This was a multi-week long social engineering scam targeted at Thomas. Thomas has a Discord for a drone transportation startup, and the scammers proceeded to embed themselves in the community and provide valuable labor such as web design and graphics design in order to earn his trust.
Thomas's wallet is public and advertised on Twitter via his ENS domain. He had $100M+ in aETH, a derivative token provided by Aave when you lend out your assets for interest. The aETH is redeemable for the underlying asset.
The scammers created a fake NFT project associated with space and drones, and proceeded to give Thomas a free one, but asked that he stake it (or deposit it into a smart contract), to earn yield in the form of Armstrong ETH, a token they made up that had the same acronym as Aave's (aETH).
The catch was that when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them. However, what wasn't normal is that the approval was actually for Aave ETH.
If he had only looked at the front end of the scam site, it wasn't obvious what was going on. However, a quick glance at Etherscan revealed that he had signed off on an unlimited spend approval for Aave ETH.
Luckily, he had done so on a fresh wallet and not his main wallet that has $100M in aETH. When the scammers tried to get him to stake a second NFT from his main account, he got suspicious and discovered the truth.
This scam was specifically targeted at Thomas, and orchestrated over multiple weeks, for the specific assets in his primary wallet.
A couple of takeaways:
- divide your assets across multiple wallets. New wallets are free. Don't put all your eggs in one basket.
- use a hardware wallet or an audited, battle-tested smart contract such as Gnosis Safe for storing significant sums of money.
- always verify your transactions
- avoid associating your public identity with your main wallet / vault address
- be careful, scammers are getting more creative and advanced in technique including standing up professional front end websites to give the appearance of legitimacy
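The "always verify your transactions" takeaway above is concrete enough to automate. As an added example (not code from the original comment, from Aave, or from any wallet), here is a small Python decoder for the `approve(address,uint256)` calldata a wallet asks you to sign. It pulls out the spender and the amount and flags the two things that Etherscan revealed in this story: an unlimited allowance, and a transaction sent to a token contract other than the one the front end claimed. All addresses in it are constructed placeholders, not real contracts.

```python
"""Decode an ERC-20 approve() call and flag risky approvals.

Added example, not code from the original comment or from any wallet: given the
raw calldata a wallet asks you to sign, decode the spender and amount and warn
when the approval is unlimited, exceeds your balance, or targets a token
contract other than the one the dApp front end claims. All addresses below are
constructed placeholders, not real contracts.
"""

# First 4 bytes of keccak256("approve(address,uint256)"), the ERC-20 approve selector.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    spender_hex = spender.lower().removeprefix("0x")
    if len(spender_hex) != 40:
        raise ValueError("address must be 20 bytes")
    return "0x" + APPROVE_SELECTOR + spender_hex.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata_hex: str) -> dict:
    """Return {'spender': ..., 'amount': ...} from approve() calldata."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for approve(address,uint256)")
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an approve() call")
    spender_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if spender_word[:24] != "0" * 24:
        raise ValueError("malformed address word")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}


def review_approval(tx_to: str, calldata_hex: str, expected_token: str, balance: int) -> list[str]:
    """Return human-readable warnings about an approve() transaction.

    tx_to          -- the contract the transaction is actually sent to (the token)
    expected_token -- the token contract the front end claims you are approving
    balance        -- your balance of the token at tx_to
    """
    warnings = []
    decoded = decode_approve(calldata_hex)
    if tx_to.lower() != expected_token.lower():
        warnings.append(f"transaction targets token {tx_to}, not the expected {expected_token}")
    if decoded["amount"] == UINT256_MAX:
        warnings.append(f"unlimited allowance granted to spender {decoded['spender']}")
    elif decoded["amount"] > balance:
        warnings.append(f"allowance {decoded['amount']} exceeds current balance {balance}")
    return warnings


# Constructed scenario mirroring the story: the UI says "stake your NFT", but the
# signed transaction is an unlimited approve() on a different token contract.
STAKING_CONTRACT = "0x" + "aa" * 20     # placeholder: the "staking" contract (spender)
CLAIMED_TOKEN = "0x" + "bb" * 20        # placeholder: token the front end claimed
ACTUAL_TOKEN = "0x" + "cc" * 20         # placeholder: token the tx really targets

if __name__ == "__main__":
    calldata = encode_approve(STAKING_CONTRACT, UINT256_MAX)
    for w in review_approval(ACTUAL_TOKEN, calldata, CLAIMED_TOKEN, balance=5 * 10**18):
        print("WARNING:", w)
```

The `tx_to` versus `expected_token` check is the one that would have caught this scam: the "to" field of an ERC-20 approval is the token being approved, so a transaction sent to a contract you did not mean to touch is the first thing to compare, before the amount.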
I'm surprised anyone reading this story wouldn't conclude that the real takeaway is to just not engage with cryptocurrency at all. This ecosystem is so convoluted it just turns me off at every level.
That's precisely my takeaway since I saw what ETH's instruction set looks like and what sort of languages these smart contracts are made of. It's a giant pile of flimsy garbage propped up by a frenetic gold rush.
To think that any of this would then be used to build a trustworthy ecosystem for non-developers to use, seems delusional to me. And building a VTOL taxi airline on top of it seems like it puts the cart 3 miles uphill from the horses.
I woke up this week to dozens of comments on a video from a speaker at SaaS Connect 2017 (previously known as The Small Business Web Summit) to learn she was arrested and charged by the DOJ this week for laundering $4.5 billion in crypto. https://www.justice.gov/opa/pr/two-arrested-alleged-conspira...
Billion!
Since this is an allegation, we must presume innocence. However I still cannot imagine what planet would entrust 10 figures to her control. Witness her rap.
It's worth noting that those 4.5 billion had a value of 75 million or so when they were stolen. It's also worth noting the "heist" happened in 2016, so before that talk.
I think there is value in being able to write up an online contract (code) that is able to manage money for two parties without needing to go to a bank or some third party to act as the middleman.
It's the same thing as reading the terms and conditions.
Human transactions can 'easily' be undone in a court of law, and yet are still so painful to undo as to necessitate a trusted escrow agent in many of them.
This is making it so there is no "undo", and no escrow agent. There's value, for those looking to take advantage of others.
There are trade-offs with every financial system, and ways of using each in a way that mitigates its disadvantages.
Smart contracts on a general computing platform can enable anything, including the reversible payments and reliance on trusted third party delegates that you see in traditional banking, so as a consequence of this maximally expansive design space, I assume they will eventually lead to a financial system that offers a much better set of trade-offs than that of any other financial system.
Taking a high-velocity ride in a cage of aluminum? I don't want to engage with that at all. I am so surprised that safety measures such as airbags and seat belts are discussed. Obviously cars are too dangerous to exist.
I don’t understand at all how wheels move and what is that round thing near my chest and what to do with it. Maybe it’s the fifth wheel. Or why fuel is needed; I can’t even find a mechanic who will look under the hood for me if I can’t. Also, since my last car could use my ATM card and sign my cheques, I had to be extra careful when turning on the ignition and had to check the GPS log to see whether it drove to my bank while I was taking my afternoon nap.
There was no service warranty or guarantee with the car at all. I had to hire an entire division of technicians and engineers to use it. I think a few lawyers and auditors as well.
In fact it felt I also needed a PhD in all things automobile to use my car.
Most importantly I can’t see in front of me at all. Front is opaque. I just drive hoping I don’t run someone over or something doesn’t run me over and my car.
Not that this legitimizes crypto, but early cars were not understandable by ordinary people. They were loud and finicky, and toys of the rich who had the time and energy and money to spend on them until the technology matured and mass manufacturing brought their price way down.
I’m curious, does anyone know Thomas, or how did they amass 100M in ETH? The websites provide absolutely no identity of anyone involved (as is very common for crypto). The Twitter account is 4 months old.
No mention of the person or the Arrow company on the internet previous to this episode seems to exist. Other than looking at the chain records, how should we believe that any of these stories are true?
I know of Thomas through the Rocketpool community Discord (a decentralized Ethereum staking pool). He's a regular on there. And I'm one of 90ish members in the Arrow Discord. It's a super early stage startup that's still in the conceptualization phase. I don't know how he got his capital, I don't know his background. But he's been an engaged member of the RPL community and seems genuine in his interest for drone transportation. A lot of this is still available in the Discord chat history.
When he invites you to get in on the ground floor of an amazing opportunity, I suggest you take him up on it. He's rich, so it definitely won't be a scam!
My impression of him is that he's a decent guy who got targeted by scammers who knew he was rich. I've participated in the ground floor of plenty of opportunities. Some of them work out, some of them don't. But the ones that do more than make up for the ones that don't.
There's a more general takeaway, and it's one every developer discovers for themselves, sooner or later:
- People don't read what's in front of them.
I've seen this emerge in a vast array of fields. No matter how much we highlight specific details, for all our efforts in red-flagging irreversible actions, folks will often blitz past a confirmation dialog, nag screen, or notification message, without internalising the details or the risks. For those in financial technology, as in this specific example, irreversible actions also extend the attack surface for fraud.
Even the brightest minds can be lazy (some might even say it's a feature, not a bug) and one should never rely upon the opposite. We consequently face a design choice, for all irreversible (or hard-to-reverse) actions, the most common options being:
a) allow a grace period;
b) redesign, if possible, to make it user-reversible;
c) build a forcing function for diligence[1]; or
d) expect support tickets about that feature.
The default is (d), and the helpdesk won't thank us, since the workload generally scales linearly with growth at a high opportunity cost.
I like the takeaways, though I'd also add an additional one, that you should use systems that have reversible transactions. That way, when you fall victim to fraud, you can use the court system to recover your losses.
You're mixing up reversible transactions and court system. If someone defrauds you in an irreversible transaction, you can still sue that person for damages if you know who they are. Similarly if someone defrauds you in reversible transactions, you can't just wave a wand and get your money back. You can sue them if you know who they are, or you can request a reversal from your bank/cc provider (may or may not be honored) but you're not completely safe. Most fraud happens in fiat and there are real victims out here.
> Most fraud happens in fiat and there are real victims out here.
We had multiple threads about base rate error on HN just yesterday!
Most financial activity happens in fiat, and so of course it stands to reason that most fraud is also done in fiat. The real question is whether the legitimate-to-fraudulent ratio is higher in cryptocurrencies than in fiat.
See also: the "Chinese Robbers" fallacy[1] -- just because you can find a ton of examples of fiat fraud doesn't imply it's worse -- without context it only implies it's the most common form of currency.
It's certainly under the category of base rate bias, but it's a specific subcategory (think of it as the rhombuses and squares relationship). In this case the term is used to focus on the fact that it's not just one example here (or two or three); you can provide thousands of examples of currency fraud and the fallacy is still a fallacy.
> Most people think of stereotyping as “Here’s one example I heard of where the out-group does something bad,” and then you correct it with “But we can’t generalize about an entire group just from one example!” It’s less obvious that you may be able to provide literally one million examples of your false stereotype and still have it be a false stereotype.
"Base rate" appears multiple times in that article and is a pretty core concept in the rationalist movement. Memorably illustrating a concept is not the same thing as not knowing the technical term.
How would one "accidentally" wire transfer millions of dollars? At $10k in America, KYC and AML laws force banks to step through extra layers of verification to wire such amount. It's virtually impossible for someone to accidentally wire millions, which would likely involve a mandatory in-person meeting with the bank customer to verify their credentials and purpose.
If somehow you get through an in-person meeting with a bank branch manager to unwittingly wire millions of dollars, and the topic of how much money you're wiring and the exact purpose of wiring such a high amount isn't brought up, and you somehow still accidentally wire millions of dollars away without anyone ever bringing up the amount and purpose of the transaction, then I'm sure you'll still be able to recover that money back because banks are required to actually validate transactions of that size with KYC, AML, etc. laws. Only cryptocurrencies allow one the ability to transmit this amount of money in seconds.
> At $10k in America, KYC and AML laws force banks to step through extra layers of verification
Isn't that only for cash transfers?
> which would likely involve a mandatory in-person meeting with the bank customer
At least at Chase and Fidelity, wires can be done over the phone with no limit.
> to verify their credentials and purpose
I've never seen a banker really help to verify wire instructions, as in contacting the intended recipient. Normally they just ask the sender if they've verified the instructions, if they understand that the wire is irreversible, etc.
Of course when it gets to the bank's wire department, they make some attempt to block suspicious wires. But they're guessing based on limited info, as they don't typically contact the sender or recipient.
> I'm sure you'll still be able to recover that money back because banks are required to actually validate transactions of that size with KYC, AML, etc. laws
From what I've heard, fraudsters will (indirectly) transfer funds to e.g. a Nigerian bank and cash out there. It doesn't always succeed, but it does sometimes, or wire fraud wouldn't exist.
Yes, the banking industry won't do much to prevent Aunt Senile from wiring $80k to Nigeria, although I doubt they make it easy. Hell, I couldn't even phone-authorize a wire of 8k to buy a car two states over, but I guess that's just my bank. Had to bloody pay for the car on credit card, no joke.
But the scenario in the OP is only possible in cryptocurrencies. You can't put a button on a website "Click here to send a JPEG through email for $3.50*" with the fine print "*and also 100 million dollars" and expect that to ever work out with the legacy banking system. Only in cryptoland could someone ever accidentally yeet 100 million dollars in a few seconds by visiting a website and clicking a button.
It's a fair criticism. But the reverse is also true, in that money is frictionless to raise and coordinate in cryptocurrencies, such as the $45M attempt at buying a copy of the Constitution (which failed, but people simply got a refund), or the $56M that was raised for Julian Assange's defense last week.
I'm able to work with total strangers, raise money, sell products, contribute to causes, commission art work etc, etc, hold those funds in a smart contract treasury and encode rules to govern the spending of those funds.
Safe guards do exist for the aforementioned issue. Number one is not holding significant sums of money in a single wallet, unless it's a multi-sig that requires multiple parties to agree to transactions (like Gnosis Safe wallets, which store $100B+ in assets and are battle tested at this point).
The value of the PEOPLE tokens on the secondary market proceeded to increase nearly 10x in the weeks following the dissolution of the DAO. Even though market cap is declining, at $327M mcap, it is still many multiples of the amount raised.
PEOPLE tokens in circulation are still redeemable for the underlying ETH, but the monetary premium has increased as a result of the dispersed liquidity to so many holders (16K+) as well as the novelty of retaining the token for a failed, yet valiant effort.
I recently bought a house. My title company made a BIG deal about fraud. Basically, people figure out you're in the process of buying a house, pretend to be your title company, and give you their wire info instead of the real info. You wire a giant pile of house down payment to the bad guys, and they walk. You will not get that $ back.
Those are all intentionally sending money; you just have had someone tell you the wrong account. Which is just as easy with crypto. And, just like with crypto, you can always reach out to the party you are trying to send money to via another means to confirm the address.
When I purchased a house, I Googled the recipient, confirmed the certificate, Googled the number found on their website separately to confirm it was listed elsewhere as belonging to the company I expected it to belong to, called it, and got them to tell me the account details for the wire transfer, confirming it matched what I had been sent. Which, to their credit, their instructions also told me to do. And I initially sent the down payment, confirmed they received that, and only later in the process sent the remainder.
While there still are some ways to beat that (compromise the recipient's infrastructure, change the website, lock out the recipient from their email, insert into the email exchange, get a wire transfer done before the recipient can proactively call the target to warn them), it's a lot harder to pull off than "find a target that won't read the code very closely".
It's rare that buyers of houses and property are that thorough. On the contrary, my friend recently bought a plot of land for which the sellers did not own the title. The title company, whose only job is to verify this, completely missed it. The fake sellers made out with tens of thousands of dollars and the real owners, who are from Germany, are still haggling with my friend and trying to get her or the title company to pay for their lawyer fees, and she still doesn't have title to the land!
At least with crypto, the chain of ownership is transparent and can't be faked. So validation is cheap and easy to do.
>> At least with crypto, the chain of ownership is transparent and can't be faked. So validation is cheap and easy to do.
In theory. The devil is in the details; does everyone know how to validate the chain of ownership, even the most non-technical of users who must rely on the system? If not, you either will never be mainstream, or you're reliant on a trusted agent to validate on your behalf (sorta like a title company!).
And if you screw something up with crypto, there is no way to address it. The complaint of "dealing with lawyers and trying to get someone to pay for it" is a feature, not a bug. Worst case, it's no different than the crypto outcome; best case, you have recourse.
Where is the land mentioned? Is there no land registry there? In many jurisdictions, titles to land are registered through a government operated registry where would-be buyers could look up information on the situation of the land rights.
AFAIK you don't need to be a title company to do this, any buyer could do it themselves.
And what if you don't know enough about land law to make sense of everything? That's when you need companies to do it for you.
Is checking the chain of ownership of cryptocurrencies easier than land? It depends whether you're talking to a real estate lawyer or a NFT seller.
I'm neither, and I don't see the intrinsic difference.
Man, BoA sure lets a lot through. I couldn't even wire 8k without my physical presence - this was during COVID lockdown of all things as well! I know nothing of buying a house, but when I bought another, more expensive car that required a loan, the bank went through the whole rigmarole, calling a bunch of people to verify all the details (after all, I was going to buy their car with their money) - it took nearly an hour to actually get the money after being approved for the loan days beforehand with all their internal busywork. All for something that, what, might have covered half of the wages for the day of the employees working there at the branch office after three years of interest? I think I'll be staying with my tiny, irrelevant local bank after all!
I worked at a financial institution; there is no way you could open an account, deposit some spare change, and then withdraw 900k after a few weeks, especially in America. Compliance would be all over that account, which is probably why they got the money back anyhow, because the crooks would have a lot of talking to do after getting that much money in their account. KYC and AML is required for both sides of the wire transfer.
This is just saying “that’s what you get for playing with crypto you degenerate”.
The fact is wires can also be irreversible and you cannot use the court system as a blunt instrument outside your jurisdiction. The value transmission medium isn’t the problem here.
> This is just saying “that’s what you get for playing with crypto you degenerate”.
No, it isn't. It's a reminder that we have all of this financial structure for a reason. The person you're responding to didn't make any light of the potential victim or call them a degenerate.
In traditional finance, you (Joe Shmoe) can't just wire someone ~100M USD, regardless of jurisdiction. There are controls, most of which have been written in blood or tears. Cryptocurrencies will also grow those controls, and we will all rightly question its value when it inevitably does.
You ever heard of asset forfeiture? There's two sides to everything. Not really "owning" something is great if you're the victim of fraud, but has its downsides when you become a target and someone wants to arbitrarily capture your wealth.
But it's also not a disgrace for traditional finance: it's a disgrace with respect to the latitude our justice system gives to individual LEOs and a sign that the government is willing to extrajudicially punish people instead of pursuing justice through the courts.
Put another way: asset forfeiture is not some kind of "gotcha" against traditional finance in favor of cryptocurrencies. When law enforcement seizes your bank account, they're going to seize your cryptocurrency accounts too. And if you (unadvisedly) attempt to hide those assets, then you will be making their job in court much easier.
I'm all for the legal process and there is a legitimate way to seize assets. But asset forfeiture is not that. It's only enabled because it is trivial and is done outside of the normal legal process. It doesn't help that the beneficiaries are the very people that can initiate the forfeiture.
If someone goes through the legal process and is found to be guilty and their assets are seized, that's fine. But if someone is pulled over, found to have some drugs, gets their car and the cash on them possessed, and is forced to go through a lengthy process to free up that money, then that's different.
In any case: the really egregious examples of civil asset forfeiture are the petty ones: the government stops someone for the crime of DWB[1], and seizes all of the property they have on their person (including, sometimes, the car itself.) It's a disgusting crime, but one that doesn't typically extend to the victim's bank accounts or other financial resources, unless there's a larger case being pursued against them. And so, once again, it's not clear how cryptocurrency improves the state of affairs: either you're carrying a hot wallet around with you for your day-to-day expenses (in which case you're subject to the same seizure), or it's roughly equivalent to a traditional financial product and isn't subject to a spurious seizure (but might be subject to a larger one).
Forfeiture scenario 1: cops take your cash. It's on you to sue them and prove to a court that it's legitimately yours.
Scenario 2: they take your hardware wallet, then they must prosecute you and prove to a court that the money is not legitimately yours, to get the key. IANAL, but am I wrong?
The answer to this probably depends on your local jurisdiction, thanks to America's unique system of legal devolvement.
Instead, I'll point out that the answer does not matter: from the moment that they have my hot wallet instead of me, I can no longer use it. It doesn't matter to me whether they can actually liquidate it or not. And, as I pointed out earlier, I'd harm my own case by attempting to liquidate my assets with a separate copy.
My main point is the change from presumption of guilt to presumption of innocence. If they are effectively able to freeze it (but not transfer) before the court ruling, that main point still holds. Your claim was that crypto makes no difference, or worse.
I'm not saying technical solutions make the rule of law unnecessary. But they can defend against some violations of the rule of law, depending on the parts of the justice system that are still just.
People effectively defending themselves against a national disgrace help towards getting the disgrace fixed.
Then you missed the point of this whole thing. Some of us would rather die with the keys than let the State steal funds from them. Cryptocurrency is the first technology that lets you take wealth to the grave and keep it there.
Look: if you want to clutch those hashes to the grave, more power to you. I think the Federalist Papers' authors wouldn't know whether to laugh or cry, but that's the wonderful thing about this little American Experiment of ours.
But don't delude yourself into thinking that any meaningful number of people, even cryptocurrency believers, share your position. It's all fun and games until the Men with Sticks show up, and most people understandably tuck tail at that point.
If I'm going to be made a coward in the eyes of a few LARPers, I might as well pay as few middlemen as possible in the process. But that's just me!
Next you're going to tell me that the blockchain isn't made of Lego blocks!
> You'd be surprised.
Given the aggressive spread of custodial services, I don't think I would be. The average cryptocurrency user (even enthusiasts, true believers, &c.) is not a dyed-in-the-wool Burkean. Less prosaically: easy money comes with loose beliefs.
Try getting your money back when getting scammed via Venmo or PayPal - rarely any better, and if you’re selling you’re more likely to get scammed with those services than with crypto.
I have done multiple clawbacks via payment processors. In each case, I escalated (vendor -> processor -> my bank -> CFPB) until the dispute was resolved to my satisfaction.
In nearly all cases, no separate restitution was required: the processor or my bank was able to reverse or halt the ACH transaction before the money settled. In the handful of cases where settlement had already happened, they were able to countermand the transaction.
Yes, but I'm not sure this is a fair comparison. Don't ACH transactions take 1 to 2 business days to settle by design, as they are processed in batches and go through an intermediate clearing house?
Venmo/PayPal/Fedwire transactions should be able to settle in real time, which can be more convenient at the expense of easy reversibility.
Venmo and PayPal are, to the best of my knowledge, settled via ACH if you use a bank as your source of funds. That's what I've always done, since it provides the greatest amount of personal control over my transactions.
If you use a payment card (debit or credit) with a payment service, then they might use either the payment card's network or ACH, depending on what the card issuer supports.
I’ve had a PayPal failure, a PayPal success, and an Apple Pay failure.
It’s definitely not a guarantee. Most of the Venmo type scams where people “accidentally” send you money and ask you to send it back or pay for an item with bad funds are not reclaimable from those services based on TOS. In those cases you’d be better off with BTC.
> when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them. However, what wasn't normal is that the approval was actually for Aave ETH.
I'm a reasonably technical dude (senior data engineer at GAMMA/FAANG/whatever we're deciding to use nowadays), yet I don't have a damn clue what this means. And that's not an indictment of your communication. How on earth could I expect my wife, my brother, my parents, my kids, any of my friends, etc., to understand this?
On the other hand, all these people understand the concepts of bank accounts, credit cards, fiat currency, etc.
I'm open to learning more and having my views changed, but I'm so far convinced that there's absolutely nothing about crypto that is a simple, reliable, demonstrably real solution to a problem that isn't already handled by our current financial instruments.
It is a specific technical detail of how ERC-20 tokens work. Your wife/brother/kids etc make transfers online from their bank account without knowing the technical details of how that transfer works.
Ideally wallets would have better UX where concepts like this could be handled safely and in an accessible manner. I think crypto isn't really ready for general consumption yet.
This discussion tells me once again that crypto today is similar to having access to the backend systems of the bank, where you can write database commands in SQL that change things in your account records. It's an insanely low-level access system. Transferring ownership of money via a web page that has a source and destination on your bank's web page is understandable at a certain level: is that the right source, is that the right destination? But you can put in 100,000 instead of 1k or 10k by accident. That's very different from clicking the 'ok' button and having it run, say, random JavaScript-like commands that the destination of the money wrote up.
You can't ever expose that level to end users without it being an endless fraud source for people.
Does Thomas actually have $100M of assets in a single wallet? Or is it spread out over, say, ten wallets?
I’m interested to know whether the con artists could have realistically nabbed $100M, or if there was effectively never any chance of that due to other precautions. I would hope it’s the latter, but crypto’s strangeness stopped surprising me.
Fabulous comment, by the way. Easily one of the top ten in the last month. Thank you for the breakdown.
There’s no advantage, just laziness. A wallet like that shouldn’t be easy to access and should never be used for anything other than funding their other hot wallets.
There are reasons. Firstly, a tax advantage, in that there is no capital gain from selling the cryptocurrency; the other is that you don’t lose your position on the cryptocurrency, and ideally over time you can increase your borrow as the underlying collateral increases in fiat value.
One can also use the borrowed funds to speculate on other cryptocurrency, as a collateralized margin loan.
Many lending systems offer incentives too, where you can be paid to borrow.
In this case, liquidity is pooled across the Aave protocol. There's no difference in the interest rate for someone lending / borrowing $50M or $50. It's easier, but you should probably never have more than 10-20% of your portfolio in a single wallet. And probably should shrink that down even further as your net worth grows.
For somebody with $100M+ I find it strange how excited Thomas got about the prospect of some strangers setting up a meeting with some random founders. With that much money would it be that difficult for Thomas to set up a meeting with them on his own?
Yes, isn't it interesting how people who own crypto valued at hundreds of thousands or millions of dollars rarely act like people with that much money, get involved in the kind of business deals or social engagements that people with that much money do, etc.? It's also interesting how many of the assets they tend to purchase are themselves part of the crypto ecosystem. How many people, given $300k, would go and buy exclusive access to an online monkey avatar?
He might have the wealth, but he is nouveau riche. He probably doesn't have the connections and hasn't experienced enough of the rich people world to see what those connections look like. He probably (subconsciously) thought this was a start of that sort of thing.
Yes, and I think he just set himself up as an even bigger target, because he's revealed that he has personal, immediate custody over $100m. His next attackers are likely to get much more personal and direct.
To be honest, if they got this close, it’s only a matter of time before they take it all. He should strongly consider cashing out and leaving only an amount he is willing to lose in ETH.
Hell, given my distaste for crypto, if I were more unethical I may even attempt such scams, but I’d balance it out by donating the stolen money to environmental initiatives to combat global warming (after giving myself some fair compensation, I don’t have the skills to get away with hiding $100+ million).
It’s like the televangelist. Money affinity scamming. You need to conspicuously show your wealth on chain so people think God (vitalik) made them rich.
Unless you flex with your $100M in aave on your main with an ENS name, how will your victims know you are rich and worthy?
If I had $100M, I find it hard that I’d care that much about things. I barely give a fuck now and my net worth is only 1/58th of that. I’d probably just build a passive income stream and chill the rest of my life.
Which might not actually be that much in some parts of the world. For real. A few million is nice but that doesn’t even get you a house in nice places.
The 4% rule is fairy tales, especially in the post-pandemic economy. We will be working more for less as time goes on.
Then couldn't you just move somewhere else? I live in the Netherlands, near Amsterdam. It's one of the most developed places on Earth (more so than most of the US) and my yearly salary is only 100k USD, which puts me in the top 1% in my country.
> hot ass babe to pleasure me and raise nice children
Boy, are you in for a nasty surprise. But don't come crying to us, old men who warned you that what you really should want is a nice cabin near a lake with plenty of fish and an absolutely plain ass woman.
You think you need more than 170k per year to own a yacht, travel the world and dress fancy? I'm guessing you haven't actually done any of these things before, then.
Outside of Silicon Valley, 170k per year is a huge amount of money. Especially if you're going to travel outside of North America and Europe.
"The catch was that when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them." - this is a bit surprising - I thought the way to let a contract move tokens was just to send them to it? Approving a contract to move everything from a wallet works like sending everything from the wallet to the contract - it omits the step where you choose the amount that you trust the contract with, why is this the 'normal' way?
> scammers are getting more creative and advanced in technique including standing up professional front end websites to give the appearance of legitimacy
It seems like this is becoming the minimum standard for scam operations. For example, there is currently a BTC phishing scam going around that tries to convince the user they've accidentally received an email meant for someone else, which just happens to include a link to a million dollars worth of BTC. The website looks legitimate, albeit amateurish, to the point that it could even be convincing to another web developer. The rest of it is much like the OP's scam.
It starts with an email from the hacked account of a real bank manager in an Italian town, and is addressed to a real self-proclaimed stock market "guru" from the UK, now living in the US. The email states that 19 BTC has been deposited into an account that was created for them on a site called Coinlux, and they provide the username and password for the account. The Coinlux name was even used by an actual company at one point, so searching for any of the names or details surrounding the scam generates very real and convincing results.
Upon visiting the page, you're presented with a moderately professional-ish looking site that asks which fiat currency you want to use and lets you login. You're then prompted to enter a phone number to "secure the account" which, surprisingly, initiates an actual phone call from a number in the UK using a Twilio-like service. After confirming the verification number, you're allowed to view the account, which has some realistic dummy transactions in the history and other features that make the site somewhat believable (it even has a fake chat system and working account recovery).
After initiating a withdrawal of any amount, it provides a warning that you should make a small test transaction first (of 0.0001/$4), to ensure that you're sending to the correct BTC address -- after all, you wouldn't want to send 19 BTC to the wrong place and lose it all. It takes much longer than a normal transaction (likely because the scammers are manually initiating them), but it does eventually go through, and they've now succeeded in convincing the user that there is real BTC in the account and you can actually withdraw it.
However, if you try to make a larger withdrawal (or a second one at all), you're now presented with an error stating that you're not withdrawing enough, because of a "minimum withdrawal amount" defined when the account was created. This minimum amount happens to be 19.01 BTC, or 0.01 more than is in the actual account currently. So you've successfully withdrawn ~$4, but you have to deposit ~$400 if you want to access the entire 19 BTC.
As if it weren't obvious enough at this point, checking the address[1] which sent the 0.0001 makes the entire scam plain as day. This means that anyone with any amount of tech knowledge is probably not susceptible to the scam, though I do think that certain personality types could get caught up in the excitement of potentially "stealing" a million dollars. On the other side, non-techies will likely fall for this in droves, and the transaction history on that address does show there have already been successful victims -- though this particular person's scam has been massively unsuccessful so far, and they may actually be in the red overall.
It is quite elaborate, well-planned and a lot of time has surely been invested, so the very underwhelming results must be devastatingly demoralizing -- which I think is probably the best outcome of any scam.
Thomas also mentioned in the thread that it seems "Space Falcon" is a real NFT project. The actual domain ends in .io though, and somehow the scammers managed to acquire the .com domain and I'd imagine they'd then only need to replicate the frontend UI instead of coming up with an all-new one. Still very sophisticated for sure.
I can get behind cryptocurrency and stuff, but the idea that anyone can write a contract that says "I get to do what I want with your money" and then build their own custom, one of a kind UI with no way to limit what the user thinks the button does for you to sign such a transaction, it's got to be the biggest, most massive security hole I've ever seen brushed off. You want me to put the title to my house on it? You want code to be law?
This shit isn't ready for the mainstream, and some of these architectural decisions are indicative of engineers who are in over their heads (but that's almost all code nowadays, even mine).
They build a mechanism that enables me, at the click of a button, to give away control of my fortune, and they designed the system so that anyone can design whatever interface they like to get you to sign any transaction they like. It's laughable. I'm in disbelief. And this is web3? No thanks, I think I'll stick with bitcoin or whatever, keep it simple. At least I can tell what a bitcoin transaction does without having to learn a programming language.
> it's got to be the biggest, most massive security hole I've ever seen brushed off.
Well said. This goes hand-in-hand with the victim blaming that goes on in cryptocurrency circles. Any time a story like this appears, defenders come out of the woodwork to insist that it's the victim's fault for doing something or not doing something else. Even the linked Twitter thread is full of replies from people suggesting that the author was "asking for it".
Crypto seems to appeal to people who like to think that they are smarter than the average person and therefore will succeed by self-managing their finances right down to the private keys. Adding smart contracts to the mix basically opens up a can of worms that makes it unrealistic to actually control every detail of your money unless you strictly limit each contract to a separate wallet and only transfer funds into that wallet before activating the contract. That's honestly a good strategy if you're sitting on $100mm+ in cryptocurrency and the transaction fees are negligible (as was the case with the Twitter user). However, when transaction fees are $10/each or more, the average crypto user isn't actually doing anything of the sort. They're clicking the buttons and hoping for the best.
> Crypto seems to appeal to people who like to think that they are smarter than the average person and therefore will succeed by self-managing their finances right down to the private keys.
I've been calling them Dunning Krugerrands for this reason, and I suggest others do as well.
This isn’t how it works. With ERC20 you “approve” tokens. That allows the specific contract you approve to spend up to a specific amount of tokens at that specific address. Things that a random smart contract cannot do:
1) Spend more tokens than the amount you approved.
2) Spend any other tokens besides the specific type that you approved. (E.g. can’t steal your NFT or USDC)
3) Spend tokens at any other wallet address even if you own those other addresses (and creating a new address for a specific purpose is trivially easy)
In addition, the old approve() technology is already being replaced with the modern EIP-2612 standard. (USDC already implements it.) In this workflow, instead of pre-approving a contract, you sign a transaction-specific message. With EIP-2612 you know exactly how much you’re spending on each transaction and there’s zero after-the-fact risk.
I'm very much aware of how ERC20 contracts work, I've written them.
I'm glad the standard for approval of control of wallets is being deprecated for one with more granularity and security, and I hope it solves this problem.
But that is how it works. The idea that I have a wallet as an extension in my web browser, and people can deliver me any transaction they like, with a "yes" button decorated however they like in the form of a web app, it absolutely does mean that I need to know how to read solidity to be safe and that I must audit every transaction I'm interested in signing. And an engineer would take that for granted, but if that's the standard UX, again, this isn't ready for grandma, not even close.
What ethereum should've done was be a little more slow moving with adding features and maintain mist so that a standard UI feature set could be expected by users.
I have seen contracts approve your entire supply though without mentioning it. That would allow the contract to come back at any time, with no user action, to take more coins out.
Just be wary of "Approving" contracts before using them on DeFi apps. That first approval confirmation is the most important as you're basically handing them that much coin and trusting them to give it all back.
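The approve() semantics described in the two comments above (an allowance bounded to one token, one spender and one amount, versus a contract that asks for the entire supply) can be checked by the wallet before anything is signed. This is an added example, not code from the thread or from any wallet project: it decodes the calldata of an ERC-20 approve() call, flags an unlimited or oversized allowance, and flags an approval aimed at a different token contract than the dApp says it needs (the aETH-instead-of-NFT case in the story). All addresses and balances are constructed placeholders; only the approve()/permit() selectors are the standard ones.

```python
"""Wallet-side review of an ERC-20 approve() before signing (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Standard 4-byte selectors: first 4 bytes of keccak256 of the signature.
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
PERMIT_SELECTOR = "d505accf"   # permit(address,address,uint256,uint256,uint8,bytes32,bytes32), EIP-2612
UINT256_MAX = (1 << 256) - 1   # the "unlimited" allowance most dApps request


@dataclass
class ApprovalReview:
    token: str      # contract the approve() is sent to
    spender: str    # who may move the tokens afterwards
    amount: int     # allowance in base units
    unlimited: bool
    risk: str       # "low" | "medium" | "high" | "critical"
    reason: str


def _strip(hexstr: str) -> str:
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h


def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI argument (hex), skipping the 4-byte selector."""
    start = 8 + 64 * i
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError(f"calldata too short for ABI word {i}")
    return word


def call_kind(calldata: str) -> str:
    """Classify the call by selector: 'approve', 'permit' or 'other'."""
    return {APPROVE_SELECTOR: "approve", PERMIT_SELECTOR: "permit"}.get(_strip(calldata)[:8], "other")


def decode_approve(calldata: str) -> Tuple[str, int]:
    """Return (spender, amount) from approve(address,uint256) calldata."""
    data = _strip(calldata)
    if data[:8] != APPROVE_SELECTOR:
        raise ValueError("not an ERC-20 approve() call")
    spender = "0x" + _word(data, 0)[24:]  # address is right-aligned in its 32-byte word
    amount = int(_word(data, 1), 16)
    return spender, amount


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used both for the bounded and the unlimited case."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    s = _strip(spender)
    if len(s) != 40:
        raise ValueError("spender must be a 20-byte address")
    return "0x" + APPROVE_SELECTOR + s.rjust(64, "0") + format(amount, "064x")


def review_approval(tx: Dict[str, str], expected_token: str, balance: int, needed: int) -> ApprovalReview:
    """Grade an approve() the dApp asks the user to sign.

    expected_token: the contract the front end claims the action involves.
    balance: user's current balance of the token the tx actually targets.
    needed: how much this single action should move.
    """
    spender, amount = decode_approve(tx["data"])
    token = tx["to"].lower()
    unlimited = amount == UINT256_MAX
    if token != expected_token.lower():
        risk, reason = "critical", "approve() targets a different token contract than the dApp claims to need"
    elif unlimited or amount > balance:
        risk, reason = "high", "allowance covers the whole balance (or more): spender can drain it later without any further click"
    elif amount > needed:
        risk, reason = "medium", "allowance exceeds what this action needs"
    else:
        risk, reason = "low", "allowance bounded to this action"
    return ApprovalReview(token, spender, amount, unlimited, risk, reason)


if __name__ == "__main__":
    AETH = "0x" + "aa" * 20      # placeholder for the interest-bearing token, not a real address
    NFT_STAKE = "0x" + "bb" * 20  # placeholder for the contract the front end said it needed
    SPENDER = "0x" + "cc" * 20   # placeholder "staking" contract that would receive the allowance
    ONE_ETH = 10 ** 18
    # What the scam front end actually asked for: unlimited aETH allowance, while the UI talked about an NFT.
    scam_tx = {"to": AETH, "data": encode_approve(SPENDER, UINT256_MAX)}
    print(review_approval(scam_tx, expected_token=NFT_STAKE, balance=100 * ONE_ETH, needed=0))
    # The bounded form: approve exactly what this one action moves, on the token the UI names.
    safe_tx = {"to": AETH, "data": encode_approve(SPENDER, ONE_ETH)}
    print(review_approval(safe_tx, expected_token=AETH, balance=100 * ONE_ETH, needed=ONE_ETH))
```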
Haha, I was never on board with crypto and this is far worse. It's like fast tracking the usual crypto scam.
Also this guy seems rather green in terms of internet scams,
> Scammers are getting smarter. Before now, the best scam I've really encountered is basically "hi this is tech support please share your private key so we can help"
When it comes to code, we’re all in over our heads. I can reason about significantly more complexity than most developers I know and it’s still laughable how little complexity I can manage.
When I heard about Ethereum this was my exact fear. Programmable money sounds like a terrible idea from the perspective of business owner. Does this mean I have to check every transaction I enter to run arbitrary code with full access to my wallet? That is of course assuming the code isn't able to break out of any other protections there might be and pay for the ETH I'm getting with my data.
No, no, of course you don't have to check every contract you engage with. At least, not with the help of my conveniently-IPO'ing DAO wETH unwrapper leaser startup. We'll take care of the heavy lifting, you sit back, relax, and pay us no mind (really, please, do not look behind the curtain). We're a Series F company filling the totally coincidental grift-shaped hole where Ethereum left off - contact our sales team on Discord if you're interested!
> Does this mean I have to check every transaction I enter to run arbitrary code with full access to my wallet?
No, for the same reason you don't check the code on every website you visit. If you want to be even more secure then just stick to blue chips like aave, curve, etc. You can see how much is sitting in popular defi contracts here: https://www.defipulse.com/
You also don't give an ethereum contract full access to your wallet, you need to approve access to however much you want the contract to have access first then you get a second prompt to allow the contract to run.
You're talking like one accidental misclick and all your money is gone.
If you're super duper paranoid you might want to look at something like argent wallet (https://www.argent.xyz/) which lets you do common trades, defi, staking etc from within the app so you don't have to worry about random contracts and there's no seed phrase so no need to worry about that either.
> You're talking like one accidental misclick and all your money is gone.
This is literally happening right now all over the place. Just go to any reddit cryptocurrency sub and do a search for "free token scam." People are finding free tokens in their wallets, trying to spend them and having their wallets emptied.
I don't check code on every website I visit because websites can't just empty my life savings with no recourse.
It boggles the mind that someone looked at money and thought "you know what, this is too simple, let's shoehorn in a Turing complete programming language - that'll fix it!"
Please explain to me how embedding a Turing complete programming language inextricably from a currency adds anything of value that is not offset by the pitfalls of regular users needing to not only know how to code but understand the entire ecosystem that the currency interacts with.
If you are always concerned about the pitfalls of your stupidest user, you will make a product that is only suitable for stupid users.
When you stop worrying about that, and can actually start to deploy advanced technology for your advanced users.
You can weight your argument however you want, all technology will fail some class of user. Me, I’ve been playing with this and various tech for a decade now and the sky is the limit for where this can go.
Okay, but you didn’t answer my question. I’m not talking about the "dumbest user" - I’m talking about a regular person who is currently paid in dollars and understands how to use a debit card. What benefits does making money programmable provide that is not offset by this person having to take time out of their day to audit every transaction and understand how the code making up the transaction interacts with all of the systems it touches?
You got me. The tech is useless, it’s actually a giant fraud perpetrated by public traded corporations to steal our precious fluids. The miners are actually watt vampires. Numbers don’t actually exist, it was a trick invented by the ancients. Blockchains just convert pudding into breakfast. Enjoy meat juice day!
You don't have to be so defensive. Clearly there are issues with things like what happened here. It's like interacting with the website of your bank by sending assembler programs to transfer money. People won't be able to understand what it's doing.
Yeah. And to take it one level further, a language that lets you lock up / burn a coin in any fashion other than a very explicit Burn() command is equally reckless. The platform needs to provide guardrails for developers too.
Think of all the scams happening over TCP/IP every day! They built this thing where anyone can pretend to be a bank website? No checks or security? It's laughable. I'm in disbelief. And this is the web?
I never said I expect ethereum or web3 or whatever to be entirely scam free. I said that having the ability to send anyone any transaction and to their eyes have it look like any other sort of interaction they like unless they can read solidity and audit the code themselves is a very very large security hole.
This was an absolutely fascinating and chilling story.
The thing that struck me about it is the scam didn't work for a few reasons:
1. He typically had a practice of not using his main wallet for things like this.
2. He got wary and actually read the smart contracts.
This is a level of technical competence required that's going to mean most people have to offload this to a trusted intermediary. And then what's the point of all the decentralization ideology? Because we just re-invented banks.
> And then what's the point of all the decentralization ideology? Because we just re-invented banks.
There's nothing wrong with centralized services built on a decentralized network. Take a look at the web. Sure you can use a centralized service like facebook to make a facebook page, but if you want you can host your own website.
Sorry, but that's exactly what is wrong with the web, and what we strive to "fix" about it when we build decentralized alternatives to centralized infrastructure.
It is a systemic failure that most users must "fail over" to a centralized service to publish on the web.
The conceptual improvement enabled by blockchain is that the data layer is a neutral plane and this theoretically gives users portability. But, to say that centralization is fine because it has happened on the web and that was also fine is rationalizing a bad thing as good actually.
no it's not a bad thing at all. it's not a systemic failure, it's division of labor and people need to stop being willfully ignorant of economics. Lawyers are good at reading contracts, Facebook is good at running servers. Medium is good at publishing your things and getting you ad revenue.
sending http and json over the internet is just as neutral of a technology as the blockchain. the reason people build centralized services on top of it is that we're collectively better off by specializing.
As a writer you're better off writing your content full-time than running a server, becoming a smart contract expert, casual coder and server administrator. no technology on earth is going to change that fact and it's why people buy their bitcoin on coinbase and their nfts on opensea.
No-one is better off concentrating power in a centralized authority with the scale and (lack of) accountability of Facebook.
Specialization doesn't come into it, although it is worth observing: your comment presupposes that in order to benefit from specialization, one must subject themself to exploitation.
I'll be the first person to agree that there's plenty of wrong with Facebook, but many people are better off because they have access to platforms like Facebook even with their flaws. If you've ever seen online small business in a lot of developing countries, a significant amount of money they make is through online marketplaces.
they don't stay there because they are being exploited, it's because centralized platforms reach many customers and automate away a lot of the problems that you'd have if you had to set that infrastructure up yourself and pay for it.
If you're a creator you stay on Youtube because you get a sustainable income. They can do that because they're centralized. If you run your own peertube instance and pay more in server costs than you make in ads that isn't a solution.
And these simple economies of scale will always exist regardless whether your software runs on a server or a distributed blockchain vm.
To the extent that you are saying that specialized services can be built upon a generalized infrastructure and that people can benefit from that, I agree!
But, the commenter I take issue with said that it's good actually that we are just re-inventing banks on top of the blockchains, and the evidence that they offered is that it was good actually that we invented Facebook on top of the decentralized web.
Actually, Facebook is bad. It's not bad because it offers a service that people clearly need. I think we can all agree that an easy publishing on-ramp is great, and that it should exist. Facebook is bad because its creators use it as a tool for mass manipulation and exploitation of its users, and the web as we know it facilitates this through a combination of its flaws and missing features.
Facebook has created some useful services, but that doesn't mean we want to build Facebook again on a newly conceived network infrastructure. In web3 we see a latent opportunity to design new infrastructure that improves on the flaws and power imbalances of the previous one. But, if we seek only to re-invent the exploitative institutions of the past atop a new substrate, then frankly it's a waste of (most) people's time (I'm sure some VCs and early adopters have a lot riding on it, though).
The purpose of decentralization is solely censorship resistance. It has nothing to do with consumer protections, consumer education, or easier to check software.
Cash has pretty decent censorship resistance. It's when going digital that it gets difficult because you either need a centralized clearinghouse to prevent double spends (Visa, PayPal, etc) or a BFT consensus algorithm ("cryptocurrency").
In fact when discussing both privacy and censorship resistance I often cite cash as a target goal.
The amount. A real example is CNY, which is limited to 100 yuan notes, deliberately to make it hard to move large sums.
1000 USD bills exist but are very rare. 1000 euro note exists but I think that’s on the way out.
Your point that cash is censorship resistant is good, yes, and we need to make sure it remains so; however, the physical limitations are de facto censorship.
Technically, $500, $5000, and $10000 also exist in private collections. They were last printed in 1945, and stopped being issued in 1969. They're worth far more than their denomination to collectors, understandably.
Also, technically, $100k bills exist. They, however, were printed during the Great Depression and intended solely for transfers between federal reserve banks, and were never circulated. It's illegal to hold them privately, though there are some museums and things that have one.
How is it censorship? Moving large amounts of cash is impractical due to physical constraints, but is still possible. And there are legitimate concerns at play for those limitations.
Decentralization can't provide consumer protections regardless of what regulators do. The one thing it can do is resist censorship and things indistinguishable from censorship, like software failure.
"She tells me a bit about her metaverse project, Space Falcon. I'm not really sold on it, but I'm not really an NFT person so I didn't have any reason to think it was a bad idea either.[...] It seems kind of like a get-rich-quick scheme, but again, that's kind of how I see a lot of NFTs. With all that she's doing for Arrow, there's no harm in showing a little support."
The real takeaway from this is that it's dangerous to break your moral compass and sense of reality to the point where you think helping out people who are pushing an obviously fraudulent business, is ok and normal.
Yeah it's pretty ironic that a "legitimate" NFT venture and a project invented solely for social engineering are indistinguishable even for someone who presumably knows a lot about the crypto space.
Sure, NFTs and crypto in general may be get rich schemes at the core, but a lot of people do believe in them, so a charitable view would be that HE saw it as a scheme, but he thought that perhaps SHE believed in it.
And FWIW I'm not sure "fraudulent" is the right word. NFTs are not a fraud, you usually get what you pay for, a mediocre jpeg, and perhaps a really primitive game.
And to be fair, what are the odds his VTOL company will ever produce anything either?
I don't see it that way at all. The NFT vector is arbitrary. The point was to drain his accounts and nothing more. If a less suspicious method was available, I'm sure the scammers would have taken that one.
Is there any case of NFT that is not some combination of get-rich-quick scheme, Ponzi scheme, search for a bigger fool, FOMO-powered stupidity, extracting money from naive people or satire of NFT?
And NFT part adds anything substantial and is not replaceable by regular transfer (either transfer of money or BTC-like)?
It’s degrees of suspension of disbelief. Software is just tricking sand into to thinking.
I have no issue believing that an imaginary consensus stored ledger in thousands of computers all secured by massive amounts of energy and limited to 21M units over 100 years might be valuable.
The ability for people to copy this software idea? Not valuable. The ability for people to issue new tokens on existing chains? Not valuable. The ability for people to post and sell jpegs, Not valuable.
Only original ideas are scarce. It’s the first step vs the n-th step.
> I have no issue believing that an imaginary consensus stored ledger in thousands of computers all secured by massive amounts of energy and limited to 21M units over 100 years might be valuable.
It's not "secured" by energy. You can't convert a Bitcoin into the original amount of power required to produce it, which is the defining quality of a financial security.
It's more accurate to say that Bitcoin's value is retained by the ongoing commitment of power into the network. But that correctly suggests that the network collapses without a perpetual source of electricity, which is not the kind of positive connotation that I think you meant to supply.
It’s a little more nuanced. While there is some component of maintaining hashrate/energy, it’s best thought of as a point-in-time expenditure given the network size, participants and technology available. Once a block is minted at a given difficulty, it can never be undone (except with negligible probability), as a chain reorganization would need to put in more energy than that to undo it.
It’s a conversion, abstractly. Probabilistic finality at a given level of technological and economic resource exploitation.
The wonderful thing about economic value is that, for better or worse, we get to decide what has it. A large number of people have decided that Bitcoins have economic value, and it's not particularly salient to my arguments as to whether that's true or not.
The rest of what you've written doesn't really concern me, because all I was interested in was pointing out that Bitcoin doesn't securitize energy.
Okay. In what "literal" sense of the word is Bitcoin secured by electricity? The need for electricity seems to be Bitcoin's greatest practical liability, since the entire network depends on it.
I think that fits more into "ridiculous economic Chinese finger trap" than "security feature." It's similar to calling gold's physical weight a security feature, but at least there's a consistent and non-economic relationship between how much gold you have and how hard it is for someone to pick it up and walk away with it.
(It's also not immediately obvious that "more electricity" is needed to attack it, since a handful of extant larger pools could just conspire as-is.)
> Larger pools doing that would be subtracting energy from the honest side, and adding it to the dishonest side
Why would that be the case? It isn't necessarily zero-sum; the more realistic scenario is that the remaining honest participants ramp up their energy consumption in an attempt to prevent the attack.
But that's still only the most boring of the many, many latent threats to Bitcoin. Solar flares and electronic warfare strike me as more interesting.
To be fair, most human technology is vulnerable to these. The nice thing about a distributed ledger is that as long as one copy remains it can be bootstrapped back to full form. One Pi sitting in Africa could do it. Try that with your bank's SQL db backups, when all the tapes, disks and SSDs were erased in the solar storm.
“Technology” is the operative word. Cash works just fine.
Once again: the bar for cryptocurrencies to clear isn’t to be “as good as” traditional finance. They have to do better, given the additional middlemen and costs they shoulder on all of us.
You’ve failed to demonstrate that they clear that bar: a single surviving backup of a distributed ledger isn’t distributed in either the trust or failure senses, and is thus no better (and possibly worse!) than us trying to piece the world’s financial system back together from everybody’s paper receipts. Oh, and the whole “cash” thing continues to work.
I think SV libertarians saw the scam of world finance and thought, y’know what if we could get in on this too and then we would never have to innovate again.
I own one. All the blockchain domains are a dream come true for squatters and scammers. I'll take the oversight, stability, accountability, and mutability of ICANN and the current registry/registrar system every single time given the choice.
The registrars are obligated to prevent fraud and abuse. If they fail to do that job you can appeal directly to the registry. If the registry doesn't do anything you can appeal to ICANN.
All of them are within the scope of the legal system, so if you send a police report demonstrating fraud to a registrar or registry and they fail to act you have some recourse. If their inaction results in increased damages they've opened themselves to liability and you could sue them. The possibility alone is enough that everyone has published policies detailing how they deal with those situations. As long as you follow the rules you can get a domain taken away from a bad actor. It's not easy, but it's possible if someone is doing enough harm.
So yeah, you can host a scam on a normal ICANN domain. It's what happens afterwards that matters. In ICANN land you get one chance to run your scam because the victim can make an appeal to authority to have you shut down. In blockchain land it's tough luck for you.
As an example, this [1] looks like PayPal's wallet. What do they do about this [2] wallet which owns paypals.eth (alongside sqaree.eth, chasebanks.eth, etc.)? They have two choices AFAIK. The first is to pay whatever the owner demands for those domains. The second is to take the risk of the owner selling those domains to someone that wants to use them for phishing.
There are exactly two winners in the blockchain version; the domain squatter and a would be scammer. In the existing system a high value domain owner like PayPal will have an established procedure for dealing with bad actors that infringe on their trademark and dealing with typo squatting like that is probably as simple as sending a template they have to the corresponding registry.
The NFT part keeps track of who owns what domain. It would improve the situation by getting rid of the questionable organization running things presently. (See: the .org scandal)
Obviously the NFT would "keep track of", but you have to be more specific.
And changing the organisation is a completely separate question from which database technology they use. If you just switch from SQL to NFT the organisation will not suddenly become less corrupt, or whatever the issue with them is.
If you're asking for the implementation details, there's a group trying to do it right now. You should look them up if you're interested.
> If you just switch from SQL to NFT the organisation will not suddenly become less corrupt, or whatever the issue with them is.
It's true that it won't make the managing organization less corrupt - it will make them nonexistent. That's the idea behind decentralized decision-making. The people running the database don't have to have the power to change it or bend the rules: that's what this whole crypto thing is about.
How would you be able to get rid of the organisation? So many people talk about various crypto use cases but they can almost never explain how it would work.
From land deeds to insurance to domain registration to in game assets etc etc, people have all these wonderful ideas. It would be interesting to one day have at least one of these ideas explained.
It's literally whoever owns the keys listed as the registrant owns the domain. If you lose your keys you lose your domain. You have no recourse if someone squats on your domain, uses a lookalike domain for phishing, steals your domain, etc.. And for the privilege of having a judgement proof blockchain with no oversight you get to buy your domain from an early adopter that's squatting (investing) and you get to pay fees every time you blink.
All the crypto bros printed (mined) a bunch of monopoly money (coins), invented assets (NFTs), bought (allocated to themselves) all the assets (NFTs) using their monopoly money (coins), and want us to buy into these crappy systems with real money so they can sell us the assets (NFTs) while still being the landlords (transaction processors) that charge us rent (fees) on everything forever.
> It's literally whoever owns the keys listed as the registrant owns the domain.
Sure, but even so, how is this implemented? Presumably some organisation needs to uphold this connection. Simply "owning" a domain, in the sense that you "own" an NFT, is not very helpful, you need some kind of actual control over it. Presumably a server is needed to forward the domain to your IP, and someone needs to run that server, right?
There is a smart contract that supports features like domain name resolution and transfers. The data and code needed to resolve the domain to your IP would live on the blockchain, so effectively every node in the network is hosting it. The smart contract could be totally immutable; nobody would have special permissions.
The resolution would work by executing some "lookup" smart contract function on a node (you could run your own local node for lookups, or use a public node similar to hitting your ISP's or Google's DNS server).
None of this is really cutting edge, it has been possible for a long time now.
We all understand the first part. Storing information on the blockchain, that's easy. But where almost all use cases fall down is in interfacing with the real world.
In this case it sounds like that is solved though. I know very little about the structure of the internet, but it seems you are saying that instead of asking a DNS server, every computer would ask the blockchain to resolve the domain name, correct? But wouldn't that require every single device that connects to the internet to "update its firmware" or something? Or could this decentralised DNS somehow emulate the old fashioned kind?
Right exactly. I think from the perspective of devices (say your laptop) it looks pretty similar to the current system. You give it the IP address of a "DNS server", but now it's hitting an Ethereum node who is doing the DNS lookup. There is danger there that the node could lie about the state of the blockchain, so it does need to be trusted. The paranoid can always run their own node and be 100% sure.
I do think you could expose the same interface as traditional DNS but backed by the registrations in the blockchain. There are browsers that will resolve Ethereum Name Service domains today, but I'm not sure how that's implemented (probably lookups on a public ETH node).
The important improvements IMO are on the registration, transfer, renting of the names rather than the lookup side which doesn't look dramatically different except that other code running on the blockchain could do the lookups too.
My domain is secured by the ministry of telecommunications of my local government. To transfer ownership of my domain requires a hard copy of a random code snail-mailed to me by the ministry. It's literally tied to my legal citizenship. That's the opposite of "questionable."
That has some obvious downsides. It probably doesn't matter for you personally but being able to take someone's domain away for political reasons isn't ideal.
Ownership as a concept is backed and secured by law (and enforcement), an inherently political system in democracy. It's the most ideal system successfully practised around the world today.
The next best thing is securing one's property by practicing personal violence, and as I've no interest in shooting anyone for mere robbery, I'll take political ownership any day of the week.
If my very countrymen (and women) collectively decide I can't have my domain, then so be it. The obvious upside is that while they do uphold my ownership, it's as secure as any of my earthly possessions. Stealing my domain amounts to stealing my mail, which is a crime.
Not everyone in the world has access to a government that will uphold their ownership in a just way. Like I said, this likely isn't valuable for you personally; you are not looking past your specific situation.
We're talking about domain name registration right? No reason why it would need to be more expensive than the current system. The argument is that ownership is upheld in a totally programmatic way. Just is a value judgement, not sure about that. It depends on what you value. Available globally yes.
What's "totally programmatic"? Is that where programmers never make mistakes, protocols never have bugs, users always remember their secret keys, read and understand the code they're running, on the computer they wholly own and trust, with perfectly functioning hardware? And somehow resistant against the $5 wrench attack and state-level seizure?
Protocols have bugs, yep. Audited and battle tested protocols, less often though. For example, there are hacks every day where people exploit smart contract bugs, yet there are contracts securing billions of dollars that have not been hacked. Both can be true at once. Something like this wouldn't be widely used without lots of iterations to iron out issues like that.
$5 wrench attack is easily thwarted by splitting ownership across multiple geographically separated people, easily doable by giving control of the domain name to a shared contract. This would require lawyers in the current system!
ens.domains just sounds like selling plots on the Moon, or names of distant stars. It only matters to those who buy in. Current system domains are cheap and work fine for most people. If your local government is oppressive and won't let you own a domain, you can't really solve that political problem technologically.
My understanding of smart contracts is that it's like a distributed virtual machine of consensus. A single program that runs on all the networked computers, all executing the same set of functions on the same set of data producing the same result. But it's slow and expensive, because it's "trustless", and it turns out that trust is very valuable and embedded in our traditional methods, and people get scammed left and right because they think trustless means they don't need to trust, but that's a lie.
I think parent commenter might feel the same way I do, which is that when I read him say "eh, a scam but she's helping us, no harm in me voicing support" my sympathy for him diminished significantly.
If you don't know much about NFTs but think they're kinda scammy, maybe you shouldn't default to "support / lend your reputation to them."
To restate what the Twitter user was saying: "It seemed like this was a get-rich-quick scheme, but this person could be useful to my goals, so I decided to overlook that"
I guess you can argue that get-rich-quick does not necessarily imply scam, but it certainly reflects poorly on a person to ignore their doubts because the source of the doubts is useful. It's not a unique problem to NFTs; it's a similar problem that a founder might face when, say, entertaining an acquisition by Meta.
So I don't know anything about crypto, but stories like this make me think that crypto can never become mainstream. I have been programming since 1970; I worked for major computer companies; I was a computer science professor; I have apps on the App Store. In spite of all of this, I have not the foggiest idea, even after reading the thread, how someone who offers to give me something can use the gift to steal from me. Surely this says that the world at least of ETH (whatever that is) is really really broken!
According to this talk about NFTs, an NFT can contain code and the execution of that code can be triggered to do unsafe things.
At 1:22:50:
> Smart contracts are just code, they're software, there's no reason they can't be viruses or worms, the primary limitation is processing power. But, also, it's a virus that someone can drop directly into your bankless bank account and just wait for you to activate it. And, yeah, that's right, there's no offer/confirmation step in sending tokens back and forth, someone who knows your wallet can just drop stuff right into it, so, like, pin that somewhere in your brain.
FWIW it doesn't seem that's what happened in this case. It seems the NFT was just part of the attacker's ruse, where they told a story about some NFT staking dapp they launched. Then the malicious dapp asked for permission to transfer the victim's aWETH tokens. This is just part of the ERC-20 API, unrelated to NFTs.
While it's true that NFTs can be sent without permission and can contain code, users normally invoke contracts via (hopefully trusted) dapp websites, such as app.uniswap.org. Invoking code from an NFT I found in my wallet is possible, but not part of any normal/legitimate workflow that I'm aware of.
I don't think the NFT is very important here; basically the scammer's website asked the victim's wallet to sign a message, using the private key that holds their ETH.
It looks like the message in this case would have given the attacker permission to transfer the victim's aWETH, which represents ETH that has been deposited into an Aave lending pool. These transfer permissions are something all ERC-20 tokens support.
Typically users will only sign messages sent from trusted websites, just as they would only install software from trusted sources. Or they can sign a questionable message from a separate wallet which doesn't hold much value, as the victim did here.
Granted, this isn't a great situation. It can be hard to know which websites to trust, and even trusted websites can be hacked and then send malicious messages to unsuspecting users.
Basically it was the smart contract[1] that came with the NFT where the victim is essentially executing foreign code that gets granted access to their digital wallet. That's the reason the scammers were so insistent that he did it on his main wallet (i.e. where the funds were).
[1] Think of these as being similar to Word or Excel macros embedded in a document... nothing bad ever happened with them, did it? ;-)
It wasn't just giving something. The NFT was given, but this in itself does nothing. The victim was then asked to stake that NFT. To stake an NFT, the smart contract that does the staking needs access to your wallet. This too is normal. Except that the permission prompt asked for approval on another smart contract by means of a misleading name.
There's nothing broken here. A smart contract is just a piece of code that moves money. You'd better be sure about what it's doing before you allow it to run. There are blue-chip smart contracts that are proven and thoroughly audited, but for anything else you need to read the code. Same as reading a contract before you sign it.
This kind of thing always reminds me of one of those articles that used to pop up from time to time about some massive coup in EVE Online. I wouldn't have any idea what they were talking about or why it was showing up on my radar, and moreover, it would be clear that the money, time, and energy required to begin to have even a neophyte's understanding would not be worthwhile.
I'm still not convinced that Ethereum isn't just a strange RPG that people who don't really want to play are accidentally getting involved in.
> but stories like this make me think that crypto can never become mainstream.
We had illegal p2p sharing where you could download a virus from bad people and then Jobs came along and made iTunes which set the standard for streaming. I am sure someone will come along in the crypto space and make crypto easy for the rest of us.
People wanted easy access to music; iTunes provided that service.
Right now the world of crypto is confusing to the average guy, so hopefully in the future someone will create a good UX and the underlying protocol for instant decentralised payments.
> Right now the world of crypto is confusing to the average guy, so hopefully in the future someone will create a good UX and the underlying protocol for instant decentralised payments.
So... Napster and LimeWire?
You can't break cryptocurrency's weakness for this kind of adoption without dropping decentralization. Same conclusion that iTunes came to. People wanted downloadable music, not a specific implementation detail about how that music is delivered.
The subtleties of crypto are inscrutably intricate, but for simple transfer between two parties, Coinbase exists and its UX is easy enough. Of course, it's the opposite of decentralized, which defeats the point.
And how are you going to pay when the bank closes your account because you broke their terms and conditions? That is where you need decentralized payments.
Note: dude has $123M in Aave wrapped Ethereum that he almost granted a scammer access to.
Scammers ripping off scammers.
Why would you waste time with open-source aircraft? Aircraft are a regulated thing. Nobody wants to fly in your science project. Put some of that 123 million into starting an actual company. DAOs are bullshit.
The aircraft and/or taxi service might be legit but all the crypto around it is useless complexity at best or a complete scam at worst.
If you legitimately wanted to develop an aircraft taxi service, you do not need to involve crypto in any way. Even if you wanted to accept it for payments it's an auxiliary component that merely accounts for it and converts to fiat at some point.
The DAO or whatever crypto bullshit is intertwined with it is absolutely a scam.
"legit persons" are always materializing out of thin air with $100m+ and a "legit project" that is just a content-free web page. I will definitely be surprised when "thomasg.eth" uses this publicity to generate interest in his "legit project" and then rugpulls
Did you take a look at arrowair.com? Everything about that screams "art project". None of it makes sense. There are extreme engineering, economic, and legal challenges to doing half of what they are proposing, so the first thing they are investing in is their crypto projects? Because crypto crypto future future?
I don't necessarily think the author is a scammer, but the whole project is the equivalent of "I'm going to launch a rocket to the moon" and then the first thing you do is open a nice website and launch a new token.
He didn't grant them access on his main wallet which holds the amount you describe, he granted them access on a different wallet that didn't hold those assets. Thus "nearly" in the title.
I had never heard of DAOs before this and am struggling to wrap my head around it. It seems similar to any other venture with shareholders, except the shareholders need to reach consensus for any sort of financial transaction. Is that right?
So the DAO is blocking this guy with $100M sitting around from just hiring an actual designer for his air taxi project?
Banks in my country don't have a reasonable API. There is CODA, but it's restricted to business accounts too ( and you have to pay for it).
Additionally, accountants make a huge part of the workforce. So I don't think it will be possible in the short term to "replace them" by traditional means.
I still fail to understand how the smart contract metaphor of "here is some obfuscated code from a third party, please give it access to all your money, kthx" has managed to survive at all. I mean, really, no one saw this coming?
It's just the Trust Problem all over again. Decentralized reliance on automatic software still requires trust that the authors of the software won't scam you. It all comes down to trust. And I trust banks, mostly. Who in their right mind trusts contracts someone sends you on Discord? And yet...
> Who in their right mind trusts contracts someone sends you on Discord?
Exactly. That's where the gullibility is really visible... This is basically a steroid version of "I am Nigerian royalty and I need you to give me money" emails. Your first instinct should always be skepticism.
Totally agree. I heard recently discussion of putting deeds to homes on the blockchain, but having recently purchased my first home, I am 1000% okay with the paperwork and oversight and honestly friction that goes into it. The amount of regulation seems to make it very difficult to get totally ripped off, which is great since so much of the process was so opaque to me.
> Who in their right mind trusts contracts someone sends you on Discord?
No one.
> It's just the Trust Problem all over again. Decentralized reliance on automatic software still requires trust that the authors of the software won't scam you. It all comes down to trust.
It does, but you get to decide who you trust rather than being forced to trust one of a small number of large institutions. If you want, you can delegate your trust to a third party who will be responsible for vetting anything you interact with.
You can also choose to trust yourself or other members of your community.
This person shouldn’t trust themselves since they are too willing to go along with people who say positive things about them.
And if you trust the wrong people? Per the linked twitter thread, the author trusted the scammers! They only avoided the scam because they were competent to read the contract code for themselves. Is that the standard you want applied to all transactions? Does that seem likely to lead to good outcomes?
Yeah it isn’t trusting people so much as trusting code written by people. Generally something you want to do only very carefully and when you have no other choice. Or have some proper centralized framework of safety engineering to make mistakes harder.
To be honest I don't really trust banks to value my economic well-being, so I have almost all my money in a credit union. But as a software engineer I really don't see how you can trust code; even stuff developed under NASA-style care has bugs. Especially where the framework isn't doing any rate limiting or safety checks.
I don't trust them. Just last week, GoFundMe rugged a bunch of funds sent for a legitimate political protest. They can snap their fingers and freeze your funds and hold it indefinitely, without a warrant.
I admit that the Approval UX for wallets and tokens needs to be improved. Unlimited spend approvals should always be flagged in the UX. And approvals should be atomic (single transaction only, with a clearly listed cap, by default). There are some EIP proposals addressing this, but they will be a ways off from standardization.
A private company intervened in the sending of money between private individuals. You can arbitrate that all you want, but it doesn't change the fact that they shouldn't have that power in the first place. GoFundMe is not politically neutral.
These scammers went to impressive lengths. They say that often the secret of a magic trick is to put in far more prep work than anyone thinks is reasonable. Con games work the same way. In this case, the effort is worth it since the target has something like $175 million in a wallet. The payoff is massive.
Worth noting, though, that for all the fancy footwork the point of failure for the scam is him being willing to work with his main wallet rather than a one-off, and when he showed hesitation, they got too impatient. Good security practices were still the answer.
> when he showed hesitation, they got too impatient.
This seems to be the common factor among scams, cons, and social engineering strategies. Rushing people will have them bypass protocol, training, and security practices. It's a universal "hack" for our brains; we do things we otherwise wouldn't when rushed. Security practices are like rituals, standards of behavior that we just don't have time for right now.
"The funds are only available for the next hour"; "You will be prosecuted if you don't do X"; "Per the CFO, we need to spend these funds before end of day."
I do wonder if they were more patient and said to themselves “let’s build more trust over the next three months” if they would’ve been able to get him to use his main wallet?
Great story though. I never realized these smart contracts could be so obtuse and malicious. That needs to be fixed.
Yes - they could've just kept churning out more NFTs for him to "stake" and catch him off-guard when he used his main wallet by accident or maybe even give him legitimate returns (that they bankroll) to convince him to use his main wallet intentionally to get higher returns.
The lengths they went through were mind-boggling to me until he mentioned he has 9 figures sitting in a public wallet. Then it made a lot of sense. At first I thought he had maybe a few hundred thousand, partly because he was happy to accept the free help from a stranger.
It's still pretty impressive how competently these scammers were able to discuss and deliver the VTOL work, the Space Falcon game, and entrepreneurial strategy.
A good rule of thumb is if somebody you've just met introduces you to someone with an exciting new NFT project that they want your help testing, you're probably being scammed.
While NFTs probably have some useful purpose that will emerge eventually, for now you should consider any proposal or offer that involves the term 'NFT' as having about the same value as any offer involving the term 'Nigerian prince'.
Well, yes and no. They are clearly all-in on crypto (and who wouldn't be, if I made 100 million on tulip bulbs I'd probably be all-in on tulips, too) but they do state in the featured thread that they "aren't really an NFT guy".
Certainly not a great look to have >$100 million in an asset sitting in a single account of any form, though.
> The aWETH that I approved was not Armstrong ETH, but rather Aave's aWETH. On my main address, almost all of my ETH is sitting in Aave...
Just one example, but this entire thread is Greek to me. What the hell is “staking an NFT”? I am feeling so left behind by this crypto nonsense. Is this what getting old is like? (I’m not yet old)
My really basic understanding after reading very slowly is he got some crypto asset from the scammer, and he needed to approve lending it out to get some sort of crypto interest on it. But approving the "lend X out" action apparently looks exactly the same as the "give Y away" action if you don't look closely at the contract.
Maybe it's just ignorance, but the whole system seems like a mess to me.
In the same way as if you lend cash to someone, you have to read the contract you're both signing attesting to the fact they owe you that amount, or they can just disappear with the cash.
"Staking" was definitely not invented by this protocol as a term, and is not really related to the consensus protocol, barring the fact that you lock up ("stake") some underlying token in a smart contract. Various protocols offer staking as a way to lock funds, which might distribute a pre-existing token allocation to the people staking as a form of interest. This could be done for a myriad of reasons, like getting a governance token in exchange, or in order to limit the liquidity/dumping of new tokens. I can't say that I was too well versed on what has been happening in the DeFi space in the last year, but it's definitely not a new term.
Generalizing, anytime someone is giving you a “gift” but is putting expectations on how you receive it (in this case the wallet destination) that should be a huge red flag.
Most people who invite me over for a sandwich would be insulted if I entered their house, took the sandwich they made me and left. In fact, I probably would never get invited over again.
True, but if they invited you in and told you you had to go stand on a very specific place in the room, facing a certain direction, and to only start eating when they said so, that would be very suspicious and likely result in you opting out.
Do you trust your doctor with your medical history?
Do you trust your pizza delivery guy to deliver you pizzas that aren't poisoned?
Being skeptical is sometimes a good idea, like when it comes to "online research" or "alternative medicine". But having zero trust in even the most basic human interactions sounds like hell.
Unsolicited pizza, no trust. No keys for neighbors.. no way.
I don’t trust most Doctors either, and you probably can’t trust any medicinal organization with keeping records confidential, plenty of examples of breach of that trust.
The number of people who'd do something like this is miniscule. Human society is built on trust for a good reason. We know that rules are imperfect and trust our fellow humans to do the right thing. They don't always but most of the time, the average person will.
Who is we? I don’t trust my fellow humans to do the right thing. Average don’t matter, what matters is, are you offering me a sandwich? Is it poisonous? Would you tell me if it was?
Location and culture plays a factor. If the average stranger in New York City or Miami, Florida offered me a free sandwich, I would be skeptical. If I were visiting a small town that wasn't known for a negative reputation, I wouldn't automatically decline or be as skeptical when offered a sandwich.
I don't understand why in the world Thomas wouldn't directly communicate via phone and video chat to any of these people first before doing serious business and potentially traveling across the country for random anonymous folks on Discord.
Social engineering is so much easier when you engage in faceless, voiceless communication. This could've been shut down so much more easily if they put a real human being to match the messages. When things actually matter, I need more than just a Discord avatar and a handle to identify someone.
But what are you checking with a call? That just seems like creating a false sense of security since there is virtually no additional “useful” information that is being sent over the audio channel above and beyond what is in text.
I'm checking to see if this Linh Nguyen that some random Discord user referenced me is the Linh in front of me on Zoom. A phone call isn't ideal, but it's still better than nothing. At the very least, there's one more identifying factor though that may help with spotting any scams, but yes, it can be false sense of security if you rely purely on it.
If I'm John Doe and I made some merge requests to your open source project for a couple of weeks, is that alone really enough to potentially meet me in some city far from yours? That's essentially what the author was prepared to do.
Scammers have plenty of time to practice compared to the average person, and the face to face nature can make people more susceptible due to a false sense of trust / thinking that they can judge character over video.
OTOH it'll probably be harder for non-native English speakers to pull off a phone/video call considering that a lot of amateur scammers have telltale bad grammar even over text
"Discord" by itself is a pretty big red flag to be honest. I would personally not engage in any business or industry where that is the main communications platform.
This highlights how scary it is to interface your savings with these “smart contracts”. Most people have no way to know what they’re actually going to do; the tiny slice of people capable of investigating can hardly remain vigilant at all times. Like, if you ask me to log into something with my bank account, all alarm bells would go off; if you ask me to stake this, approve that with my eth wallet, well, just another weird smart contract thing, right?
This kind of scam just wouldn't work on BTC. You're passing tokens around. At fanciest you're time-locking wallets or using M of N signatures. You're not like, installing arbitrary code in your bank account.
I find ETH very technically interesting but it feels like it's full of sentient foot-guns.
Scammers ripping each other off on Discord. Today it's apes, next week it will be houses. I can't believe they can convince people to lend liquidity to bridges, myself.
My fear is it just becomes another side show. Ethereum is going to become ebay. Yeah you can trade rare coins but it’s mostly just trash changing hands and clogging up the mail system.
We should make it blatantly clear and public that we will not be bailing out banks, pension funds etc. that will inevitably get burned on some crypto scam.
I would rather make it clear that the cryptoeconomy will not bail out fiat currencies when they fail. The first government to get a fat stack of Bitcoin probably wins. Game theory intensifies.
Someone else already commented on this, but doesn't _everybody_ just realize that this is way too complicated and error prone? Signing a token (whatever that means, I never saw so much nonsensical jargon in my life) gives a random person possible access over _all_ of your money??!! And this _by design_ can't be audited by a central authority that guarantees against scams.
If I had to read the source code of all my wire transfers, I'd probably just barter my services for some milk and bread, it definitely seems smarter.
Imagine Bill Gates stored all his money in cash in a room in his house.
That's probably more secure than crypto, where click of a button can siphon it all away. At least with physical money you have to be able to carry it, and physically present to steal.
I'm sure there are strategies like using multiple wallets etc, but overall it will never be mainstream if you put the onus of security on the individual. Literally just typo-ing an address can disappear all of your money.
A couple of things shook me about this. Firstly, I guess, is the amount that was up for stealing: 100M just "sitting there" seems crazy. How many other multi-multi-millionaires have their wealth just sitting in one bank account?
Second, scam is the wrong word. A confidence scam originally meant the mark had to bring a suitcase of cash to give confidence to the scammers that he had the means to join their get-rich scheme, and of course he would walk away with a suitcase of old newspapers.
But this is almost a new kind of crime: he did not present or move his money, he did not give away any keys. It is the very mechanism of money transmission that is the issue.
SWIFT is rarely seen as part of crimes, but crypto is pointing towards a new world. Imagine "permissioned blockchains", i.e. Bank of England coins; this would still be a real viable scam. Proving you did not mean for people to take your 100M and rapidly move it would be a slow process. Stop orders would be a commonplace activity, potentially holding up long chains of transactions.
Even without permission-less crypto the move to a digital native currency is a long process
By virtue of converting the ETH to AAVE wrapped ETH, they're earning interest by loaning out the underlying ETH. Who is taking out loans and paying interest for ETH I have no idea.
Plus, even without the AAVE wETH, they expect ETHs value to accrue faster than any other asset, so there's no cost to letting the money just sit, as opposed to your USD in savings depreciating over time.
The onlyOwner modifier means the contract creator can call this function and transfer all the funds from the victim's wallet (if they have previously approved).
tokenToBeApproved is a variable declared in the contract. It will be pointing at the aWETH contract, which is the claim token for ETH on Aave, a money market.
Until it's in a bank, he doesn't have $100m. Not that it wouldn't have sucked to lose his potential millions but they are hypothetical value right now.
I'd have diversified. Some cash, some ETF, some property. A lot of tax, now or in the future. I wouldn't complain about the tax, even after there's enough for a lifetime. (And yes I know both property and ETF can decline in value, but here's the thing: when you see their book value it's a damn sight more real)
Remember, unless I am very mistaken he didn't put $80m of real money in to secure an amazing 20% ROI, which out in your real world would be normally exciting. So the net effect of fees, gas, AML, tax, even taking 50%, makes him as rich as Croesus compared to most people for very low initial input.
Do we know what real world $ went in to bootstrap?
(I know this story is mostly about the social engineering, which is of course the real problem)
Some friends and acquaintances keep bugging me that I should get into crypto... but I would be too scared of losing it all in one day, be it to a scam, sending to a non-existent address, losing my hardware wallet etc.
Tbh I would feel safer having 10k in cash (at home at least) than in crypto. At least the attack vectors (fire, burglary) are known and tangible.
Imagine founding a startup, working your ass off living off ramen for a few years, every day worrying that it all might be for naught, and then through a combination of skill, determination and luck you do make it and your startup is worth a few millions... and then suddenly you make a small mistake and lose all your shares!
Since NFTs are subject to heavy criticism of their existence, a lot of people are developing extra things you actually can do with them. The market is interested in that being done right, so it's interesting to be a part of projects that are trying. This extra thing required Thomas sending the NFT to another service they developed. Smart contracts in Ethereum Virtual Machine environments (EVMs) have to be primed to recognize an asset. So there is something called an Approval. When Thomas interacted with this contract it did the approval for the NFT, and also an approval for aWETH, a token associated with that project.
aWETH is the ticker symbol for a token that project created called Armstrong ETH. The namespace for ticker symbols has many collisions as there are many tokens. So people aren't too worried about that, a token's ID is its contract address which does not have collisions.
In this case, this was the actual phishing attempt.
Their project did indeed use a token called Armstrong ETH, but their approval was for aWETH which is Aave Eth, an asset collateralized by liquid valuable actual Ether. It is also redeemable for actual Ether.
So if Thomas approved the use of their project from his main account, the hacker would have been able to use another function written in their smart contract that leveraged the approval of aWETH (the Aave Eth) to take it all away from Thomas. He has $100m of that.
> a lot of people are developing extra things you actually can do with them
To be clear, the "thing" in this instance is NFT staking: a ponzi upon a ponzi where you buy an NFT and then lend it to a platform, which pays you fees. Platforms can advertise ridiculous yields (200% APY) because deposits go right out the door again as fees to people higher up in the pyramid.
He had $130 million wrapped up in an ERC20 token called Aave wETH (aWETH). ERC20 tokens let you approve another address to spend those tokens on your behalf. Basically, the scammers tried to trick him into approving all of his Aave wETH by creating a fake website designed to make him think that he's approving a different token with the same aWETH symbol.
They're basically receipts for putting money into a lending pool. In this case he's lending about $130 million, on which he's earning interest, and can get his money back by redeeming those tokens.
My apologies for being so ignorant on crypto lending, but I'm not even sure where I'd look up the details of how this system works.
When Thomas puts that money into the lending pool, what happens if the borrower defaults? Did the borrower put up some non-liquid collateral? Did someone do a background/credit check? Who takes the loss, is it split across the pool?
I understand how traditional bank loans work, I'm a little lost how much risk is being taken by the loan issuer here.
Aave's documentation [1] is pretty good if you're interested in doing a deeper dive. But yeah, it's a collateralized loan where the borrower stakes some ETH.
So the idea is that I can take $100 worth of ETH and put that up as collateral for a $75 loan. And if the value of my collateral drops due to the ETH<>USD exchange rate I have to stake more collateral. If I don't (or if the exchange rate moves below a certain point) then my collateral is automatically liquidated at a discount. So in this case, if the value of my collateral falls to $80 the contract will put it up for sale at $75 -- this creates an arbitrage opportunity, so the liquidation will likely happen very quickly.
There are other lending protocols where you can stake other assets (NFTs, other tokens, etc.), but this is my understanding of how Aave works.
Someone comes to you and says "I'll give you X Euro if you let me hold onto your Y Dollars until you give me X Euro back."
You think, well Euro are useful, maybe you need Euro specifically to invest in an European business. So you agree.
But when you review the contract presented it just says you give Y Dollars, so you go "wtf?" and refuse to sign.
Apparently, some people are dumb enough to hand over their cash without reading the contract, and an entire industry exists to fool people into doing so.
He has around $130mm of a token called aWETH, which stands for Aave Wrapped ETH and means he has that much ETH deposited into the Aave app. The attacker tried to trick him into giving their contract control over his aWETH under the guise of it being a different, useless token that they were just trying out.
If he approved their contract to be allowed to control his aWETH they'd take it all.
Imagine if every person you interact with could "be their own bank", and define the logic between your transactions. It's fully transparent, so you can audit it as much as you want to - but still, that's the amount of headache you'd have to deal with to fully trust the other party.
There are lots of upsides to this, but there's no shame in saying: No, I'd rather not. I'll keep trusting the trust-based system I've been using since forever.
If I understand the gist of the comments so far, he's sitting on 100 million US dollars, and is hoping to build some crypto-enhanced flying cars using free labour from volunteers he found on Discord?
> I'm the founder of Arrow, a DAO working to build open-source VTOL aircraft and air taxi protocol.
I don't understand why a startup working on aircraft design is linked to crypto at all. If you have $100M in ETH, the first thing to do is to convert it to USD and put it in a bank, preferably a large one. Then use the money to run your startup. Why would you keep your money in a crypto wallet? Why would you model your startup as a DAO?
If you don't remember which smart contracts you have given permission for which coins, you can check on DeBank. And you can also cancel them one by one.
It is not possible for humans to use Ethereum without interacting with a proxy. Front ends can always be compromised. When interacting with smart contracts, approving spending is the most important interaction to be careful about.
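The approval mechanic the comments above describe (a contract that can sweep whatever a wallet has approved, the aWETH ticker collision, and reviewing and revoking allowances on DeBank), as an added Python model that is not code from the thread or from Aave, DeBank or the scam contract; the addresses, balances and allowlist are constructed for the example.

```python
"""Added example: a small model of the ERC-20 allowance mechanic and the checks
a wallet review should run before signing an approval. Every address, symbol
and balance below is constructed; the only real-world fact reused is that a
token is identified by its contract address, not by its ticker symbol."""
from dataclasses import dataclass, field

UNLIMITED = 2**256 - 1  # max uint256; wallets display this as "unlimited"


@dataclass
class ERC20:
    """Minimal token ledger: balances plus (owner, spender) -> allowance."""
    symbol: str
    address: str
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # ERC-20 approve(): lets `spender` move up to `amount` of owner's tokens.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> bool:
        # ERC-20 transferFrom(): succeeds only within the granted allowance.
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            return False
        if allowed != UNLIMITED:  # an unlimited allowance is never drawn down
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def review_approval(token: ERC20, spender: str, amount: int,
                    expected_address: str, trusted_spenders: set) -> list:
    """Flags the three things that went wrong in the thread: the token's contract
    address differs from the project's own token (the ticker can collide), the
    amount is unlimited, and the spender is a contract the user has not vetted."""
    findings = []
    if token.address.lower() != expected_address.lower():
        findings.append(f"token mismatch: {token.symbol} at {token.address}, "
                        f"expected {expected_address}")
    if amount == UNLIMITED:
        findings.append("unlimited allowance requested")
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender} not on your allowlist")
    return findings


def revoke(token: ERC20, owner: str, spender: str) -> None:
    """Revocation is simply approve(spender, 0); DeBank-style tools submit this for you."""
    token.approve(owner, spender, 0)


def scenario() -> dict:
    """Run the scam twice on constructed values: once with the approval signed
    blindly, once with the approval reviewed and revoked before the sweep."""
    real_token_addr = "0xA0A0" + "0" * 36      # constructed: the Aave claim token
    project_token_addr = "0xA1A1" + "0" * 36   # constructed: the project's "Armstrong ETH"
    staking = "0xBAD0" + "0" * 36              # constructed: the scam staking contract
    unreviewed = ERC20("aWETH", real_token_addr, {"wallet": 1_000})
    unreviewed.approve("wallet", staking, UNLIMITED)   # what clicking "approve" granted
    drained = unreviewed.transfer_from(staking, "wallet", "sweeper", 1_000)
    reviewed = ERC20("aWETH", real_token_addr, {"wallet": 1_000})
    reviewed.approve("wallet", staking, UNLIMITED)
    findings = review_approval(reviewed, staking, UNLIMITED, project_token_addr, set())
    if findings:                                        # anything flagged: revoke immediately
        revoke(reviewed, "wallet", staking)
    blocked = not reviewed.transfer_from(staking, "wallet", "sweeper", 1_000)
    return {"unreviewed_drained": drained, "findings": findings,
            "reviewed_blocked": blocked, "balance_kept": reviewed.balances["wallet"]}
```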
Not really, it seems like the usual being extra flattering to earn favours (or worse). The first two messages would have raised several red flags with me.
> He's currently working at Ubisoft and offers to help with 3D design and animation
Like if I worked for Ubisoft I'd have time to do 3D design for free for some other company.
> Like if I worked for Ubisoft I'd have time to do 3D design for free for some other company.
Why is that so hard to believe? It's like suggesting that no professional software engineer would ever contribute code for free to an open source project in their free time. My basic assumption if somebody sends a patch to an open source project is not that I'm being socially engineered -- it is that they're either using the software or interested in the domain.
The social aspects of the crypto community are very interesting. The "WAGMI" mindset encourages a kind of freewheeling magnanimity where strangers will offer to help people get involved, give away free coin, bail out people who got scammed, etc.
No doubt this is often genuine goodwill, but it's also an effective technique for recruitment (it's longstanding practice for evangelical religions and MLMs), and it creates a situation where a lot of self-interested people looking to get rich quick are mingling in an environment where it's perfectly common to make generous offers with no expectation of return.
It's like going to a tech meetup where there are a lot of people working on startups, and who might buy a few rounds at the bar afterwards in exchange for maybe attracting an interested investor or cofounder, but where there's a chance that drinking a seemingly normal beer might give them access to your bank account.
How much of his ETH was at stake here?? Why did they go through so much effort to target him in the hope that he would 1. have a large sum of coins 2. be foolish enough to reveal said account?
I love that he wasted 2 weeks of these scumbags and exposed them. I hope they can trace their email address and nab the real people.
When it comes to crypto, 95% of the projects are by people who do not understand it themselves and were sold on it by someone whose sole purpose is to broaden crypto's financial reach and who worked tirelessly to make sure it's obscure/redundant enough that you don't understand it unless you're a developer attempting to implement it or seriously skilled at due diligence. They ran their whitepaper through their advisors to ensure it was clear yet didn't give anything away in terms of how it worked or how the authors get their kickbacks.
Financial privacy is a must-have, not a nice-to-have feature. Financial privacy does not prevent one from being able to pay taxes. But it definitely prevents this type of attack.
Please don't post this sort of generic flamebait to HN. It leads to repetitive, predictable, and ultimately nasty threads. And of all the classic flamewar topics this one is probably the most predictable—just what this site is not supposed to be for (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...).
How much purchasing power does that afford? If he wanted to buy an island, pay for it to have infrastructure added, and then also hire security and business payroll, could he actually exchange the Eth to the applicable currencies? I know the numbers line up, but is that amount of liquidity in the system?
Breaking news: "off-ramps" to centralized currencies are centralized.
It's not difficult if the source of your cryptocurrencies is legitimate, while difficult if you have a hard time explaining how it's legitimate. I think the system works as intended.
I'm confused then, are you in support of cryptocurrency? Because what you're describing (the "system") sounds an awful lot like reinventing banks from first principles but much less efficiently. If that is how it's intended to function then why are we bothering with this at all?
And aside from KYC issues, another recently posted article pointed out that when a single individual tried to unload around 1500 BTC (0.03% of the coins in circulation at the time) it caused a liquidity crisis that crashed the market by 20%.[1]
In this case the individual in the Twitter thread has an amount of ETH of that magnitude.
Basically because crypto is performing the job of a speculative asset it results in the liquidity issues that you would see in things like company stock.
[1]: https://blog.dshr.org/2022/02/ee380-talk.html?m=1 (see footnote 11. The gist is that this sale put enough pressure on the order books that a lot of leverage positions cascaded into selling as well causing the flash crash)
> I'm confused then, are you in support of cryptocurrency?
I'm neither. I treat it as a protocol like HTTP, use it where it makes sense, don't use it where it doesn't make sense.
When I say the "system", I'm referring to the system of centralized currencies. Banks have always wanted to know where large sums come from, and where they are going to, as the government will ask them questions about it and they like to be prepared.
> And aside from KYC issues, another recently posted article pointed out that when a single individual tried to unload around 1500 BTC (0.03% of the coins in circulation at the time) it caused a liquidity crisis that crashed the market by 20%.[1]
Not sure what KYC issues you're referring to. They are only an issue if you're having a hard time explaining where the money comes from. If you have a legitimate source for your funds, it's a couple of emails with some attachments to pass the KYC/AML checks that the major exchanges perform. The same thing will happen with your bank, and they normally will accept the same amount of evidence you send to the exchange.
And yes, if you try to offload 1500 BTC on the open market the market will correctly adjust. That's why I wrote about the OTC offers in my initial message, that's normally how you want to offload/purchase a large amount, as it's not gonna change the pricing on the open market, as you manually match buyer/seller.
the world is not anymore the way it used to be, mm mm NO NO No! Bitconeeeeeeeeeeeeeeeect wooo bitconnect! We are coming and we are coming in waves. We are starting and to actually go all over the world. We all built the entire world.
Debatable. GP basically ignores all the interesting parts of the article being posted in order to simply say the usual spiel about how much HN hates crypto. The relevance to the original article is close to nil.
I'm calling them out for that -- perhaps in a way that's too terse, but at least I'm not completely derailing the conversation like they're doing. But thank you for prompting a longer response from me.
I paid off all my student loan debt and bought a house last summer because I got scammed into buying ETH about 2 years ago. Thanks for your insight though.
As a thought experiment, replace crypto in this situation for beanie babies. You managed to buy a bunch of beanie babies before a beanie baby craze started, and sold them at exorbitant prices to other people coming in that were convinced that beanie baby prices would only keep skyrocketing. You took their money, and now I guess as long as they're the bag holders still holding beanie babies when it all falls apart and they become worthless, and not you, it's all good. As long as you managed to make a profit and get out in time it wasn't a scam.
1 is questionably valuable and arguably harmful, 2 is increasingly untrue, 3 and 6 aren't inherent benefits of Ethereum, 4 and 5 aren't true, and 7 is speculative and begs the question.
> 1 is questionably valuable and arguably harmful
If it’s mutable, it’s centralized, so you’re wrong.
>2 is increasingly untrue
That’s also incorrect, Ethereum has become more decentralized every year
> 3 and 6 aren't inherent benefits of Ethereum and 5 aren't true
Yes they are. Ethereum is deflationary and will become three times more inflationary later this year.
It’s about 1.1TB for full sync geth nodes, and growing. Ethereum researchers are looking into statelessness and state expiry which aim to make it even easier to run nodes with little need for space.
People will continue to run nodes regardless of the price of ETH, just like Bitcoin.
ENS is a smart contract protocol, so I don’t see how it’s related.
1. Maybe. It's not so great if you publish something confidential.
2. No one is responsible for anything, you'll never get any support, and one day the decentralized consensus might be to abandon the whole system.
3. It takes 16 seconds for a transaction to post and the average transaction fee [a] is over $2. Cross-country money transfers (assuming you mean international) benefit money launderers and criminals a lot more than me.
4. I never understand this sentiment. Thousands of tokens have been invented to create hundreds of billions of dollars. If the federal reserve told everyone they could print their own fiat and have it accepted at the bank, what do you think would happen? Inflation, right? Think of it another way. If the liquidity for the market is fixed in the sense of the amount of fiat people are willing to bring in, then every token mined or minted is diluting the value of anything you're holding.
5. This is at the risk of losing your keys and your life savings. No thanks. Also, banks act as a backstop for a lot of things people don't even think about. They won't let you wire your life savings to Nigeria without trying to make sure you won't get scammed. They indemnify you from the risk of fraud if you're using a credit card. Money you give them is backed by FDIC (or similar) insurance, so if the bank fails your money is still there.
6. Like?
7. Yeah. I'm sure the super elite that control almost all of the money and assets on the planet are going to sit by and watch as the crypto community anoints themselves as the new rulers of the wealth.
And what happens in this utopia where everything can be anonymous and governments have lost control of the money supply? Does everyone stop paying taxes? Who funds the schools, hospitals, and all other infrastructure? Do you think the rich are going to suddenly become charitable and start funding everything? They already contribute as little as possible, so it's difficult to imagine a world where they'd contribute $1 if they aren't forced to do it.
> The fact that people still don’t get that in 2022 is astonishing.
We don't get it because it doesn't make sense. It might make perfect sense for those of you that mined millions of (on paper) dollars of crypto currency, but it's not a good deal for anyone else. It's objectively worse in terms of stability and predictability and the best outcome for us is to get a different set of wealthy elite that control everything.
Your arguments are mostly about usability. However, there are already many services that give you additional utility such as insurance, backups etc.
Crypto already has replaced money in several countries, especially third world countries where it has replaced money for 30% of the population that have protected their funds against inflation thanks to the inherent scarcity of respective cryptos.
That just means that you were part of the scam. Hell; somebody approvingly reading this comment might be the bagholder of the future, shooting himself after all of his savings have evaporated into some ETH tycoon's pocket who dumped before the market locked up.
Now that the bag holders include major investment houses... Well, if it's possible for a scam to have a successful "exit," that's what happened. They used their funny money to tap in to the real funny money. If all cryptocurrencies went to 0 tomorrow I wouldn't be surprised at all if some part of the "real" financial infrastructure got caught and there had to be bailouts, which we've learned is what happens when the wrong people lose a bet.
There's too much money in the system now for it to all be from mom-and-pop marks. That's just not a viable explanation at these market capitalizations. That's not to say that average people aren't going to find out that they're long crypto - but it'd be in the way they found out they were long real estate.
Could you please stop posting unsubstantive and/or flamebait comments to HN? It's not what this site is for, and it destroys what it is for.
In case it helps: the first two comments you posted with this account (a couple weeks ago) were much more substantive and much more along the lines of what we're looking for.
- be careful, scammers are getting more creative and advanced in technique including standing up professional front end websites to give the appearance of legitimacy