Hacker News new | past | comments | ask | show | jobs | submit login
Ethereum Is a Dark Forest (medium.com/danrobinson)
553 points by gottagetmac 53 days ago | hide | past | favorite | 447 comments



Have a friend who lost more than $12k in the process of buying a house. Scammers sent the wiring instructions a few hours before the legit closing attorney sent the real instructions. The email looked exactly right except for a minor change to the domain name from address.

After one hour, wire transfers sent in error are no more recoverable than crypto.

How the thieves knew so much about the process and timing is supposedly being investigated, but no one is holding out much hope. And the attorneys have a strong incentive to cover up any evidence of intrusion on their side, assuming it was their infrastructure infiltrated.


I wanted it to be convenient and electronic transfer but my lawyer said I’m simply not allowed to. I had to get cheques from my banks and hand deliver them to the lawyer’s office.

I’m not sure I fully understand, in retrospect, the desire to shave off inconvenient corners for large life events you do so rarely. I think there’s real wisdom in some of these things being so slow and old school.


This reasoning also (especially?) applies to voting. Trying to make voting "efficient" is not worth it when we do it rarely and we have not had a problem just getting people to count ballots manually.


This is a really bad comparison. Making it easier to vote has a big affect on how many people vote.

Requiring a hand delivered check vs wire transfer to buy house has a minimal effect on how many people buy a house.

Plus, the US has elections far more frequently than how frequently an average person buys a house.


> Making it easier to vote has a big affect on how many people vote.

I think OP meant "efficient" as in "efficient for the people doing the counting." In this case, efficient is not the same as easy. It's efficient to count a bunch of ballots by having people enter their choices directly into a bunch of counting computers that are networked to a central counting computer.

It's easy to vote by getting a ballot (by mail or in person), marking it, and dropping it into a box. But counting those votes is not efficient, or at least not fast.

I'm with you; I want the latter, not the former.


I find myself commenting on this more and more often, but check out what freeandfair.us is doing in the voting space.


> This reasoning also (especially?) applies to voting. Trying to make voting "efficient" is not worth it when we do it rarely and we have not had a problem just getting people to count ballots manually.

THat's a very rose-colored view on voting, one that conflicts with amount of recounts and outright election fraud that has taken place just in my lifetime. Not to mention the outright denial of some to candidates to attend or speak at conventions and caucuses or having heir delegates ignored entirely.

Ethereum was recently, and succinctly described to be the following by Udi Wertheimer:

“I think that Ethereum is a convoluted mess and I don’t know what it’s good for but fine; other people like it. Good for them.”

That pretty much sums up my perception, at first it was supposed to be a global computer, which made no sense to me... then it was THE Blockchain upon which smart contracts could be created, entirely ignoring Bitcoin's could do that multi-sig txs or nLock. But would facilaite things like smart-contracts for hotels and car rentals, then that faded into obscurity when they knew it was not practical at all given its limitations. Then when Crypto Kitties fad came on I stopped attending the local meetups entirely as I couldn't take them serious anymore.

I was always the 'Bitcoin maximalist' at those events, and while I was using their meetups as a way to grasp why Ethereum even mattered as I was at IBM's Blockchain division where they were openly pushing for ETH based solutions and using an equally complicated things as Solidity was when they mandated everything be done in Hyperledger Fabric.

Ultimately, I realized it was complexity for complexity's sake driven by people who really don't understand this technology at all, and did so with no real reason to justify it other than it fit with the 'it isn't Bitcoin, its this other thing' narrative. IBM really dropped the ball on their advantage to capitalize on the use of this tech to many of its multinational customers, many who seemed eager to explore the possibilities, as a result of this.

I still have some screen caps from the internal study material from the exams and other internal material on a phone somewhere that just focused on how Bitcoin was nothing more than digital currency for criminals online. And how Ripple and Ethereum were some how immune to that with no real explanation to anyone who actually understood the technology [1].

To this day I'm still baffled how anything but greed explains how Vitalik, a former member of Unsystem, was the guy behind this and the subsequent clusterfuck that is ETH/Classic/DAO whatever it wants to call itself.

I kind of wished it had all been a big prank to transfer funds from stupid investors and Putin who were mesmerized by empty claims and buzzwords to fund Unsystem's loftier goals for privacy on Bitcoin but after the DAO I was pretty convinced it was never going to happen. Crypto Kitties made me realize that even they had no idea what they were really building.

1: https://thexrpdaily.com/2020/01/20/ibm-said-ripple-is-unique...


Not sure if it’s general but here in the UK our lawyer made us come in to collect the bank account number and were very explicit about never using other details because of this scam.

I saw a variation of it first hand at a company I once worked at. The scammers gained access to the lobby of the building, removed the post and replaced it with invoices with different bank account details on.


Interestingly, property is the slowest and old-schoolest of all the branches of law. Some systems of deeds and recorders have existed for hundreds of years.

As an attorney I used to look at a lot of boilerplate skeptically but is a RE attorney told me I had to sign in the presence of a clergy, my mother and law, and three local stray dogs I'm marching my butt to a pet store and making some calls without a question.


As an attorney, you should know to read your contracts more carefully :) nothing in a pet store should qualify as a "stray dog," so is the whole thing null and void now?


To buy treats, to lure in said strays :-)


> I’m not sure I fully understand, in retrospect, the desire to shave off inconvenient corners for large life events you do so rarely.

Same. I’ve seen people but one car over another just because it was available nearby instead of a half hour bus ride away. How many times in your life do you buy a car that an extra half hour is significant?


For this, I think it also matters how people view the car, the class of car, and the cost of waiting or goi g somewhere else.

If you're buying a cheap car to get you from point a to point b and you don't care about amenities, what does it matter? Will that civic the next town over make you much happier than the corolla in front of you (or vice versa, or whatever)? Some people just don't care about cars, or at least not for the type of car they are buying for that use at that point in their life.

Nobody can care about everything all the time, and sometimes people just decide not to sweat the things other people think are vitally important because they have other stuff they care more about.


I was so picky and spent months looking for my car. To the point the dealers were getting a bit irritated. When I finally picked I was asked what colour. “Don’t care. What do you have on the lot?”


True, if you really don't care at all then just buy the closest one. But in my (limited) experience with buying cars, once you figure out what will meet your needs, there's usually a significant value difference between the available vehicles and it seems silly to give up several thousand dollars worth of vehicle for the sake of one slightly longer journey.


Sometimes. For middle-of-the road needs and reliability, it's hard to go wrong with Honda or Toyota, and at the lowest level of vehicle that only leaves you a couple choices. If I was in that position and didn't know a lot about cars, I might just go to whichever dealership was closest that had one, test drive what they had, and if nothing really negative jumped out, buy it.

The more money you're willing to spend the more good choices there are at that level though, so this becomes harder to do when not operating at the lowest cost tier of cars.

This does change a did if people are willing to consider less traditional choices, like smart cars.


What's so inconvinent about that? I assume you have to go into the lawyer's office anyways. A cheque is just a signed document telling your bank to transfer the money-if you're buying a house then a cheque is the least of the things you're going to have to sign. Was it just a normal cheque? (Not a certified cheque or money order, or anything special) if so many people will already have them on hand.


For $100k it had to be certified. And was a bunch of hoops to jump through to get them. Took like a week.

Mind you this is Canada so things are likely different.


Fellow Canadian here, I did not have this experience.

The certified cheque was done in 20 minutes. All that was required was two pieces of photo id, producing the debit card and entering my pin to access the account.

This wasn't even my "home" branch, zero prior relationship with this branch and I walked into a random one on my way to work.

I'm guessing there are hoops to jump through if you're clearing out your entire bank account because it could be grounds of suspicious activity by the branch manager.


This is an artifact of insecure communications systems and poor operational security. Making people shuffle physical paper around, especially considering things like pandemics and climate change, is a temporary workaround, not a long-term solution.


I think the most important point is that it's slow, it involves many people, and leaves a physical trail. These are all advantages for any kind of ability to prevent or recover from fraud or simple mistakes.

Perhaps you can build a similar electronic system, but if one of the purposes is to make it slow and make it involve lots of manual confirmations, is there really a purpose to it? It's going to be much more complex than the paper system (replacing physical properties like uniqueness with brittle/complex cryptographic versions). Complexity always begets bugs.


Given that it had been working this way for hundreds of years, how is it temporary?


I imagine, barring an extinction event, that humans will be using digital communications systems and cryptography for many tens of thousands of years.


https://www.cnbc.com/2019/10/05/homebuyers-are-falling-for-t...

> Here’s how these scams usually go down: A thief hacks into a real estate or title company’s computer system and then studies the transactions, from the language used to the format of the wiring instructions. When the scammer strikes, he or she will often pose as someone from the real estate or titling company to instruct the buyer to wire funds to them.


Can't this be avoided simply by making sure the property owner gives you wiring instructions in person?


You aren't (usually) wiring the money to the property owner. It goes to the title or escrow company processing the transaction. They get the money, execute the paperwork, and then transfer the money to the owner after everything is squared away.


What is the incentive to use an escrow instead of dealing with the owner directly? How do I know the escrow won't run away like a crow with my money and the house?


The escrow company is supposed to be more reputable than the owner. They also handle this type of transaction, and know how to get it done properly, how to check the seller actually owns the house etc.


Not all the money goes to the home owner. Typically some goes to the bank for the mortgage, some to the buyers agent, some to the seller's agent, some to taxes/fees, and so on. The escrow/title company calculates all of this and ensures everyone gets their money.


or use public key cryptography, and have a verification signature that can only be signed by knowing a secret.


