regulators and the lawyers of other clients that have a lot more to lose than I do to make sure they stick to the rules.
An exploiter conducting a big heist and disappearing never has to prove that they can't do it again, because they're rich immediately.
You don't even need to perfectly predict the next state to make risk-free attempts; you merely need to submit your transactions using flashbots (which operates a gateway directly to the miners). You pay a portion of your profit to the miners as an incentive to include your transaction, and if your transaction fails for any reason it fails atomically and is not included in the block, meaning you have paid no gas and your attempt is thus risk-free. One caveat is that this only works if the transactions can be assembled into a bundle within the same block.
They'd at least risk losing the transaction fees...
That often isn't true anymore, see https://ethereum.org/en/developers/docs/mev/
which means non-trading transactions would look so different that someone playing with higher gas wouldn't know what to replace in the bytecode within the 15 seconds between blocks
and the user also has the choice of sending directly to a miner just like the MEV people do, to skip the mempool
which is looks like he did (but not sure, just noticed his contract mentions MEV)
https://etherscan.io/tx/0x1710f8c91f03d43a51b94fb5db00305cdd...
You have described mining.
Nobody is suggesting grandmas code their own smart contracts.
This is not the reason to keep grandma's savings away.
But yield farmers and high value targets should open insurance policies
And the insurance pool participants should also be wary ha
This is of course entirely untrue, and anyone who has done even the smallest amount of onchain trading would know this.
It's this very attitude, that omly the annointed elite should be allowed to do anything, that draw people to crypto. Now personally I would avoid this scheme like the plague for other reasons. Smart contracts are hard to get right, and especially the ones that rely on very complicated game theorethical considerations for correct operation. And further an index fund of tokens whether manually or automatically managed sounds like a bad idea since I don't believe in the underlying tokens.
Except what's next? Live in hiding in a foreign country? Craft a new identity and find new chains to exploit? I suppose 18 years old is a good time to learn that you can have all the money in the world, but it won't do shit for you if you can't spend time with the people you want to.
I'd wager this individual could get much more satisfaction out of developing novel, interesting mathematics that do actual good for humanity, surrounded by a group of like minded high performing individuals. But he seems to have thrown hopes of that out the window. It's sad, really.
But I'm perhaps projecting.
Yeah, but tradfi has this problem too: sometimes it's hard to tell the difference between straight up trading, and spoofing/otherwise manipulating the market. Maybe the moral of the story is this, that free markets are a myth, and crypto is just making this even more clear.
This idea of the Turing completeness, or maybe complexity class of your transaction logic determining whether it is an endogenous logical arbitrage trade, or an exogenous manipulation scheme may have some really appealing features.
Hypothetically, if the steps of your transaction logic operate on or recurse over feedback into and from the market, you are in fact, "manipulating," it. I'd wonder how describing manipulation in terms of recursion limits and feedback would impact the definiton. Whereas, if you are precalculating or front running some periodic market function, you are arbitraging it with endogenous market information and that makes it "legit."
Where this guy might be vulnerable in that model is the question of how far upstream of his actual transaction did he get before the feedback loop he was operating over is not considered a part of that market - and whether his arbitrage was legit because it was between markets.
TFA claims he was originally offered to keep 10% (over a million dollars) from this hack, free and clear. Not agreeing to that deal meant willingly putting himself at the mercy of said legal system. Talking about a single decision as rational in isolation is disingenuous.
I will go back to this idea of an endogenous logic calculation vs. exogenous parsing errors description, where so long as he did not misrepresent the identities or sabotage the functions of any of the sources or destinations of the funds he used in his system, he should be in the clear.
It would be interesting to verify whether his technique had this "functional purity," that I've named and am balancing my argument on tho.
The same description can be said for using XSS to steal someone's cookies. XSS doesn't escape the JavaScript virtual machine similar to how you aren't escaping Ethereum's virtual machine. Technically the code allows you to inject arbitrary JavaScript, but that behaviour wasn't intend to be possible by the designers of the site.
The argument I'm using is that the casino didn't shuffle their deck and a player calculated an advantage. He didn't have hidden cards, a secret view of anyone elses. I'd like to verify that aspect of the strategy though as it's potentially a powerful heuristic.
I don’t get why purchasing a stolen NFT is different than purchasing a stolen guitar from a pawn shop. Shouldn’t the previous owner be able to use the courts to demand the return of the item that was stolen from them?
Or is this just something that hasn’t been tested yet?
--
For the downvotes, I'll add some further explanation: you have access to the keys in order to perform a sale of "your" NFT, but no US court (I am unsure of other countries) has yet ruled in a case that clarifies whether a person actually owns an NFT. For example, they have not ever ruled against someone who has "stolen" an NFT. Therefore, there is no case law that says whether a person legally "owns" an NFT.
Don't just take my word for it:
> Ultimately, an NFT owner has access to the underlying asset, but they may lack exclusive access to or control of the asset, let alone ownership of the asset or any intellectual property (IP).
https://www.lawyer-monthly.com/2021/05/nfts-and-ip-law-who-o...
The specific danger here legally is trying to apply general laws into an unregulated market. It's a bit like borrowing money from your mate and then trying to take him to court because he's asking for too much interest.
They are, or at least purport to be, fair at some level or through some mechanism most people may not immediately percieve.
