
How to steal Ethers: scanning for vulnerable contracts - palkeo
https://www.palkeo.com/projets/ethereum/stealing_ether.html
======
jacques_chester
Here's my problem with smart contract maximalism.

Suppose my ether gets "stolen". For whatever reason I am able to turn to an
external legal framework -- police or a lawsuit.

Why wouldn't I just skip the middle bit and go straight to dumb contracts
executed by smart humans, rather than smart contracts executed by dumb
machines?

What exactly have I gained over the status quo if, at the end of the day, I
still rely on the enforcement mechanics of the status quo?

~~~
leppr
It doesn't take much imagination to come up with many settings where a
trusted, fair, omnipotent third-party arbitrator is absent.

Those unregulated environments are the trust settings where cryptocurrency
will shine, not the local, already regulated economies.

Applications like "real-estate on the blockchain", "event tickets on the
blockchain" are mostly just opportunistic buzzword riders. What cryptocurrency
best serves is international trade and black markets. All the places that
can't be regulated by traditional means, or that intentionally steer away from
regulators.

~~~
TeMPOraL
> _What cryptocurrency best serves is international trade_

I fear the day we go to war because of some clerk's off-by-one error in a
"smart" contract.

Honestly though, I'd think programmers of all people would be first to realize
that using code to represent law affecting anything in the physical reality is
a dumb idea. Think of any time you had to write a program to conform to a
customer's requirements document. Has anyone here, even once, done that
without discovering holes, inconsistencies or unintended consequences in the
document? And this is essentially the same exercise as formulating a "smart
contract", except the code can now ruin someone's life.

(There's some middle ground to be had here, though. A way of optimizing the
"long tail" of legal problems, without trying to do the near-impossible thing
of codifying intent.)

~~~
leppr
You just have to remember that there are humans behind it all. Before a war
happens, we would agree to fork the chain, like most people did with
Ethereum's DAO hack [1].

There certainly could be many life changing bugs happening for smaller
entities. But that's not a cryptocurrency-specific point. Humans are more and
more willing to accept trusting technology with their lives (factory robots,
pacemakers, automated cars, risky snapchats).

The key for cryptocurrencies is to keep humans in the loop: keep it
incremental and require human confirmation for meaningful transactions.
Machine learning can be used to detect anomalies in busy transaction flows.

[1]: [https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/](https://www.cryptocompare.com/coins/guides/the-dao-the-hack-the-soft-fork-and-the-hard-fork/)

------
kolinko
Oh nice, and I just published "Show HN" with my symbolic execution decompiler
- [http://www.eveem.org/](http://www.eveem.org/)

Seems like there will be a big trend with all kinds of symbolic execution
tools showing up in the upcoming year :)

~~~
palkeo
I link to eveem in my article. I used it quite a lot for my investigation :)
Thanks for your great tool!

~~~
wslh
By coincidence we just published an article [1] comparing automated tools to
human auditing in smart contracts. I am reviewing your article for expanding
ours. At ethdev [2] someone suggested checking the Slither [3] tool as well.

[1] [https://blog.coinfabrik.com/smart-contract-auditing-human-vs-machine/](https://blog.coinfabrik.com/smart-contract-auditing-human-vs-machine/)

[2] [https://www.reddit.com/r/ethdev/comments/a4492r/comment/ebbnwt4](https://www.reddit.com/r/ethdev/comments/a4492r/comment/ebbnwt4)

[3] [https://github.com/trailofbits/slither](https://github.com/trailofbits/slither)

------
bouncycastle
Be careful! There was once a guy who tried to hack an Ethereum smart contract,
but in the end the contract hacked him instead:
[https://techcrunch.com/2018/02/16/clever-ethereum-honeypot-lets-coins-come-in-but-wont-let-them-back-out/](https://techcrunch.com/2018/02/16/clever-ethereum-honeypot-lets-coins-come-in-but-wont-let-them-back-out/)

~~~
jstanley
Non-GDPR-walled link:
[http://web.archive.org/web/20180301075711/https://techcrunch.com/2018/02/16/clever-ethereum-honeypot-lets-coins-come-in-but-wont-let-them-back-out/](http://web.archive.org/web/20180301075711/https://techcrunch.com/2018/02/16/clever-ethereum-honeypot-lets-coins-come-in-but-wont-let-them-back-out/)

~~~
bouncycastle
Excuse my ignorance, but what is a non-GDPR-walled link exactly?

------
rienbdj
Have we finally found a way to monetize PL research?

------
tempodox
Isn't that potentially life-threatening because there's a good chance of
stealing from criminals?

~~~
Grangar
How would they go about figuring out who did it though? Can't really involve
law enforcement in that.