The scam here relies on someone having compromised the network of the company sending the instructions. In that situation, wouldn't you have to assume the intruder found the secret key?


The scam relies on absolutely insane system of financial institutions sending critical key information over email, instead of any controlled channel.


I'm not saying that cryptography wouldn't help in general, or that it's not incredibly stupid that we're not using it. What I'm saying is you can't just slap crypto on this particular scam to make it go away. These people have insider access to the machines that would likely be used to sign the email. If that is the threat model, it's a mistake to trust anything not delivered in person, signed or not.


Hey you know that and we know that, but the real estate industry is barely able to handle email, let alone secure it.


lol yes, because signed and encrypted email hasn't been tried.


In the US at least, you typically don’t even meet the owner. (Never mind that it’s not easy to make sure you’re paying the real owner without the aid of the various intermediaries. Nolo Press has good books about buying and selling homes and all the potential pitfalls involved.)


It's avoided by the companies involved taking 5 minutes to talk to each other when comuniticating instructions, and then holding the funds in escrow for a day before disbursing them.

But they don't care and they are not computer literate.


> After one hour, wire transfers sent in error are no more recoverable than crypto.

The receiver account can still be seized by government institutions though, something much harder with cryptocurrencies.


You would think, but in all scammer cases that I heard, they are able to get their money out.

I really don't get it, because I have to provide my ID every year or so for verification. I really don't get how these scammer can get away with that, but obviously every time.


Its easy to get fake ids that look very real (ask a local 20 year old).

Also you often do not even need to take a picture of an ID to open an account online, just have the info of an identity that you steal. After that, you get an atm card, wear a covid mask, shades and hat, call to raise the limit and take it out asap.


Which banks allow non-trivial ATM withdraw limits?

My experience with 4 different banks:

1. Limit of $500 cannot be changed

2. Limit raised to $1,100 over the phone; apparently if I show up at a branch and bring my first born, I can get it as high as $1,500.

3. Limit of $500 suddenly reduced to $200 (!) with the option to call in and raise it to $400.

4. Limit raised to $2,000. Some years later, suddenly reduced to $1,000. Haven't bothered looking into this yet.


Fidelity Investments brokerage and cash management accounts have a limit of $1000 a day, and I have four of them, so I can get $4000.

I recently learned that some Chase Bank ATMs inside branches used with Chase ATM cards can get $3000 in one transaction. I did it the first time a few days ago.


Good to know, thanks. Fidelity is actually my example #1. I've been told multiple times on the phone it can't be changed from $500, but that was years ago. Will try again.

Back to the topic, we're up to $3-4k now which is more than I thought, but still not enough to pull off this $12k scam.


Fidelity outsources their debit card servicing. A Fidelity rep told me that the cap is set per customer, and the withdrawal limit is set depending on the account balance and history with that customer. They told me that I could request a higher withdrawal limit if I wished to do so, and they may or may not approve it.


Interesting, I didn't think it was per-customer. At the time these conversations happened, I had plenty of money, most of it in my Fidelity account.

They could have saved a lot of money on ATM fees (which they always refund me) by increasing my limit, that's for sure.


Any particular reason you need so much cash on hand?


You never know when a good poker game will break out.


I travel a lot, and sometimes often to "emerging economies". Cash is always king, especially when your American bank puts yet another suspected fraud alert on your card...


What comes to my mind, is when you buy a boat or a motor second hand.


Rich people banks, like schwab.


They can use an account registered for a homeless person who has happily provided an ID in exchange for a small amount of money.


What's the next step, after the stolen money has landed in the homeless persons account?


>The receiver account can still be seized by government institutions

That is hardly an advantage for the victim. Come to think of it, that's a (rare but realistic) threat for normal, licit commerce.


What do you think the government does with the money? Keep it?


It costs you more to do the work to recover your money than you get back. The government's contribution is only the general deterrence, which has no effect to attackers from hostile nations.


Is it just me or is there fantastically more fraud these days than a decade or two ago? Any transaction feels like walking around in northern Canada during black fly season.

I receive several cold scam calls per day and I’ve known people who have done things like purchase a home and been inundated by fake calls from “the underwriter” and other scams.

Is there no mail and telemarketing fraud enforcement any more?


We're definitely getting more of the Chinese robocalls and other SMS spam here in Australia too. I think there are two sides to it: scammers like everyone else are feeling the pinch from reduced economic activity, and desperate people are easier to scam.

A lot of scams do feel like low hanging fruit that would be easy to track down. I think there is a lack of will and capability for resolving "small" scams of up to a few thousand dollars which can be crippling for individuals.


I wonder what changed in global cyber security and law enforcement during this time window.


In 1994 the Internet became widely available, exposing you to attack from 6billion people.


Imagine a world with way less wealth inequality


When we bought our house last year, the packet came with a big, bright red page (as well as a verbal warning from our loan officer) to look out for these scams.


Same for me a year ago, and they called early in the morning on the day of closing to repeat the warning. It wasn't even mentioned when I closed on a house seven years ago.


I tend to phone people I'm making transfers to, where they've emailed or otherwise electronically sent the sort code and account number, to verify. Adds a couple of minutes, but could save tens of thousands.


This is possible because the telephone network is (more) secured, in the same way email and other forms could be, but aren’t.


Similar, my old and jaded real estate agent said "don't trust this computer shit, call me or call the loan people on anything involving money or signing something"


Likewise. Ours instructed us to look up the title agency in the phone book, call that number, and verify the wire details before we did it.


> Scammers sent the wiring instructions a few hours before the legit closing attorney sent the real instructions.

In my view, this mess is temporary. It's caused by a partial transition from an old system (manual via solicitors, cheques, and bank managers) to a new one. The old one was pretty reliable, but involved a lot of expensive people. The new one is like operating in the matrix. When communications happens electronically, the checks built into the old system break down and it's near impossible for a human to know if a electronic message is real.

It is not near impossible for a computer to know of course. A computer validate a series of cryptographic assertions anchored at the titles office relaying what bank to credit, and it can do with far greater accuracy than the old "human relationship" system, and it can do it in factions of second. But right now we use the new system to communicate because it self evidently more efficient to do so, and still use the checks from the old system to validate those communications.

You see this all the time. Phishing fraud, where accounts are sent fake invoices from what appears to be a valid supplier is essentially the same thing - humans using eyeballs to verify an electronic document is valid (which is essentially impossible), as opposed the supplier just signing it and the bank account details it contains.

It's almost comically bad. I was asked by the accounting section of one of the top computer contracting organisations to verify I controlled another bank account. They demanded a bank statement to prove it. Problem: the details on the bank statement were inaccurate. I raised a ticket with the bank to get it fixed, but as seems to happen depressingly often the bank screwed it up. So in the I downloaded PDF, edited it, rendered it to TIFF, added noise, and sent it. It was accepted of course.

Right now most organisations are wide to being exploited because they are communicating electronically, and using eyeballs to validate the result. They seem oblivious to the idea The Matrix wasn't just a move, it was a prophecy. And now the future it prophecised has arrived.

It will change, but only after quite a few companies have been ripped a new one.


That scam relies on the purchaser sending the full payment almost as soon as the bank transfer details have been sent to them, otherwise they’ll see the legit details too.

When I’ve bought residential property in the past, there have always been various fees to pay in advance, using the same bank details. So when it comes to the final big payment, I’ll have already had the bank details for weeks, and have already used them to send previous payments. Double checking the payment instructions by phone just before making the payment helps too, as that allows confirming the account and the final amount.


This problem can be avoided if the parties use digital signatures and require a phone call for final confirmation of the instructions.


That requires the escrow companies hire people who understand technology instead of just sales.

It's a principal-agemt problem. Real estate agents hire their friends to do escrow.


I mean... this is the most literal definition of "man in the middle attack" you can get.

And we already know the solutions to that


I am closing on a house, and this is quite terrifying. How in the world did the scammers know all the exact details of the house? I am guessing the $12k was good faith money? In my case, I was able to write a plain old check for my good faith money.


It was the down payment on the house in this case. And was actually a lot more than $12k. It has to be a wire transfer since checks take so long to clear and the title can't transfer with that uncertainty.

My advice to anyone buying or selling is to get the attorney's phone number from a known good source in advance, and call them to verify the wiring instructions before submitting. Also compare the bank account name down to the character with the real one (although I don't know how hard it is fake this). Your bank should read off the bank account info you're sending to before you give the confirmation to proceed.


> It has to be a wire transfer since checks take so long to clear and the title can't transfer with that uncertainty.

Why was an escrow service not an option?


Escrow is an option. They require wires.

Checks can be uncleared long after they clear (another common scam, since checks have no security model), so nobody sane accepts checks from stranges for large numbers.


My title company gave us all of the relevant information and account numbers in person on paper and made us sign documents agreeing that we were warned not to trust any information sent via email, web, or phone. You should expect the same.


Most title companies send those warnings via email. "Don't trust email from anyone but me." It's insane.


Last time I had to wire a large amount of money I used paypal's verification trick - first sent a small amount of money and then phoned the person on the other side of the transaction and asked them to tell me how much money I'd sent them, and only once they'd confirmed that trusted the information to send the balance.


I could imagine a MiTM scam where the scammer relists the owner's property, and provides the mark with the scammer's email, phone number, mailing address etc.

Depending on how sophisticated the scammer is, the MiTM between communication can be transparent to the victim.


This is very common on Craigslist. Scammers offer arbitrary vacant properties for rent and disappear after collecting deposit and first month's rent.


No need to be terrified, lots of ways to confirm the wire instructions are legit. Calling a known good phone number or going to the title company in person.