When something really isn't fair, even by some indirect means or when accounting for some other imperative like geneneral societal necessity, then they are at least understood to be failures not successes.
This story though... it actually provides a good example of indirect fairness. Well yes and no, there's a point and also a counter to that point, net result throw up my hands glad I'm not in crypto:
Point, it's fair: You got robbed and think it's unfair that there's no recourse. That downside is just the fair price of being in that game at all, which you pay in trade for not having to deal with the traditional system and "the man". You have to absorb the occasional loss from a mistake as just a feature of the environment like the risk of your shipping boat sinking because the ocean is not a safe place. The only protection possible is pay an insurer or maintain your own emergency escrow or something, not any kind of police or rule-daddy.
Point, it's not fair: They are not in fact free of the man, and so they are not really getting the true freedom they are paying for by assuming all responsibility for their own risk.
(Rabbit hole because I sense this is a debate lawyers have all through law school, and there are various schools of thoughts about the nature of the law etc)
Yeah, that's by design. If your "notions of fair are often at odds" with someone else's notions of fair, and a judge needs to intervene to resolve the dispute, then things may not break your way.
> In their complaint, lawyers for Kellar and Day argued that two particular steps of the attack violated statutes against market manipulation and computer hacking. One was swapping almost all the UNI tokens out of the DEFI5 pool, the otherwise irrational trade that distorted the pricing such that Medjedovic could buy tokens out from under Indexed users, who were forced by the algorithm to sell. “The only purpose of that trade was to mislead token holders to part with tokens on terms they never would have agreed to,” says Stephen Aylward, a lawyer representing Kellar and Day. “We say that's a form of market manipulation.” The same argument applied to Medjedovic's interaction with the CC10 pool.
> The second illegal transaction, they argued, was when Medjedovic overwhelmed the pool with free Sushi, thereby tricking the algorithm into letting him bypass the size limit on certain trades. Aylward calls this “an intentional act by Andean to disable a security measure, like disabling the security system at a bank.” He argues that this falls under Canada's “extremely broad” legal definition of a hack, which can be interpreted as “subverting the intended purpose of a computer system.”
Enforcing a contract through a written contract & traditional finance vs a smart contract becomes a mere implementation detail since in either case somebody can come crying to the courts when they lose money. Smart contracts are only interesting if they’re a form of binding arbitration. If smart contracts are not binding, they just become poorly written contracts.
Smart contracts being binding honestly might need to be legislated.
It seems like it's working as designed, even if it's not the outcome its operators wanted.
Shame you can't manipulate an unregulated market. It's not illegal to do irrational things. Hell, even the regulated markets say, "The market can remain irrational longer than you can remain solvent."
The second argument is an analogy, "disable a security measure, like disabling the security system at a bank," and the limit expressed in the code was definitely an expressed preference by the contract author, but if they wanted it to be a legal contract subject to human interpretation, they would have specified this in English. Instead, they created a software tool, and they did not take into account how that tool might be used by the public.
The argument about this is whether code written for the express purpose of partipating in risky transactions can be imbued with any other coherent intention. The closest analogy would be that Medjedovic was at their gambling table and was counting cards, except there was no policy keeping him out of there, or against card counting.
Didn't they agree when they bought the token though?
>Yes, but that's a wrong and unfair way to define and apply laws.
Sounds like you're interpreting how to define and apply the law there based on what you feel is the right and fair way to do so. Seems a bit paradoxical.
Smart contracts, to date, have proven themselves to be truly idiotic inventions.
What is the “Final” Agreement Between the Parties?
https://corpgov.law.harvard.edu/2018/05/26/an-introduction-t...
There's still a very real use for smart contracts in that you change what bad actors can do to act badly. Before they may have been able to breach a contract by ignoring invoices now they breach a contract by exploiting a smart contract loophole. Basically your shuffling the trust and risk around which can be a useful tool. i.e. it can be quite costly to enforce (and do due diligencece on) a contract with someone in another country so the cost and technical risk of setting up a smart contract may be much more preferable than the posisbility of having to legally enforce redress for breach in a regular contract.
Smart contract is really the misnomer. In reality, they are automations of contractual obligations and cannot automate complete contract clauses.
It's just code, so the same reason we use APIs rather than doing everything by lawyers.
People on HN argue this with openly accessible APIs fairly regularly "ah but the machine let me do it, they must be OK with it" and I think that goes down badly in court.
So does the mafia and the child slaves corporations like Nestlé profit from, they all have "a role to play in the world economy". But it's about the morals and ethics and the hypocrisy of western institutions that allow these loopholes for the super rich in order for them to protect their wealth from taxation.
"When Kellar and his co-founders created Indexed, they imagined it as a step forward for DeFi, or decentralized finance, a blockchain-based movement that purports to offer a more automated, less intermediated version of borrowing and lending, asset trading, and portfolio management. Some proponents take a utilitarian view of DeFi, considering it an improved version of traditional finance, with its fee-taking middlemen and sluggish human decision-making. Others are more libertarian, seeing DeFi as an escape from the existing system, a way of circumventing the rules and restrictions imposed by governments or corporations. Then there are the skeptics, who think it’s all a grift.
Kellar, who describes himself as “very progressive,” fits squarely into the utilitarian camp."
And coins like USDC can blacklist addresses and comply with regulatory asks. It's hard to buy your argument that smart contracts are extralegal when there are operators that comply with legal authority.
https://www.techdirt.com/2007/07/24/criminal-charges-for-usi...
