
Cryptocurrency's Trust Issues and the Poly Hack

“And now, folks, it’s time for: Who do you trust? Hubba hubba hubba, money money money. Who do you trust? Me, I’m giving away free money. And where’s the Batman? At home, washing his tights!” – The Joker (Batman 1989)

The Poly Network was hacked for approximately $600 million worth of different cryptocurrencies early last week, and the assault was noteworthy mostly for its scale. It's the largest cryptocurrency breach in history, but it's not by much compared to the $500 million Coincheck theft in 2018. From a distance of 50,000 feet, it seemed to be the obvious next step in a sequence of hacks dating back to the alleged 2013 Mt. Gox breach, which was worth $473 million at 2014 BTC values.

In summary, despite its magnitude, the Poly hack didn't hold my attention.

Then things started to become strange.

Poly, miners, the security company Slowmist, and the stablecoin issuer Tether are said to have started multiparty talks with the hacker. The substance of those talks is still unclear, but we do know at least two things: Poly offered the hacker a $500,000 "bug reward" in exchange for the stolen money, and Slowmist claims to have tracked down the hacker's IP and email accounts (though the hacker denied being compromised).

A third, and strong, theory is that the hacker realized he/she/they would have a difficult time selling anything close to $600 million in tokens (we don't know the hacker's gender, but I'll use "he" throughout for convenience and because it's likely true). Binance CEO Changpeng Zhao pledged that any compromised money transferred to his platform would be "frozen," while Tether went a step further and froze approximately $33 million worth of its USDT stablecoin that was stolen in the breach.

Other variables may have had a role, but they were most likely enough to set the stage for what happened next: The money was refunded by the hacker. By Thursday, Aug. 12, the hacker had transferred nearly all of the stolen cash (except the frozen tethers) to a multi-signature wallet that the Poly team had access to.

To put it another way, this is the proverbial dog that caught the car. The hacker didn't know what to do with the money after pulling off the world's largest crypto theft.

Face turn

Now, with the assistance of the Poly Network, the hacker is attempting a "face turn," which is a rapid transformation from villain to hero in professional wrestling.

On the morning of Aug. 16, the hacker posted a message via a verified Ethereum address including the following:

“MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN. IF PUBLIC HACKERS CAN HACK THE POLY NETWORK, I AM CONSIDERING TAKING THE BOUNTY AS A BOUNUS [sic] FOR THEM... I HAVE ENOUGH BUDGET TO LET THE SHOW GO ON IF THE POLY DOESN'T GIVE THE IMAGINARY BOUNTY AS EVERYONE EXPECTS.”

“I TRUST SOME OF THEIR CODE, AND I APPRECIATE THE PROJECT'S OVERALL DESIGN, BUT I NEVER TRUST THE WHOLE POLY TEAM.”

To put it another way (the message appears to be machine-translated), the world's most famous crypto hacker claims he did it for fun. Expanding on comments made on Aug. 11, he claims to be a harmless hacker who only wanted to expose a design fault rather than take money. He says that returning the cash was always the goal, and that he's now ready to pay further "bounties," out of his own pocket, to hackers who help discover and patch vulnerabilities in Poly. He's a genuine Good Samaritan!

While pushing for the recovery of the stolen money, the Poly Network has greatly aided this face flip by giving the hacker a very attractive nickname: Mr. White Hat.

Of course, “White Hat” refers to a “white hat” hacker. In theory, a white hat hacker simply examines software vulnerabilities to help patch them rather than exploiting them for profit. A "black hat," on the other hand, hacks with the purpose of profit or malice.

Poly Network's motivations for labeling the hacker a "white hat" ahead of time are clear: It offers the hacker a way to get the money back and perhaps save their reputation. Poly's sole goal is the return of money, and this approach is brilliant: Honey does, after all, capture more flies than vinegar.

However, apart from Poly's pleasant moniker and his own claims, there's no proof that the hacker's initial intentions were positive. It's unclear why he transferred $600 million when the vulnerability could have been shown with a far smaller hack, among other conflicting facts.

Hubba hubba hubba, who do you trust?

The incident exemplifies a growing conflict that has accompanied the development of the crypto ecosystem. Crypto's fundamental premise, both technologically and philosophically, is "trustlessness." In general, this is a belief that reliable and secure blockchain technology, rather than flawed and selfish people, can be trusted.

However, as the complexity, competitiveness, and stakes of crypto have increased, so has the need for trust in the people behind it, and so have the consequences of betraying that trust. This is especially true for Poly Network users who had committed their money to it: the protocol, which acts as a custodian as part of its cross-chain functionality, had been entrusted with the various stolen tokens.

However, the hack demonstrates that they weren't actually trusting the system, but rather the network's designers and programmers. The obvious weaknesses in their coding have shattered that confidence. Poly is far from alone in this regard: as previously stated, hacks and vulnerabilities have grown more common, especially in decentralized finance (DeFi) systems, which are intrinsically more susceptible than a simpler system like Bitcoin due to their complexity.

These attacks may be seen as part of the process of improving the security of these systems. Whether it was the hacker's intention or not, he has made Poly stronger.

Nonetheless, these breaches reveal an unsettling truth: in DeFi, the reputation of the individuals who develop the systems matters. And the Poly hack exemplifies one reason why this is a problem. Poly is supported in part by the team behind Neo, a Chinese blockchain established in 2014. To earn the confidence of someone in the United States or Europe, they must overcome the same obstacles of language, geography, and politics that crypto was intended to eliminate.

Instead, the chasm has sparked blatant conspiracy theories regarding Poly's motivations. Mr. White Hat has been offered a position as Poly's Chief Security Advisor, the company said this morning. This is almost certainly part of the network's honey-dripping plan to keep the hacker happy. However, it has sparked suspicion that the breach was an inside operation designed as a publicity stunt.

Another important element of crypto's trustlessness is finality. “Completely non-reversible” transactions, Satoshi Nakamoto argues in his 2008 white paper explaining Bitcoin, are a feature of the system, not a bug: “With the possibility of reversal, the need for trust spreads.” That's because reversibility necessitates an arbiter, a feared "third party" with the authority to determine who is in the right and then halt or reverse transactions. But cryptocurrency's whole purpose, and the characteristic that distinguishes it from other digital payment systems (and, at least in modern times, from currencies as a whole), is to eliminate third-party middlemen.

Tether is, of course, what I'm getting at here. With a market value of $63 billion and a vital function in enabling trade, the stablecoin is a fundamental foundation of the whole cryptocurrency ecosystem. Tether is often thought of as a "cryptocurrency" similar to bitcoin, but its reaction to the breach proves otherwise.

The firm behind Tether proved it is a "trusted middleman" by freezing $33 million implicated in the breach. Tether has shown that it can freeze any money flowing on the network at any moment, much like a bank (which it is in many ways). When you use it, you're trusting Tether's central administrators not to freeze your money. (To be clear, the same is true of USDC, a Tether rival, but Circle, the firm behind USDC, decided not to intervene in this instance.)

As a result, as bleak as it may seem, crypto systems are rapidly inviting the same timeless philosophical dilemma that we confront when dealing with conventional financial systems:

Who do you trust, hubba hubba hubba?