Well, I'm not sure why transfers are not checked against the name, especially for high value ones

This is fraud. It might not be recoverable immediately but it merits a police report. And maybe with that report you can have the receiving bank take action


The receiving bank is in Russia or somewhere.


For anyone interested, a friend of mine works on a technical solution to this exact scam.

https://certifid.com/

No affiliation besides having a friend who works there.


That doesn't help. The scammer will just imitate certified instead of the escrow company.

And it's yet another party that can get hacked.

The solution is for the parties to talk too each other to verify their relationships, instead of replacing all the trusted people by random websites.


It's generally considered useful to actually look at how a thing works before disparaging it counter-factually.


Whenever I send a wire, I have to prove the name of recipient, that being a company or a person. Why would I wire it to an unrecognised name?


That makes no sense, unless the money has been taken out of the target account in physical form.


I really think that all of this DeFi stuff is playing with fire. If these tools scale large enough, it's easy to imagine breaking the right link in the system at the right time to cause catastrophic failures.

Remember that all complex systems operate in a degraded state. If there's ever a way that only part of a complicated swap executes correctly the trade can get really far out of position. People in Ethereum land will say things like "the smart contracts can't possibly execute if all of these conditions aren't met!", but I can assure you that lots of extremely fault-tolerant systems built by very smart people (like electronic stock exchanges) have failed in very surprising ways.

Weakly collateralized flash loans are just faster leveraged tools with all of the tradeoffs that entails.

YMMV, there's definitely a lot of money to be made.

https://www.youtube.com/watch?v=SjbPi00k_ME << Relevant.


This DeFi stuff is playing with fire because the products being released have significantly outpaced the state of the art in building safe smart contracts.

To make an analogy, imagine that instead of DeFi, we were talking about skyscrapers. Imagine that thousands of engineers funded by millions of people who believed in them were building 25 kilometer tall towers using technology that they discovered in Isaac Arthur videos. And they were doing it today, before any of the technologies like active support structures had been properly matured. That's what's happening here. It's not that building towers is bad or unsafe, and it's not that the technology behind 25 km towers is fundamentally unworkable, but it IS the case that you shouldn't be doing it just yet given our current engineering knowledge.

Defi is insanely cool, insanely powerful, and it will dramatically change the landscape of society. But given the state of today's technology, if your product is anything fancier than Uniswap (sorry Maker, sorry Curve, sorry YAMs, sorry Augur, etc), it's not safe and it's ahead of its time. A lot of these projects are repeats of things like pets.com. Great idea, but it was too early (Amazon eventually fulfilled the vision though).


I don’t disagree with your claim here, but aren’t existing systems even worse? The conventional electronic payments system is in many ways permissionless. Even if crypto doesn’t live up to all the promises it makes, it may still add value.

If crypto is building poorly-engineered space elevators to get out payments to and from the sky, maybe the current system is throwing them in artillery and parachutes and hoping they land where you aim.


I stayed with Bitcoin not because I don't see how cool Ethereum contracts are, but because it's all about getting at least 1 thing right, which is digital scarce money. Even that itself is an incredibly hard problem. Getting smart contracts to be secure will take much more time, so I'm staying an outside observer.


> Defi is insanely cool, insanely powerful, and it will dramatically change the landscape of society.

As a person who has been around this tech since 2011, can you explain what exactly it is you find so fascinating about this other than the seemingly absurd amounts of money some people have made so far?

This all just seems like a reshased version of the DAO to me and I have ignored it entirely.


We're told this is a global economy, and yet think about things that are still overly complicated and expensive nowadays with financial operations. Things like wiring money to people abroad, buy securities in other countries, and all other operations in the hands of a few large financial institutions. Now we throw much of that bureaucracy away.



>I really think that all of this DeFi stuff is playing with fire. If these tools scale large enough, it's easy to imagine breaking the right link in the system at the right time to cause catastrophic failures.

Substitute "software" for DeFi. Every single day we're playing with fire through low quality code and bad security practices. DeFi just exposes the real financial costs and consequences of terrible software development. How many countless dollars and hours and data have been lost through bad code?


Good point but it won’t stop DeFi’s growth. In my opinion, such risks shouldn’t stop DeFi’s growth neither. Similar risks have been present in conventional finance and economy too. Relevant: https://youtu.be/ed2FWNWwE3I

Instead of fearing from the risks we should quantify and analyze them.


Oh great, so we'll solve the problem of insurmountable complexity by putting another layer of complexity on top that is supposed to understand the first layer of complexity for us.


That's the entire state of computer science. Over time, strong systems become black box tools for more complex systems.


and less strong systems , also, become black boxes for other systems...


Until one of the systems break and you're forced to give up the black box illusion.


Isn't that the whole security / obscurity point? That true security only comes by being exposed to active, intelligent, informed adversaries for a sufficient amount of time?

Or, another way: each exploit and oops only improves the system, rather than being a signal of its failure.

And let's be honest, the competition is still "Oops, I accidentally sent $900M to the wrong party." [1]

[1] https://news.ycombinator.com/item?id=24222045


> And let's be honest, the competition is still "Oops, I accidentally sent $900M to the wrong party." [1]

The counterargument there is that Citibank is currently pursuing a resolution in the courts to that issue, and if they win they will get their $900M back. If you flub a DeFi transaction, you're shit outta luck.


And of course, if cryptocurrencies ever become anything more than Internet play money (and environmental disaster), the legal systems of countries worldwide will make sure the same protections apply. So yes, your newest cryptoanarchist token may have totally irreversible transactions (cross my heart, here's the math proof!), but the court can still order the thief to send back the money they stole in a separate transaction, under threat of prison time. The judge will not care that the relevant "smart contract" prohibits such behavior.

Because that's what real-world security ultimately boils down to: men with guns, ready to drag you where the law tells them to. It's not perfect, but it achieves 99% of the effect at the fraction of a cost of a "trustless" proof-of-work system.


By definition, if it can be regulated, it's no longer decentralized. And if it's not longer decentralized, blockchains have no benefits over regular databases.

Blockchains solve a very specific problem - decentralized transactions. Unfortunately solving that problem for the world's organized criminals brought a massive amount of heretofore hidden financial activity to light. Consequently, people, most of which don't actually understand blockchains, are trying to replicate this 'bonanza', like moths chasing a light bulb.

There many other use cases for decentralized transactions. But, with so much perceived opportunity at stake, industrial -strength pretzel logic is being applied to the problem, along with eye-popping amounts of venture and FOMO money.


Doh, that should have read 'there aren't many other use cases for decentralized transactions'.


TLS issuance is decentralized too, yet Certificate Transparency provides accountability, and inclusion into Mozilla's trusted CA list is basically the vetting process that binds CAs to legal entities.

In theory in crypto currency world "staking" is this process.


TLS is not decentralised, it's hierarchical. There are a fairly small number of root CAs, and an even smaller number of browser makers who define their trusted lists.


Just the Mozilla CA list has more than a hundred CAs ... https://ccadb-public.secure.force.com/mozilla/IncludedCACert...

And you can install your trust root if you want, for example I can't find any Russian ones in that list, so probably the Russian government uses internal ones. (Their tax authority interestingly uses Sectigo a CA from the UK.)


> Because that's what real-world security ultimately boils down to: men with guns, ready to drag you where the law tells them to.

But that's assuming the judge knows who the thief is. One of the main characteristics of cryptocurrency is that you can hold it without giving anyone your social security number.

In that respect it's much the same as cash -- if you get away with it you keep the money, but if you get arrested, they can order you to return it, and seize your house/car/wages/etc. if you don't.

The issue, which creates the demand for cryptocurrency, is that we don't have a digital equivalent of cash that isn't based on proof of work. But the regulatory system could create one quite easily.


> But that's assuming the judge knows who the thief is. One of the main characteristics of cryptocurrency is that you can hold it without giving anyone your social security number.

You can, but AFAIK it's harder to do that when you're trying to cash out your cryptocoins in fiat (though arguably, this becomes less of a problem for criminals with the growing numbers of goods and services you can pay for with crypto). Still, I think if governments ever allow for a mainstream, sanctioned adoption of digital currency, they won't let it keep this level of anonymity.


> You can, but AFAIK it's harder to do that when you're trying to cash out your cryptocoins in fiat (though arguably, this becomes less of a problem for criminals with the growing numbers of goods and services you can pay for with crypto).

It also becomes less of a problem if any of the things you can buy for cryptocurrency can then be resold for fiat, which is already the case.

> Still, I think if governments ever allow for a mainstream, sanctioned adoption of digital currency, they won't let it keep this level of anonymity.

But that's the problem. If you can get it from cryptocurrency then it's available, so the only consideration is whether it's available from the system that isn't built on environmental destruction, thereby removing the demand from the system that is. It would be better if we'd admit that and get on with it.


In two to three years, Ethereum 2.0 will be using a Proof-of-Stake system and environmental concerns will be no more.

> the court can still order the thief to send back the money.

What if the court can not find the thief? What if the thief is from another nation? What if the thief is another nation?


I’m sure I remember people saying the same thing about proof of stake 2 – 3 years ago. What’s the hold up?


I am not so sure that people were talking about having PoS already used in 2020. What has been planned was to have the first phase of a PoS on testnets, and this milestone has been hit.

In any case, Ethereum still has a lot of characteristics of a research project. If you follow closely, you start seeing that ideas are explored, some approaches are validated, some are proven impractical, etc. Some delays and hiccups are inevitable. As long as the Ethereum Foundation keeps its transparency and does not overpromise I am fine with it.


So that 2 year timeframe mentioned earlier means very little?