If the casino has Mafia backing, then maybe it is reasonable...
No idea who said this originally but it continues to be true. Abandon the system, and they find it was there for a reason.
Market manipulation, fraud.
I'm skeptical that any fraud happened here.
In fact, he paid very high prices for the initial tokens (860 times initial value at one point). Then gave away a bunch of tokens. Then waited for an algorithm to do something dumb around the pricing, and then swapped the tokens.
Who exactly did he appropriate property from here? He paid for all of it, and paid the prices the market demanded. The algorithm did something dumb, but that is no different than some trading bot algorithm doing something dumb and selling for less than it should, which happens all the time.
As for embezzlement, it requires a trust relationship - it's a violation of a fiduciary duty.
I don't think he had one?
So far, i've not seen any criminal charges here, only civil ones. Certainly prosecutors are slower at this sort of thing, but i'll be interested to see what happens.
And flash loan contracts are a bright neon sign saying "arbitrage opportunity!"
Law isn't law unless it's been enforced through courts, precedent and ultimately someone with authority to use force to force compliance.
And these systems could exist. But they are not the systems that are being designed. They are in fact antithetical to the stated goals of all of these cryptocurrencies and smart contract systems.
The cryotocurrency community supports the "code is law" talking point only until serious money is lost. Then they go the courts for redress under actual law, or they fork the blockchain.
It doesn't matter who can make the best argument in court. A good enough lawyer can convince a stupid enough jury of pretty much anything.
(a) Is this a theft from the person who placed the vending machine? Why or why not?
(b) How is this different from a smart contract on a blockchain?
For example, if DRNK costs $1 per unit, but I find out that by putting in $1.25 I get 2 units, have I actually exploited the machine? Is it not reasonable to assume that discount was intended?
Now, of course, if I'm prying open the machine with a prybar then we could argue that's just theft. But, putting money in the machine and getting units out is the intended interaction.
Similar to how if a gas station accidentally puts the price of gas at $0.20 per gallon, even though everyone knows that's probably a mistake, it isn't on them for taking advantage of the artificially low price.
So, that's what I'd say the difference is. A smart contract defines all the interactions that are valid. Thus, it is impossible to interact with a smart contract in a way that is "invalid" or "stealing". That'd be different if the user could modify the contract (apply a prybar) however, that's sort of the point, that you can't modify the contract to fix it.
If the contract said "all your deposited crypto goes to cogman10" would we call that a theft when someone put their crypto into that contract? Perhaps if I misrepresented the contract, but then the whole point of these contracts is they are visible to anyone that wants to read/use them.
In the case of the smart contract, you don't own the vending machine. It doesn't have an owner, it just "is". If it did have an owner, that person is probably violating all sorts of securities laws in countless jurisdictions. That's at least part of the point of all this smart contract stuff.
To make the analogy a little more apt, let's say the smart autonomous vending machine 1) lets people buy DRNKs by inserting money, 2) incentivizes people to refill it with DRNK by spitting out money, 3) once a month spits out money to the amused landlord, and 4) was deposited by aliens who disappeared without trace.
Presumably the smart vending machine would continue on its merry way like this until it either broke down or someone figured out a way to jimmy the lock. Looks like the later happened. Though everyone is upset, it's not clear who has the right to prosecute.
I think a better example is a claw gambling machine. You pay Fiat for a chance to grab fiat out of a pool.
If you come up with a strategy whereby you can grab more or all of the Fiat in a way that the game/machine designer and other players did not anticipate, is that theft?
Alternatively, people are playing a modified version of Poker with rules they don't understand, and someone understands the rules better and gets their money, is that a crime?
Ianal and don't know how a court would see it, but the way smart contracts are advertised would probably give you a fighting chance to make this argument where in normal finance you would have no chance.
Or might the hacker and his clever lawyers have an equally strong case that whatever the code allowed was the "true" intent, that the code is the ultimate arbiter of intent, regardless what Index might have said otherwise?
I kind of hope it does go to court, will be interesting to see what the opposing legal teams come up with.
No, it really doesn't. There are 2 questions that you are conflating here:
1. Can the courts force a user to return funds made via a valid smart contract transaction?
2. Can the courts force a blockchain to reverse a transaction that was made.
> Enforcing a contract through a written contract & traditional finance vs a smart contract becomes a mere implementation detail since in either case somebody can come crying to the courts when they lose money. Smart contracts are only interesting if they’re a form of binding arbitration. If smart contracts are not binding, they just become poorly written contracts.
Can you elaborate on why this would be the case? To me there is a large difference between a system (like credit card settlement) that can have transactions revoked easily after settlement, and one that can only be revoked by another separate transaction that the sender makes. To me it comes down to a mix of probability of reversal, and who can actually do the reversal (only the sender in the case of a blockchain system).
The courts already can't necessarily force a transaction to be reversed as it is. The money can be gone long before they get involved.
>To me there is a large difference between a system (like credit card settlement) that can have transactions revoked easily after settlement, and one that can only be revoked by another separate transaction that the sender makes.
There's a good deal of irreversible transactions, such as inter-bank transfers in traditional finance. It's also my understanding that most "Reversals" are just new transactions or cancellations of pending transactions. I don't see a HUGE difference in how an inter-bank wire transfer works and how sending somebody crypto works except that in the case of crypto it's the wallet/account holder in full control.
