“And now, folks, it’s time for: Who do you trust? Hubba hubba hubba, money money money. Who do you trust? Me, I’m giving away free money. And where’s the Batman? At home, washing his tights!” – The Joker (Batman 1989)
The Poly Network was hacked for approximately $600 million worth of various cryptocurrencies early last week, and at first the attack was notable mainly for its scale. It is the largest cryptocurrency theft in history, though not by much: the 2018 Coincheck theft was worth roughly $500 million. From 50,000 feet it looked like the obvious next step in a line of hacks stretching back to the Mt. Gox breach, which came to light in 2014 and was worth about $473 million at 2014 BTC prices.
In short, despite its size, the Poly hack didn't hold my attention.
Then things got strange.
Poly, miners, the security firm Slowmist and the stablecoin issuer Tether are reported to have opened multiparty talks with the hacker. The substance of those talks remains murky, but at least two things are known: Poly offered the hacker a $500,000 "bug bounty" in exchange for the return of the stolen funds, and Slowmist claims to have traced the hacker's IP address and email accounts (though the hacker denies having been exposed).
A third factor, and a strong one, is that the hacker likely realized he would have a hard time cashing out anything close to $600 million in tokens. (We don't know the hacker's gender, but I'll use "he" throughout for convenience, and because it is probably accurate.) Binance CEO Changpeng Zhao pledged that any of the stolen funds sent to his exchange would be "frozen," and Tether went ahead and froze roughly $33 million worth of its USDT stablecoin that had been taken in the breach.
Other factors may have played a part, but those were probably enough to set the stage for what happened next: the hacker gave the money back. By Thursday, Aug. 12, the hacker had moved nearly all of the stolen funds (the frozen tethers excepted) into a multi-signature wallet to which the Poly team had access.
In other words, this is the proverbial dog that caught the car. Having pulled off the largest crypto theft in history, the hacker had no idea what to do with the money.
Face turn
Now, with the Poly Network's help, the hacker is attempting a "face turn," the professional-wrestling term for a sudden switch from villain to hero.
On the morning of Aug. 16, the hacker posted a message from a verified Ethereum address that included the following:

“MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN,” the hacker wrote. “IF PUBLIC HACKERS CAN HACK THE POLY NETWORK, I AM CONSIDERING TAKING THE BOUNTY AS A BOUNUS [sic] FOR THEM... I HAVE ENOUGH BUDGET TO LET THE SHOW GO ON IF THE POLY DOESN'T GIVE THE IMAGINARY BOUNTY AS EVERYONE EXPECTS.”

“I TRUST SOME OF THEIR CODE, AND I APPRECIATE THE PROJECT'S OVERALL DESIGN, BUT I NEVER TRUST THE WHOLE POLY TEAM.”
To translate (the message itself reads as if it were machine-translated): the world's most famous crypto hacker says he did it for fun. Expanding on comments made on Aug. 11, he claims to be a benign hacker who only wanted to expose a design flaw, not to take the money. He says returning the funds was always the plan, and that he is now prepared to pay further "bounties," out of his own pocket, to hackers who help find and fix vulnerabilities in Poly. A genuine Good Samaritan!
While pressing for the return of the stolen funds, the Poly Network has done a great deal to help this face turn along by giving the hacker a flattering nickname: Mr. White Hat.
"White Hat" refers, of course, to a "white hat" hacker. In theory, a white hat probes for software vulnerabilities in order to get them fixed, typically with the owner's permission, rather than exploiting them for gain. A "black hat," by contrast, hacks for profit or out of malice.
Poly Network's motive for pre-emptively labeling the hacker a "white hat" is clear: it gives the hacker a way to return the money and perhaps save face. Poly's only goal is getting the funds back, and the approach is shrewd: you catch more flies with honey than with vinegar.
But apart from Poly's friendly nickname and the hacker's own claims, there is no evidence that his original intentions were benign. Among other inconsistencies, it is unclear why he drained $600 million when the vulnerability could have been demonstrated with a far smaller transaction; a proof of concept does not need to empty the vault.
Who do you trust?
The episode illustrates a growing tension that has accompanied the development of the crypto ecosystem. Crypto's founding premise, both technical and philosophical, is "trustlessness": broadly, the belief that robust and secure blockchain systems can be trusted where fallible, self-interested people cannot.
But as the complexity, competitiveness and stakes of crypto have grown, so has the need to trust the people behind it, and so have the consequences when that trust is betrayed. This is especially true for Poly Network users who committed funds to it: the protocol, which acts as a custodian as part of its cross-chain functionality, had been entrusted with the various tokens that were stolen.
The hack shows, however, that those users were never really trusting the system; they were trusting the network's designers and programmers, and the glaring weaknesses in that code have shattered that trust. Poly is far from alone: as noted above, hacks and vulnerabilities have become more common, especially in decentralized finance (DeFi) systems. A protocol that holds custody and runs privileged logic on several chains at once has a far larger attack surface than a comparatively simple system like Bitcoin, and that complexity is exactly what makes it more exposed.
These attacks can be seen as part of the process by which such systems are hardened. Whether or not it was the hacker's intent, he has made Poly stronger.
Nonetheless, these breaches expose an uncomfortable truth: in DeFi, the reputation of the people who build the systems matters. And the Poly hack illustrates one reason that is a problem. Poly is backed in part by the team behind Neo, a Chinese blockchain launched in 2014. To win the trust of someone in the United States or Europe, that team has to overcome the very barriers of language, geography and politics that crypto was supposed to make irrelevant.
Instead, the gap has fueled outright conspiracy theories about Poly's motives. Poly said this morning that it has offered Mr. White Hat the post of Chief Security Advisor. That is almost certainly another part of the network's honey-dripping strategy for keeping the hacker sweet, but it has also fed suspicion that the breach was an inside job staged as a publicity stunt.
Another key element of crypto's trustlessness is finality. "Completely non-reversible" transactions, Satoshi Nakamoto argues in the 2008 white paper describing Bitcoin, are a feature of the system, not a bug: "With the possibility of reversal, the need for trust spreads." That is because reversibility requires an arbiter, a dreaded "third party" with the authority to decide who is in the right and then halt or reverse transactions. But the whole point of cryptocurrency, and the feature that distinguishes it from other digital payment systems (and, at least in modern times, from currencies in general), is to remove third-party intermediaries.
Tether, of course, is what I'm getting at. With a market capitalization of $63 billion and a vital role in facilitating trading, the stablecoin is a foundation of the entire crypto ecosystem. Tether is often thought of as a "cryptocurrency" like bitcoin, but its response to the breach shows otherwise.
By freezing the $33 million implicated in the breach, the company behind tether demonstrated that it is a "trusted middleman." Tether has shown it can freeze any funds moving on the network at any time, much as a bank can (and in many ways it is a bank). This is not an emergency power improvised after the fact; the issuer's control over every holder's balance is written into the token's contract. When you use USDT, you are trusting Tether's central administrators not to freeze your money. (To be clear, the same is true of USDC, a tether rival, though Circle, the company behind USDC, chose not to intervene in this case.)
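As an added illustration (not part of the original column, and not Tether's or Circle's actual code), here is a minimal token contract with the kind of issuer-controlled freeze described above. The contract and function names (FreezableToken, freeze, unfreeze, seize, isFrozen) are this example's own. The published USDT contract exposes an issuer-only blacklist and a function that destroys blacklisted balances of the same general shape; everything here is simplified to show the trust relationship and nothing else.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: a minimal ERC-20-style token whose issuer can freeze
// any holder. Not Tether's or Circle's code; all names are this example's own.
contract FreezableToken {
    string public constant name = "Illustrative Stablecoin";
    string public constant symbol = "ILLU";
    uint8 public constant decimals = 6;

    address public immutable issuer;          // the trusted third party
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isFrozen; // the blacklist, readable by anyone

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Frozen(address indexed account);
    event Unfrozen(address indexed account);
    event Seized(address indexed account, uint256 value);

    // Every privileged action below is gated on this single key.
    modifier onlyIssuer() {
        require(msg.sender == issuer, "issuer only");
        _;
    }

    constructor() {
        issuer = msg.sender;
    }

    // Supply is a liability of the issuer, so minting is issuer-only too.
    function mint(address to, uint256 amount) external onlyIssuer {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // One transaction from the issuer's key and the address can no longer spend.
    function freeze(address account) external onlyIssuer {
        isFrozen[account] = true;
        emit Frozen(account);
    }

    function unfreeze(address account) external onlyIssuer {
        isFrozen[account] = false;
        emit Unfrozen(account);
    }

    // The stronger power: a frozen balance can be destroyed outright.
    function seize(address account) external onlyIssuer {
        require(isFrozen[account], "account not frozen");
        uint256 amount = balanceOf[account];
        balanceOf[account] = 0;
        totalSupply -= amount;
        emit Seized(account, amount);
        emit Transfer(account, address(0), amount);
    }

    // Every transfer consults the blacklist first; a frozen party's call reverts,
    // so the "bearer" property holds only as long as the issuer allows it.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!isFrozen[msg.sender], "sender frozen");
        require(!isFrozen[to], "recipient frozen");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

The trust relationship is not hidden: `issuer` and `isFrozen` are public, so a wallet or exchange can check a counterparty before accepting a deposit, and anyone can read the contract to see which functions sit behind `onlyIssuer`. That reading is the practical check to do before treating any token as bearer money: look for owner-only modifiers on the transfer path, and assume whoever holds that key can do to you what Tether did to the Poly hacker.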
So, bleak as it may sound, crypto systems are rapidly inviting the same timeless question we face with conventional financial systems:
Who do you trust? Hubba hubba hubba.