It will ultimately have to be handled the same way these problems are handled with fiat: through international treaties and multinationals subject to several jurisdictions simultaneously.


How?

We are talking about a scenario where cryptocurrency become prominent enough that people would be trading with it. Governments and financial institutions can only control the on- and off-ramps from fiat to crypto. So now the US can claim to a quarter billion USD from North Korea [0], but what about a scenario where your assets are just numbers in a ledger that no one can control and these fiat ramps simply are irrelevant?

You want to talk about Governments trying to make it illegal? That is debatable, but a better argument. You want to make the argument that States and Institutions will create their own blockchains with backdoors so that they can override it? That is possible (or actually implemented if you look at Ripple), but that will be no real disruption of the existing global financial system.

I fail to see how "Governments will allow it as it is, but control it" is a possibility, though.

[0]: https://www.forbes.com/sites/danielcassady/2020/08/27/feds-m...


> I fail to see how "Governments will allow it as it is, but control it" is a possibility, though.

I do not claim that. I believe governments will allow it iff it's in a shape and form they can control. If some features prevent effective oversight, these features will have to be removed for the cryptocurrency to be officially sanctioned.


So you are talking about the "blockchain with backdoors" scenario (which absolutely defeats the principle and the purpose of any major existing system) AND making the existing leading chains illegal.

That is certainly is a possibility and a valid view, but to me a very short-sighted one. It assumes social-political systems are static. It makes us take for granted that global top-down Governments (hopefully democratic) will be the only legitimate form of power for a long period of time.

Blockchain or not, that leaves me with a very grim outlook of our future.


This may be my lack of imagination, but I can't see it ever being any other way. Hierarchical governance seems natural to us, pretty much written into fabric of social reality.

Once a group reaches more than couple dozen members, interpersonal pressures crumble as two random people don't really know each other or depend on one another - and you need to create a level of governance in order for the group to grow and stay coordinated. Rinse repeat, and you end up with hierarchical governance we know from every single society throughout history.

I know that "blockchain with backdoors" (or, "blockchain with anarcho-capitalist guarantees removed") goes entirely against the vision on which leading chains are built. But then, I disagree with that vision and consider it naive. I may be wrong about this, though. Time will tell.


This could be a good long conversation to have. Not sure if HN is the best place and format for it, so I will keep it short.

> Hierarchical governance seems natural to us, pretty much written into fabric of social reality.

Hierarchies have existed for basically forever and it's almost always the natural state of organizations not just for humans. I wouldn't argue the opposite. What has changed and almost certainly will keep changing is the nature of these different hierarchies. Moreover, we have more than one single type of hierarchy co-existing. Just compare Switzerland to China in present time, or compare the independence of Hellenic city-states with the growing centralization of the EU and you will know what I mean.

The one thing that is recent (and IMO misguided and/or totalitarian) is the idea that we can organize ourselves into one single global hierarchy, an all-encompassing entity that would be able to subject all different countries into one unified set of rules. Some look at Europe and the EU as a way to show that would be a good thing, but completely ignore the fact that the EU it is not an unanimous organization. Libertarians think that all-out globalization and absolute free-flow of commerce will smooth out every international issue and will completely ignore the fact that this only works if every one is on similar level of individual freedom and economic development. Communists refuse to accept past failed attempts because in their view Communism can only work if the whole world adopts it.

Every Utopian project that requires every one to conform to one single set of rules has failed and will always fail due to the impossibility of satisfying the needs, values and wants of everyone at a global scale. I hope we can agree on that.

> Once a group reaches more than couple dozen members (...) you need to create a level of governance in order for the group to grow and stay coordinated.

Right, and the beauty of blockchain is precisely that it solves the Byzantine Generals Problem. You can have any number of people that don't know and don't trust each other able to coordinate without any central authority.

Granted, this is not a perfect solution. It's not like that just because we can have a computer network telling us "who controls X and who should have access to Y" that people will blindly follow it. You will still have groups trying to control things by force, abuse the system and so on. Societies will still have to have their military forces.

The key difference is that now these disparate people and societies no longer requires nation-states to organize themselves. People won't be forced to swear allegiance with to one tribe or another just because of the place they were born, etc.


It's amazing how many cryptocurrency users are citizens of Panama...


Citibank is in an argument with other institutions that operate in broad daylight. Crypto nets allow anyone, anywhere to jump into the transaction as a feature. These guys don’t care about New York City police. I don’t think regulators will have any control without having a controlling stake in the ledgers.


no environmental disaster at all with POS or other systems different than POW


Exactly. There is no way I'd ever want to anything remotely important, or remotely high value, on a system that isn't run by humans and with transactions reversible in courts.

Who is it that uses these smart contracts, and for what? Is it mostly a gadget for research and speculation (still)?


I work in old industry and the supply chain guys as well as finance is having a boner from the idea of moving their crufty systems to blockchain. The whole paper trail around a bill of lading isn't a joke if you are shipping from say China to South America.

But - like the internet - it's just a fad that will soon pass.


It'll never happen on the supply chain because of all of the entities in the middle with zero desire to participate.


If they don't, they will be put out of business. Do you think if Walmart says "I will only buy from you if I am able to audit you and prove that your shrinkage is less than X%" they are just going to say "Opposite, sorry we can't do that."?

Or if Amazon ever starts a blockchain-based certification system to crack down on counterfeit products, the legit distributors are not going to push down on all their suppliers? Of course they will.


This thinking belies a very simplistic view of a very complex supply chain.

Brands like Nike often don't touch their products after they produce the design.

Manufacturing, distribution, shipping, warehousing, sales are all handled by a massive web of smaller entities with long term contracts. Most of these businesses use very very old tech, and will actively resist change.

Its a chicken or egg problem too, since having half of your products on a blockchain is pretty much worthless, it's an all-or-nothing problem which makes it that much more of a massive undertaking.

I've studied this pretty extensively and honestly don't think it'll ever happen. At least unless the current paradigm of supply changes massively.


> I've studied this pretty extensively and honestly don't think it'll ever happen. At least unless the current paradigm of supply changes massively.

"I don't think we will see any changes in the industry, unless the industry changes." Kind of tautological, no?

> Most of these businesses use very very old tech, and will actively resist change.

I don't think we are disagreeing. Maybe we are just thinking in different timescales.

I don't doubt current business will resist change. What I am saying is that there will be a point where adopting the technology will be such an obvious advantage for the large players that the existing business will either be forced to adopt or be disrupted by some new business.


> "I don't think we will see any changes in the industry, unless the industry changes." Kind of tautological, no?

Kind of not-at-all what I said no? Change is inevitable, blockchain is not the right tool for this job.

>adopting the technology will be such an obvious advantage for the large players

A centralized solution from a trusted third party has all of the benefits of blockchain with just about none of the downsides. Many institutions could fill this role from technology companies to major law firms in the supply chain space.


> A centralized solution from a trusted third party has all of the benefits of blockchain with just about none of the downsides.

So why hasn't it happened yet?

Also, who in their right mind would rely so much on a "trusted third party" to coordinate global supply chains?

What would be cost to have an organization that is able to maintain this level of trust?

What about the politics of it? Even if the entity were to be trusted, how can we be sure that there would be no countries forcing their political/economical might to bend this entity to do what they want? As an example, after the global pandemic, do you trust WHO more or less? Do you still believe that they are completely independent?

You are never going to hear from me that blockchain is a perfect solution for all problems, but a "centralized solution with a trusted third-party" is quite a spherical cow in comparison.


> Also, who in their right mind would rely so much on a "trusted third party" to coordinate global supply chains?

Just about every major brand.

You can think it's absurd all you want, but it's already a major industry.


Back to the main question, then: why hasn't it happened yet?


As I said in my previous comment, it is happening in a major way across industries. There just aren't any clear market leaders because as previously discussed, different brands have different ideas on who a trusted third party is.


> different brands have different ideas on who a trusted third party is

If different entities do not all trust the same centralized party, then it is not happening. You are pulling a spherical cow again as an answer. What is so hard to understand about that?


That is nonsense, why do all brands have to use the same solution for one brand to have something that works?

Why do you keep arguing about a space you're clearly unfamiliar with?


Because it's not a matter of the industry that I am talking about, it is the general principle.

To make an analogy: I don't need to know all of the details of foreign trade and banking regulations around the world to know that people can use blockchain-backed cryptocurrency to send money all around the world in a way that is faster and cheaper that any banking or remittance company ever will be able to.

As blockchain tech matures and gets easier to be adopted by the masses, it will not matter if currently we have a gazillion different banks and if companies each are using their own ad-hoc method for managing world-wide transfers and FX: the moment that consumers are able to say "I want to use my crypto to pay for this", companies that are not on-board with that will simply lose business.

---

To sum up: you are arguing that the status quo is the only way to make things and that the only way to have any change is when they are of interest to the status quo. I am arguing that the status quo will not matter the moment that blockchain technology gets more accessible and makes more economical sense as a way to verify and coordinate work among entities that do not trust each other.

What matters in the end (to quote from the OP that started our discussion) is "The whole paper trail around a bill of lading isn't a joke if you are shipping from say China to South America". This is something that blockchain is basically designed to solve. It doesn't matter if the companies now don't want to use it, when the people holding the purses start asking for a solution that only blockchain can solve efficiently, the companies that don't adopt will lose business and fade away.


> it is the general principle

So you're extrapolating a general principle that has yet to be proven anywhere into an industry you know nothing about. Great. This sort of attitude is part of why folks generally sneer at BlockChain enthusiasts.

> you are arguing that the status quo is the only way to make things and that the only way to have any change is when they are of interest to the status quo

You keep building a strawman of my argument that's easy for you to tear down. Are you aware that there are more choices than "status quo" and BlockChain?