I'll acknowledge there are differences, which impacts the probability of reversal and who can do the reversal, but I still feel it borders on the edge of "implementation detail". It only feels like a truly profound difference if you want to make a transaction a bank would normally interfere with, like a ransom payment, payment for fraudulent goods/services, drug deal, money laundering, funds being sent to political dissidents, or similar. Whereas the idea of smart contracts bypassing the expense of the courts entirely seemed like a much more broadly useful notion.
There have also been plenty of instances of folks much closer to having relationships + knowledge and not being found to be illegal (though rarely there has been civil liability). IE financial advisors exploiting inside knowledge of their clients portfolios + what their companies are up to to make trades that advantage their companies at the expense of their clients.
As for the rest - the intended net effect of almost all trades in finance is to cleverly transfer the value of everything you can to yourself ;). The only question is whether he had a relationship that makes that illegal or not.
I suspect in this hypothetical scenario, however, the bitcoin developers would write a new rule.
If someone ever cracks modern encryption, that doesn't mean they can do whatever they want with everyone's accounts everywhere. If you find an exploit and exploit it, that's illegal.
When people commit harm to themselves out of ignorance, I think it’s reasonable for a government to step in.
Note that I think it’s reasonable to fundamentally disagree from a libertarian standpoint but I don’t see many reasonable people arguing against seatbelt laws.
At the risk of going off-topic, I think that seatbelts isn't a good analogy because I don't think we require seat belts to protect people from themselves. It is to protect other people. When you are unbelted, it is far more difficult to maintain control of your vehicle when things start to get even a little bit exciting. You can't worry much about car control when you're getting tossed out of your seat.
I would say helmet laws are a closer analogy, because AFAICT that is almost entirely about protecting people from themselves.
something is wrong when you can only buy virgin galactic, not spacex, because of burdensome regulations. the gap between the haves and have nots widen as you must be an accredited investor to buy the biggest winners this decade.
something is wrong when you can buy penny stocks, but experimental defi products exclude the us market because of regulatory concerns. the latter is much more transparent than the former.
Just think of non-smart contract parallels. If a bank had an ATM, the premise is that this ATM will execute a series of commands and allow you to withdraw/deposit/transfer funds. If a nefarious back actor found a series of user input that allowed them to withdraw millions of extra dollars, do you believe that the ATM provider will have no legal recourse? What about electronic slot machines?
In contrast, basically nobody outside of the blockchain space would waive their legal recourse in such a manner and thus would have legal recourse if the intent of their system was bypassed.
To go on to then argue that a legal system should not allow one to waive those rights as it would be idiotic to do so is a perfectly valid legal/moral/justice position, but also directly contradicts basically the entire purported value proposition of everything in the blockchain space whose primary “positive” differentiating factor is that “code is law” and they have waived those rights. To not allow them to do so basically invalidates their entire purpose.
Essentially, either let people bind themselves to “code is law” and suffer the consequence of their choice, or ban it at which point you lose decentralized trust and censorship-resistance making them no different than traditional implementations except that they are slower with higher operational costs.
I believe you're making this claim because _some_ crypto proponents believe "code is law" and because your personal logical framing is that web3 has no value add outside of being able to operate without legal recourse thus it must operate without legal recourse.
First, even if web3 had no useful value add, it doesn't mean it ought not exist. I can create a SaaS company that does exactly the same thing another company does just with my own logo and API documentation. Does non-uniqueness invalidate my company's existence? What if I forked an open source SQL database and slapped my name on the repo? Have you heard about something called substitute goods? I don't see why Pepsi can't exist in a world where only Coke is the norm.
Second, web3/blockchain/defi does have benefits outside of traditional web2/finance. The ability to not require depositing your funds into an account to transact on a protocol, for instance, is a clear value add. The ability to buy/sell NFTs without a middleman (if they choose to eschew a middleman) is a novel and potentially valuable value add as well. There are countless other applications of web3 that I won't delve into but these concepts can and should operate within bounds of legal recourse.
The observer will pay $100 dollars per blocked shot, and earn $1 per 3 point play made. All the games are played 1v1. To the untrained basketball player participants, this may seem to be a fair game. After all, it's quite rare in a real basketball game to see a 3 point shot blocked. So they sign the contract, fully agreeing to pay $100 per blocked shot and earn $1 per made 3 pointer.
To game this as a participant, I go to the ends of the earth ( I hear Sudan and the Netherlands are both nice this time of year ), and find a 6'8 ,215 lb boy and recruit him to play for me. He proceeds to block every single shot in every contest, winning hundreds of thousands of dollars and bankrupting the organizers. Just to further weight this, I also hire an opposing player who is only 4'3 to shoot as many 3 points as possible as quickly as possible.
Now, they signed the contract and agreed to it. They didn't have a clause for height, or any sort of caps, and now they have unlimited downside. How would the legal system handle this? Do you think they would release the participants liability? Perhaps, but not likely if they didn't sign the contract under duress. They fully agreed and had consideration ( the $1 per 3 point made ).
It's a contrived example, but it's useful to show that technicalities can be exploited in real world contracts just the same as smart contracts.
But it would appear that you expect us to believe that some commentary added by a random hacker news poster means the opposite?
(There have been exploits in both ATMs and smart contracts, after all.)
