At the time of this last getting traction a few days ago, some people were sad that the title of my article and the discussion that resulted focused more on the bug instead of the bounty (which my article gets into near the end as part of some high-level thoughts on ethics), which is maybe why I am suddenly seeing this appear here again this morning (as this news article is instead focussing on the bounty angle)?
FWIW, the $2M bounty--which was actually listed as $2,000,042 (as they wanted it to sort higher on the list at Immunefi, lol)--was potentially (none of us realized this at the time I "won", and I am honestly still not 100% sure of it now, though I haven't yet come across any counter-examples) the largest single bug bounty payout ever (...though, by only $42 ;P).
So, while I knew that this had been offered in back channels, I failed to realize that this was not only confirmed to me in e-mail as well as publicly announced: Boba (one of the forks of Optimism that was affected by this same bug) has additionally extended to me their maximum bug bounty reward of $100k, making the "updated total" awarded for this bug (so far ;P) $2,100,042 (which more firmly might be setting a new record).
Still not a lot of money compared to what banks spend sorting out problems today.
So I was the coder for a payroll system for those paid out of the Channel Islands, in 2008. The day after Boxing Day I was asked to add 3 more digits to the payroll system so a trader could be paid a bonus. That system moved a lot of money all around the world.
Yeah, a prize like this will be close to 50%. If you're W-2, remember that your employer covers like 25% of your tax burden. So when you're self-employed or win an award like this you end up paying that tax plus the tax you're more used to.
Really cool to see Saurik posting here casually. Your work on Cydia when I was 12 years old is what got me into programming in the first place. Nice work!
Wow, really cool to see this. I remember your name from seeing it in Cydia all the time when I was 11 and had my iPod 2 haha.
Congrats on the bounty, glad to see you don't plan on blowing through it mindlessly :)
With a worldwide diversified ETF portfolio you should be able to live off of this amount of money indefinitely.
> Polygon is paying out a bounty of $2.2m in stablecoins to Leon Spacewalker and 500,000 MATIC to Whitehat2, which according to current market value is worth $1,262,711. The $2.2m exceeds the maximum value of Polygon’s critical bounty in recognition of the severity of the vulnerability.
I'm not sure if this was discussed in the previous thread, but does the bug allow the creation of real ETH coins, or does it just increase the counter in the Optimism database (or whatever system they are using)?
Optimism is a blockchain quite a bit like Ethereum, so the "database" mental model might be a bit confusing for a frame here (as it isn't like they are some centralized service), but no: this doesn't let you directly create ETH (which would be much much more devastating); it only lets you create something we might call "OETH", which is Optimism-specific.
The native currency on Optimism (used to pay gas, like ETH is used on Ethereum) is effectively ETH; but, as it isn't Ethereum, that ETH on Optimism has to actually live on Ethereum: it gets locked into a contract there which acts as a repository/reserve for all of the ETH being used on Optimism.
When you deposit ETH in this reserve on Ethereum you get credited the same amount on Optimism in the form of cryptocurrency IOUs (which we might call "OETH"), and you can later withdraw that money back to Ethereum, whereupon the OETH is destroyed and ETH is unlocked from the reserve contract.
The bug here (which I go into in detail in my post-mortem, along with another / different description of how these "bridges" work) was in the VM used for the smart contract behaviors on Optimism, which would mean you could arbitrarily replicate OETH (the IOUs for ETH).
For avoidance of any doubt: you couldn't use this bug to create an arbitrary amount of ETH/Ether, but the issue is that a lot of people call the money on Optimism--which is normally backed 1:1 with ETH--"ETH". (There is a discussion about what it should be called in the Ethereum chains database; I personally think what we need is a terminology for describing the full path whenever you have "ETH via an indirect path".)
But you could drain out all the ETH in the Optimism reserve by asking to withdraw, since you've fooled the network into thinking you own an arbitrary amount of OETH? Which would keep working until the main L1 Eth network rejects transactions for transferring ETH it doesn't have?
All the balances and stuff are public on the blockchain. It only takes one person to write a script to verify that the locked-up amount matches the number of tokens out there. And when it doesn't, alert.
That then means any attacker will have to be very quick with their theft, and if so, there is still a good chance whatever coins they get will end up blacklisted or the transactions reversed by a sufficiently large army of upset users who fork the eth network or the L2 network.
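As an added illustration of the bridge model saurik describes above and of the reconciliation check this comment suggests (this is example code written for this thread, not saurik's code and not anything from Optimism or its forks): an in-memory lock-and-mint bridge where every OETH IOU on L2 is supposed to be backed by ETH held in the L1 reserve. The accounts and amounts are invented, `buggy_mint` stands in for the VM bug (it credits OETH without a matching deposit), and the 7-day withdrawal delay is ignored so the scenario runs to completion.

```python
"""Reconciling an L1 reserve against L2 IOU supply.

Added example for this thread; it is not saurik's code and not any part
of Optimism. It models the lock-and-mint bridge described above with an
in-memory ledger (accounts and amounts are invented for the demo) and
implements the check suggested here: the OETH in circulation on L2 must
never exceed the ETH locked in the L1 reserve.
"""
from dataclasses import dataclass, field


class InsufficientBalance(Exception):
    """Account holds fewer IOUs than it tries to withdraw."""


class InsolventReserve(Exception):
    """L1 reserve cannot cover a withdrawal: IOUs are no longer fully backed."""


@dataclass
class Bridge:
    l1_locked: int = 0  # ETH held by the L1 reserve contract
    l2_balances: dict = field(default_factory=dict)  # OETH IOU balances on L2

    def deposit(self, account: str, amount: int) -> None:
        """Lock ETH on L1 and credit the same amount of OETH on L2."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.l1_locked += amount
        self.l2_balances[account] = self.l2_balances.get(account, 0) + amount

    def withdraw(self, account: str, amount: int) -> None:
        """Burn OETH on L2 and release ETH from the L1 reserve."""
        if self.l2_balances.get(account, 0) < amount:
            raise InsufficientBalance(account)
        if self.l1_locked < amount:
            # The L1 contract cannot pay out ETH it does not hold.
            raise InsolventReserve(f"reserve holds {self.l1_locked}, requested {amount}")
        self.l2_balances[account] -= amount
        self.l1_locked -= amount

    def buggy_mint(self, account: str, amount: int) -> None:
        """Stand-in for the VM bug: credits OETH with no matching L1 deposit."""
        self.l2_balances[account] = self.l2_balances.get(account, 0) + amount

    def l2_supply(self) -> int:
        return sum(self.l2_balances.values())

    def unbacked_supply(self) -> int:
        """Reconciliation: OETH in circulation minus ETH in reserve. >0 means unbacked IOUs."""
        return self.l2_supply() - self.l1_locked

    def is_solvent(self) -> bool:
        return self.unbacked_supply() <= 0


def run_scenario() -> dict:
    """Honest deposits, then an unbacked mint, then a race to withdraw."""
    bridge = Bridge()
    bridge.deposit("alice", 10)
    bridge.deposit("bob", 5)
    solvent_before = bridge.is_solvent()  # True: 15 OETH vs 15 ETH

    bridge.buggy_mint("mallory", 100)  # 100 OETH appear from nowhere
    surplus = bridge.unbacked_supply()  # 100: this is the alert condition

    # Mallory can drain everything the honest users deposited...
    bridge.withdraw("mallory", 15)
    # ...after which Alice's perfectly legitimate IOUs cannot be redeemed.
    try:
        bridge.withdraw("alice", 10)
        alice_can_withdraw = True
    except InsolventReserve:
        alice_can_withdraw = False

    return {
        "solvent_before": solvent_before,
        "surplus_after_mint": surplus,
        "reserve_after_drain": bridge.l1_locked,
        "alice_can_withdraw": alice_can_withdraw,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of `unbacked_supply` is that it trips at the moment of the bad mint, not at the withdrawal: against a real chain you would compute the L2 total supply and the L1 reserve balance at the same block height and alert on any positive difference, well before any withdrawal window (standard bridge or otherwise) comes into play.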
The folks at Optimism would certainly hit the pause button on that withdrawal before it escaped, if there aren't already limits and automatic controls in place. It takes 7 days to withdraw L2->L1 via the standard bridge.
(They have administrative controls for now during development, at some point they're supposed to turn it completely permissionless...)
You don't have to use the standard bridge though; I've withdrawn in less than five minutes using the Hop bridge/network, which I think just involves an additional fee to a middleman (my L1 transaction for it shows it spending ~0.02 ETH). I can't speak to what additional checks that protocol may have that would have prevented conversion of excess OETH though. Here's the FAQ for it:
Edit: O...kay? Apparently the parent of this comment is aware of alternate, much-faster ways of withdrawing L2->L1, and what their constraints are, but still elected to leave those out and imply the one-week lag was a binding constraint?
(Would have posted as a reply, but my comment rate is getting throttled for some reason.)
That's very interesting! Thanks for explaining! Let's assume some people would have wanted to bridge OETH back to Ethereum: with the potentially increased supply would it have meant that all the ETH on optimism could have become potentially worthless?
I do not expect to make any major expensive lifestyle changes as a result of having more money (and to the extent to which I have already been being paid better recently due to working on Orchid, I have only barely done so and usually only quite temporarily), which I realize disappoints some people who had wanted me to post a concrete picture of something expensive I purchase to help motivate others to reach for bug bounties ;P.
(FWIW, I maybe should at some point buy a car--as I currently waste money on renting one; pre-pandemic I was using a combination of ZipCar and Lyft, but both services suck now--but I can't imagine myself buying a pointlessly extravagant car; and, sadly, now is a bad time to buy a car anyway... which I think is related to the ZipCar issue: I imagine they might have sold their fleet? Maybe ZipCar will return in force when prices rebalance.)
Not sure it's actually applicable. That Reddit comment is about poor people winning lots of money by chance, not smart people earning lots of money by working. The risks are very different, not to say that the scale between 2 million and 170 million is way bigger than you seem to think.
Not the guy you replied to, but I don't think he was implying that poor people are stupid. It's more like people who work for their money and earn it step-by-step are better suited to manage and grow it further. Earning money gradually gives you leeway to slowly adjust your lifestyle to your upgraded monetary status.
I'm not sure this is a sound analogy, but imagine someone picking up cigarettes for the first time and building up tolerance over time as they go from one cig a day to two, three, four and so on. Now, compare that to someone suddenly smoking 10 cigs per day. The latter person is more likely to get wrecked from the side effects.
Edit: I checked your profile and saw that you're the co-founder of Industry Dive, damn. I love your newsletters and websites!...especially Payments and Banking Dive.
For most people, gambling isn't a financial decision, it's an entertainment decision. The value of thinking about winning (regardless of how unlikely it is) is worth the $1 cost of a lottery ticket, so labelling gambling a "stupid financial decision" is like labelling owning a TV while poor a "stupid financial decision"... but poor people deserve entertainment as much as rich people.
I'd argue that for most gambling, it's not a decision, but an addiction or false hope financial decision. Those that treat it as an entertainment don't really gamble that much money.
Not sure if that's true by number of gamblers, but my gut says it's mostly true weighted by the amount of money gambled away. I say mostly, because we don't count rich kids / oligarchs wasting money for fun, who might dominate the value chart.
Time to trot out my favourite paraphrase of Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.
Suppose another ape and I are out enjoying the State of Nature, and we both should have a round troy ounce of silver in our pockets, with heads and tails as an agreed convention. Suppose I were to say to the other ape, "on whose face does Fortune shine her rays?" and we were to flip both rounds, such that whoever showed heads had the better of it: were it both of us, we would exchange, but one head and one tails, well, one ape will leave the gamble richer and the other skint.
Tell me toolz, how should you prevent this encounter without committing a human rights violation? Show your work, please.
Why would I prevent this encounter? Did two adults consent to behavior they both felt benefited them? Who are you or I to suggest our ideals are better than theirs?
All I've said is that neither you nor I should be responsible for making this behavior possible - you seem to have misinterpreted my intent completely if you think the absence of a right is the same as a mandate against someone's ability to participate freely as they wish with other consenting adults.
I feel like the difference is that companies are generally intended to be a concerted effort of one or more individuals, as opposed to an actual roll of the dice.
Like, without getting into nits, you can actually directly affect the direction and value of a company, but you can't affect the roll of dice or the output of a random number generator.
Risk in and of itself doesn't imply the entire thing is gambling; that said, investing by itself would be way closer to gambling in that context, imo
Are you being sarcastic? I said it is not a human right - no one should guarantee anyone the ability to start a business as it isn't society's responsibility to pay the cost of some individual's risk tolerance.
I'm saying the opposite of what you seem to be implying. I'm saying anyone can gamble or start a business, but it's no one's responsibility to make sure they have the option to do so.
Most people who are the poorest are usually the ones who know exactly where their dollars are going. They can tell you exactly how much a carton of eggs and milk are.
I don't assume nor do I have to assume anything about someone's intent to know that gambling is stupid. Entertainment can be had in so many forms today that even the poorest of the poor in developed countries can have choice paralysis from having so many options. Gambling is a stupid waste of resources; if you enjoy doing stupid things I have no moral/ethical qualms with your choices, but it's still stupid.
Haha yes. I have only played the lottery, maybe, 10 times in my life. But it is fun sometimes, and in my state the money goes mostly to good causes anyway.
If I'm about to be evicted or declare bankruptcy, does having $1 really change anything? Meanwhile, does having a small chance of staying in my house change anything?
It's easy to say "well, lotteries have a negative expected payoff". And that's true, but it can still have a less negative payoff than a payday loan or having your car repossessed.
That's a generalisation and it's invalid like all generalisations.
That said, it's more likely that someone whose life ended in poverty is not as smart as someone who can live comfortably. IQ generally correlates with income (you can google a few studies).
There are surely tons of reasons that can push smart people into poverty (bad health, poor environment leading to poor choices) but that shouldn't obscure the general trend.
That said, I think over a certain IQ, other traits of your personality or the environment will have the predominant effect in determining whether you'll end up poor or not.
Similarly, over a certain amount of money, I'm sure there will be more variance. Making 5k more than your peers doesn't mean you're smarter than them - and the fact that you're all able to earn a living and save some money means you're all smart.
No, but they usually don’t have great money management skills due to not having said money to manage. It’s not any different than warning first time farmers about all of the ways running a farm can go bad.
That's not what I said either. Again, the Reddit thread is about people with a small amount of money winning a large amount of money. A person like Saurik working for a bug bounty and getting paid for it is not nearly the same scenario.
> Whittaker wasn't a typical lottery winner either. His net worth at the time of his winnings was in excess of $15 million, owing to his ownership of a successful contracting firm in West Virginia.
That Reddit comment is not about 'poor people', though it's true the scale is a bit different.
I come from a poor family and now my family is no longer poor because of my work. I wouldn't say I'm smarter than the average person, but somehow I'm luckier. But with that said, I don't seem to be even smart enough to realize what unconscious bias you're referring to, care to spread some light for me?
I was in jail with a guy who was a total mess. Nice, but seemed pretty mentally-disabled.
One day a new guy came on the block. "Wow, what is George doing in here?" "You know him?" "Yeah, I know him. He is one of the greatest musicians I ever met. He can play any instrument like a savant. I knew him a few years ago, just after he inherited $4m when his father passed. He ended up getting in drugs and everyone would hang out at his house." "Wow, who was his dealer?" "Who was his dealer?! EVERYONE was his dealer!"
I'd been keeping George in coffee, because he didn't have a single cent on his commissary account (which is rare in jail, even the worst criminals usually have someone out there). Poor George had snorted or injected $4m of drugs and everyone had sold them to him and partied with him until all the money was gone and George's brain was cooked and he went around shaking his fist at the sky until he was arrested. And not one of his hundreds of "friends" would put a cent on his account.
Interesting: I knew a guy that came into a lot of money. A serious lot. And he found that he had a whole entourage of new friends. Fancy house, gurus, admirers, tons of interesting investment proposals most of which he accepted. And when he died and the accounts were made up it was all gone. Everything. Not a single person around him that did not in some way take advantage of him. I still have a hard time getting around people not being able to deal with their money, especially because in this case it was quite hard earned. Some of the hangers on still haven't recovered from the fact that their 'source of funds' has dried up.
I wish he'd get a chance. The system just isn't set up to deal with cases like sad old George. I did see him get released, but then he got re-arrested, which isn't uncommon for someone whose mental health issues are being untreated. I bumped into him at court and he told me that he'd been playing guitar and touring with Taylor Swift while he was briefly out, and I went along with it because it really cheered him up to have someone listen to his tale.
Boy do we have the strangest hang ups over people getting lucky. Your link is mostly spinning an untrue story. It’s only a tiny collection of anecdotes, and it’s cherry picking and mostly not true.
This bankruptcy thing is a myth that seems to have been made up and won’t die. I’ve looked into this in the past and the only stats I could find that back it up are based on small winnings, not large winnings, contrary to your redditor’s claims, and the bankruptcy rates were temporary. Get this: the bankruptcy rates went down 2 years after winning between $50k-$150k, and then 3 years after that they returned back to normal. The returning back to normal from a low point was cherry-picked and reported widely as bankruptcy rates going up. Misleading, right? Here’s the Florida study this misinformation was based on: https://eml.berkeley.edu/~cle/laborlunch/hoekstra.pdf
Funny. This exemplifies the HN community and its distaste for startups. It’s because everyone here performs total population averages. Perhaps it’s likely that most HN members do behave as a total population average.
One relies on solving a problem and providing a service. The other one relies on having the ability to go to a convenience store and fork over the cost of a lottery ticket. Not even in the same reality.
I would tend to look at your use of car services more like spending money you can now afford, to deal with cars only temporarily and reap only the benefits, rather than being stricken with the albatross of ownership.
That said, I do concur that Zipcar sucks now, compared to what it was. I've still never used Lyft or Uber, so can't comment on those. Oh wait hold on, I did try once to gift some Lyft rides to someone via the website and was literally unable to successfully give Lyft money. Still, I would say it makes less sense now to buy a car (even electric) than at any other point in history.
> I can't imagine myself buying a pointlessly extravagant car; and, sadly, now is a bad time to buy a car anyway
Get a fun car that can be a hacking project :)
I was suggested a police car by a friend. They are cheap at auctions, more or less well maintained (tax payer money) and have interesting internals (check sites like https://www.dippy.org/upgrade/dipcop.html) especially for electrical circuits where a police-taxi-module lets you hook up to other functions.
And the laptop mount is a geek dream: your laptop right by you, charging, which doubles as a make-do coffee table at the drive through :)
I want to convert an 80s-style car to powerful electric someday, cyberpunk style. Z31 300ZX probably. If I had a lot of money like that I'd build a big garage and do things like that.
Unless you live in the sticks, you probably aren’t “wasting” your money by using rentals and Lyft.
The problem with a car is for most people it’s their most expensive or second most expensive capital asset, yet has a very low utilization rate (often less than 5%). If interest rates rise their op ex in servicing it (fuel, insurance, loan interest) will exceed that!
A few years ago I sold all my cars. I found I only drove at all a few times a week at most (walk/bike instead). Like you I switched to rideshare/rent and it was fine. My motivation wasn't really to save money but just to eliminate the hassle of having all those cars.
Don't forget the property tax. Also, some of those are fix-er-uppers, and basic remodels are $100k's out here.
Edit: Don't want to sound too negative. This is a great windfall. Simply sticking it into an investment account should pull in financial independence/retirement by 5-20 years, depending on his age.
Hopefully, he will just keep creating interesting things, or even maybe use that as a seed to make his next idea come true, so we can all benefit from his cool hacks!
Some people want to learn to live on the cheap to drop out, or to fatFIRE (which is another way to do the same). Personally, I love working and doing interesting things, and being with other people and society itself!
So my personal plan is the opposite of fatFIRE: work until I die regardless of what happens on the side, because I enjoy what I do, so stopping what I do just because something happened on the side would be like punishing myself, then waiting to die out of boredom?
Doesn't seem like such a bright idea to me. Maybe it's different (if you don't like modern society, or maybe other people, or the idea of work itself?).
Historically, 4% withdrawal rate is likely to last you at least 30 years with funds invested.*
Currently people are pessimistic about stock market returns going forward so it could be lower (3-3.5%). And even lower if you want it to last longer than 30 years.
The key is risk. Funds are definitely not risk-free. If you rely on funds to produce cash, chances are that, when 2008 happens, you get to spend a few years living on ramen. Sure, they might recover eventually, but in the meantime you have to sell the car to keep the lights on.
It sounds about right to me. The person replying to you is assuming you don't want to spend any of the $2 mil and only live on interest and being very conservative. 5% a year historically makes sense. Years where you don't get that return, you can spend some of the bank to make up the difference. Other years you should get a little extra to add to the bank. During a drought maybe you reduce expenses. But you should still be able to target 100k most years, unless you get really unlucky. (We currently happen to be living in a time where I think you could get really unlucky, 7.5% inflation and all that.)
> Not even close. There's no reliable way to get a fixed income, and inflation is very high.
The market historically has been going up, so at least historically it's been reliable to get a fixed income. I don't think $2M is sufficient to retire very early, mostly because of bad years and that your initial capital loses value over the years, but it can generate a nice income and most people can have something on the side that generates some extra money as needed. With $4M I would be more comfortable retiring at 40 let's say, depending on cost of living of course.
> least historically it's been reliable to get a fixed income
"Fixed Income" is more about structurally reliable and consistent returns, rather than historical average returns.
An outlier bad year can easily wipe a huge percentage of capital invested in stock--but the younger you are, and the more buffer you have, the less likely this is to be a problem. But don't mistake that for fixed income!
Fixed income usually refers to interest rate products, and as mentioned above in this thread, the inflation-adjusted rates have been pretty bad. Pretty much since the start of Quantitative Easing, I believe.
You mean in bad times when interest rates are higher, you can safely get that much from a million bucks. How during boom times when (at least these days) interest rates are cut to the bone, you’ll have to play the market for any kind of decent return (and take risks associated with).
I'm not rich but I talk to a lot of finance people for work. It all depends on the degree of risk you're willing to accept, and it has less to do with booming than with central bank rates.
You could buy an annuity from an insurance company. A quick Google search shows that $2mil should buy a 40 year old about $70k/year for the rest of their life.
That would be an incredibly awful deal for a 40yo, since it’s not inflation adjusted, so in 10 years you’ll be kicking yourself for having converted real assets into fixed nominal returns.
Annuities really just work well if you are 80+ and want to insure against longevity risk.
State-issued debt from eurozone countries or the US is essentially risk-free. Any of them defaulting would mean they effectively stopped printing cash, at which point one should probably start growing their own chickens.
The highest in CA is 12.3% for anything over $625,370. Most here would be paying 9.3% which would bring the total to a little over a million, so yeah, about a million is right.
Damn, we don't even get healthcare for all that and the billionaires in the state have ways to pay $0.
If this is a reward or payment for services, it is taxed as regular income, not as an investment. The FICA tax (SS/Medicare) will either be paid by the payer (shown on W-2) or the payee as self-employment tax when filing a Schedule C.
Dude that is karma points accumulated throughout your life. Proud that you won! I may have used and enjoyed for FREE some of your software while jailbreaking or bricking mobile devices in my university dorm room (Beijing, 2014). Stay blessed!
Wow, what a find. And save. Very well deserved reward too.
Wondering (some of it aloud), how long was the vulnerability present in the code? Is it possible to know if someone was actually using this exploit to mint OETH's? How would a disconnect of this sort show up? Regular reconciliation (hourly, daily) or perhaps there are other methods.
It existed since November. It is not only possible but I did such a search (and found one such transaction, from a developer at Etherscan, who had seemingly noticed something awkward but not realized it was broken). Search my post-mortem for "etherscan" and it should come up!
Hah! When I added SSL to my site a few days ago, I really cranked those settings hard trying to optimize for "security" on the Qualys SSL Server Test. Do you know what the most secure cipher suite you actually support is (and are you sure the issue isn't that you aren't merely using a particularly-out-of-date copy of Firefox)?
If his browser doesn't support any of the ciphers you have enabled, that's a problem with his version of Firefox and/or his default TLS library. These ciphers have been around for years and are supported by even some pretty old browsers.
Your TLS config is good for now, unless another padding oracle attack comes along and makes those CBC ciphers weak again, or some other vuln.
(your cert is expiring next month btw, might be a good opportunity to set up LetsEncrypt)
Seems to be because of Fedora hardened policy and your site might be supporting SHA1 for use in signatures. One of the three changes with the default tweaks policy that probably makes sense https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2...
When I set the crypto policy in Fedora to Legacy, which lifts those restrictions, I can visit your website.
Chrome doesn't have this problem in Fedora because it ships with its own SSL/TLS specific things bundled (or something along the lines, didn't care to get deeper in the topic).
Interesting! I had gone out of my way to add support for TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384--because I consider older versions of Safari critical for my audience--but the way I did that dragged in TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; I've gone ahead and filtered out SHA1 (so maybe / hopefully this will help).
I can confirm this issue. It’s related to Fedora’s crypto-policies which are more restrictive than Firefox. In this case it seems to be caused by the SHA1 DigiCert root in your cert chain, not by your nginx settings.
Edit to add: It’s possible to run update-crypto-policies --set=DEFAULT:SHA1 and avoid enabling the whole LEGACY policy
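The diagnosis in the comment above is that the SHA-1 signature lives in the certificate chain, not in the cipher list, so the useful check is to look at the signature algorithm of each certificate the server sends. Below is an added example, written for this thread and not taken from saurik's site or from Fedora's tooling, that does this with only the Python standard library: a minimal DER walker reads the outer Certificate SEQUENCE, skips tbsCertificate and decodes the AlgorithmIdentifier OID. The "certificates" in `SAMPLE_CHAIN` are constructed in the script with a tiny DER encoder and have an empty tbsCertificate, so they are stand-ins for the demo only; a real chain would be obtained with `openssl s_client -connect host:443 -showcerts` and converted with `openssl x509 -outform DER`.

```python
"""Report which certificates in a chain carry a SHA-1 signature.

Added example, not part of the original thread. Standard library only:
walks the outer DER SEQUENCE of each certificate and decodes the OID in
the signatureAlgorithm field. The sample chain is constructed below and
is not a real certificate chain.
"""

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first arc must be < 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def signature_algorithm(cert_der: bytes) -> str:
    """Name (or dotted OID) of the algorithm in Certificate.signatureAlgorithm."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return SIG_ALG_NAMES.get(oid, oid)


def inspect_chain(chain_der):
    """[(index, algorithm, uses_sha1), ...] in the order the certs were given."""
    return [(i, alg, "sha1" in alg.lower())
            for i, alg in enumerate(signature_algorithm(c) for c in chain_der)]


def chain_has_sha1(chain_der) -> bool:
    return any(uses_sha1 for _, _, uses_sha1 in inspect_chain(chain_der))


def fake_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING."""
    tbs = der(0x30, b"")
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig = der(0x03, b"\x00")
    return der(0x30, tbs + alg + sig)


# Constructed leaf -> intermediate -> root, with a SHA-1-signed root like the one discussed.
SAMPLE_CHAIN = [
    fake_cert("1.2.840.10045.4.3.2"),
    fake_cert("1.2.840.113549.1.1.11"),
    fake_cert("1.2.840.113549.1.1.5"),
]

if __name__ == "__main__":
    for index, alg, bad in inspect_chain(SAMPLE_CHAIN):
        print(f"cert {index}: {alg}{'  <-- SHA-1' if bad else ''}")
```

With real input, `openssl x509 -in cert.pem -noout -text` reports the same field as "Signature Algorithm"; the script is only useful when you want to run the check over many hosts or wire it into a deploy step, and it deliberately does not validate anything else about the certificates.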
Ah... OK, well, I'm not going to mess with that in the near future (sorry) :(. If it makes you feel any better (or worse!! ;P) my personal website didn't support SSL at all until this past week. I might reconsider the certificate chain I use in another month or so when I have to update my certificates anyway.
Though it's pretty weird that I wasn't sure whether you were referencing geohot's (another infamous hacker, mentioned in the article) rap songs at first: https://soundcloud.com/tomcr00se
Not sure why it's a thing for prominent hackers to have aspirations to become soundcloud rappers.
I’m glad you seem to be happy with your payout, but can we talk for a moment about how much you got? For an exploit like this, especially given how much effort was put into it and how much the market rate of a security engineer like this would be, plus given how much this could be worth on the exploit market, $2 million is literally pennies. This could’ve easily been a bug worth hundreds of millions of dollars. I guess Optimism is lucky that people like you are willing to do “the right thing” even if you’re not being compensated fairly for it, but exploits like these are going to keep happening (and we’ve seen a bunch in this space already) unless bounties go up to match their true value.
If we choose to value everything we touch by way of "the next highest bidder might have paid $X for this" while fully ignoring their intentions (and so allowing black market sales to be in scope for the implied auction), I think you won't actually enjoy the society you end up with :(. Like, as a security researcher yourself, it might feel interesting to posit the exact addition of value we protect per incident, but I think the ramifications on how other work gets valued as well as what adverse side effects result from this mental model are scary.
It is thereby really only "required" (for the world to function) that there is sufficient monetary motivation for people who don't want to spend the rest of their life feeling either the guilt or stress (even if merely due to the ramifications of people finding out) of having done something "wrong" (which I put in quotes as I feel the "code is law" argument that can result at this point isn't actually that useful in a discussion of morality) to bother to then go out of their way to help (as opposed to not searching hard in the first place, looking the other way instead of reporting, or merely hoarding the bug as a parlor trick).
And so like, while I totally see how this bug could easily be worth at least tens of millions of dollars to someone, it isn't clear to me that finding and reporting this bug should imply that I would need to be paid (and "by who?" is a then a hard question to answer even if we think this, one which might bleed into "and how?" a bit as the first answer is probably awkwardly decentralized in scope) the tens (or even hundreds) of millions of dollars that that hypothetical black hat might have figured out how to extract (which I make a bit theoretical as profiting from crypto hacks is harder than people often assume, something I touch on in my article; I think you might have to go for extortion, and even that didn't work for the Wormhole hacker)... most people simply aren't of the moral constitution to be black hats (which is probably a good thing).
(In this case, the main lingering ethics question related to this bounty that I come back to occasionally is that there are projects--such as Metis--that forked Optimism and now compete with it using Optimism's own code and vision... projects that (in the case of Metis) are actually of similar size to it (based on "total value locked", which is imprecise but probably the best measure here for potential impact: Defi Llama lists Optimism at $344M and Metis at $347M) which are still relying on Optimism to motivate the security efforts for their platform... it feels at least awkward to me that they should get a "free pass" here simply because their listed bounties were lower than Optimism's? Like, even if you don't think I should get money from them, maybe they should be helping compensate Optimism?)
Really exceptional response. A surprising number of people aren't aware of moral constitution, practically, even though this was a core topic for at least the last few hundred years. Interesting times we live in.
This post openly advocates being an accessory to fraud to maximize profit.
The true value of exploits is NOT the cost of the damage they could do, because that externalizes various costs to the perpetrator: evade law enforcement for the rest of your life, lose access to friends and family, become a high-value target for traditional organized crime, etc. For many people that is a net negative, even for a 9-figure payout. And that is a good thing, I think.
Yeah... and as the person in question who found and exploited this particular bug ;P, I can definitely state that I would not feel comfortable betting the rest of my life on my ability to safely launder a giant pile of crypto back through to fiat (and then, further, keep that secret for the rest of my life, which shouldn't be downplayed).
I am much happier being able to get a bunch of clean money and then be able to give talks on the subject at conferences and get a lot of "street cred" in the tech community for my effort than spending the rest of my life wondering if there's someone from a real-world mob out there trying to hunt me down to recover the $100M I "owe them".
Yeah: I definitely agree with this, and I think it is an endemic problem to discussion of ethics in technology: we tend to focus on "but I could"--which sometimes ignores the law but even when it doesn't tends to then get bogged down arguing the exact boundaries of the law--without instead trying to judge people on whether they "should" (maybe based on the ramifications it has on other people) or "would".
I just think it is also worth noting that, even if we do accept the false dichotomy, I would not be an effective criminal... which seems to continually disappoint some people ;P. (I'm sorry to be such a let down! lol)
> If you don’t play ball in certain parts of the world, you end up in a river. The price tag is just different.
Aside from the problems of this statement being a completely vague and unspecific and extreme hypothetical, isn’t there a problem with switching from talking about incentives to talking about threats? Being threatened with death isn’t the same as being offered money, and this ground has been well covered by philosophers who point out that there are things wrong with “admitting that” as you call it. Calling it a price tag seems misleading at best. There’s further a massive problem with suggesting a person’s ethics might be based on what someone threatening them with death wants them to do, no? If the action isn’t something you are choosing to do, and isn’t something you would do if not threatened, for any amount of money, then why would you consider it your actions or part of your ethics?
If you say so. It’s the same thing, even if it’s more comfortable to believe it’s not.
It helps to frame it this way, because once you accept that you’d do that, you’re more likely to accept you would do something unethical for a billion dollars if it had no consequences to you. And from there, it’s a binary search to determine exactly what your price is.
Would you be able to say you wouldn’t lie to your wife if it meant you’d walk away with a billion dollars? Certainly this is contrived, but all examples in this territory are contrived.
Yes, but that's not what we're discussing, because then I can counter with:
"Would you sell your mother or your children at any price?"
And I hope - admittedly, that's speculation - I know what the answer to that would be.
So this is now an absurd discussion, whereas it started off from a rational point of view: there exist such people whose ethics can not be corrupted. The fact that you believe this is not the case says nothing about people in general.
You are asking what I would personally do. But it’s better to think of limit cases that everyone would do — such as lie to their wife for a billion dollars. Since it’s guaranteed you fall into the bucket of “everybody”, that means you can locate your ethical price tag.
It’s helpful for people to do this mental exercise. At least, I find it comforting knowing my own price tags in advance.
I had to scroll up and re-read to make sure we were on the same page.
Since you’re misquoting yourself, it sounds like you don’t want to have this debate, or you may not have realized what you said. But “The whole assumption that ethics have a price tag attached is faulty” is not at all the same thing as “ethical people exist.” It’s not a pedantic distinction; one is debating whether people will take compensation for acting unethically, even if they feel they’re the most ethical person on the planet — I think the answer is “yes” — whereas “ethical people exist” is a point no one could disagree with.
It’s a bit unexpected for you to omit your “price tag” words and then continue with my argument.
But we’re past the point that readers are having a nice time reading this. If you’d like to continue, I’m happy to do so, but we need to restrict ourselves to a high caliber of debate, if only for HN’s sake.
If you ever do want to probe deeper into the question of ethics vs cost, I think it would be interesting. But since you keep talking about me rather than the idea, the interest feels one-sided.
Three different people have now made the same point in three different ways and you simply ignore it; consider the possibility that you are simply wrong about something.
Ethics problems typically do not lend themselves to be translated into a caricature of the market economy. The habit of assigning price tags to stuff can help if the original problem is cost related, but it tends to be a crutch when things of a more principled nature are discussed, which would have a valid meaning absent such things as money or physical rewards. As long as you keep framing it like that you won't get further.
That’s a very interesting question. Thanks for that.
The way I view it is that it’s important to seek out yours ahead of time — to game out different scenarios, and to consider whether you would do X or Y if forced to choose. That way, when you’re in a situation where you feel like compromising, you’ll remember your limits.
In other words, I was less tempted to act unethically in the moment than I would have been if I’d been surprised by the opportunity.
This is especially important in scientific circles. It’s often trivial to falsify data, and the rewards for doing so are generally high. It’s also not always an active, conscious decision; it’s easy to make small mistakes that have favorable outcomes for yourself.
The exercise has helped me steer far away from any of those. I’ve watched peers fall into a trap that I’d label “scientific hype,” i.e. claim that you’re doing something impressive when in reality you’re nowhere close. This is a very easy mistake to make, and if I hadn’t mentally found my boundaries ahead of time then I’d have been vulnerable to making the same error. Or I may have stayed silent when my peers were doing something naughty.
Positive and negative consequences are not the same thing in ethics.
Compare “kill this person to save your son’s life” with “kill this person to earn $1 million.” They’re not equivalent, even if both might be metaphorically referred to as a price.
On the contrary — the decisions you have to make to avoid negative consequences are often the best test of your ethics. Consider how many people would’ve been punished for speaking out against what plantation owners were doing in the 1800s, for example.
The illusion that they feel different is extremely powerful. It’s worth resisting. It helps uncover all kinds of ways that we contribute to unethical behavior, if only through inaction.
The concept of having a price attached to your ethics is essential. Without it, people fool themselves into believing they’re above temptation. In my experience those same people tend to be the most vulnerable to it.
> If you don’t play ball in certain parts of the world, you end up in a river.
OP branched here: "it's not as if the choices were 'commit crime / get bounty'."
Any example relevant to OP's branch cannot end with the subject in a river. The very fact that you are discussing it proves we've jumped to the other branch of the conditional-- the one where the choice is exclusively between `commit crime / get bounty` (by threat of death in your example)
How are you going to turn that into actual goods and services though? You'll still need to go through an exchange with KYC and AML and the IRS will still be asking questions.
IRS doesn’t care as long as you pay taxes on the money.
KYC and AML? Just lie that you mined the monero on a now defunct pool. I have plenty of coins that I genuinely acquired in such manner and haven’t had issues selling them. The bank only cares about hearing a vaguely consistent story, they aren’t cops.
The KYC stuff will only become a problem if you get caught via some other means, because lying to the bank is a crime.
> IRS doesn’t care as long as you pay taxes on the money.
Lol, you never actually handled the sums the submission is about, right? The IRS will definitely ask questions about where the money you spend comes from, if you end up on their radar. And if the answer is not satisfactory, they will grill you on it.
IRS isn’t going to do a deep dive into your purported monero mining activities unless you go out of your way to give them cause to do so.
And even if you did, there’s no way for them to ever prove where your monero came from unless you fucked up during either the hack or the swap to monero.
Even if the IRS suspected that you’re lying to them, how could they prove it?
Again, depends on the amount of money. Sure, there is not gonna be a lot of action from the IRS or any other government entities for $2 million. But when we're talking about $100 million, you start to ruffle some bushes. So they will start to dig where it comes from. If you describe that you got $100 million from mining Monero, you're gonna have to show proof that you have the equipment to actually get that, over the timeframe you're claiming you have mined. If it doesn't match up, they'll dig deeper.
But yeah, I'm not claiming it's impossible to clean stolen ETH. The only claim I did was that the IRS will definitely start asking questions if you go from a declared income around average in the US to a declared income around $100 million from one year to another. To believe that they are just gonna accept "I mined it lol" is a grand delusion.
Yeah, you probably don’t want to cash out $100 million at a time. That is obviously going to draw attention.
But $10 million a year? Perhaps much more if split over a couple of jurisdictions? No problem.
In the end this was about stolen $100 million being worth more than totally legit $2 million. I firmly believe that it would be downright easy to safely cash out $2 million a year from the stolen $100 million.
> To believe that they are just gonna accept "I mined it lol" is a grand delusion.
Unless you keep evidence of your crimes sitting around, at some point they’ll have to.
Assuming you use monero correctly, no amount of forensic analysis will be able to go back from your funds to the original crime.
And besides, the “early miner” story is hardly incredible. Many people have recovered huge sums of money from old hard drives.
> If you describe that you got $100 million from mining Monero, you're gonna have to show proof that you have the equipment to actually get that, over the timeframe you're claiming you have mined
This isn’t really a problem as long as you claim to have started mining early enough, fairly basic hardware would probably suffice.
Land will be harder (though not impossible) to purchase with crypto. Next, find a construction company ready to accept payment in crypto. Mansion attained. Perhaps, buy said mansion in Keene, New Hampshire where more crypto users live.
Swap to monero, buy an NFT from yourself, convert to fiat, pay taxes. Now your money is clean, taxed, and you have an explanation for where it came from.
No, money laundering is never this easy... I see people on internet forums always suggesting stuff like this: swap to monero >> NFT (or whatever else) >> clean money... Sounds good in theory but in execution, you'll likely make a mistake along the way and get caught.
The mistake has to be in the early stages, it should be impossible to get caught in the “cash out monero” stage.
Even if the government figures out that you have unexplained assets, that isn’t the same as getting caught. Having unexplained assets is generally not a crime, and monero can make it impossible for the government to figure out where you got that money from.
In past threads I’ve heard about exploit brokers and how their rates are typically much higher than bug bounties. If Hacker News commenters know about these avenues I’m sure bug hunters can find ways to cash out for more money. Calling it unclean is stupid anyways, since the company clearly isn’t paying enough for bugs in their own service…this is the same kind of thinking that leads to “responsible disclosure” and all that junk.
It's not just any white hat hacker, it's saurik who was behind the original jailbreaking tools for iOS and the creator of Cydia, the unofficial app store back then. He is also now the "CTO" (if the term applies) of a well-known blockchain-based VPN, Orchid.
Edit: He has a great write-up about the vulnerability and its discovery on his blog:
I think the simplest explanation is that it's a VPN system with a "blockchain based" payment system such that anyone can be a user or a provider without having a central intermediary. I haven't dug into the specifics yet, but that's my high level understanding.
CXO titles in organizations do not exist without a board of directors. Businesses otherwise simply have members, managers, employees, contractors or vendors, or volunteers. You can pretend you're a CEO/CTO, but if you answer to no board, you're not.
> Owners of an LLC are called members. Most states do not restrict ownership, so members may include individuals, corporations, other LLCs and foreign entities. There is no maximum number of members. Most states also permit “single-member” LLCs, those having only one owner.[1]
TIL, thanks. I would have assumed those are called "owners", so thought you meant "members" in the fake sense of employees, as ISTR some large American corporates (Walmart, Amazon?) using it. Though I notice now that you actually mentioned employees, too, explicitly; I must have totally missed that.
I remember walking down the main street in my hometown on my way to drink at a bar and seeing saurik and some friends at a bar all with their laptops out and hacking on something. What caught my eye was a terminal open and a Vim session. I walked up and we all chatted for a bit. Back in the day you didn't run into that very often where we lived so it was pretty cool to see. That boosted my conviction for my choice of IDE and I started bringing my laptop out to the bars in the evenings as well. Years later my friend and I built a business and pretty much all the code was written in the evenings at one of those bars. You can be social and code at the same time it turns out, and coding prevented me from drinking too much while I was out. No real moral to the story, just an anecdote I wanted to share. That said, congrats on the bounty saurik!
It's cool seeing people coding 'in the wild'. I was on a train in Sydney once, and I saw an older man writing some VBA for a Microsoft Access database.
"What are you coding there?"
"Oh, I'm writing an application to manage patients at my dental practice"
"You're a dentist?"
"Yup"
I started my devops career path in 2017 by looking over the shoulder of a woman working on her laptop on the train. She had a tmux session on one side of the window, and a doc page open for something called kubernetes on the other. I googled it, and here I am now.
Wow, the only time I have seen anything like that in a bar was the bar everyone went to after a functional programming conference! The only geeky things I've seen “in the wild” are swag (like AWS T-shirts).
Thanks. As somebody with a very basic understanding of ETH, it seemed super unlikely that a L2 would be able to mint arbitrary ETH. (That would obviously be a vulnerability in the L1.)
I can understand the anger at Proof-of-Work cryptos, or perhaps the current somewhat "wild west" state of them, where fly-by-night operations work to separate people from their money, but ultimately I see them as the wave of the future.
Ultimately I think the cryptos that see the most success will likely be those that can be better regulated, which is somewhat at odds with why crypto came about, but without some protection it would be like an unregulated stock market.
My theory is that crypto breaks the hacker ethos. Crypto is about money, including all of the dark and unsavoury parts of it. The largest decriers I have seen are usually technologists. The average punter doesn't really seem to care that much.
If it's "regulated" what good is it? It seems imminent that both the US and China will have highly regulated digital currency soon so that they can retain control and track citizens' cashflow. I think at that point crypto with the possible exception of bitcoin as a sort of "digital gold" will go into a death spiral. Certainly blockchain might survive though.
In case you hadn't seen it, there's a rather well-received video called "Line Goes Up - The Problem With NFTs" (https://www.youtube.com/watch?v=YQ_xWvX1n9g). It really covers crypto in general and treats NFTs as a crypto offshoot. It's 2 hours long but still feels rushed.
Dan's general attitude is that crypto isn't revolutionary and isn't really trying to be. It's not trying to democratize money. It's trying to build a system with the same power dynamics as the current system, but with different people at the top of that power structure. His take is that crypto doesn't solve any of the problems with the existing systems and just creates a bunch of new ones.
My recollection is that he doesn't spend much time on the energy use (he touches on it but IIRC doesn't dwell on it). He does go deep into the "wild west" state of them. His attitude seems to be "wild west" isn't a transitory phase; it's the end state of crypto.
I don't think he says it in that video, but in a subsequent interview, Dan pointed out a danger with this and all deflationary currencies - they reward early adopters and people with a lot of capital. People who buy in late (either by choice or because they were simply born later) have a compounded difficulty in "catching up". He says he's worried about a future where crypto isn't an option and everybody needs to use it to some extent in day-to-day life. Moms and dads - or toddlers - who didn't "get in early" will be at a significant disadvantage.
---
Personally, my main concern is with PoW. It's fine to say that PoS will eventually replace PoW, but that's not the situation right now. PoW is wasteful by design, and that just rubs me the wrong way. It's great that miners tend to use more renewable sources on average than the average utility customer, but they're still using an awful lot of nonrenewable sources as well. I guess I just think about all the other things we could do with that electricity and it seems like such a waste.
My secondary concern is with the hype machine in overdrive. It feels a lot like the dotcom bubble to me - people making all kinds of wild claims about crypto, NFTs, web3.0, etc. Everybody so desperately wants it to be the next big thing because they smell an opportunity to make a buck. But it feels very cart-before-horse to me. It's not clear to me, for the kinds of problems that crypto is trying to solve, that crypto is the best solution to those problems. How many use cases really call for a decentralized, trustless ledger?
This article (https://thecorrespondent.com/655/blockchain-the-amazing-solu...) mentioned a couple of projects that got greenlit due to blockchain hype, yet either don't have anything to do with blockchain or else use blockchain in pointless ways - such as having a small, fixed pool of trusted mining nodes controlled by one entity.
> It's great that miners tend to use more renewable sources on average than the average utility customer, but they're still using an awful lot of nonrenewable sources as well.
And they're crowding out better uses of those renewable energy resources, too.
> Had the issue not been promptly resolved, malicious users on the chain could have exploited the flaw. This means a cyber actor could have gained access to the unlimited generation of fresh ETH tokens.
I am curious, would it be easy to detect an individual who was exploiting this vulnerability?
In my post-mortem I go into this a bit: someone had actually triggered the bug (on accident while debugging the Etherscan block explorer) but it hadn't been noticed by anyone (and the person at Etherscan didn't realize the ramifications). I believe, due to the atypical mechanism used to store the account balance state on Optimism (which is discussed in detail in my post-mortem as this is also what I claim to be the root cause of the bug), it would have taken quite a long time to notice someone taking advantage of this issue if they weren't being egregiously ostentatious with it (and even then it would have taken "too long" before tons of extremely-difficult-or-arguably-even-impossible-to-unwind economic confusion and damage would have resulted as the whole ecosystem is so heavily automated).
There is some discussion about this above, but I'm curious - does the $2M reward count as ordinary income? Would persons on work visas (i.e. H1B) be able to collect without jeopardizing their immigration status? Could your employer consider it moonlighting?
That's not exactly accurate either - if I understand the situation correctly, it's a bug that allows counterfeiting of the contract's outputs. This could be a higher magnitude event if the counterfeiters could generate more purported liabilities than the contract can cover.
And it will probably be a lot easier to spend that $2M than $100M of exploited ETH that might have to be laundered clean, and still have some risk attached.
The bounty amount was denominated in USD and is being paid in USDC (a stable coin, which means it is intended to map effectively 1:1 with--in this case--USD).
It can be used in smart contracts, DeFi (such as a decentralized crypto exchange or earning interest), and can be used for very fast transfers between centralized exchanges/services that might not allow actual USD deposits/withdrawals or that require waiting for an ACH transfer to go through. Several cryptocurrencies are good for transferring between centralized services, but USDC will be price stable in comparison. Fees can be a problem though.
The problem is other stable coins are not transparent, and are very likely not fully funded so they can collapse any time. USDC is by Coinbase and a little more transparent, thus less likely to collapse in case of mass withdrawal.
Banks or stock exchanges would just revert any bad transactions like they do with most scams, thefts, or accidents. It is built into the current system by design.
They revert the money (if they like you), but usually if money flows one way, something else flows the other way, and they can't revert that half of the fraudulent transactions without great expenditure. Often it's not worth it and they just write it off and the whole economy bears the cost.
I'm not saying it's a better or worse plan than whatever might happen under an alternative system, but just that it's not exactly a clean solution either.
Just imagine for a second if there was a bug in the US Treasury that let anybody order the treasury to print new money and deliver it to their bank account. That would rightly be seen as total incompetence by the treasury and cast doubts on the soundness of the entire monetary system.
But with ETH we have the community patting themselves on the back for it. It’s madness.
You are making a false equivalency when you compare crypto with usd.
Are you sure there doesn't exist such a bug in the US Treasury? They would never in a million years let the public know if an exploit occurred, there's zero transparency
I think your premise is fundamentally wrong there. Say I buy something with my credit card but it's never delivered. My bank will reverse that transaction - exactly because half of the transaction never occurred.
The way that the credit card system works in the US is fundamentally biased towards consumer protection, because that's an explicit policy objective. The same with the Direct Debit guarantee in the UK, or the various laws which limit the maximum exposure due to fraudulent use of payment cards.
And when exchanges break trades, they undo the entire transaction - you don't end up with one party out cash or shares.
The lack of agility shows up when I buy something with your credit card number. It gets delivered, and then the bank reverses the transaction because they later learn that I'm not you.
Now I get a bank-subsidized thing and you're not missing any money. It creates a drag on the whole economy, because instead of doing productive work to get the thing, it's often easier to play games with the system.
The fact that credit cards use a symmetric key to authorize spend is a glaring flaw. The technology to fix it (asymmetric key cryptography) has been around for decades. But instead of fixing it, the credit card companies just keep writing off the instances of fraud.
In the situation you describe, the one who is "out" is the merchant. In the card-not-present situation, the merchant has the option to use tools like CVV and address validation to reduce the risk in the transaction, and always has the option to decline a transaction that seems risky.
That seems, to me, like a sensible risk balancing approach. In the cryptocurrency "all sales are final" world - you're the loser. I don't really see that the economic drag is larger one way or the other.
AFAIK the use of symmetric key cryptography in card capture and payment processing is not in any way a significant factor in payment card fraud - where do you get that information from?
Whether it's the merchant or the bank that's left holding the bag often depends on the particulars like whether it was a chip or a magstripe transaction, but the larger point is that in card-not-present scenarios you can't pay once without also exposing secrets that allow whoever gets them to make subsequent transactions without your permission.
Better would be to have whatever secret authorizes spend (private key) be separate from the account identifier (public key) and to push money, rather than sharing a symmetric secret which authorizes whoever has it to pull money.
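The two authorisation models contrasted in the comment above (a shared secret that lets whoever holds it pull funds, versus a private key that signs a push order while the public key is only an identifier), as an added example that is not part of the original thread and not code from any card network or issuer. It is a toy in-memory "issuer" using Go's standard-library ed25519; the account names, amounts and the "card secret" are constructed sample data, and the nonce scheme is one simple replay defence, not a description of any real payment rail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// --- Model 1: shared-secret "pull" (the card-number model) ---

// PullIssuer stores, per account, the one secret the holder hands to every
// merchant. Anyone who has seen that secret can present it again.
type PullIssuer struct {
	secrets  map[string][]byte
	balances map[string]int
}

// Pull debits `amount` from `account` when the presented secret matches.
// Nothing binds the authorisation to a payee or to a single transaction,
// so a second presentation by anyone holding the secret also succeeds.
func (p *PullIssuer) Pull(account string, presented []byte, amount int) error {
	s, ok := p.secrets[account]
	if !ok || subtle.ConstantTimeCompare(s, presented) != 1 {
		return errors.New("authorisation failed")
	}
	if p.balances[account] < amount {
		return errors.New("insufficient funds")
	}
	p.balances[account] -= amount
	return nil
}

// --- Model 2: signed "push" orders (private key authorises, public key identifies) ---

// PushOrder is what the payer signs: payee, amount and a per-account nonce.
type PushOrder struct {
	Payee  string
	Amount uint64
	Nonce  uint64
}

// bytes is the canonical encoding covered by the signature.
func (o PushOrder) bytes() []byte {
	b := make([]byte, 16, 16+len(o.Payee))
	binary.BigEndian.PutUint64(b[0:8], o.Amount)
	binary.BigEndian.PutUint64(b[8:16], o.Nonce)
	return append(b, o.Payee...)
}

type PushIssuer struct {
	keys     map[string]ed25519.PublicKey // account id -> public key
	nonces   map[string]uint64            // next expected nonce per account
	balances map[string]uint64
}

// Push applies a signed order. A merchant who saw one order cannot alter it
// (the signature covers payee and amount) nor replay it (the nonce is consumed).
func (p *PushIssuer) Push(account string, o PushOrder, sig []byte) error {
	pk, ok := p.keys[account]
	if !ok || !ed25519.Verify(pk, o.bytes(), sig) {
		return errors.New("bad signature")
	}
	if o.Nonce != p.nonces[account] {
		return errors.New("replayed or out-of-order nonce")
	}
	if p.balances[account] < o.Amount {
		return errors.New("insufficient funds")
	}
	p.nonces[account]++
	p.balances[account] -= o.Amount
	p.balances[o.Payee] += o.Amount
	return nil
}

// Outcome records what each model does when merchant "shop" reuses what it saw.
type Outcome struct {
	PullReplayAccepted bool // shared secret: a second pull succeeds
	PushLegitAccepted  bool // signed order: the genuine push succeeds
	PushReplayRejected bool // signed order: the same order again is refused
	PushTamperRejected bool // signed order: edited amount with old signature is refused
}

// RunScenario plays one purchase through both models with constructed data.
func RunScenario() (Outcome, error) {
	var out Outcome
	secret := []byte("4111-1111-1111-1111/123") // constructed "card number + CVV"
	pull := &PullIssuer{secrets: map[string][]byte{"alice": secret}, balances: map[string]int{"alice": 100}}
	if err := pull.Pull("alice", secret, 30); err != nil { // alice's real purchase
		return out, err
	}
	out.PullReplayAccepted = pull.Pull("alice", secret, 30) == nil // holder of the secret pulls again

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	push := &PushIssuer{keys: map[string]ed25519.PublicKey{"alice": pub}, nonces: map[string]uint64{}, balances: map[string]uint64{"alice": 100}}
	order := PushOrder{Payee: "shop", Amount: 30, Nonce: 0}
	sig := ed25519.Sign(priv, order.bytes())
	out.PushLegitAccepted = push.Push("alice", order, sig) == nil
	out.PushReplayRejected = push.Push("alice", order, sig) != nil
	tampered := PushOrder{Payee: "shop", Amount: 70, Nonce: 1}
	out.PushTamperRejected = push.Push("alice", tampered, sig) != nil
	return out, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point the toy makes concrete is the one in the comment: in the pull model the issuer cannot distinguish the holder from anyone who has seen the secret, so the only defence is after-the-fact reversal; in the push model the secret never leaves the payer, each authorisation names its payee and amount, and the nonce makes the signed order single-use.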
"Do you think that a bank or a government would've handled fixing such a flaw as well as Optimism did?"
It's irrelevant. We don't use 'algorithms as ownership' in the real world. We use social agreements like contract law to undo problems.
"All tokenization schemes are ponzi scams including USD, it's just that some use violence to stay relevant, and other use bug bounties."
We use the law to maintain civil infrastructure. Yes, if someone wants to murder you or someone else, or launder billions, we'll use violence to stop them.
An algorithm that is effectively used as a Pyramid Scheme is not going to save you from anything.
It can take years for contract law to get in front of a judge and be enforced; often the damage that can be done in that interval is significant. So I think the timeliness is indeed relevant.
As for your murder comment, I'm not saying that violence is strictly unnecessary, just that the coincidence of "we have the guns" with "we issue the ponzi tokens" is probably not the only way to enforce the law.
> the coincidence of "we have the guns" with "we issue the ponzi tokens" is probably not the only way to enforce the law.
Not "the only way", perhaps, but AFAICS the only way that makes sense. Sure, "the law is an ass" and "the querns of law grind exceedingly slow" and all that... But still, it's the worst alternative except for having no law, right?
So if you want the rule of law, the law needs to have the biggest guns. And why would anyone want anyone but the law to issue the tokens of lawful commerce?
Not yet, but I don't think that we're too far away from using USD, GBP or any fiat currency as a unit of account at the POS and letting software handle ensuring that the buyer loses whatever assets they want to pay in and the seller receives whatever assets they want to be paid in.
But that's orthogonal to how quickly the maintainers of these tokens can make changes in response to threats.
Over a decade later and I still cannot use any of them at the restaurant or without waiting in the queue for the transaction to settle and paying more for the fees than the goods itself.
It took 100 years for steam engines to start outperforming horses, why is it so damning that crypto isn't yet outperforming fiat after a decade and change?
Please stop using "crypto" and "fiat" as if they were opposites. "Crypto" is just as "fiat" as any Royal Mint; it's just that the fiat-ers[1] are different people. They just want to muscle in on the "make the tokens that everyone else's transactions are counted in" business niche, because they reckon the makers can always somehow skim a bit off the top.
___
[1]: lit. "makers": "Fiat" is Latin for "let there be made", a form of the verb "to make". It's a cognate of modern French "faire", Italian "fare", etc. (Related words are "fact" and "factory".)
Bitcoin has a system built on top of it called Lightning, which allows for millions of cheap transactions per second inside of payment channels. Only the opening and closing of channels requires a transaction on the blockchain.
It is, all Lightning transactions are valid Bitcoin transactions. Strike merely uses the Lightning network, similar to how Coinbase uses the Bitcoin network. Coinbase and Strike aren't available everywhere, but Bitcoin and Lightning are.
I agree the government would be way worse at dealing with this flaw - but they probably would have just reversed whatever exploited transactions they needed.
Or even just printed some more money to make everyone pay at the latest.
To be fair we should be wary of both systems. Crypto isn't something sustainable in the long run. USD isn't a ponzi scheme, it is backed by commerce. Crypto isn't; the many sales and trades of goods are what dictate the value of the currency.
I think it's a bit pointless to argue about whether cryptocurrencies are Ponzi schemes or not.
What I would say is that most cryptocurrencies have no fundamental value, and are therefore bubbles. I don't know what the term is for when someone deliberately creates an asset bubble with the intention of profiting from it. It's something like a very long-form, deliberative pump-and-dump.
I agree that the majority of cryptocurrencies are vaporware at best and deliberate scams at worst, but to claim that "All cryptocurrencies and 'DeFi projects' are ponzi scams including Orchid" is outright wrong.
Tokens are used to have a stake as an indexer (data provider) and to pay for query fees (data consumption), and if indexers tamper with the data they lose their stake.
It was released last year and has a long way ahead to mature, but it's an amazing product and tokens/blockchain is essential to its decentralized nature. Simply put, there is no way to accomplish this if the network didn't adopt its own cryptocurrency.
Again, this can be done without using a blockchain.
Just like all the other coins, the only use case is burning up the planet by using Ethereum, BTC, etc, racking up high fees and being used by speculators while everyone else who invests in the ponzi scheme loses their money when it all crashes.
>Again, this can be done without using a blockchain.
How so?
I won't bother with the rest of the post as it's your usual crypto bad spiel that has absolutely nothing to do with the discussion we're currently having and has absolutely nothing to back up its claims (as do the rest of your posts, which I'm surprised aren't flagged/dead yet considering their low quality, but I guess HN is ok with them since they're anti crypto), but I'm curious to see how you would build a decentralized system that lets developers build data indexing programs, allows anyone to join the decentralized network as a data provider to run those programs, and lets consumers query that data from the network while also ensuring that the data is valid and hasn't been tampered with by the providers without blockchain/tokens.
You thought wrong, since nobody in this space actually cares about the technology.
Like all the others, most people are just speculating on the token price, asking if it is a good investment, etc. You would have to be lying to yourself to believe that people care about the technology.
Could you tell me why this project needs a token attached? Even if we were to look at the price, the painful truth is that most (if not all) people who invested lost most of their money on this shitcoin, and this is excluding the punishing gas fees so it could be even worse. I hope this doesn't include you as well.
As I said, querying blockchains can be done without the need to attach a token to a project. BitQuery is an example of this without trying to burn up the planet with Proof of Waste.
If you are in support of the Graph you are also in support of the ponzi scheme.
And there is no human coordination mechanism without the freely convertible currency
Blockchains provide the open source rails of all the account management and distribution, easing development costs. The infrastructure is already built compared to alternate ways of attempting to do this
I was looking into Helium yesterday due to news coverage. "Proof of coverage" is a bunch of hot air, sorry. It's not resistant to Sybil attacks and GPS location is easily forged. Seems like a scheme to push hardware units that will topple once the token value runs out.
Sort of, Helium no longer sells hardware and the community votes on third party manufacturers to be approved for authorization on the Helium network. This has helped distribute hardware delivery more than any single organization was prepared to do, with the semiconductor and supply chain issues.
There is definitely an opportunity to sell overpriced hardware into the community then.
There are some other antenna-blockchain systems out there that look more like "schemes to sell hardware", such as Match X. There is a big and burgeoning market for these "passive income" things, people install hardware to earn a cryptocurrency.
It is definitely worthwhile to sell the hardware if you can.
> Why do I have to pay more fees to swap tokens on decentralised exchanges making them unusable
Wait for ETH 2.0. It's a really difficult problem to solve. In the meantime though, use Polygon (or other side chains). Swap tokens for a cent or two.
> how exactly is DeFi decentralised
Take a protocol like app.uniswap.org or pooltogether.com. If you have an internet connection, no one can stop you from using these protocols (and many other protocols). No arbitrary rules imposed by governments or companies. Your funds are your funds, there are no arbiters (just tens of thousands of Ethereum nodes which are responsible for settling transactions).
> What is the process of getting your money back from a hacked DeFi project?
Use protocols that have been around for a long time and have hundreds of millions, billions, or even tens of billions of dollars locked in. That decreases chances of you losing funds. But it is a problem, I agree, hopefully somehow we will make it better.
> Why do I have to pay more fees to swap tokens on decentralised exchanges making them unusable
So I still have to wait until at least 2023 (2025 or 2026 for a realistic possibility of merchant adoption) for ETH 2.0 to be used?
I don't think merchants would want to wait for something that is not complete and unregulated.
You do realise that ETH 2.0 has nothing to do with lowering fees? So all the DeFi apps using it will still be unusable anyway.
> If you have an internet connection, no one can stop you from using these protocols (and many other protocols)...(just tens of thousands of Ethereum nodes which are responsible for settling transactions).
Aren't most of these Ethereum nodes and DeFi exchanges on AWS like dydx? It went down a few months ago no? [0]
That doesn't sound decentralised to me.
> Use protocols that have been around for a long time...That decreases chances of you losing funds. But it is a problem
So I can't get my money back then? I see DeFi hacks everyday and not getting my money back doesn't help either.
Makes robbing a bank less attractive for criminals, so they instead target DeFi projects.
ETH is not the only chain out there. Transaction fees on Polygon and Harmony average between $0.001 - $0.02, and have all the things you'd expect from DeFi like Uniswap, Curve, and Aave.
The decentralized part of DeFi is the smart contracts. If you can interact with the contracts without any centralized help, then how exactly is it centralized in your opinion?
In other words: ETH was an insecure blockchain and once compromised, there is no legal or operational recourse, with the implication that issues could indeed exist today. House of Cards.
From the bounty: "The Summary On 2/2/2022, I reported a critical security issue to Optimism—an "L2 scaling solution" for Ethereum—that would allow an attacker to replicate money on any chain using their "OVM 2.0" fork of go-ethereum (which they call l2geth)."
No - sorry - ETH doesn't get a 'pass' on this.
The 'Rest Of The World' is tired of the Crypto Scam Delusion masquerading as something reasonable and watching these critical failures getting swept under the rug.
This issue demonstrates that critical failures will exist in the wild (and it's wrong to suggest that they won't come up in the future - they will) creating an existential flaw for systems in which there is no intrinsic remedy. Forks by 'completely arbitrary central powers' entirely defeat the purpose.
Just last week we had the FBI arrest criminals laundering literally billions in Crypto.
It's a tiring fraud absorbing enormous amounts of attention and energy for no apparent benefit but entertainment.
The concept is currently fundamentally flawed, it belongs in 'side project' territory for now, not in the mainstream.
By definition an "L2 scaling solution" is not the Ethereum blockchain.
Ethereum itself clearly is a secure blockchain given the fact that it has not been exploited directly ever, as far as I am aware. Smart contracts running in the EVM obviously have exploits galore, but that is different from Ethereum itself being vulnerable. Just like it is different when the Java Virtual Machine itself has an exploit (uncommon) vs when a program that runs in the JVM does (very common).
You can of course argue that the lack of inherent soundness / correctness in Ethereum smart contracts makes the entire chain less useful since running smart contracts is kinda the whole point, but then you should make that argument rather than saying dumb things like:
This was a critical success for Optimism's bug bounty program, if anything? No one got rug pulled. Optimism's liquidity could have been drained in the worst case, and still ETH L1 would remain unaffected.
I think it speaks to the reality of a development process led by humans in uncharted territory. Figure it out, audit it, test it for a long time, eventually cross fingers and blow the fuses. After that, either it successfully becomes a permanent public fixture, or maybe there's a small chance it implodes one day, who knows?
Certainly anything that's absolutely mission critical should not live on these L2 networks yet.
"I think it speaks to the reality of a development process led by humans in uncharted territory."
Yes, exactly, and that's why we can't have distributed systems with 'no central authority' - if those systems are inherently and always faulty there needs to be intervention of some kind by an 'authority'.
There is no such thing as a trustless system, the whole thing depends on webs of trust.
I guess we’ll find out Soon(TM). Trustless computation is the plan. Maybe it’s possible to build a system that’s correct/antifragile enough, when you restrict yourself to some hundreds of lines of code tops?
This is like saying that because someone is able to write buggy money transference software that lets users change their own account balance within _that buggy software_ that your personal bank is now insecure.
I expect that my bank is not perfectly secure. And when it fails, there will be ways to redress the problem, i.e. account insurance, bank refunds, legal recourses etc..
Blockchains have 'no way out'. When there is a problem, it breaks everything. Recently, there was a grift on ETH and to overcome the problem, there was a massive fork, which is enormously hypocritical because it implies that there are 100% 'Central Authorities' with ETH, who are unarmed, unrestrained by any regulation or oversight, policy and probably any legality. Etc.
The only way for Blockchains to maintain their ideological integrity is if they are 'perfect'. But they are not 'perfect' and require 'maintenance and oversight'. Ergo they are self defeating their own purpose.
Ultimately, it's a ruse or will mostly be used as such.
Ethereum has forked to roll-back hacks in the past, likely for something as big as making ETH from thin air they'd do the same with even less hesitation.
Yes, and they can do it for whatever reason they want. One might argue therefore that ETH is centrally controlled, and with considerably less oversight and reasonable oversight than, for example, most central banks.
Funny how that "consensus" seems to be defined as "among those who have the most". So how is that any more decentralised, any less of an oligarchy, than the old system?
https://news.ycombinator.com/item?id=30289240
My (I'm the hacker) article / post-mortem this blog post is referring to:
https://www.saurik.com/optimism.html