> when the people holding the purses start asking for a solution

That's the thing, consumers DGIF, and have proven this for generations by purchasing based on cost and quality alone.


> So you're extrapolating a general principle

If it is a general principle, it doesn't matter the specific application. That's the whole point of abstract thinking. But you don't seem to care about that. So, let's go back at the comment from OP:

  I work in old industry and the supply chain guys as well as finance is having a boner from the idea of moving their crufty systems to blockchain.
They are the ones holding the purses. Not "consumers who DGIF". It's not retail that is going to drive the adoption of better tech in the industry, it's the large purchasers who will make everything possible to increase their margins.

> This sort of attitude is part of why folks generally sneer at BlockChain enthusiasts.

Again, I will borrow the words from OP:

  But (Blockchain) - like the internet - it's just a fad that will soon pass.
My google-fu has failed me now, but I'd love to find a link to a story about a MS executive who thought that the idea that "internet search was stupid. People will just bookmark the sites they use more often and start navigating from there."

I will say this in the nicest way possible: your head is so stuck inside the box of the status quo and their current issues that you are not even able to contemplate a thought outside of it. You are dismissing something that can disrupt entire industries because the current implementation is not good enough. The moment that you stop thinking in a static way, perhaps you won't calling everyone "naive enthusiasts".

> Are you aware that there are more choices than "status quo" and BlockChain?

Sure there are! Yet none of the things you present as choices actually (a) solve the problem of coordinating work and attesting validity of information in a global scenario with competing actors and (b) have the potential to be automated/scaled to eliminate a lot of human intervention in the way that blockchain does. You are talking about big firms, big contracts, CYA agreements and certifications whose costs can not reduce with scale. How do you want me to believe that this is going to compete with technology that will be exponentially cheaper and simpler to operate and deploy?


For all the scams, ponzi schemes and outright theft that has happened in the blockchain space, I can bet a good amount of money that we as a society lose more every year to corrupt officials, subverted institutions and petty theft than we will ever lose on a system that is not run by humans.


In total? Yes. As a fraction of total volume? Debatable.


Some quick Google searches:

- World GDP: 142 trillion USD.

- Global cost of corruption: At least 5% of World's GDP according to WEF. [0]

- Cost of violence: estimated to be 11% of GDP in 2012 [1]

We are already at 16% and we are not even counting resources and parts of the world economy under the control of authoritarian regimes.

[0]: https://www.un.org/press/en/2018/sc13493.doc.htm

[1]https://www.researchgate.net/publication/261037678_Estimatin...


Then for crypto you need to count what fraction of value is used for illicit activity. Here is a paper estimating its about 46% of transactions [0]. If you look at transactions that cause real economic activity (as opposed to speculation) I bet the fraction would be in the 90%+.

[0] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3102645


You are moving the goal posts. The point initially was to show that the current socio-political institutions are no better than "Wild-West" blockchain systems to avoid fraud and misappropriation of assets.

You are now talking about how much of a "real economy" blockchain can handle, which is a different matter and a totally unfair comparison. Let's talk about a "real economy" when people are allowed to enter a work agreement and have a contract specifying a salary in crypto.


Even without the real part I showed 44% is illegal activity, which is ore than 16%.


It is still unrelated to the point of comparing the percentage of funds taken from its owners or misappropriated in the blockchain vs fiat. The activity may be illegal, so what? They were still desired by both participants. Bringing that to the story is still goal-post moving.


You commented on “cost of violence”, if you talk about cost of violence this includes illegal activity.


Depending on the jurisdiction, a lot of non-violent activities are considered illegal and happen on black markets anyway: gambling/sports betting, recreational drugs, contraband goods, prostitution... A lot of the "violence" that you are trying to prescribe to this comes from the fact that these activities are pushed to the underground, not due to the activity itself.

You are grasping at straws and you know it. Right now all your argument is based on your preconceptions against blockchain, but you are misattributing a whole lot of things to it.

Come back when you have a significant number of cases of people being attacked in order to get their bitcoin wallets stolen, banks being robbed for private keys in paper wallets or corrupt officials locking people up and demanding crypto for payment. Then I will start listening to you in regards to "violence that is caused by the nature of cryptocurrency and blockchain"


>> each exploit and oops only improves the system

This is not necessarily true. If the system architecture is highly complex and poorly designed, each exploit will result in a patch which will only make the system more complex and more brittle. IMO this is exactly what is happening with Ethereum.


Of course DeFi is playing with fire. And of course a lot of people are going to get badly burnt.

But the analogy is closer than you think. People still get badly burnt by real fire every day. Without coal fired power stations, blast furnaces and internal combustion engines we would not have modern society. If currently thinking is correct, without cooking food on fire there would be no intelligent hairless apes contemplating a future when DeFi actually does something useful.

PS: As the article says, transaction fees are of the order of $10..$20 per trade. DeFi trades derivatives in crypto currencies that have found no useful niche whatsoever (bitcoin being an exception, if you regard being the currency of choice for illegal activities as useful). In that environment, the only people who are reliably making money are getting those fees.


> I really think that all of this DeFi stuff is playing with fire. If these tools scale large enough, it's easy to imagine breaking the right link in the system at the right time to cause catastrophic failures.

We've already been through this with algorithmic trading in stocks: the flash crashes of 2010-12. Some were way bigger in terms of damage than the entire crypto market.

So yes "there will be blood" but you'll see all of the DEXs and other mechanisms eventually implement the same techniques that NASD and the stock market implemented to fight it: limits on price movement, kill switches (probably automated), market pauses etc.


possibly when you are depending on transactions being verified on two different chains but one can do child pays for parent or can be overwritten on a smaller blockchain you could end up with a "blockchain race condition"


As an elaborate real-money PVP system, Etherum is amazing. As a means of doing relatively normal business, being sniped, frontrun, or exploited is hugely off-putting.


True, but the article was about a situation in which they were retrieving money that was inadvertently available to anyone. That's not normal.

Any well-written smart contract has protections against front-running. For about a year I audited them for a living, and front-running opportunities are definitely something we looked for.


Sure, well written software has no vulnerabilities.


We never guaranteed there were no vulnerabilities. My point is just that there are simple ways to defend against front-running in particular, and it's common practice to do those things.


In order for money to be both real and useful it should be secured by unencumbered interest in durable real property.

The simplest way to circulate commercial paper for daily transactions is the Benjamin Franklin paper money system which involves appointing public loan officers throughout a nation to issue equity loans to anyone in possession of unencumbered interest in durable real property which they are willing to pledge as collateral which the public can auction in the event of non-payment.

This way money is placed in circulation so that the interest paid for the first use of legal tender is publicly collected and immediately spent back into the economy and so that the total quantity of money expands dynamically in proportion to the aggregate quantity of physical durable capital.


Competing theories say that the main value of monetary tokens comes from the government's monopoly on violence. What I mean is that governments ask taxes to be paid in tokens that they issue (pounds, dollars etc) and they threaten you with jail / physical violence if you don't pay. Governments then issue these tokens and pay people in order to employ them. Under this model, money is devoid from the value of the asset backing it (in the case of fiat money, no such asset actually exists).


Why? This is unnecessarily encumbering the utility of money.

Real and Useful: people can use the money as a store of value, medium of exchange, and a unit of account - and enough people believe in it.


Because allowing new public legal tender to be created on security of fictitious capital such as speculative land values and deposits of credit created by other banks is accounting fraud, transfers wealth from the poor to the rich, creates speculative bubbles in financial asset markets, promotes disinvestment in the real economy, decreases demand for labor, inflates the price of land relative to wages for unsupervised labor, and worsens inequality.


The only reason inflated valuations based on speculative hype, i.e. your 'fictitious capital', are able to redistribute wealth from the productive economy to rent-seeking interests is that parties taking irresponsible risks are bailed out by government programs that socialize losses. These programs are sold to the public as making the market safer for consumers:

https://www.nber.org/papers/w22223


There is no way of distinguishing between a "real" and "speculative" land value.


This is primarily an issue for contract writers[1], of which there are relatively few. You get similar kinds of automatic exploitation on exchanges of all kinds too (stock, currency, futures, etc), though I think it's fair to say Ethereum makes it (quite a bit) more complex and more automate-able on average.

[1]: transitively it affects users too, but it's a bit different either way.


I thought Ethereum's primary aim was to be an unstoppable world computer that runs any code where the fas fee was paid, not money. Bitcoin aims to be peer-to-peer censorship-resistant electronic cash---and at this point its protocol has far higher levels of tested security.


Many of these transactions are not using ETH the currency, just Ethereum the network. Ethereum has many tokens such as stablecoins (USD pegged tokens), governance tokens (capital assets), synthetic assets, even wrapped versions of Bitcoin.

Ethereum is still a "world computer", but it's a world computer for high-value transactions, which are generally financial.


How so? Ethereum requires a computer, and it's far cheaper to compute on your computer than compute has on your computer.

Ethereum is an unstoppable world chat room (ledger), maybe.


Transactions on ethereum get processed from the mempool in order of who wants to pay the most gas to have their stuff processed.

And yes, ethereum has more potential for problems, it's a much more complicated system than bitcoin. Their current goals are proof of stake (getting away from energy wasting mining) and scalability. Bitcoin is great for what it's great for, being digital gold, but it's pretty far from replacing Visa, ethereum actually has a shot at that.


You do realize that replacing "ethereum" with "the stock market" or "the USD" in your sentence pretty much yields another truism, right?


Why? Those are the places people do normal business. Extremely efficiently.