But I also think the shift directionally makes sense. Traditional finance (really most transactions for that matter) have moved towards fewer middlemen dependent, more democratized forms of transactions (e.g. wealthy folks can call their traders to buy/sells stock -> open to middle class -> no need to call traders -> no fee no minimum online trading). To me, not requiring institutions to maintain custody of my funds is a value add.
But most importantly, it could just be something different (that fails or doesn't fail, who knows). I don't think the web3 space NEEDS to eschew legal recourse because 1) that's not the only supposedly value add and 2) because it doesn't NEED to provide any value add for that matter. Perhaps web3 can just be the Pepsi the web2's Coca Cola. Only time will tell.
At that point it's no longer a premise (for those particular countries), but until then it's just a supposition.
I think courts are wary to wade deeply into a new financial system like this but at the same time I find it hard to believe that the judiciary and the legislature would rule (in the long run) that they have no ability to "make things right".
If crypto grows as as many people suggest and you have some significant percentage of the country that has savings or investments tied to these smart contracts, if there is a loophole like in this case, you'd have lots of people writing their local or national representative about this. I find it hard to believe that politicians would tell the people they represent "tough luck code is law".
The court doesn't care how crypto idealists think the world should work.
It gets more murky if a founder explicitly lies to investors in order to get them to buy their token. Fraudulent misrepresentation is problematic in most jurisdictions, but this has nothing to do with the mechanics of the "rugpull" itself.
"According to the SEC's complaint, the defendants misappropriated nearly $4 million of investor funds. The SEC also alleges that Chiang and Tippetts misused additional Sharenode investor funds by spending at least 133 bitcoin to list NSG tokens on an unregistered trading platform and to fund a team of captive traders to trade NSG tokens amongst themselves to create the false appearance of a robust market with increasing prices. These traders allegedly created the false impression that more than $2.5 million worth of NSGs were traded daily on BitForex during the first 60 days and that the price of NSGs was steadily increasing due to investor demand. According to the complaint, however, the manipulation scheme collapsed when investors tried to sell their NSG tokens, because there were no actual buyers, causing the token's trading price and volume to fall precipitously."
This isnt exactly a classic "rugpull", but it does make it fairly clear that you cant just take customer funds and use them however you'd like just because its a cryptotoken and you have access to the smart contracts controlling it. You really shouldnt use customer funds in furtherance of additional frauds, like these people did here.
> These traders allegedly created the false impression that more than $2.5 million worth of NSGs were traded daily on BitForex during the first 60 days and that the price of NSGs was steadily increasing due to investor demand. According to the complaint, however, the manipulation scheme collapsed when investors tried to sell their NSG tokens, because there were no actual buyers, causing the token's trading price and volume to fall precipitously."
This is also the fund owners doing something nefarious - that doesn't mean that somebody else executing a transaction according to the contract and the market could be held accountable because the fund's customers lost money. Someone has to be on the other end of every transaction, that is how a market works.
A better example would be 3rd parties pumping and dumping a crypto asset. Should this be illegal?
Only having a slight understanding of crypto, if local courts are required, what's the point of crypto? Why not use the existing financial systems, where all of this is built in?
> [a crypto bro] criticized the team for turning to a centralized institution like the courts for help
But that's exactly the flaw of smart contracts, and why its promises will never work.
The hard part of contracts was never execution. The hard part was always conflict resolution and abidance by fair rules (i.e. "laws"). The hard part is what creates the overhead.
Smart contracts never solved the hard part. They remove the solution to the hard part, claiming the hard part is not needed at all. But the problems these solutions solve are the hard part. Pretending they don't exist is not "solving" anything.
There are so many examples of this. A minor can't enter into a contract. Severely mentally disabled can't either. Someone with a gun to their head can't either. It doesn't matter if they enter into a million dollar contract. That contract is invalid.
This is not "waste". This is the hard parts.
So that's one use of crypto.
In the non Web3 world, we typically have to rely solely on the financial institution providing the service to make transactions. That is, we have to have a Paypal account to withdraw from Paypal. We can only buy/sell Robux on Roblox, etc. Smart contracts allow us to essentially utilize any provider we want without the provider having custody of the funds at any given time.
I can go to any dex I want and transact without depositing funds. The dex also cannot agree to perform a transaction and hold my funds hostage, like how Paypal screws over some of their merchants with their "internal investigations." I can also buy/sell coins that the dex mints (e.g. ORCA coin) anywhere I want. It's not tied to a single account nor is it tied to single exchange.
And that's without getting into NFTs, flash loans, LPs, and other features of Web3.
"Code is law" is a mantra chanted by people in no position to make it so.
Mark the result of theft or other illegal transactions, and any subsequent transaction as dirty.
Make any exchange, any vendor, any trader, and any user check with a government database before or immediately after receiving a payment, with penalties prescribed by law.
You immediately limit stolen crypto to the black market.
It’s no different to a thief stealing your bike then selling it to someone else on a street corner. Just because that person is the current owner and thinks they legitimately purchased it doesn’t make it rightfully theirs. In fact it’s even worse because it’s trivial to identify who the rightful owner is in this case, and if you buy an NFT you can look back at exactly who has owned it previously.
Now imagine if this was the deeds to your house on the blockchain.
Therefore phishing the seed phrase is not "actually stealing" it within the rules of NFT.