> being sniped, frontrun, or exploited

All of those and more will occur to you if you try to professionally trade large public markets


I can't imagine running (or investing) in a software-based company here without also having an automatic model checking layer for verifying all runs + 24/7 monitoring for disabling any live contract. If you're going to put $10M+, years of your life, and who knows how much customer money into this, why not spend $500K of it so you're running with the blockchain equiv of CI testing? You'd be able to deploy faster, with more confidence and less stress, and fewer of these weird midnight Europe phone calls.

Viable model checkers for basic software contracts existed since the 80's, and the modern incarnations are insanely powerful (Z3, ...) + quite approachable (Rosette, ...). They're used to tackle software verification problems magnitudes harder than "money can only go from here to there in this tiny software contract": race detection in distributed file systems, bugs in hardware circuits, security holes in big javascript libraries, etc. I think of these same not-very-secret tools every time I see one of these articles, and yet the engineering fails keep happening.

A few teams deploy tech here, including built on the above, but it seems like most do not. I'd say mind-blowing, but at this point... mind-numbing?

I do appreciate the author being frank about how bad the status quo is.

EDIT: To give a sense of this -- the same people will talk about meticulous cold storage key exchanges with someone always being there to watch, driving into the desert for bootstrapping secrets, and then for their actual operations, deploy unverified contracts.


I hate to be that guy but you are vastly underestimating the challenge of formally verifying these software systems. Blockchains are highly adversarial, open source, and doing a lot of innovation. Innovation which means that nobody has ever tried to verify that type of system before.

Model checkers can tell you thinks like 'there are no underflows' and 'these two pieces of code are identical', but if you want to know whether there is no arbitrage or front-running, you're well past the capabilities of the state of the art. It's not merely a matter of spending $500k on CI and auditing.

And then you've got a separate issue, which is that the space is super competitive and moves extremely fast. If you spend 6 weeks getting your new contract audited, you may well miss the window where people will care about the project you launched. I don't think this is a healthy culture, but it is one that many teams are trying to compete in. And therefore they ARE willing to bet millions of dollars without taking any time to audit, because the expected value of deploying faster is higher than the expected value of deploying more safely.

For projects that are comfortable moving more slowly, formal verification IS a big focus, and the cryptocurrency industry has been a material driving force in many security related technologies such as reproducible builds (Gitian), reproducible bootstrapping (Guix), and software verification methodologies.


For background, I've built verifiers for harder languages, reviewed papers for crypto systems, seen the inside of crypto operations & crypto security startups, and help build software for adversarial, investigative, & high performance scenarios. I'm not an expert in blockchain stuff, but I'm also not unfamiliar with the software challenges.

* I would agree that paying consultants to audit contracts is prohibitively expensive. It's the equivalent of paying pen testers to do your unit testing & security engineering - that's a costly way to do your basics

* I disagree that model checkers can't check for stuff like front-running. It's not textbook, but close: the first papers on model checkers were specifically temporal logic for stuff like ordering issues. That was ~35 years ago! Contracts are similar in size, and both computers + solvers have gotten exponentially better. For my day job, we do TLFOPS for $0.20/hr, in Python.

* Reproducible builds, bootstrapping, etc. are real... but the 20%, and skipping the 80% I'm talking about. Verifiable VM IRs + verifiable contract lang subsets + contracts verified against them. Yes, we've seen sw supplychain attacks against some projects. More than that? Buggy contracts, buggy contract libs, & buggy blockchains.

I get that crypto startup people don't know this stuff, but you can hire 1-2 devs (= $500K) that can. Even if verifying against full abstraction is likely out of reach due to the security mess that is the ETH VM & friends, chiseling out subsets and running the model checking equiv of fuzzers isn't hard. The status quo of not doing it makes it look like an industry of folks not running unit tests before pushing to prod. (See: article.) It's not that hard. As more money gets into any company here, my expectations go higher, even if that industry's haven't.


How do you check for front running? What if your checker tells you that you can't fix it just by changing your own code?


I'm unclear what level you're asking this at.

-- Modeling: You start with basics like using the small universe assumption to bound checking to X transactions. I'd expect most front running to show up as small cycles here, so the typical case is a super small X. Later, you might get into a time cost semantics to better tune what you consider interesting, but almost no one in the crypto space is at the level of modeling maturity. I'd predict a team's time is way better spent building up a stdlib of contract checks, verified contract helpers, & whitebox attack heuristics/guides.

-- Modeling II: Also, in verification, it's way better (ex: realizes more of the ROI) to verify the program has the properties you want ("money goes from a->b without getting stuck"). You can dream up individual attacks and model those one by one ("front-running where ..."), but then you potentially miss some, or some aspect of one. That's basically the difference between verification and testing. You still do stuff like check sample scenarios & individual attacks, but that's more about testing the verification conditions & model fidelity.

-- Fixes: A good (while still cheap & easy) checker gives you summarized examples of attacks. Likewise, it makes it interactive, so you can tune what you consider in/out of scope. More R&D-level verifiers suggest patches (verification and synthesis are two sides of the same coin), but that's not necessary. If your idea sucks or the attack is unavoidable, the verifier isn't the problem, and if you decide to still proceed with the now proven-bad idea, you can at least now price the risk in.


In the article the attacker simply pays a higher fee to have their call executed first. How does verification help you in this case?

It sounds a bit like it would just tell you that your design sucks and you need to change it, but that's not really helpful if it does that for all designs you can come up with.

I'm not convinced you can spend 500k and make the problem go away. If it turns out the problem can only be fixed by changing the underlying platform, rather than your contracts, you will spend years talking to stakeholders and advocating for the necessary changes. Which you still have to come up with yourself. Unless your solver somehow finds the correct solution?

Another reason why that budget is suspect is that you'd have to develop most of that from scratch. There certainly isn't an existing set of mature tools like there might be for verifying properties of C++ code.

Unless you make the problem go away, you are not going to be better off hiring people. Front runners let one know there is a problem just as well as a verification consultant.

Proving that an attack is unavoidable might at least save some time. Proving that a specific solution doesn't work doesn't really help you find the correct one (?)


A couple things here didn't make sense to me:

* $500K / develop from scratch is too expensive:

Nope! I actually hedged by ~10X :) In reality, I'd advocate building successively better verifiers as more & more money flows through, with the first solid prototype being $20K-$50K.

One good MS/PhD student in the verification community can build a decent toolkit over a summer (= $20-50K). The reason is that tools like those I mentioned earlier are intentionally language-agnostic and part of 15+ year movement of building out lightweight generic toolkits for this stuff.

Think of it like a CI system: you get most bang for the buck by building out basic unit tests early on, and as your system becomes worth more $, get into integration testing, and one day, chaos engineering. Same for different levels of verifiers.

* Some problems are inherent to all designs...yet you're better off hiring people? That doesn't make sense to me. What are the expensive per-contract outside people going to do if they can't fix the bug? That's worst of both worlds!

When a verifier flags the issue, if a team can't figure out a fix, at least now they can now mitigate the risk (e.g., shut it off, only put in so much money, get insurance, hedge/diversify, monitor for the exploit happening, ..).

My broader statement is verification tech is increasingly accessible and building out some of it for an org deploying contracts is similar to a utility co building out monitoring or a software shop building out CI. Not for the weekend coder, but should be basic engineering for a professional shop.


If you can't fix it maybe you shouldn't deploy it. It's like knowing you have a bug that will result in a 50/50 chance of losing customers money. It would be irresponsible to deploy code like that.


There should actually be a big market for formal verification tools: malicious users can use them to find and exploit buggy contracts.

I imagine this will happen after the low-hanging fruit (the front-runners described in this article) is gone.

Providing formal security proofs may be forever out of reach, but if the tools get expressive eventually it'll be a battle of who can throw the most CPU at the solver, to the point where no cost incentive remains.

Either way, it will spur developers to use these tools before their attackers do.


Runtime Verification (no affiliation, just know some people who have worked with or for them) are working on tools and providing services for things like this

https://runtimeverification.com/


> the same people will talk about meticulous cold storage key exchanges with someone always being there to watch, driving into the desert for bootstrapping secrets, and then for their actual operations, deploy unverified contracts

Although they, or their predecessors, didn't necessarily do the former in the first few years of Bitcoin. Lots of exchanges, including the very biggest, were compromised and robbed.

Maybe there's a cycle where particularly terrible outcomes help to create a new consensus on basic safety precautions.


You can validate your contract all you want, but if it matters in which order executions matter, you're still subject to the whims of the underlying blockchain.


That's something you can verify and fix, or decide to otherwise include in your risk calc.

But yep, after looking at the hoops verification folks are having to jump through to run safe contracts on insecure blockchain VMs, maybe doing something else with your $ can also make sense.


This was as much fun to read as some of the classic Eve Online war stories.

Thank God it's just a game.


I know next to nothing of ethereum or how it works, so the whole thing read like a cyberpunk caper that I couldn't put down. I imagine the author on his Ono-Sendai deck.


I see I'm not the only one. Most blockchain stuff seems like an incredibly dull game of Fantasy Stock Exchange, but this was more like Eve Online.


They have nothing on the current financial system, like banks being able to block you because you sell adult sex toys or someone being able to pull money from your account whenever they want because you once gave them your card details to buy a $5 sandwich or having to find a merchant relationship just for people to send you money. These are nonstarters that would get laughed out of the room if pitched today.

You're just used to the stupidity, so it's easier to scrutinize the new things. But there are people out there who take those downsides seriously. And sure, you're always trading old problems for new, different problems, but it's nice to have the choice between those trade-offs for once.