And outside the rules of NFT it's just a receipt; it's worthless. It's taking a picture of a picture of a bike, not stealing it.
If you steal my bike, that's theft. If you steal my DVD collection, that's theft. If you steal my steam account, that's theft. If you steal my NFT, that's theft.
Or are people banking on another layered solution which has arbitration, disputes, clawbacks, etc - all built within the blockchain. (I remember EOS discussing something like this)
Note: I understand that risk is present in any financial endeavor, but knowing that the courts can help you does de-risk the amount people will feel comfortable investing.
That's just the thing, isn't it? Courts have zero interest in upholding whatever boneheaded ideals that NFTs are meant to represent. Receiving stolen goods is a crime, and that's something courts are entirely geared towards resolving.
Say you hold most of your wealth in some cryptocurrency and are going to file for bankruptcy. Do you think the courts will tell your creditors that the Bitcoin is beyond reach? I suspect they wouldn’t treat it differently from any other asset.
That the blockchain is interpreted as a record of ownership is irrelevant. It merely records what has happened and says nothing about the nature of those transfers.
The transaction bundle will fail if the success criteria is not reached (often a certain level of profit), so the worst that happens is that the profit margin falls to that level or the transaction is not included with zero cost to the sender
I've seen quite a few people do this. May not everyone, but a lot. The "commentary added by a random law firm" is the general sentiment I understood when people were hyped up on smart contracts. There's an industry of smart contract programmers who write code under the assumption that there may be no recourse (to the legal system) if they introduced bugs.
If your attitude represents the sentiment of "web3" these days, it is really a very hilarious backtrack on the previous (hyperbole) claims...
https://www.aol.com/2016-11-02-broken-slot-machine-dupes-wom...
https://www.foxnews.com/us/not-a-winner-oregon-woman-denied-...
However, this works both ways. If the mistake is in the favor of the player, they are obligated to pay out:
https://www.msn.com/en-us/news/us/a-slot-machine-in-las-vega...
"Malfunction voids all wins."
Here, it's also been made very clear. "Code is law".
A better anology is if you figure out a mathematical advantage within the rules of a casino game, are you allowed to win? I believe you are, as long as it's within the rules of the game. And the casinos are smart enough to create rules against any lasting mathematical advantage.
The intention of the system is to work to as security. Just because you find a way around the security doesn't mean that you are now immune to the law regarding ownership. When SHAX gets cracked, that doesn't give the person figuring it out a right to transfer all the money out of your bank account just because they figured out the math.
What if you remove the last part? What if you know, clearly, that your interaction what not what the designer wanted?
> So, that's what I'd say the difference is. A smart contract defines all the interactions that are valid.
Implementations are not specifications. What do you mean by "valid"?
Well, then they should have designed a better vending machine, shouldn't they? It may be unethical but I certainly wouldn't call it illegal. Again, back to the gas analogy, I don't think someone pumping gas at $0.20 is breaking the law even though that's clearly not the intent.
> What do you mean by "valid"?
None of the interactions for this attack were using the system in a way it wasn't meant to be used. It wasn't exploiting code. It was buying and selling assets in a way that enriched the attacker. That is a valid interaction.
Also, the whole point of these contracts IS that the code is the specification. That's the whole point of crypto in general. Trust nobody and let the blockchain determine truth.
This is what I like to refer to as “stupid tax”.
I’ve had cases where I put money into a soda machine and it gave me a drink plus more than I deposited into it. Or kicked out more than one item because one was stuck and my purchase obviously unstuck it.
Does this make me a criminal?
As an aside I used to work at a place with a soda machine that was basically like a slot machine with slightly higher payouts than one in Los Vegas. This was at a grocery warehouse and the drinks were at cost so “losing” your bet cost like a quarter. Probably designed that way, who knows?
The smart contract implements a technical intent, just like the vending machine. But that technical intent will always have limitations. Some exploits are non-destructive, such as properly-weighted blanks. Some are destructive, such as crowbars. But let's not pretend that they aren't, in fact, exploits.
However, that's not what happened in this attack. This attack was far more akin to the "getting 2 units for $1.25" that I described. In fact, that's exactly what it was at the root of it. At no point did the attacker actually exploit code.
The technical and explicit intent was followed to a T here. The attacker got a loan (perfectly within the intent) bought a bunch of the index (again, within the intent) sold a bunch of a underlying stock of the index (Again, within intent), sold the index, and sold the loan. Nowhere in this process was there a "this violates the essence of the contract".
And, let's be frank here, it's not like the attacker didn't open themselves to a huge liability. Anyone that saw this attack in progress could have bought sushi coin or UCI and ultimately drained away the income this attacker was earning, potentially putting them on the hook for a pretty massive loan.
Now, would such a scheme be legal if this were actual securities and not crypto? Nope, because we put more protection around real securities in the US and other countries. However, crypto went out of it's way to make itself above the law and outside of securitifaction. That, in fact, was the entire point of crytpo, to be something governments COULDN'T regulate.
If he’d wanted, Medjedovic could now have traded $3,200 worth of Sushi for DEFI5 tokens worth $1,172,000. And had he simply done that, Indexed would have been fine. The protocol places limits on the amount of a new token that users can swap into the pool, so he would have been able to extract only about 1.5% of the pool’s value—which, given transaction fees, wouldn’t have been profitable for him.
Instead, Medjedovic’s script took out another flash loan consisting of $2.4 million worth of Sushi tokens. And rather than swapping them into the pool, it gifted them to it—a seemingly irrational move that Indexed’s algorithm wasn’t designed to handle. The “donation” overwhelmed the pool and circumvented its usual trade limit for new tokens. This allowed Medjedovic’s program to freely trade overvalued Sushi for undervalued DEFI5 tokens, then cash those out for the pool’s underlying assets, pay back the loans, and keep the rest, now worth $11.9 million. The attack on the CC10 pool brought the total haul to $16 million.
A smart contract defines all the interactions. Whether they are legally valid is another matter. In contract law, usually the intentions of the parties (at the moment of agreeing to the contract) are taken into consideration. In most other cases, the legal system has rules to determine the validity. The customary practices of the crypto ecosystem is something they might take into account, but it's not necessarily a final outcome.
Crypto /thread
That's probably what upsets me most about this story. These developers want to have it both ways: it is decentralized finance and nobody owns the contract as long as we are making money, but we want all the laws and regulations of traditional finance to protect us if things don't go our way.
I am saying this as someone who is pro-crypto. There are trade-offs to this technology. We need to pick a lane be prepared to deal with the consequences.
Decentralized finance is here to stay as an alternative to the traditional system. Some things are just impossible to regulate.
[1] https://www.trustnodes.com/2018/11/09/smart-contract-code-is...
And if "smart contracts" depend on real law, then they're not really needed in many of the supposed use cases.
That's obvious correct but what's the point? The whole discussion here is that there exists these "crypto anarchists" and their ideal world seems ridiculous to at least a couple people here...
We're all bound to the laws of physics, just as in the world of smart contracts all are bound to the laws of code. But none of that changes the existence of the laws of men.
- I'm not really saying the crypto-side argument is right, really just trying to clarify my perception of what they're saying re: the comment above me.
- The physics thing is really just a comment re: when it's hypocrisy and when it's not.
- FWIW, theft in crypto isn't super well-defined to me re: the laws of men either. Maybe someone who knows current law better than me can explain, but calling a function in a contract that sends updates from one pseudonymous address to another... I don't actually know if current written definitions of theft covers that, or needs some court to interpret it as theft. We kind of understand it as people, but I honestly don't know if "laws of men" as written, do.
Higher courts, due to their inherent ability to set precedents, usually also consider broader policy concerns eg. whether the decision makes sense from enforcement perspective, how the ecosystem might be affected etc..
Ever use a different email address to sign up for a different free trial, say? Let alone people sharing Netflix accounts... where do you draw the line around "stealing" here?
Yes. This is very obviously stealing, particularly if the promotion said it was for use once a day.
Edit: Also, sharing your netflix password may also very well be illegal: https://www.lawjournalnewsletters.com/sites/lawjournalnewsle...
This will force creation and use of wallet reputation checkers for most users of cryptocurrencies. Mixers will not want to be left holding all the blacklisted coins, since that causes them financial loss. Therefore mixers will launder coins at a very high premium (lemon market) and compete on developing their own systems for reputation checks and escrows to reduce their risk of being left with coins nobody wants.
So money laundering is what makes blockchains valuable?
Mixers will have to change their policies in order to avoid becoming a market for lemons in which everyone loses.
I do not expect governments to worry a tiniest bit about destroying value of an anti-government technology.
And arbitration contracts that can arbitrate the arbitration contracts, and so on.
And perhaps a smart contract to allow the amendment of existing contract, by vote of a group of wallets who’ve been elected by another smart contract, who’ve been elected by another smart contract with a larger pool of voters, and so on, until all stakeholders in the contract have had the chance to cast a vote, whose duration as a voter is limited to a 2-4 year term, before requiring another voting round.
That's what courts are for. When someone finds an exploit in the smart contract there must be a "no that's clearly not what anyone meant. Nobody actually wanted all the money in the world to go to Hacker McHackerface".
If your assumption is that one of these contract layers is "perfect", then it's not realistic.
But anyways that was in jest; the crypto community will eventually recreate the same systems and bureaucracies already in play today as they run into all the edge cases that occur with traditional currency (fundamentally: currency carries provenance and is only fungible until its not, and the transfer of funds between two parties does not actually involve only the two parties — and lawyers write excessively defensive, excessively long contracts for a reason).
https://twitter.com/qrs/status/1395784294451265536
> Smart contracts should be considered self-funded bug-bounty platforms.
And you don't need to make the smart contract explicitly subordinate to the law, they are as a matter of fact, because everything de facto is. This idea that code is law and crypto exists in a vacuum is complete delirium (although a popular one and sign that the scene has a lot of room to mature)
People who post smart contract code on the EVM are equal users of a shared computation infrastructure. If they want to put legal terms on who can use their smart contract and what for, they should need to make their own blockchain platform, because they certainly don’t own Ethereum.
The law already regulates mistakes in traditional markets. If you accidentally sell your shares for a fraction of what they are worth, you cannot go to a judge and ask them to return the “stolen” shares. When you subject yourself to a mechanistic market system, the predictable operation of the system is more important than any participant’s bad fortunes.
Where is this contract? I've never seen it. The rest of your argument is based on this premise. The "legal contract" of a computer program is the same, yet we have laws on what you can and can't do to other people's computer programs.