As an outsider looking in, though, it seems that banks are getting better at this, while crypto is getting worse.

There's a bajillion fintechs helping the banks sort out their UI issues and make it friendlier/better.

Bitcoin is still basically unusable for everyday transactions, and the endless stream of wallet provider hacks is not convincing anyone that it's secure. As TFA says, the hazards for normal folks playing in this pool are getting worse. If the miners are frontrunning your transaction every time you want to get paid, what's the point?


The fundamental problem of ownership still isn't (and won't be) solved by the existing banking system. Money that you actually own, that you can do whatever you want with (for better or worse).


this isn't a fundamental problem for anyone who isn't caught up in this weird ideologically libertarian crypto cult.

Virtually nobody wants to 'actually own' money or do whatever they want with it, they want to buy groceries, pay rent, or put it in their bank account.

If people wanted to actually own stuff they'd buy pinephones instead of samsung galaxies.


Well until a few centuries ago nobody wanted to have electricity sent into their houses. The masses don't care until it becomes part of life. It's always the quirky pioneers that care first.


> basically unusable for everyday transactions

Why is this the acid test? Buying a coffee is a solved problem so why is blockchain tech expected to address this use case?

> the endless stream of wallet provider hacks is not convincing anyone that it's secure

Does the endless stream of point-of-sale and credit card hacks make you question the security of dollars, euros and yen?


> Does the endless stream of point-of-sale and credit card hacks make you question the security of dollars, euros and yen?

No, because my credit card company gives me my money back when there is fraud.

Crypto promoters always paint the irreversibility of blockchains as a feature, but it always seems like a risk to me.


It's just a different approach with different tradeoffs. Credit cards push the fraud risk and fees on the merchant. Crypto can push it to the user (and in the process reduce the fees incurred).

I would be happy to have a way to pay merchants I trust online with and remove the ability to reverse the charge if I was financially incentivized to do this (with the money the merchant saves on fees).


The ability to reverse a charge isn't just about helping you if you are cheated by a merchant, though. It is also about if your credentials are compromised and used by someone else.

Sure, you might be happy to give up your ability to get a chargebacks against a particular merchant.... but what about against a thief?


It's a tradeoff - in a number of cases, I would be willing to accept that risk. I already do with cash.


Sure, but the more articles like this I read about crypto, the more it sounds like carrying cash at 3am in the worst part of town....


Mine doesnt. I can only block my card and sue. No chargebacks possible. For me any crypto is basically just as good, yet even more secure.


Or get a different credit card?


What about when someone creates a loan in your name or steals your tax refund or your real estate down payment?


You can remedy all of those things in the current system.


The banking system deals with it by just reversing the transaction so the end user of the system, the consumer, doesn't care. This ends up screwing the merchant most of the time, causing the price to be paid by higher prices, but people don't seem to care.

And most people don't store value in currency long term, they typically store value in assets such as precious metals, securities, or real estate. Cash has a purpose of exchanging value in the modern economy, nothing more. It is manipulated by design to bring stability to the economy to allow for a more favorable business environment.

I think crypto has a place in the world... but it's not as a general purpose currency. Using anything but a fiat currency for commerce is way too unstable for long term sustainability.


> Why is this the acid test? Buying a coffee is a solved problem so why is blockchain tech expected to address this use case?

Wait. If everyday transactions are not the use-case, then (excluding speculation and money laundering), what exactly is it?


There's finance stuff which is mostly large organization to large organization. Everything from escrow, loans invoices, to things like RFPs and supply chain management.

Then there's the NFT/Unique items section which is for gaming (God's Unchained/Magic the Gathering where each card is owned digitally and can be traded freely with others or used as collateral for a loan), media (You own a movie but can use it on any service), and art (Tokenized art is a big craze right now).

The big ones down the line are new methods of organizing and collaborating. DAOs allow for decentralized corporations and governments. There's a lot of cool stuff here.

There's more but payments are really just a tiny use case of crypto. The big stuff like decentralized applications which might replace Google and Facebook with privacy preserving neutral platforms built for everyone to use.


> neutral platforms

Most internet platforms used to be "neutral" - or significantly more so than today. The current discussion in society is about the problems that too much neutrality can cause.

However your stance may be on those topics, this very same discussion will extend to decentralised communication networks as well, should they ever go mainstream.


> The big ones down the line are new methods of organizing and collaborating. DAOs allow for decentralized corporations and governments.

Ok, dumb question: How would such a decentralised government keep itself from being overrun by, say, the Russia troll army, or any other actor with enough resources to take over a majority of it?


Identity is a huge topic itself with lots of projects doing fundamental research and experiments but essentially if it's a traditional physical government then it would work like it does today where you would use your government secured ID to vote. Not much would change. If it's a digital government then it would probably be using an identity based on built up history of actions and financial settlements and connections to other highly verified accounts. Ethereum has a project called POAP (Proof of Attendance Protocol) which is a way of identifying that a real person attended a specific event or performed some important action. These POAP badges can't be faked and are already being used for things like being able to vote on certain dev polls if you've attended a Devcon.


> If it's a digital government then it would probably be using an identity based on built up history of actions and financial settlements and connections to other highly verified accounts.

Not sure if I understand this correctly. You mean, an account will be considered "genuine", if it had a long enough history of activity?


Sort of like a credit score matched with landlords who vouch that you rented from them before. The longer that history the harder it is to fake and also the harder it is to just be the same person with multiple accounts. These systems usually have some component of a social graph where people will interact with and vouch for other people and having more and higher quality connections (more verified, connected to someone you know personally is real) gives you a higher legitimacy rating. It's usually up to the organization to set the minimum bar of how verified someone is to be considered unique.


Except you don't need a cryptocurrency to have decentralized applications or neutral platforms.


Blockchain addresses the fundamental societal concern of trust. It addresses accountability and transparency, removes middlemen, and maybe down the road will provide a currency use case. Yes, it can act as currency but that is the use case with the worst odds.

When it comes to currency, your coffee is not the target right now. Getting rid of entrenched monopolistic behavior is the best first step: wire transfer fees, Western Union, transfers that take days to process, objectionable government-defined illegality, banks freezing your funds, etc.


Have you ever used a browser wallet? I have yet to see a banking ui that is even close as fast and comfortable as metamask is. And i regularly try more modern banks.


> the endless stream of wallet provider hacks is not convincing anyone that it's secure

Does the endless theft of money through central banks' intentionally inflating the money supply increase your faith that government fiat is secure? Hacks against centralized wallet providers don't count as security weaknesses in decentralized protocols such as bitcoin.

Perhaps the current danger with Ethereum-based DeFi is that its far too centralized, and typically (but not necessarily) contracts deployed on it are also far to centralized in their design, governance, and security reviews before deployment.


You can as easily blame the previous generations of sex toy sellers for their shady practices as you can banks for responding to it by separating those industries for special treatment. Higher processing fees or outright blocking is just a response to risk.

It's not some moral pillar that crypto is taking a stand against at all, it's just removing all the processes that protect both sides of transactions and distributing those trust mechanisms to those parties instead.


Except that it's not "shady practices" that caused it. It's, man buys porn on credit card, wife questions the man about it, man denies it was him, wife has the charge reversed. Then the bank stops wanting to deal with anything related to the adult industry.

What you need is a payment system that can handle transactions where the seller is honest and the buyer is flaky when the existing one is built around the opposite assumption. And if the banks can't provide that (or the existing regulatory environment doesn't allow them to) then it's good when something else fills the gap.


> You're just used to the stupidity

Those examples you listed are at least an explainable, understandable flavor of stupid. "Hello, bank? I'm disputing this charge" or "Yes, I really bought that stuff".

It's no accident that TFA has Cthulhu in the header -- we're crossing into a malevolent and incomprehensible dimension of stupid. "Hello, void? Robot monsters ate my contract" and you hear nothing but echoes in your marrow.


> They have nothing on the current financial system

Ok, so you have some grief with how the banking system works

> These are nonstarters that would get laughed out of the room if pitched today.

How is this related? No one is pitching building a KYC government regulated financial banking system?


"Better yet, if you happen to know a miner (we didn’t), you could have them include the transaction directly in a block, skipping the mempool—and the monsters—entirely."

ugh. It's not what you know, it's who you know

That said, this looks like a very interesting and rewarding system to hack. But it seems to serve little purpose. The other comments comparing it to Eve Online are spot on


I came here to ask about that specific quotation:

"Better yet, if you happen to know a miner (we didn’t), you could have them include the transaction directly in a block, skipping the mempool—and the monsters—entirely."

In the bitcoin ecosystem, as far as I know, basically everyone can be a miner, right ? If you are running the bitcoin client you are mining and there is no particular barrier to entry to mining ... just run the client and mine.

How is the ethereum ecosystem different ? If they could avoid all of these complications by mining, why didn't they just fire up their miner ?


Its not different. The issue you run into in both systems is that unless you have a large amount of specialized hardware, you will not be able to mine a block in your lifetime.

The number of blocks being mined is constant for the entire mining ecosystem, so you are basically competing with all the other miners to create a new block.


I see - so the protection one could gain from being a miner that the article alluded to would come not just from being a miner, but from successfully mining blocks.

That distinction is needed since, no matter how slow and painfully inefficient I am, if I am running the miner I am, indeed, a miner on the network ...


If you just fire up the client and mine, it will do practically nothing. You will have essentially no compute power, so no chance to ever get the block with the transactions you want included


Its the same in bitcoin ecosystem, really.

But bitcoin transactions are orders of magnitude less complex. So you don’t get these “frontrunners” at all.


Its not just being the miner, its winning the block and including that transaction in the block without it first being included in the mempool and transmitted over the network.