> The law already regulates mistakes in traditional markets. If you accidentally sell your shares for a fraction of what they are worth, you cannot go to a judge and ask them to return the “stolen” shares.
Someone taking all the money from a smart contract you gave money to is not like your fictional example of a person selling their shares for the wrong value.
Corporations and wealthy individuals with influence in the writing of this legal system, with massive amounts of financial resources, with negligible moral agency, and with limited criminal liability find very different utility in the ability to use the legal system to roll back contracts, to enforce them, or to ignore them.
Those who find themselves on the other side of this power disparity would often prefer to risk a potentially buggy but inviolate contract than one which they expect to be abused against them.
There is no way that AT&T, Comcast or Bank of America will ever agree to a smart contract written by an ordinary customer. As always, the companies will write their own contracts, and customers will either accept them, or leave. And if the company has monopoly power, tough luck.
In an analogous situation, if a shop mis-labels the price of an item (let's say, they forgot a zero or two for a $1000 item), the customer theoretically has the legal basis to purchase it at the labeled price. How is this scenario any different to a block chain contract with a bug?
This seems like a noble endeavor, but not an entirely practical one. Both sides of a transaction have to agree to these smart contracts, so where is this an advantage (outside of internal crypto trading)?
But if you can overcome the power balance problem, you can just fix the contracts directly anyway without them being smart?
For example, I don't think there's anywhere else where the mere act of purchasing a product or service can result in you giving up the right to sue the company in court and be forced to enter arbitration with an arbiter of the company's choice.
If they did, then the same would apply.
For example, if the court orders you to turn over your Bitcoin holdings to creditors in a bankruptcy proceeding and instead you transfer them elsewhere, you are probably going to jail. When you transferred them, the coins were in your possession, but you weren't the rightful owner.
But NFTs and certain smart contracts are meticulously designing a custom form of ownership for themselves. That's what changes things. And this would be true even if they didn't use blockchains!
If you throw out all that custom ownership logic, you lose the core of what makes an NFT an NFT. Now it's just a few dozen bytes that anyone can mimic.
This is a situation specific to NFTs and people that are going super hard on smart contracts.
And even if I was a true believer in NFTs, yeah I'd probably ask the courts to do that, but doing so would be a betrayal of my beliefs and evidence that the foundation of NFTs is very shaky. The idea that I would do something hypocritical in such a hypothetical situation doesn't change the argument I made in my previous post.
If you intentionally involve yourself in money laundering, you can't really complain about your money being blacklisted.
The ledger is public, which makes blacklisting trivial. No legal entity would be able to hold or trade blacklisted coins.
What does this mean? If a single blacklisted coin is put in a mixer then every other coin mixed together is blacklisted? You've just banned mixers. Eventually every single coin will be able to be traced back to a blacklisted wallet, so you've also just effectively banned crypto in the long run.
> No legal entity would be able to hold or trade blacklisted coins.
Mixers don't have to be entities though. No one owns them, no one is responsible for them. They're just code someone uploaded one day and promptly forgot about.
Further, in many places your example itself falls apart.
https://smallbusiness.chron.com/company-advertising-price-wr... https://www.findlaw.com/smallbusiness/business-contracts-for...
There was a case like that in the early days of online shopping, which was actually decided in favor of the customer. The prices of items in the shopping cart were stored in form fields, and the customer edited them before placing the order. The court considered that a counter-offer which was accepted by the store. (It probably wouldn't go that way today; for one thing online stores have gotten smarter about trusting data from the client.)
That's a bit different from simply editing the client-side view and never informing the merchant about the change, of course.
Not sure what you mean by custom form of ownership. If you are talking about fractional ownership, even that isn’t new.
Contracts around ownership are built on top of legal system. Smart contracts provide automation around defining and execution the contracts. That’s cool and can be super low cost, but apart from the automation, there isn’t much that’s different from traditional contracts. They can still be challenged in court.
For example, if you had a contract that, upon your death, transferred all your money to your nurse, your spouse could still challenge that in court if the contract was created under duress or created when you weren’t of sound mind.
If you get picky about the latter part, then I retract it and just say NFTs for simplicity.
For example, you can write a smart contract that would watch for divorce papers being filed by your spouse and upon filing, you would transfer your Bitcoin balance or NFT to some other wallet. A court isn’t going to fall for that. You will be found to have hidden community assets (ie assets you don’t entirely own).
Another point of comparison I'll bring up is cars, where if you let someone have your keys then you have limited or zero recourse in many situations where they do something bad.
Your car example is a good one. If somebody has your keys (either with permission or stolen) and they take your car, they have possession of it but at no point do they own it.
Another example - lots of companies have crypto wallets and own Bitcoin and other currencies. Corporate wallets are controlled by agents of that company. The people who know the keys don't own the crypto, the company does. If an employee transfers from a company owned wallet that they control to a wallet they own, that's theft the same as if they had wired money to an overseas account of theirs.
Possession and ownership can align, but they don't have to. Smart contracts can be legally binding, but that isn't guaranteed. None of this exists outside of our legal system.
But also I'm saying that a foundational pillar of NFTs is that possession on the blockchain is the only thing that matters.
It's possible to disagree with that pillar, but removing it would destroy a huge chunk of what NFTs are.
If you want me not to say 'ownership' for that concept, that's fine.
Also I'm not making this claim about crytocurrency in general. It's only specific subsets.