The "purpose" is to be able to trade one coin for another without having a trusted intermediary such as an exchange or escrow.


sounds like a legitimate service a miner could offer for (real) money


I don't see how that would work. Wouldn't that miner have to win the race to find a block in order to help? Seems like this would greatly lengthen the amount of time for a transaction to commit. You'd have to tell your transaction to a bigger set of miners to increase your chances, but that would also increase the chance of your transaction leaking to a front-runner.


The environment described in this article is horrifying and definitely sounds worse than our current financial system. That person just lost $12k to fraud and has no recourse at all.

I agree with the other comments on here. Blockchain/crypto has always made me uncomfortable. I think it's a mix of the slimy get rich quick aspect of it that draws a lot of people and the cyberpunk/dystopian rhetoric around it.

I also think it's telling that even though Blockchain has been this hyped thing for 6+ years at this point, we haven't really seen it actually be used for anything outside of cryptocurrency, which in and of itself isn't used for much outside of speculation. On the other hand, machine learning is used in everything now and makes a lot of stuff better.

It definitely sounds like there's an additional major innovation that needs to happen with this stuff before it's really usable.


> I also think it's telling that even though Blockchain has been this hyped thing for 6+ years at this point, we haven't really seen it actually be used for anything outside of cryptocurrency, which in and of itself isn't used for much outside of speculation. On the other hand, machine learning is used in everything now and makes a lot of stuff better.

Did you know that the Neural Network has been around since 1958 [1]? Machine learning is not a technology that is just 6 years old. The latest AI trend is also not the first or second time that AI has been through a massive hype cycle.

The problem with the cryptocurrency space is that it's financial innovation. And just like financial innovation on Wall Street, this tends to draw out the slimiest people in society, because if you get someone to believe in your product they may well leverage their mortgage and throw their life savings at you. It's crushing to see people do this, especially because pretty much only the malicious projects get hyped up that much.

But that doesn't mean that there isn't any truly groundbreaking innovation out there. Cryptocurrency changes the fundamental scalability of society. A key bottleneck for human society is trust - at some point a system gets large and corrupt, and it becomes difficult to keep bad actors from imparting a large amount of negative influence. But cryptocurrency allows us to design systems that don't require any trust at all. They _cant'_ be corrupted, because a combination of incentives and cryptography keep everyone safe.

As this blog post shows, there are still a lot of rough edges out there, but the technology is innovating rapidly. I do think the hype is probably 5-10 years ahead of the technology, but in the grand scheme of technology (think of how long it too Arpanet to mature, or Neural Networks to mature) that is not much time at all!

[1]: https://www.computerworld.com/article/2591759/artificial-neu...


> They _cant'_ be corrupted, because a combination of incentives and cryptography keep everyone safe.

I would like this to be right but then I ran into

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3197300

which discusses economic limitations to the incentives for blockchain mining. (One part is that if a cryptocurrency gets too valuable, the value of a double-spend attack could exceed some models of the reward for honest mining. Another part is that if you have unregulated derivatives, you can own a negative amount of cryptocurrency, which means that your financial incentive can be to actively damage the cryptocurrency rather than helping it. Satoshi's paper seems to assume that you can only own a positive or zero amount of bitcoin rather than a negative amount, when arguing why miners are incentivized to be honest.)

(This is also true for the ability to short, or insure, any asset -- you can be financially incentivized to damage it -- but elsewhere this incentive is partly countered by law enforcement investigations of some trades and insurance claims where people profited significantly from accidents, disasters, or scandals. Smart contracts on blockchains let us build insurance and derivatives markets where you can bet against things without identifying yourself. In fact the whole underlying discussion here is about how the person who claimed this particular asset in Ethereum is anonymous and probably can't be punished for doing so, even if we believed that the claimant wasn't entitled to make this claim. That could be equally true if the person were collecting an insurance contract payout. That's potentially fine if contracts can't create new incentives to cause harm, but maybe not so awesome if they can.)


The paper is 2y old - which is a bit of time in blockchain space - and yet, no one has performed this attack successfully in the wild. So, either everyone is just loving Bitcoin and wouldn't harm it for profit, or it's not so easy (hint: you cannot short Bitcoin for hundreds of millions, it's not liquid enough).

Also, this is strictly about PoW, the ETH roadmap (and this is where we are coming from in this submission) is moving to PoS where attacks are potentially way more expensive.


> you cannot short Bitcoin for hundreds of millions, it's not liquid enough

That seems like a great explanation, but the paper's argument is definitely not that cryptocurrencies can't exist or can't work, just that they have a limited range of levels of adoption where the incentives will continue to point in the right direction. In the paper's model it seems that Bitcoin has just not reached that level, right? If you could double-spend or short enough value in it, the incentives would reverse.

> PoS where attacks are potentially way more expensive

I don't think Eric Budish agrees that PoS verification is categorically immune to this. The very last sentence of the paper mentions that it "will be interesting to watch [PoS] research develop, and see whether or not it constitutes a valid response to the critique in this paper".


Just a thought - is negative proof of stake a thing? Could you incentivice everyone else to sabotage the system by "shorting" it?


This is a reasonable response - I definitely think blockchain is interesting but like I said, it's in need of some major additional refinement before it becomes practical.

>But cryptocurrency allows us to design systems that don't require any trust at all. They _cant'_ be corrupted, because a combination of incentives and cryptography keep everyone safe.

This article definitely doesn't describe a system that lives up to that ideal at all. Which is why it's so scary - when you remove manual oversight you're essentially saying "Hey, if you can hack this, you win!"


>That person just lost $12k to fraud and has no recourse at all.

The original person lost $12k by a mistake of their own, namely sending it to the wrong place. I wouldn't call that fraud. That this money is then in a weird unintended limbo and can be picked up by anyone who noticed, and someone tried to whitehat get it and give it back, and they failed, does still not make it fraud IMO.


> The environment described in this article is horrifying and definitely sounds worse than our current financial system.

It's a different system with a different set of tradeoffs. I don't think it's accurate to just call it "worse".


"That person just lost $12k to fraud and has no recourse at all."

Did they ? Why is it fraud ? If you kill my orc in WoW and steal my gold, is that ... what ? Theft ? Fraud ?

Are liquidity bots fighting over broken ethereum contracts more or less abstracted from reality than WoW gold ?


Yes but actually no.

The problems described in the article are very particular to the Ethereum cryptocurrency and its implementation of smart contracts.

So, you "feel uncomfortable". I too, felt bad about the described situation, and that's a reason not to use Ethereum's smart contracts.

But cryptocurrencies are already useful outside smart contracts, and IMO it is a mistake to confuse both.


A car breaking down in the middle of the street sounded worse than horses at some point


I used to think the same way about blockchain, but I then saw a presentation about self-sovereign identity and I think it could be blockchain’s killer app.

This is being spearheaded through the UN and the ID2020 alliance.


Is that presentation about self-sovereign identity available online?


> Because I’m a professional DeFi thought leader, I had never actually deployed a contract to Ethereum before.

As a developer that uses the EVM quite often, this had me laughing out loud!

That matches my experience with pretty much everyone!

And yet there are still the people doing things I could never think of doing and doing it very quickly. I want to get to that place.


Curious what do you use the EVM for?


Sell shovels during a gold rush, just like I did for mobile apps a decade ago.

That turns into open source contributions in packages that affect far more than EVM.

And some truly lucrative knowledge and utility. Except people want to debate utility whereas nobody batted an eye at mobile even though people only use like 5 of the hundreds of apps they have. (People made fun of apps getting big checks but it was all in fun, or congratulated individuals developers making 5-6 figures from app stores, but mention a dapp on a blockchain and everyone looses their minds)


Makes me think of the book Accelerando, where sentient viral corporations and Economics 2.0 posthuman intelligences running amok in virtual space, trading uploaded human constructs as currency.


I wonder how these bots perform the shorting. Do they take the modified instruction and increase miner reward to make it more prioritized than the original transaction? Such a bot would be hard to counter as if you set some reward value, even if it's extremely high, it would take it and increase it by 1. Even if you saw that value yourself and increased it yourself, they could counter your counter by inceasing again, the process continuing until everything is eaten up by miner rewards.

If you have multiple such bots, would they fight over the loot, increasing the reward until it's all given to the miners?

Are there any logs of rejected transactions that existed in the mempool? Is there evidence of such fighting?


Well, gas prices are insane right now so no doubt bots are bidding them up. Gas prices hit 250 gwei or so 2 weeks ago. $150 fees for some of these contracts and arbitrage aren't abnormal.

Here is a $188 transaction fee - looks like they were trying to "mine" compound from a $5 million flash loan? https://etherscan.io/tx/0x0d5def630cd20a1a24389982e99801e011...


They farmed $4140 before tx fees and interest, so they made about $4k. Not too shabby...


Curious, you seem pretty well informed about Ethereum, blockchain, etc. Do you work in the space?


Wish I were, but I am too old to work in a start-up, and I have family to feed so I won't work for $30k/y. I am just spending all my free time reading up on the stuff - to me, it's the most interesting tech revolution since the early web of the 1990's


Yes to all your questions. See http://frontrun.me/ for some logs of gas auctions.

There is/was also so-called "back-running" where bots spammed many transactions with the same gas price as a target transaction: https://github.com/ethereum/go-ethereum/issues/21350


So, with front-running on Ethereum, am I understanding correctly that what is happening here is that bots are being used to look at buy and sell orders on decentralized exchanges and then sending their own tokens with a slightly higher gas price to get in 'front' of the detected order?

What is the point of "back-running?"


That's interesting, thank you!


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: